Edit tour

Windows Analysis Report
AX3-GUI-45.exe

Overview

General Information

Sample name:	AX3-GUI-45.exe
Analysis ID:	1509202
MD5:	ae4414edd46c7769589c35beeee7d0de
SHA1:	e0885269d15b87afb2b3b8e570c7c06fc28db7eb
SHA256:	00de5f7503d19911ff05e808f91cd24b6a1ac2394048fd83e7061d531cd66b11
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Installs new ROOT certificates

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sigma detected: Dot net compiler compiles file from suspicious location

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to get notified if a device is plugged in / out

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the driver directory

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64_ra

AX3-GUI-45.exe (PID: 6260 cmdline: "C:\Users\user\Desktop\AX3-GUI-45.exe" MD5: AE4414EDD46C7769589C35BEEEE7D0DE)

AX3-GUI-45.tmp (PID: 6280 cmdline: "C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp" /SL5="$60364,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe" MD5: 48C6508A6FD96E62F8796701A0200C8F)

setup-ax3-driver.exe (PID: 6552 cmdline: "C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe" MD5: 0ABD9CF2D191036D778F6F1FBE25FAE1)

setup-ax3-driver.tmp (PID: 6584 cmdline: "C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp" /SL5="$20314,681477,54272,C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe" MD5: 67C5A4F36E1C91A3B85E440EDD7AD026)

dpinst64.exe (PID: 6724 cmdline: "C:\Program Files\AX3-Driver\DPInst64.exe" /F /SA /SE /SW MD5: BE3C79033FA8302002D9D3A6752F2263)

OmGui.exe (PID: 2088 cmdline: "C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe" MD5: 12FEEE099449453BA386F8FBA6C72090)

csc.exe (PID: 2936 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline" MD5: 2B9482EB5D3AF71029277E18F6C656C0)

conhost.exe (PID: 3888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 5148 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA99A.tmp" "c:\Users\user\AppData\Local\Temp\CSCA999.tmp" MD5: E118330B4629B12368D91B9DF6488BE0)

drvinst.exe (PID: 6836 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a893eec2-cde1-b844-a268-dd04a77ebb2a}\mchp_msd_cdc.inf" "9" "4987fa53f" "000000000000014C" "WinSta0\Default" "000000000000011C" "208" "c:\program files\ax3-driver" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

rundll32.exe (PID: 4188 cmdline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{6c760311-7d3e-5f44-bbdb-3640e2127551} Global\{b1383f99-4876-844f-9d31-fe5ec27fdc7b} C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_msd_cdc.inf C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_MSD_CDC.cat MD5: EF3179D498793BF4234F708D3BE28633)

AX3-GUI-45.exe (PID: 5864 cmdline: "C:\Users\user\Desktop\AX3-GUI-45.exe" MD5: AE4414EDD46C7769589C35BEEEE7D0DE)

AX3-GUI-45.tmp (PID: 1340 cmdline: "C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp" /SL5="$20130,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe" MD5: 48C6508A6FD96E62F8796701A0200C8F)

AX3-GUI-45.exe (PID: 2452 cmdline: "C:\Users\user\Desktop\AX3-GUI-45.exe" /SPAWNWND=$502A0 /NOTIFYWND=$20130 MD5: AE4414EDD46C7769589C35BEEEE7D0DE)

AX3-GUI-45.tmp (PID: 364 cmdline: "C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp" /SL5="$6035A,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe" /SPAWNWND=$502A0 /NOTIFYWND=$20130 MD5: 48C6508A6FD96E62F8796701A0200C8F)

OmGui.exe (PID: 3580 cmdline: "C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe" MD5: 12FEEE099449453BA386F8FBA6C72090)

csc.exe (PID: 4944 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\6yss2uyv.cmdline" MD5: 2B9482EB5D3AF71029277E18F6C656C0)

conhost.exe (PID: 876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 6576 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES431B.tmp" "c:\Users\user\AppData\Local\Temp\CSC431A.tmp" MD5: E118330B4629B12368D91B9DF6488BE0)

cleanup

Sigma Signatures

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe, ProcessId: 2088, TargetFilename: C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, ParentCommandLine: "C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe", ParentImage: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe, ParentProcessId: 2088, ParentProcessName: OmGui.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline", ProcessId: 2936, ProcessName: csc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: AX3-GUI-45.exe

Virustotal: Detection: 6%

Perma Link

Source: AX3-GUI-45.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.17:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.17:49716 version: TLS 1.0

Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\unins000.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\is-LFGHU.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\is-GPPIL.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\is-VN62H.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\is-PG9F3.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\is-SHR07.tmp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C12D7D33-3050-44D8-8ADA-8ADCFA9368A5}_is1

Jump to behavior

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: AX3-GUI-45.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: k0/C:\Users\user\AppData\Local\Temp\6yss2uyv.pdb source: OmGui.exe, 00000025.00000002.2102587867.0000000003AD6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Newcastle\Projects\openmovement\Software\OM\omgui\obj\x86\Release\OmGui.pdb source: OmGui.exe, 00000010.00000000.1431643900.0000000000C99000.00000002.00000001.01000000.00000011.sdmp, is-E9CM8.tmp.1.dr
Source:	Binary string: C:\Newcastle\Projects\Embedded\Bootloader.svn\Software\Booter\Release\booter.pdb source: is-MNQIV.tmp.1.dr
Source:	Binary string: C:\Newcastle\Projects\omconvert\src\omconvert\Release\omconvert.pdb source: is-83JS7.tmp.1.dr
Source:	Binary string: D:\Newcastle\Projects\openmovement\Software\OM\Release\libomapi.pdb source: OmGui.exe, 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmp, OmGui.exe, 00000025.00000002.2117056134.000000006FC7E000.00000002.00000001.01000000.00000017.sdmp, is-J5C8E.tmp.1.dr
Source:	Binary string: DpInst.pdbH source: dpinst64.exe, 00000007.00000000.1226780349.00007FF6AD951000.00000020.00000001.01000000.0000000F.sdmp, is-SHR07.tmp.5.dr
Source:	Binary string: D:\Newcastle\Projects\openmovement\Software\OM\omapinet\obj\x86\Release\OmApiNet.pdbD source: OmGui.exe, 00000010.00000002.1720028687.0000000007002000.00000002.00000001.01000000.00000016.sdmp, is-LC9GL.tmp.1.dr
Source:	Binary string: D:\Newcastle\Projects\openmovement\Software\OM\omapinet\obj\x86\Release\OmApiNet.pdb source: OmGui.exe, OmGui.exe, 00000010.00000002.1720028687.0000000007002000.00000002.00000001.01000000.00000016.sdmp, is-LC9GL.tmp.1.dr
Source:	Binary string: ISADMINLOGGEDONRelease\isunzlib.pdb source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000003.1196979183.0000000003250000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000003.1428996496.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000003.1196938143.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr
Source:	Binary string: DpInst.pdb source: dpinst64.exe, 00000007.00000000.1226780349.00007FF6AD951000.00000020.00000001.01000000.0000000F.sdmp, is-PG9F3.tmp.5.dr, is-SHR07.tmp.5.dr
Source:	Binary string: DpInst.pdbp source: is-PG9F3.tmp.5.dr

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_6D003C20 SetWindowLongW,GetWindowLongW,DefWindowProcW,PostQuitMessage,RegisterDeviceNotificationW,MessageBoxA,UnregisterDeviceNotification,KiUserCallbackDispatcher,DefWindowProcW,

16_2_6D003C20

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D01EEDE FindFirstFileExA,		16_2_6D01EEDE
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC6EEDE FindFirstFileExA,		37_2_6FC6EEDE

Source: global traffic	HTTP traffic detected: GET /digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 185.199.111.133 185.199.111.133

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.17:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.17:49716 version: TLS 1.0

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_011AA09A recv,

16_2_011AA09A

Source: global traffic	HTTP traffic detected: GET /digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: raw.githubusercontent.com

Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: OmGui.exe, 00000010.00000002.1721430944.0000000009A9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsE
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: rundll32.exe, 0000000F.00000002.1325076830.0000025F70419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csc3-2009-2-aia.ve.
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: drvinst.exe, 00000009.00000002.1376663620.00000279D7A14000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.1295406730.00000279D7A28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.1324344949.0000025F70140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: drvinst.exe, 00000009.00000002.1376663620.00000279D7A14000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.1295406730.00000279D7A28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 0000000F.00000002.1324344949.0000025F700DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabbAD
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: OmGui.exe, 00000025.00000002.2096196339.0000000001652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: OmGui.exe, 00000025.00000002.2096196339.0000000001652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.usertru
Source: drvinst.exe, 00000009.00000002.1376663620.00000279D7A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.verisi
Source: rundll32.exe, 0000000F.00000002.1324344949.0000025F700DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.verisign.co
Source: is-0JOM7.tmp.1.dr	String found in binary or memory: http://phrogz.net/JS/_ReuseLicense.txt
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/cscasha
Source: AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: OmGui.exe, 00000010.00000002.1708580813.0000000003471000.00000004.00000800.00020000.00000000.sdmp, OmGui.exe, 00000025.00000002.2102587867.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: OmGui.exe, 00000010.00000002.1708580813.0000000003471000.00000004.00000800.00020000.00000000.sdmp, OmGui.exe, 00000025.00000002.2102587867.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: AX3-GUI-45.tmp, 00000001.00000003.1098497033.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003894000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025EB000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000018.00000003.1814040575.00000000025FB000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.00000000025DB000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr	String found in binary or memory: http://tinyurl.com/dotnet35setup
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#affix
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#alerts
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#buttons
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#carousel
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#collapse
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#dropdowns
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#modals
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#popovers
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#scrollspy
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#tabs
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#tooltips
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#transitions
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://twitter.github.com/bootstrap/javascript.html#typeahead
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp, is-7QH66.tmp.1.dr, is-QCCS6.tmp.1.dr, is-GA9GG.tmp.1.dr, is-R9IP2.tmp.1.dr, is-233P5.tmp.1.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: setup-ax3-driver.exe, 00000004.00000003.1195303513.00000000021E8000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.exe, 00000004.00000003.1194866477.0000000002480000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000000.1195968623.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: OmGui.exe, 00000010.00000002.1721430944.0000000009A9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: is-7QH66.tmp.1.dr	String found in binary or memory: http://www.modernizr.com/)
Source: AX3-GUI-45.tmp, 00000020.00000003.1807041334.00000000026BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openmovement.co.uk
Source: AX3-GUI-45.exe, 00000000.00000003.1093771706.0000000002670000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openmovement.co.uk:http://www.openmovement.co.uk:http://www.openmovement.co.uk
Source: AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000026CA000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.00000000026BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openmovement.co.uka
Source: AX3-GUI-45.exe, 00000000.00000003.1439175698.0000000000C4A000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.exe, 00000017.00000003.1817995698.00000000023BA000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.exe, 0000001F.00000003.1811571474.000000000248A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openmovement.co.ukq
Source: setup-ax3-driver.exe, 00000004.00000003.1195303513.00000000021E8000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.exe, 00000004.00000003.1194866477.0000000002480000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000000.1195968623.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: setup-ax3-driver.exe, 00000004.00000003.1195303513.00000000021E8000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.exe, 00000004.00000003.1194866477.0000000002480000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000000.1195968623.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: OmGui.exe, 00000025.00000002.2102587867.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/digitalinteraction/openmovement/releases/download/AX3-OmGui-v28/AX3-GUI-28.zip
Source: AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: https://jrsoftware.org/
Source: AX3-GUI-45.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: https://jrsoftware.org0
Source: OmGui.exe, 00000025.00000002.2102587867.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://openmovement.googlecode.com/svn/downloads/AX3/omgui.ini
Source: OmGui.exe, 00000010.00000002.1708580813.0000000003471000.00000004.00000800.00020000.00000000.sdmp, OmGui.exe, 00000025.00000002.2102587867.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: OmGui.exe, 00000025.00000002.2102587867.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/AX3-GUI-28.zi
Source: OmGui.exe, 00000010.00000002.1721430944.0000000009A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.i
Source: OmGui.exe, 00000025.00000002.2102587867.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp, is-E9CM8.tmp.1.dr	String found in binary or memory: https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini
Source: OmGui.exe, 00000010.00000000.1431643900.0000000000B22000.00000002.00000001.01000000.00000011.sdmp, is-E9CM8.tmp.1.dr	String found in binary or memory: https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini3UPD
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS05
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: AX3-GUI-45.exe, 00000000.00000003.1095350311.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.exe, 00000000.00000003.1094938915.0000000002670000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000000.1096792574.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AX3-GUI-45.tmp.31.dr, is-524O8.tmp.1.dr	String found in binary or memory: https://www.innosetup.com/
Source: AX3-GUI-45.exe, 00000000.00000003.1095350311.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.exe, 00000000.00000003.1094938915.0000000002670000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000000.1096792574.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AX3-GUI-45.tmp.31.dr, is-524O8.tmp.1.dr	String found in binary or memory: https://www.remobjects.com/ps
Source: drvinst.exe, 00000009.00000002.1376663620.00000279D7A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.verisign.c

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716

Source: C:\Program Files\AX3-Driver\dpinst64.exe	File created: C:\Users\user\AppData\Local\Temp\{a893eec2-cde1-b844-a268-dd04a77ebb2a}\SET584D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Program Files\AX3-Driver\mchp_msd_cdc.cat (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Program Files\AX3-Driver\is-VN62H.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\SET6126.tmp	Jump to dropped file
Source: C:\Program Files\AX3-Driver\dpinst64.exe	File created: C:\Users\user\AppData\Local\Temp\{a893eec2-cde1-b844-a268-dd04a77ebb2a}\mchp_MSD_CDC.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_MSD_CDC.cat (copy)	Jump to dropped file

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 37_2_6FC53C20 SetWindowLongW,GetWindowLongW,NtdllDefWindowProc_W,PostQuitMessage,RegisterDeviceNotificationW,MessageBoxA,UnregisterDeviceNotification,DestroyWindow,NtdllDefWindowProc_W,

37_2_6FC53C20

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_6D002440: InterlockedDecrement,SysFreeString,VariantClear,__cftoe,VariantClear,__cftoe,CreateFileW,DeviceIoControl,CloseHandle,VariantClear,

16_2_6D002440

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}

Jump to behavior

Source: C:\Program Files\AX3-Driver\dpinst64.exe	File created: C:\Windows\DPINST.LOG	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\mchp_msd_cdc.inf_amd64_4a6fccf2a250c2d5	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf	Jump to behavior

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\SET6126.tmp

Jump to behavior

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D013D53	16_2_6D013D53
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D00B570	16_2_6D00B570
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D02542B	16_2_6D02542B
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D00AF60	16_2_6D00AF60
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D0216FE	16_2_6D0216FE
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D00C010	16_2_6D00C010
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D013B24	16_2_6D013B24
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D00DB80	16_2_6D00DB80
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D021250	16_2_6D021250
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D0262E0	16_2_6D0262E0
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_01821900	16_2_01821900
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_0182A320	16_2_0182A320
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_018218B0	16_2_018218B0
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_0182A310	16_2_0182A310
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_0182D97C	16_2_0182D97C
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_08500070	16_2_08500070
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_085078D8	16_2_085078D8
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_085045C8	16_2_085045C8
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_08508E78	16_2_08508E78
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_08500065	16_2_08500065
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_08500070	16_2_08500070
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_08508E88	16_2_08508E88
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_08500070	16_2_08500070
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_08500070	16_2_08500070
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_085045C0	16_2_085045C0
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_08500070	16_2_08500070
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_0182D980	16_2_0182D980
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC5AF60	37_2_6FC5AF60
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC716FE	37_2_6FC716FE
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC63D53	37_2_6FC63D53
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC5B570	37_2_6FC5B570
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC7542B	37_2_6FC7542B
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC5DB80	37_2_6FC5DB80
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC63B24	37_2_6FC63B24
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC762E0	37_2_6FC762E0
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC71250	37_2_6FC71250
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC5C010	37_2_6FC5C010
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_05A7A320	37_2_05A7A320
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_05A71900	37_2_05A71900
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_05A718FB	37_2_05A718FB
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_05A7A310	37_2_05A7A310
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_05A7D970	37_2_05A7D970
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_082D7828	37_2_082D7828
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_082D0070	37_2_082D0070
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_082D45C8	37_2_082D45C8
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_082D0070	37_2_082D0070
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_082D0065	37_2_082D0065
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_082D0070	37_2_082D0070
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_082D0070	37_2_082D0070
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_082D45BA	37_2_082D45BA
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_082D0070	37_2_082D0070
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_05A7D980	37_2_05A7D980

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: String function: 6D00A070 appears 73 times
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: String function: 6FC5F2F0 appears 47 times
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: String function: 6D00F2F0 appears 47 times

Source: AX3-GUI-45.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-524O8.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-KA3P3.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: setup-ax3-driver.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: setup-ax3-driver.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: setup-ax3-driver.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: setup-ax3-driver.tmp.4.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-LFGHU.tmp.5.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-LFGHU.tmp.5.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-LFGHU.tmp.5.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-LFGHU.tmp.5.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: AX3-GUI-45.tmp.23.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: AX3-GUI-45.tmp.31.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: AX3-GUI-45.exe, 00000000.00000003.1095350311.000000007FE40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs AX3-GUI-45.exe
Source: AX3-GUI-45.exe, 00000000.00000003.1439175698.0000000000C08000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs AX3-GUI-45.exe
Source: AX3-GUI-45.exe, 00000000.00000000.1093429390.00000000004DD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs AX3-GUI-45.exe
Source: AX3-GUI-45.exe, 00000000.00000003.1094938915.0000000002774000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs AX3-GUI-45.exe
Source: AX3-GUI-45.exe, 00000017.00000003.1817995698.0000000002378000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs AX3-GUI-45.exe
Source: AX3-GUI-45.exe, 0000001F.00000003.1811571474.0000000002448000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs AX3-GUI-45.exe
Source: AX3-GUI-45.exe	Binary or memory string: OriginalFileName vs AX3-GUI-45.exe

Source: AX3-GUI-45.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: is-E9CM8.tmp.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal64.expl.evad.winEXE@31/232@1/1

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_06B369EE AdjustTokenPrivileges,	16_2_06B369EE
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_06B369B7 AdjustTokenPrivileges,	16_2_06B369B7
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_074D692E AdjustTokenPrivileges,	37_2_074D692E
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_074D68F7 AdjustTokenPrivileges,	37_2_074D68F7

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_6D001610 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoUninitialize,SysAllocString,InterlockedDecrement,SysFreeString,CoUninitialize,CoSetProxyBlanket,_com_issue_error,_com_issue_error,

16_2_6D001610

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp

File created: C:\Program Files (x86)\Open Movement

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Program Files\AX3-Driver\dpinst64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\DPINST_LOG_SCROLLER_MUTEX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:876:120:WilError_03
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\AX3-GUI-45.exe

File created: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp

Jump to behavior

Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\AX3-GUI-45.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{6c760311-7d3e-5f44-bbdb-3640e2127551} Global\{b1383f99-4876-844f-9d31-fe5ec27fdc7b} C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_msd_cdc.inf C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_MSD_CDC.cat

Source: AX3-GUI-45.exe

Virustotal: Detection: 6%

Source: AX3-GUI-45.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\AX3-GUI-45.exe

File read: C:\Users\user\Desktop\AX3-GUI-45.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\AX3-GUI-45.exe "C:\Users\user\Desktop\AX3-GUI-45.exe"
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp "C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp" /SL5="$60364,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process created: C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe "C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe"
Source: C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp "C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp" /SL5="$20314,681477,54272,C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Process created: C:\Program Files\AX3-Driver\dpinst64.exe "C:\Program Files\AX3-Driver\DPInst64.exe" /F /SA /SE /SW
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a893eec2-cde1-b844-a268-dd04a77ebb2a}\mchp_msd_cdc.inf" "9" "4987fa53f" "000000000000014C" "WinSta0\Default" "000000000000011C" "208" "c:\program files\ax3-driver"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{6c760311-7d3e-5f44-bbdb-3640e2127551} Global\{b1383f99-4876-844f-9d31-fe5ec27fdc7b} C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_msd_cdc.inf C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_MSD_CDC.cat
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process created: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe "C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe"
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA99A.tmp" "c:\Users\user\AppData\Local\Temp\CSCA999.tmp"
Source: unknown	Process created: C:\Users\user\Desktop\AX3-GUI-45.exe "C:\Users\user\Desktop\AX3-GUI-45.exe"
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp "C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp" /SL5="$20130,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe"
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Process created: C:\Users\user\Desktop\AX3-GUI-45.exe "C:\Users\user\Desktop\AX3-GUI-45.exe" /SPAWNWND=$502A0 /NOTIFYWND=$20130
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Process created: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp "C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp" /SL5="$6035A,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe" /SPAWNWND=$502A0 /NOTIFYWND=$20130
Source: unknown	Process created: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe "C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe"
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\6yss2uyv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES431B.tmp" "c:\Users\user\AppData\Local\Temp\CSC431A.tmp"
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp "C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp" /SL5="$60364,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process created: C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe "C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process created: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe "C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe"	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp "C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp" /SL5="$20314,681477,54272,C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Process created: C:\Program Files\AX3-Driver\dpinst64.exe "C:\Program Files\AX3-Driver\DPInst64.exe" /F /SA /SE /SW	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{6c760311-7d3e-5f44-bbdb-3640e2127551} Global\{b1383f99-4876-844f-9d31-fe5ec27fdc7b} C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_msd_cdc.inf C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_MSD_CDC.cat	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA99A.tmp" "c:\Users\user\AppData\Local\Temp\CSCA999.tmp"
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp "C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp" /SL5="$20130,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe"
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Process created: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp "C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp" /SL5="$6035A,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe" /SPAWNWND=$502A0 /NOTIFYWND=$20130
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\6yss2uyv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES431B.tmp" "c:\Users\user\AppData\Local\Temp\CSC431A.tmp"

Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: pnpui.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: cscomp.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: cscomp.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: OmGui.lnk.1.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\Open Movement\OM GUI\OmGui.exe
Source: Uninstall OmGui.lnk.1.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\Open Movement\OM GUI\unins000.exe

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\unins000.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\is-LFGHU.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\is-GPPIL.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\is-VN62H.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\is-PG9F3.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Directory created: C:\Program Files\AX3-Driver\is-SHR07.tmp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C12D7D33-3050-44D8-8ADA-8ADCFA9368A5}_is1

Jump to behavior

Source: AX3-GUI-45.exe

Static file information: File size 6029717 > 1048576

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: AX3-GUI-45.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: k0/C:\Users\user\AppData\Local\Temp\6yss2uyv.pdb source: OmGui.exe, 00000025.00000002.2102587867.0000000003AD6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Newcastle\Projects\openmovement\Software\OM\omgui\obj\x86\Release\OmGui.pdb source: OmGui.exe, 00000010.00000000.1431643900.0000000000C99000.00000002.00000001.01000000.00000011.sdmp, is-E9CM8.tmp.1.dr
Source:	Binary string: C:\Newcastle\Projects\Embedded\Bootloader.svn\Software\Booter\Release\booter.pdb source: is-MNQIV.tmp.1.dr
Source:	Binary string: C:\Newcastle\Projects\omconvert\src\omconvert\Release\omconvert.pdb source: is-83JS7.tmp.1.dr
Source:	Binary string: D:\Newcastle\Projects\openmovement\Software\OM\Release\libomapi.pdb source: OmGui.exe, 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmp, OmGui.exe, 00000025.00000002.2117056134.000000006FC7E000.00000002.00000001.01000000.00000017.sdmp, is-J5C8E.tmp.1.dr
Source:	Binary string: DpInst.pdbH source: dpinst64.exe, 00000007.00000000.1226780349.00007FF6AD951000.00000020.00000001.01000000.0000000F.sdmp, is-SHR07.tmp.5.dr
Source:	Binary string: D:\Newcastle\Projects\openmovement\Software\OM\omapinet\obj\x86\Release\OmApiNet.pdbD source: OmGui.exe, 00000010.00000002.1720028687.0000000007002000.00000002.00000001.01000000.00000016.sdmp, is-LC9GL.tmp.1.dr
Source:	Binary string: D:\Newcastle\Projects\openmovement\Software\OM\omapinet\obj\x86\Release\OmApiNet.pdb source: OmGui.exe, OmGui.exe, 00000010.00000002.1720028687.0000000007002000.00000002.00000001.01000000.00000016.sdmp, is-LC9GL.tmp.1.dr
Source:	Binary string: ISADMINLOGGEDONRelease\isunzlib.pdb source: AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000003.1196979183.0000000003250000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000003.1428996496.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000003.1196938143.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr
Source:	Binary string: DpInst.pdb source: dpinst64.exe, 00000007.00000000.1226780349.00007FF6AD951000.00000020.00000001.01000000.0000000F.sdmp, is-PG9F3.tmp.5.dr, is-SHR07.tmp.5.dr
Source:	Binary string: DpInst.pdbp source: is-PG9F3.tmp.5.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: is-E9CM8.tmp.1.dr, ExportSvmForm.cs

.Net Code: InitializeComponent contains xor as well as GetObject

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline"
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\6yss2uyv.cmdline"
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline"	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\6yss2uyv.cmdline"

Source: AX3-GUI-45.exe	Static PE information: section name: .didata
Source: AX3-GUI-45.tmp.0.dr	Static PE information: section name: .didata
Source: is-524O8.tmp.1.dr	Static PE information: section name: .didata
Source: is-83JS7.tmp.1.dr	Static PE information: section name: _RDATA
Source: AX3-GUI-45.tmp.23.dr	Static PE information: section name: .didata
Source: AX3-GUI-45.tmp.31.dr	Static PE information: section name: .didata

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_07005637 push es; ret	16_2_07005946
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D00F336 push ecx; ret	16_2_6D00F349
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_0850B1E0 push esp; ret	16_2_0850B1E9
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC5F336 push ecx; ret	37_2_6FC5F349

Source: is-E9CM8.tmp.1.dr

Static PE information: section name: .text entropy: 7.187953763177532

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\drvinst.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 Blob

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA Convertor.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Program Files\AX3-Driver\is-SHR07.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\omconvert.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	File created: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CUPI4.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	File created: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Program Files\AX3-Driver\dpinst32.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Program Files\AX3-Driver\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-22EDB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	File created: C:\Users\user\AppData\Local\Temp\is-M04BE.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\OmApiNet.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\is-J5C8E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	File created: C:\Users\user\AppData\Local\Temp\is-M04BE.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Program Files\AX3-Driver\is-PG9F3.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\6yss2uyv.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\lj4v3otx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-7RMVQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\is-LC9GL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\is-524O8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\is-83JS7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	File created: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\is-E9CM8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CUPI4.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Program Files\AX3-Driver\is-LFGHU.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe	File created: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Program Files\AX3-Driver\dpinst64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-MNQIV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\is-KA3P3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\firmware\booter.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	File created: C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\cwa-convert.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\Program Files (x86)\Open Movement\OM GUI\libomapi.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OmGui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OmGui\OmGui.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OmGui\Uninstall OmGui.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\AX3-Driver\dpinst64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AX3-GUI-45.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT PNPDeviceID, DeviceID FROM Win32_DiskDrive WHERE InterfaceType='USB'
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT PNPDeviceID, DeviceID FROM Win32_DiskDrive WHERE InterfaceType='USB'

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Memory allocated: 1580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Memory allocated: 3470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Memory allocated: 5470000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Memory allocated: 1DA0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Memory allocated: 3860000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Memory allocated: 5860000 memory commit \| memory reserve \| memory write watch

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA Convertor.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\omconvert.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CUPI4.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Dropped PE file which has not been started: C:\Program Files\AX3-Driver\dpinst32.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Dropped PE file which has not been started: C:\Program Files\AX3-Driver\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M04BE.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-22EDB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\OmApiNet.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\is-J5C8E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M04BE.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6yss2uyv.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Dropped PE file which has not been started: C:\Program Files\AX3-Driver\is-PG9F3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lj4v3otx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-7RMVQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\is-LC9GL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\is-524O8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\is-83JS7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Dropped PE file which has not been started: C:\Program Files\AX3-Driver\is-LFGHU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CUPI4.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-MNQIV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\firmware\booter.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\cwa-convert.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Open Movement\OM GUI\libomapi.dll (copy)	Jump to dropped file

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe TID: 792	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe TID: 2848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe TID: 3932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D01EEDE FindFirstFileExA,		16_2_6D01EEDE
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC6EEDE FindFirstFileExA,		37_2_6FC6EEDE

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_06B33CD6 GetSystemInfo,

16_2_06B33CD6

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (16ms): HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: AX3-GUI-45.tmp, 00000001.00000003.1436842729.0000000000998000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\W
Source: is-E9CM8.tmp.1.dr	Binary or memory string: &Tools5svmToolStripMenuItem.Image)svmToolStripMenuItem#Calculate S&VM...AcutPointsToolStripMenuItem.Image5cutPointsToolStripMenuItem1Calculate &Cut Points...3wearTimeToolStripMenuItem/Calculate Wear &Time...%toolStripMenuItem21Calculate &Sleep Time...'toolStripSeparator11pluginsToolStripMenuItem
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (31ms): Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: AX3-GUI-45.tmp, 00000001.00000003.1436842729.0000000000998000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (15ms): HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:53 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.2364.cat
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:53 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.2364.cat
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.3393.cat
Source: is-E9CM8.tmp.1.dr	Binary or memory string: svmToolStripMenuItem
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: AX3-GUI-45.tmp, 00000018.00000002.1816112671.000000000080F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\i
Source: OmGui.exe, 00000010.00000002.1721430944.0000000009A10000.00000004.00000020.00020000.00000000.sdmp, OmGui.exe, 00000025.00000002.2113712294.0000000008030000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (16ms): HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (0ms): HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.3393.cat
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.3393.cat
Source: OmGui.exe, 00000025.00000002.2102587867.00000000038ED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: svmToolStripMenuItem.Image
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: OmGui.exe, 00000025.00000002.2113712294.0000000008067000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: OmGui.exe, 00000010.00000002.1721430944.0000000009A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: OmGui.exe, 00000025.00000002.2096196339.0000000001608000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: AX3-GUI-45.tmp, 00000018.00000002.1816112671.000000000080F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: OmGui.exe, 00000010.00000002.1706338731.00000000012F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:53 06/10/2023: DONE Adding Catalog File (16ms): Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.2364.cat
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:53 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.2364.cat
Source: is-E9CM8.tmp.1.dr	Binary or memory string: 4svmToolStripMenuItem.Image
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.2728.cat
Source: OmGui.exe, 00000025.00000002.2096196339.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat
Source: is-E9CM8.tmp.1.dr	Binary or memory string: svmToolStripMenuItem_Click
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.3393.cat
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (15ms): Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: OmGui.exe, 00000025.00000002.2096196339.0000000001652000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: dberr.txt.9.dr	Binary or memory string: CatalogDB: 11:48:53 06/10/2023: DONE Adding Catalog File (15ms): Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.2364.cat

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_6D00F170 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

16_2_6D00F170

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D017DEB mov eax, dword ptr fs:[00000030h]		16_2_6D017DEB
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC67DEB mov eax, dword ptr fs:[00000030h]		37_2_6FC67DEB

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_6D01FE76 GetProcessHeap,

16_2_6D01FE76

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D00E6D9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_6D00E6D9
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D00F170 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_6D00F170
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 16_2_6D015063 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_6D015063
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC5E6D9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	37_2_6FC5E6D9
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC5F170 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_6FC5F170
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Code function: 37_2_6FC65063 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_6FC65063

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA99A.tmp" "c:\Users\user\AppData\Local\Temp\CSCA999.tmp"
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\6yss2uyv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES431B.tmp" "c:\Users\user\AppData\Local\Temp\CSC431A.tmp"

Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{6c760311-7d3e-5f44-bbdb-3640e2127551} global\{b1383f99-4876-844f-9d31-fe5ec27fdc7b} c:\windows\system32\driverstore\temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_msd_cdc.inf c:\windows\system32\driverstore\temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_msd_cdc.cat
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{6c760311-7d3e-5f44-bbdb-3640e2127551} global\{b1383f99-4876-844f-9d31-fe5ec27fdc7b} c:\windows\system32\driverstore\temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_msd_cdc.inf c:\windows\system32\driverstore\temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_msd_cdc.cat			Jump to behavior

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_6D00F34B cpuid

16_2_6D00F34B

Source: C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_MSD_CDC.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_MSD_CDC.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Program Files (x86)\Open Movement\OM GUI\OmApiNet.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Program Files (x86)\Open Movement\OM GUI\OmApiNet.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Program Files (x86)\Open Movement\OM GUI\OmApiNet.dll VolumeInformation
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Program Files (x86)\Open Movement\OM GUI\OmApiNet.dll VolumeInformation
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation
Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_6D01D78C GetSystemTimeAsFileTime,

16_2_6D01D78C

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_6D01E509 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

16_2_6D01E509

Source: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Code function: 16_2_6D00CDE0 OmGetVersion,OmCommand,

16_2_6D00CDE0

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\47CEB881EDB1AD96814903261E1BD7EFBFAA5AE6 Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Windows Service	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	1 Install Root Certificate	NTDS	135 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	12 Software Packing	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	23 Masquerading	Proc Filesystem	131 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	131 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AX3-GUI-45.exe	8%	ReversingLabs
AX3-GUI-45.exe	7%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Open Movement\OM GUI\OmApiNet.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA Convertor.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\cwa-convert.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-22EDB.tmp	2%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-7RMVQ.tmp	2%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\is-83JS7.tmp	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\omconvert.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\firmware\booter.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-MNQIV.tmp	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\is-524O8.tmp	5%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\is-E9CM8.tmp	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\is-J5C8E.tmp	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\is-KA3P3.tmp	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\is-LC9GL.tmp	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\libomapi.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Open Movement\OM GUI\unins000.exe (copy)	5%	ReversingLabs
C:\Program Files\AX3-Driver\dpinst32.exe (copy)	0%	ReversingLabs
C:\Program Files\AX3-Driver\dpinst64.exe (copy)	0%	ReversingLabs
C:\Program Files\AX3-Driver\is-LFGHU.tmp	4%	ReversingLabs
C:\Program Files\AX3-Driver\is-PG9F3.tmp	0%	ReversingLabs
C:\Program Files\AX3-Driver\is-SHR07.tmp	0%	ReversingLabs
C:\Program Files\AX3-Driver\unins000.exe (copy)	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_RegDLL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CUPI4.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CUPI4.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-M04BE.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-M04BE.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp	4%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
raw.githubusercontent.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://twitter.github.com/bootstrap/javascript.html#popovers	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini	0%	Avira URL Cloud	safe
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	0%	Avira URL Cloud	safe
http://www.fontbureau.com/designers/?	0%	Avira URL Cloud	safe
http://www.fontbureau.com/designersG	0%	Avira URL Cloud	safe
http://crl.microsE	0%	Avira URL Cloud	safe
http://repository.certum.pl/cscasha2.cer0	0%	Avira URL Cloud	safe
http://twitter.github.com/bootstrap/javascript.html#popovers	0%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	0%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://repository.certum.pl/cscasha2.cer0	0%	Virustotal		Browse
http://www.fontbureau.com/designers/?	0%	Virustotal		Browse
http://ocsp.sectigo.com0	0%	Avira URL Cloud	safe
http://ocsp.verisi	0%	Avira URL Cloud	safe
http://www.fontbureau.com/designers?	0%	Avira URL Cloud	safe
http://twitter.github.com/bootstrap/javascript.html#affix	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini	1%	Virustotal		Browse
http://www.openmovement.co.ukq	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	Avira URL Cloud	safe
http://www.fontbureau.com/designersG	0%	Virustotal		Browse
http://twitter.github.com/bootstrap/javascript.html#affix	0%	Virustotal		Browse
http://www.fontbureau.com/designers?	0%	Virustotal		Browse
http://www.sajatypeworks.com	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	Avira URL Cloud	safe
http://twitter.github.com/bootstrap/javascript.html#transitions	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.microsoft.co	1%	Virustotal		Browse
http://www.goodfont.co.kr	0%	Virustotal		Browse
http://www.galapagosdesign.com/staff/dennis.htm	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://twitter.github.com/bootstrap/javascript.html#transitions	0%	Virustotal		Browse
http://twitter.github.com/bootstrap/javascript.html#scrollspy	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	Virustotal		Browse
http://www.tiro.com	0%	Virustotal		Browse
https://www.remobjects.com/ps	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com01	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	Virustotal		Browse
https://www.innosetup.com/	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	Virustotal		Browse
http://www.galapagosdesign.com/DPlease	0%	Avira URL Cloud	safe
http://twitter.github.com/bootstrap/javascript.html#collapse	0%	Avira URL Cloud	safe
https://jrsoftware.org0	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	Virustotal		Browse
http://twitter.github.com/bootstrap/javascript.html#scrollspy	0%	Virustotal		Browse
http://ocsp.verisign.co	0%	Avira URL Cloud	safe
https://www.remobjects.com/ps	0%	Virustotal		Browse
http://www.sandoll.co.kr	0%	Avira URL Cloud	safe
http://www.fonts.com	0%	Avira URL Cloud	safe
https://www.innosetup.com/	1%	Virustotal		Browse
https://jrsoftware.org/	0%	Avira URL Cloud	safe
http://twitter.github.com/bootstrap/javascript.html#collapse	0%	Virustotal		Browse
http://www.urwpp.deDPlease	0%	Avira URL Cloud	safe
http://ocsp.verisign.co	1%	Virustotal		Browse
http://www.galapagosdesign.com/DPlease	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	Virustotal		Browse
http://www.certum.pl/CPS0	0%	Avira URL Cloud	safe
http://www.fonts.com	0%	Virustotal		Browse
http://www.sakkal.com	0%	Avira URL Cloud	safe
https://sectigo.com/CPS05	0%	Avira URL Cloud	safe
http://twitter.github.com/bootstrap/javascript.html#carousel	0%	Avira URL Cloud	safe
http://csc3-2009-2-aia.ve.	0%	Avira URL Cloud	safe
https://jrsoftware.org/	0%	Virustotal		Browse
http://www.innosetup.com/	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
http://www.openmovement.co.uk	0%	Avira URL Cloud	safe
http://phrogz.net/JS/_ReuseLicense.txt	0%	Avira URL Cloud	safe
http://repository.certum.pl/ctnca.cer09	0%	Avira URL Cloud	safe
http://twitter.github.com/bootstrap/javascript.html#typeahead	0%	Avira URL Cloud	safe
http://crl.certum.pl/ctnca.crl0k	0%	Avira URL Cloud	safe
http://www.modernizr.com/)	0%	Avira URL Cloud	safe
http://ocsp.usertru	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.i	0%	Avira URL Cloud	safe
http://twitter.github.com/bootstrap/javascript.html#tooltips	0%	Avira URL Cloud	safe
http://go.microsoft.	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/AX3-GUI-28.zi	0%	Avira URL Cloud	safe
http://tinyurl.com/dotnet35setup	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini3UPD	0%	Avira URL Cloud	safe
https://www.certum.pl/CPS0	0%	Avira URL Cloud	safe
https://www.verisign.c	0%	Avira URL Cloud	safe
http://go.microsoft.LinkId=42127	0%	Avira URL Cloud	safe
http://twitter.github.com/bootstrap/javascript.html#buttons	0%	Avira URL Cloud	safe
https://openmovement.googlecode.com/svn/downloads/AX3/omgui.ini	0%	Avira URL Cloud	safe
http://twitter.github.com/bootstrap/javascript.html#dropdowns	0%	Avira URL Cloud	safe
http://crl.certum.pl/cscasha2.crl0q	0%	Avira URL Cloud	safe
http://cscasha2.ocsp-certum.com04	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	Avira URL Cloud	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	Avira URL Cloud	safe
http://www.openmovement.co.uka	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://www.fontbureau.com/designers/frere-jones.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
raw.githubusercontent.com	185.199.111.133	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	AX3-GUI-45.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#popovers	is-7QH66.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.microsE	OmGui.exe, 00000010.00000002.1721430944.0000000009A9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/cscasha2.cer0	AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.verisi	drvinst.exe, 00000009.00000002.1376663620.00000279D7A14000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#affix	is-7QH66.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.microsoft.co	OmGui.exe, 00000010.00000002.1721430944.0000000009A9C000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.openmovement.co.ukq	AX3-GUI-45.exe, 00000000.00000003.1439175698.0000000000C4A000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.exe, 00000017.00000003.1817995698.00000000023BA000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.exe, 0000001F.00000003.1811571474.000000000248A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.typography.netD	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#transitions	is-7QH66.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://fontfabrik.com	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#scrollspy	is-7QH66.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.remobjects.com/ps	AX3-GUI-45.exe, 00000000.00000003.1095350311.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.exe, 00000000.00000003.1094938915.0000000002670000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000000.1096792574.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AX3-GUI-45.tmp.31.dr, is-524O8.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
https://www.innosetup.com/	AX3-GUI-45.exe, 00000000.00000003.1095350311.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.exe, 00000000.00000003.1094938915.0000000002670000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000000.1096792574.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AX3-GUI-45.tmp.31.dr, is-524O8.tmp.1.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0D	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#collapse	is-7QH66.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jrsoftware.org0	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.verisign.co	rundll32.exe, 0000000F.00000002.1324344949.0000025F700DE000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fonts.com	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sandoll.co.kr	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jrsoftware.org/	AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certum.pl/CPS0	AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS05	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#carousel	is-7QH66.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://csc3-2009-2-aia.ve.	rundll32.exe, 0000000F.00000002.1325076830.0000025F70419000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com/	setup-ax3-driver.exe, 00000004.00000003.1195303513.00000000021E8000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.exe, 00000004.00000003.1194866477.0000000002480000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000000.1195968623.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp, is-7QH66.tmp.1.dr, is-QCCS6.tmp.1.dr, is-GA9GG.tmp.1.dr, is-R9IP2.tmp.1.dr, is-233P5.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.openmovement.co.uk	AX3-GUI-45.tmp, 00000020.00000003.1807041334.00000000026BA000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://phrogz.net/JS/_ReuseLicense.txt	is-0JOM7.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/ctnca.cer09	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#typeahead	is-7QH66.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	OmGui.exe, 00000010.00000002.1708580813.0000000003471000.00000004.00000800.00020000.00000000.sdmp, OmGui.exe, 00000025.00000002.2102587867.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://www.modernizr.com/)	is-7QH66.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.usertru	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.i	OmGui.exe, 00000010.00000002.1721430944.0000000009A10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#tooltips	is-7QH66.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://go.microsoft.	OmGui.exe, 00000025.00000002.2096196339.0000000001652000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/AX3-GUI-28.zi	OmGui.exe, 00000025.00000002.2102587867.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tinyurl.com/dotnet35setup	AX3-GUI-45.tmp, 00000001.00000003.1098497033.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003894000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025EB000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000018.00000003.1814040575.00000000025FB000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.00000000025DB000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini3UPD	OmGui.exe, 00000010.00000000.1431643900.0000000000B22000.00000002.00000001.01000000.00000011.sdmp, is-E9CM8.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://www.certum.pl/CPS0	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
https://www.verisign.c	drvinst.exe, 00000009.00000002.1376663620.00000279D7A14000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#buttons	is-7QH66.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://go.microsoft.LinkId=42127	OmGui.exe, 00000025.00000002.2096196339.0000000001652000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://openmovement.googlecode.com/svn/downloads/AX3/omgui.ini	OmGui.exe, 00000025.00000002.2102587867.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#dropdowns	is-7QH66.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/cscasha2.crl0q	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://cscasha2.ocsp-certum.com04	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.0000000002590000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openmovement.co.uka	AX3-GUI-45.tmp, 00000001.00000003.1435213202.00000000026CA000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1807041334.00000000026BA000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/psU	setup-ax3-driver.exe, 00000004.00000003.1195303513.00000000021E8000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.exe, 00000004.00000003.1194866477.0000000002480000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000000.1195968623.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com	OmGui.exe, 00000010.00000002.1708580813.0000000003471000.00000004.00000800.00020000.00000000.sdmp, OmGui.exe, 00000025.00000002.2102587867.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.0000000003614000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#alerts	is-7QH66.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://github.com/digitalinteraction/openmovement/releases/download/AX3-OmGui-v28/AX3-GUI-28.zip	OmGui.exe, 00000025.00000002.2102587867.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	OmGui.exe, 00000010.00000002.1708580813.0000000003471000.00000004.00000800.00020000.00000000.sdmp, OmGui.exe, 00000025.00000002.2102587867.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	OmGui.exe, 00000010.00000002.1717835648.0000000006BB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#tabs	is-7QH66.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	setup-ax3-driver.exe, 00000004.00000003.1195303513.00000000021E8000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.exe, 00000004.00000003.1194866477.0000000002480000.00000004.00001000.00020000.00000000.sdmp, setup-ax3-driver.tmp, 00000005.00000000.1195968623.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://twitter.github.com/bootstrap/javascript.html#modals	is-7QH66.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.openmovement.co.uk:http://www.openmovement.co.uk:http://www.openmovement.co.uk	AX3-GUI-45.exe, 00000000.00000003.1093771706.0000000002670000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000001.00000003.1098497033.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/cscasha	AX3-GUI-45.tmp, 00000001.00000003.1434841149.0000000003900000.00000004.00001000.00020000.00000000.sdmp, AX3-GUI-45.tmp, 00000020.00000003.1806633669.0000000003920000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.111.133	raw.githubusercontent.com	Netherlands		54113	FASTLYUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1509202
Start date and time:	2024-09-11 09:14:58 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AX3-GUI-45.exe
Detection:	MAL
Classification:	mal64.expl.evad.winEXE@31/232@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 266 Number of non-executed functions: 68
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, TextInputHost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fp.msedge.net, fs.microsoft.com, afdxtest.z01.azurefd.net, ocsp.digicert.com, slscr.update.microsoft.com, evoke-windowsservices-tas.msedge.net, wac-ring-fallback.msedge.net, 67ede7f7f8e13aca77453ee86d773752.clo.footprintdns.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:16:32	API Interceptor	1x Sleep call for process: OmGui.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.199.111.133	M 1votFC.eml	Get hash	malicious	Unknown	Browse
	https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bce%C2%ADsme%C2%ADdia%E2%80%8B.%C2%ADv%C2%ADn/.dev/tfbft0yf/ZGlhbmUuY3JhaWdAZ3JhY2VoZWFsdGhtaS5vcmc==$%E3%80%82	Get hash	malicious	Tycoon2FA	Browse
	http://xcelenergy.zonaclimber.com/json/activeBC/justin.l.billeter@xcelenergy.com	Get hash	malicious	HTMLPhisher	Browse
	https://eu-central-1.protection.sophos.com/?d=tiktok.com&u=aHR0cHM6Ly93d3cudGlrdG9rLmNvbS8vLy8vbGluay92Mj9haWQ9MTk4OCZsYW5nPWVuRlNtUFdnJnNjZW5lPWJpb191cmwmdGFyZ2V0PWdvb2dsZS5jb20uLy8vL2FtcC9zLyVFMiU4MCU4QmMlQzIlQUR0JUMyJUFEaCVFMiU4MCU4Qi4lQzIlQUR2JUMyJUFEbi8uZGV2L0tTcEhUaEhTL2JYZHZiMlJ6UUhOell5NXVjM2N1WjI5MkxtRjE9JCVFMyU4MCU4Mg==&p=m&i=NWQwN2ZmYzMzYTI2ZjgxNDIyYzk1ZDVl&t=TXBncTdKNVIxbE4vUUNSZkZsUHZnc3YwdDVHTUM0SVFZMHhFRHdsSEJmaz0=&h=4d6999c7166643fab3b2cf307a3e9237&s=AVNPUEhUT0NFTkNSWVBUSVb-GMTbEE4rTI_ViOGlBYY0py-Up8IV-uCS_drrL8K4og4uBbd_kdu_CfA_rJxO7PTPyV6BcVDiENaJLwZqW5J9rZ6Yqn61C4tBc2kHdTZ1bRzSSZJILq9JgtGCdbMh-j8	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/lemb4ic3/YnJhbmRpLnRyeW9uQGFwZGVncmVlcy5jb20==$%E3%80%82	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://github.com/gitextensions/gitextensions/releases/download/v4.2.1/GitExtensions-4.2.1.17611-b0c0b2848.msi	Get hash	malicious	Unknown	Browse
	https://href.li/?https://w1t92zr.pedbuores.com/jv8FND/	Get hash	malicious	HTMLPhisher	Browse
	https://sinintermediarios.uy/bc/blockchain.com/email/	Get hash	malicious	Unknown	Browse
	http://anikettiwari47.github.io/Netflix	Get hash	malicious	HTMLPhisher	Browse
	Bootstrapper_1725724037599_1sly5.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	SecuriteInfo.com.Win64.MalwareX-gen.5183.18088.exe	Get hash	malicious	77Rootkit, AsyncRAT, DcRat	Browse	185.199.110.133
	VXLauncher.exe	Get hash	malicious	Empyrean, Discord Token Stealer	Browse	185.199.110.133
	Bootstrapper_1725724037599_1sly5.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	SecuriteInfo.com.Win64.PWSX-gen.14334.8980.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	scan_documet_027839.vbs	Get hash	malicious	Unknown	Browse	185.199.110.133
	Run First.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	Run First.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	SecuriteInfo.com.Win64.Evo-gen.25168.3752.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	SecuriteInfo.com.Win64.Evo-gen.25168.3752.exe	Get hash	malicious	Unknown	Browse	185.199.111.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://go.skimresources.com/?id=129857X1500501&url=https://www.freelansssssssssssssssscer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/45834840-3c14-4374-8f51-bbcadebab762?j=eyJ1IjoiNGRnZ2x2In0	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://tpsrentalsystemsgmbhcokg.freshdesk.com/support/solutions/articles/204000000107-tps-rental-systems-gmbh-co-kg	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://tpsrentalsystemsgmbhcokg.freshdesk.com/support/solutions/articles/204000000107-tps-rental-systems-gmbh-co-kg	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	http://rivestream.live	Get hash	malicious	Unknown	Browse	185.199.108.153
	https://padlet.com/julianhughes009/icm-group-rfq-flxgnyxvlatwoc3i	Get hash	malicious	Unknown	Browse	151.101.2.137
	http://gulf-uae.com/953442816569005250060051bi2sxgen-pgx-878723564006-ifxyeonkim-isxskyline-holt.comsf-1MC4w	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://spot-speckle-gardenia.glitch.me/public/rfyiyuki4342.html	Get hash	malicious	Unknown	Browse	151.101.130.137
	https://awaisni.github.io/awaisbab/index.html	Get hash	malicious	Unknown	Browse	199.232.188.159
	https://coenbseeprolgiin.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	151.101.2.188
	http://www.viundodal.serv00.net/	Get hash	malicious	Unknown	Browse	199.232.188.159

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	018292540-SuratTeguranPPI-20230814215304.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.111.133
	SecuriteInfo.com.Win32.CrypterX-gen.17091.2614.exe	Get hash	malicious	Snake Keylogger	Browse	185.199.111.133
	Enquiry.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	185.199.111.133
	Request for Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.111.133
	PO_20248099-1 12,300PCS.exe	Get hash	malicious	Snake Keylogger	Browse	185.199.111.133
	BASE OIL AND CHEMICAL PRICE INQUIRY.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.111.133
	Demande de devis.Quote Request.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	185.199.111.133
	RFQ-DL32035.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.111.133
	inquiry#60311.vbe	Get hash	malicious	Snake Keylogger	Browse	185.199.111.133
	SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20128.22369.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.111.133

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	30720
Entropy (8bit):	5.561090262634769
Encrypted:	false
SSDEEP:	768:G9ivcgdQIeVAOrajN/ccIjOBHaHi6ej0hQ:G9ikgd0Vt+h8FC6eYhQ
MD5:	5083DA882E58C045E46391E8AC35456F
SHA1:	9EAE2AA46772286D5ABA504009ED0492031BC102
SHA-256:	BB2B868D313942BAFEDF896F19C7BE8CA91725A44C29E916DB8FBFB837087EE2
SHA-512:	1CE7025532A3E98FD420A5EAF5BC0E2BCCCB1141AD803C01F8D286805029932DB41EDDDAFAF97FC6300061D6570980E4F79B219E89D3FD25DD6337923F63D304
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H`c...........!..0..n..........n.... ........... ....................................@.....................................O................................................................................... ............... ..H............text...tm... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B................P.......H........:...Q..........................................................^~....-.s.........~.....0...........s....}.....s....}.....(............s......}.......{....(.......{....~....(....&........s......}.......{....(.......{....~....(....&.l(....r...p(............s......}.......{....(.......{....~....(?...&...0............(.......(........................"..(........0..F........{....-=.&(....&...{....,....{....(.......{....,....{....(......}....F.(G...,...s....z.0..X...

C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1641984
Entropy (8bit):	7.012562124222005
Encrypted:	false
SSDEEP:	49152:s+4PCNQWsNQWsNQWsNQWsNQWsNQWh4NQW:sMuuuuuU
MD5:	12FEEE099449453BA386F8FBA6C72090
SHA1:	4BE776CF3F768BAD8F10CA885227494972CBCEBE
SHA-256:	E96445F1DEA2B0B630ADE704C5C478C0E50A71645473F11297FE7DED2D9F9197
SHA-512:	E21262C048DAA24BDAEF0F08D544CE06ADE5DF32D99D8D1967F76984AA8ED3780B8E8E03F2C0FE873D578BC52AA0A49F5A814D4B6146BCE13BC65CEEBEE6F95E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2H`c..............0......~........... ........@.. .......................`............@.....................................O.......8{...................@......t................................................ ............... ..H............text...\.... ...................... ..`.rsrc...8{.......\|..................@..@.reloc.......@......................@..B.......................H.......0>...;...........y...0............................................( ....0...........(.......(......................0..........~!.....~!.....i......~!.....o......-}...I...("...(#...tI...}....~!............($...-....J...("...(#...tJ...}....~!............($...-....K...("...(#...tK...}.......0..............7.....~....}........Yn(%...}.......}........Yn(%...}.......}...... .@. (&... ...._-..+. ...@`(&... ...._-..+. ....`}........('.....((...s....}.......}.......o....&*

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\64x64 converter.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3527
Entropy (8bit):	7.81337128585813
Encrypted:	false
SSDEEP:	96:9Ss5YRxkYjabEg39Q5aS4iJ7fPWdSfCwIc31:9Ss5Yrjaob5/VJr+k9
MD5:	CED13F367E9FDF9CB2045DDBFC606D6B
SHA1:	7C872ABCF649631BA513C43621605610D9125E95
SHA-256:	27BC1E463A8F3FD3C193CC5E91A463C356E39D5E81EE45FEDC54BB070B5FC895
SHA-512:	D2F7A6FBE8AD134F2073AEB76BDBF4D06922193275F72CE8DD6288EE026E7EF66410377FEF45F22355A70FCCFBE198379F1D55C4BA5D041DE96CA088B0BBAD0D
Malicious:	false
Preview:	.PNG........IHDR...@...@......iq.... cHRM..z%..............u0...`..:....o._.F....bKGD.......C......pHYs.................vpAg...@...@....`....IDATx...k%wv.?.G..}..j..v.3....!.3a..`<.U..&.@..@.!x.E...l.....<..6.......n...-..V..nK.U../...RU....d ...z.U.\|..T..&4..MhB...&....I.\|..g.q.....E.R..B...!PJ....:q..{.....Zks.Zk.R...xzz...\.~.W_}.O>..w. .Sc.o.V.Ave.>N@..+{}..Y9..Z..`./..w...>.h.Z.....>@)..`0..(.^.>..XQ.Ya.pZ.....,......m..Mk..B......-.S.....O..jS.....g.b.......5..@.....B(.(..8..1f.Z..Q.-.q<..t.. ...d.y.....K.v..crfj.AJ9. ...>_....U^..&ss/...,.Q....Xk.t:...ju.T..!..p^.QsB..... ...c,R..69.x..f...Zbq.......H..!..!.V....!.y...Honn6...Og......oY..8..u.."E..D..k.V:.....0U.>q._\|H..36..+....8..^..c..s.....L....@DQtz...Y...f....{<....._..S.+ ....%..P.....[..l............\..>..\\|.,.\Fk.c........8...(...$.._1.~....$.}.8..8....=juK.\|...-..9......\Xy..2S.@Yp~f.\`.A.s.....G4.^......WQ,.S,,>......wx.w.s.....0...8N.g. [m.+,.h.a._x..[4[..Gq....R(3

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA Convertor.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563200
Entropy (8bit):	6.741829920311703
Encrypted:	false
SSDEEP:	12288:+l+vI0vyog/UpQ87Lx97MYpk62gSp01ldMIicFIz/Fa5wbevozdw1:+l+g6kUW8Xx9ogDSp01lXicFIDFa5jvo
MD5:	15B477AA57D8F81CD251D38CA7CB84C6
SHA1:	CA9A478EDE26638F0D881D1643CAC98C3AFE5F49
SHA-256:	822F9397A57EE1A5B4D2A25FE4031F5EB960166AC20F3FF7AA417259EF8F403E
SHA-512:	2B42BC91E3596F16C76D35C6C3DFFBB04735C6AB96ABC6C61E6FFE34BBB0EE5F791FFAA7D4ADB9C6CD15E74E42B67292F4CF940CF9222AE9DD515658DDE6FAF3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7+..Yx..Yx..Yx..x..Yx..x..Yx..x..Yx...x..Yx..Xx..Yx..x..Yx..x..YxRich..Yx................PE..L...#..O.........................................@..................................y....@..................................A..(................................2.................................8<..@............................................text............................... ..`.rdata..............................@..@.data...DC...P... ...<..............@....rsrc................\..............@..@.reloc...:.......:...^..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA Convertor.gif (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	GIF image data, version 89a, 128 x 128
Category:	dropped
Size (bytes):	7303
Entropy (8bit):	7.827464019436164
Encrypted:	false
SSDEEP:	192:b8yxqckNOgKtcKdAOs/GOR9nDyoQCl1xdjGTlD/uzcV/:bbx9bSKoHDyoQClExGi/
MD5:	BDFA0CCB43714B182B9EEE4A0CF0DC9A
SHA1:	14AE738BC83FE1004B9879F3BD72100E74E215C1
SHA-256:	ED334BA309B7DC4EB164B135E6EC95AC270767C528C7AB649B2AC8FD7EC5C8CA
SHA-512:	3925369D595CEC2693421FACDBDD76562AD75A56E74C87B41303944A85BECD22A133D3921B02E420E75D63D18953E278E18FB8E4A3CE0CD3FF6F5C7BE516ABC3
Malicious:	false
Preview:	GIF89a.....................xi~................................+5.MV.JU..(.'=.J].....!.3K.AW...)..+..5.8Q.C].DZ.Pg.CU.Zm.Vh.aq.`h.....3../..<..<..D.&L.$G.-Q.3V.:\.5R.>`.Dd.Hg.Ii.Ii.Ki.Kk.Lh.Mk.Ro.Sq.[v.e..w..p..}..t..v.....@d.Ae.Eh.Gk.Gi.Gh.Gk.Im.Ik.Im.Ik.Ko.Km.Kk.Lm.Nn.Or.Rs.Ut.Vx.]\|.Zw.k..`x....Ek.Lp.Jo.b.....e..m..{......z................................................................D.......M...Y....Y..e.5..L.h......2..=..G.Y..i........u..z..\|..~.....w...5..A..@.G.G..V.Q.._.P..o.f..u..u..{......w..v..{............#.~%..+..2..3..9..>.9.=..B..D..D..E..G..G..G.C..I..I.A..L..L..Q..R..V..T..[..c..g..m..s....`...u.q..k...4..B.{5..F..G..I..I..J..K..K..K..N..S..V..[.zO..{....u.........B..M....c.....................................!.......,...............H......\......z4.H.........c.. C...0...?`.@....Cp.....`..Sf.._........C..P../.0H@J..B..Vty...V..:../..]..k..;....A-.0..h.../.0..KX.[.0b...$H..E.K..E....t..C...CO..C.i.@..H.9....

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA Convertor.plugin (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.0566730094007655
Encrypted:	false
SSDEEP:	24:qTFLURr94A/4VqEQVC/YFTszIRuXgigDDNNbT1JxFK8:EiRr9T/4Vqp4AFMouXrYNpT1HFb
MD5:	C128D6CD61111599FCBE7BB46EDB1904
SHA1:	CDF9CEC9BA07708A12D0A02D50E0122385FA253F
SHA-256:	944D208A5720B207B61144149546F9F50FB48B7281DF8BCE33EB114E20BB95C6
SHA-512:	74E5A34E3A019D395D5E71BBB9629F6C4C9EE4233C79406898FBCFE673A2B3F753A9C75AA95A54821012EB3794AF1E880A8ACBBA31DB4899270C6DF0FD1D5E53
Malicious:	false
Preview:	<?xml version='1.0'?>.. This is a sample XML document -->..<Plugin>...<height>500</height>...<width>700</width>...<runFilePath>OMPA Convertor.exe</runFilePath>...<htmlFilePath>OMPA convertor.html</htmlFilePath>...<savedValuesFilePath>saved.xml</savedValuesFilePath>...<iconName>64x64 converter.ico</iconName>...<description>Converts binary .cwa files to application-friendly formats. Current version supports specifying a time-slice via the data preview pane. Optional output streams (battery, light, temperature). Multiple timestamp formats available.</description>...<fileName>Convert_CWA</fileName>...<readableName>Convert CWA</readableName>...<outputFile>.csv .wav .raw</outputFile>...<inputFile>.cwa</inputFile>...<wantMetadata>true</wantMetadata>...<outputExtensions>....<extension>csv</extension>...</outputExtensions>...<defaultValues>....<bodyMass>80</bodyMass>....<percentage>0.22</percentage>....<fileStart>fileStart</fileStart>....<fileEnd>fileEnd</fileEnd>...</defaultValues>...<crea

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA convertor.html (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	HTML document, ASCII text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	11977
Entropy (8bit):	5.193366025833501
Encrypted:	false
SSDEEP:	192:kVsDIzjpambe4Ec4h25Uw4aCqtYoqy2qoglZQtpYGTmpo/8pWV9:qtq4Ec4hUr4aLYoqUCX
MD5:	1A82547F921A171DCF86F23191BFD318
SHA1:	1CBE6268FC5FFE12A4A707205D0FCC64866A7236
SHA-256:	E4BD06AA60D4577B6AA586E05EDB9D5B1250599C01C1140C6D88B614B9A0E103
SHA-512:	420651FDEFF17D16307E875CDD632B5CB7ED54E588BFB8D870AB43BC2E4B402913BE748334D431D5CC9F8663F6C680470E71E6BED297623560F09856E2BFDBEE
Malicious:	false
Preview:	<!DOCTYPE html> ..<html>..<meta http-equiv="X-UA-Compatible" content="IE=Edge" />..<meta charset="utf-8">...<title>OpenMovement Converter</title>...<link href="./css/bootstrap-responsive.css" rel="stylesheet">...<link href="./css/bootstrap.css" rel="stylesheet">...<link href="./css/page.css" rel="stylesheet">...<script type="text/javascript" src="./js/jquery.min.js"></script>...<script type="text/javascript" src="./js/bootstrap.js"></script> ...<script type="text/javascript" src="./js/bootstrap.min.js"></script>.....<script language="javascript">..function positionLogo() {...document.getElementById('logo').style.left = document.getElementById('content').offsetLeft + 'px';..}....</script>.... Leave this script as it is otherwise the program won't pick it up and it won't run. -->..<script language="javascript" type="text/javascript">.. //var $ = function (e) { return document.getElementById(e); }......var blockStart = -1;...var blockCount = -1;......function fillValues()...{....va

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\bootstrap-responsive.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23220
Entropy (8bit):	5.0206455590077885
Encrypted:	false
SSDEEP:	384:yM1758/eDV9grZKb5u5Ru11zNFnyQCglOfWwRnE+A6V22zHtTjg:/8GDV9grZKbgUzWQCglOfWwRnE+/DzNA
MD5:	E46CE2784F902577C2E2858BAF1536F0
SHA1:	B87C9AF4988D92BCFBA4CE80F1BBF267774E115F
SHA-256:	489239002725E88D06FFFC788210A60C249D401F00C2BE2254F130F6251D2002
SHA-512:	B822F632A842A070A2A7FB1CFC7A184CAE6219676273CE63B57096FB0C0F39DA7735EE240BB5652F1AE14238D3494AC930395D936EF5BCB6F7552053D375CDE0
Malicious:	false
Preview:	/!.. Bootstrap Responsive v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.....clearfix {.. zoom: 1;..}.....clearfix:before,...clearfix:after {.. display: table;.. line-height: 0;.. content: "";..}.....clearfix:after {.. clear: both;..}.....hide-text {.. font: 0/0 a;.. color: transparent;.. text-shadow: none;.. background-color: transparent;.. border: 0;..}.....input-block-level {.. display: block;.. width: 100%;.. min-height: 30px;.. -webkit-box-sizing: border-box;.. -moz-box-sizing: border-box;.. box-sizing: border-box;..}....@-ms-viewport {.. width: device-width;..}.....hidden {.. display: none;.. visibility: hidden;..}.....visible-phone {.. display: none !important;..}.....visible-tablet {.. display: none !important;..}.....hidden-desktop {.. display: none !important;..}....

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\bootstrap-responsive.min.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (16608), with CRLF line terminators
Category:	dropped
Size (bytes):	16858
Entropy (8bit):	5.2955772749108
Encrypted:	false
SSDEEP:	384:dd7eicOM8quuhu93fUacuMZoUCfl4UX94Vp1XP:dPcVDmfUac1ZQt4UX96L
MD5:	B0C3EF20C73BC861FF157EAB023DD09C
SHA1:	FEE31889CF7E7B1531BF61D8109BE2A6007853D6
SHA-256:	754073D316DAB747E1634E26EE4FB71EBF38314C24701946812C0E7506242560
SHA-512:	CB61A0F24025F2C702E0A5EEC5BA6E94AE108A543C21C61445188C4741DB66A27D7195234D8ED992BCE7793C667F7E4041E2E102C87C55C2070BD608CF8ED2A7
Malicious:	false
Preview:	/!.. Bootstrap Responsive v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.clearfix{zoom:1}.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}.hide-text{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.input-block-level{display:block;width:100%;min-height:30px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}@-ms-viewport{width:device-width}.hidden{display:none;visibility:hidden}.visible-phone{display:none!important}.visible-tablet{display:none!important}.hidden-desktop{display:none!important}.visible-desktop{display:inherit!important}@media(min-width:768px) and (max-width:979px){.hidden-desktop{display:inherit!important}.visible-desktop{display:none!important}.visible-tablet{display:inherit!importa

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\bootstrap.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	133405
Entropy (8bit):	5.11593362125808
Encrypted:	false
SSDEEP:	768:3ofP4Kjze9ROUT1aEXxUKPrsPHOR1sqY+R9Ef:3ofAh9kKHXYORmJf
MD5:	580599C144EF378851955472462F8602
SHA1:	477A15BEDFC71B900F7B623725FC2693E6304AAB
SHA-256:	4DA0DD04B0D7747EB30270FE7758BAC2CBF8371ECA251257553E9B489FD229FD
SHA-512:	4C4D00E70A7C0C6999B237D5466F7EC099B4445BF1A4A9561374D192422C4F41E7C60374BFA0C6DC8D6AF0C8866AE131DD29B82480B60DA93F22108760B1339A
Malicious:	false
Preview:	/!.. Bootstrap v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.....clearfix {.. zoom: 1;..}.....clearfix:before,...clearfix:after {.. display: table;.. line-height: 0;.. content: "";..}.....clearfix:after {.. clear: both;..}.....hide-text {.. font: 0/0 a;.. color: transparent;.. text-shadow: none;.. background-color: transparent;.. border: 0;..}.....input-block-level {.. display: block;.. width: 100%;.. min-height: 30px;.. -webkit-box-sizing: border-box;.. -moz-box-sizing: border-box;.. box-sizing: border-box;..}....article,..aside,..details,..figcaption,..figure,..footer,..header,..hgroup,..nav,..section {.. display: block;..}....audio,..canvas,..video {.. display: inline-block;.. display: inline;.. zoom: 1;..}....audio:not([controls]) {.. display: none;..}....html {.. font-

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\bootstrap.min.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (65299), with CRLF line terminators
Category:	dropped
Size (bytes):	105948
Entropy (8bit):	5.180897685194033
Encrypted:	false
SSDEEP:	768:X71A8XpW5b26LVcUFPaDGObYDUXyyRsPJGaPV4LolQdUONA4QFOfUcnvGcJwjuGR:28AHR7aD4DJhzPB2UONAxtjuGR
MD5:	016623C5E5773122D7C2AC3B524DD17C
SHA1:	1ABEFD404CDD720B275CDAFB97D3EE1C87FD97EF
SHA-256:	3349EBED31517ADA35DA5294A520C4A25CB778F58785726E4B0177120FE25501
SHA-512:	C36645B0648A21D7B6F4ABD9C315B5B82EBD3D21B48E8B2184D8333C800F0D9F9256FFC0D862AE9FDC6E15A24B3247251FCA9830869A54865255F2BC6DCCAA61
Malicious:	false
Preview:	/!.. Bootstrap v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.clearfix{zoom:1}.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}.hide-text{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.input-block-level{display:block;width:100%;min-height:30px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}article,aside,details,figcaption,figure,footer,header,hgroup,nav,section{display:block}audio,canvas,video{display:inline-block;display:inline;zoom:1}audio:not([controls]){display:none}html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}a:hover,a:active{outline:0}sub,sup{position:relative

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\is-93OIK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23220
Entropy (8bit):	5.0206455590077885
Encrypted:	false
SSDEEP:	384:yM1758/eDV9grZKb5u5Ru11zNFnyQCglOfWwRnE+A6V22zHtTjg:/8GDV9grZKbgUzWQCglOfWwRnE+/DzNA
MD5:	E46CE2784F902577C2E2858BAF1536F0
SHA1:	B87C9AF4988D92BCFBA4CE80F1BBF267774E115F
SHA-256:	489239002725E88D06FFFC788210A60C249D401F00C2BE2254F130F6251D2002
SHA-512:	B822F632A842A070A2A7FB1CFC7A184CAE6219676273CE63B57096FB0C0F39DA7735EE240BB5652F1AE14238D3494AC930395D936EF5BCB6F7552053D375CDE0
Malicious:	false
Preview:	/!.. Bootstrap Responsive v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.....clearfix {.. zoom: 1;..}.....clearfix:before,...clearfix:after {.. display: table;.. line-height: 0;.. content: "";..}.....clearfix:after {.. clear: both;..}.....hide-text {.. font: 0/0 a;.. color: transparent;.. text-shadow: none;.. background-color: transparent;.. border: 0;..}.....input-block-level {.. display: block;.. width: 100%;.. min-height: 30px;.. -webkit-box-sizing: border-box;.. -moz-box-sizing: border-box;.. box-sizing: border-box;..}....@-ms-viewport {.. width: device-width;..}.....hidden {.. display: none;.. visibility: hidden;..}.....visible-phone {.. display: none !important;..}.....visible-tablet {.. display: none !important;..}.....hidden-desktop {.. display: none !important;..}....

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\is-BVQ2P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1804
Entropy (8bit):	5.09134159779664
Encrypted:	false
SSDEEP:	48:W/7d3J5Ozvk4QKhQoEXnZBC5UHsUMopRcZbBh:W/RD0HQK6oEXn/wUMLosZ
MD5:	404B511780FED84B57626F82B83CEF70
SHA1:	7AFEE211414F83080C7ABC1B32AC120F144E6681
SHA-256:	D2D92767B7A8743B89368CF353748DA2AAFAA6509375406BC56905F4FC4DAC54
SHA-512:	D210421D09224773EDC7BA6BC1CC1D0E134FDCBB00FB844B9BE8535588E0B8A58AF260B5530284D90DA19FCE74770F985C5E5D197BB0052A07DDD6FDAB4AB31C
Malicious:	false
Preview:	....body {...width: 100%;...height: 100%;...background-color: white;...margin: 0;...padding: 0;......}....div#header {...height: 106px;...background-color: white;...width: 100%;...margin: 0;...padding: 0;...background-image: url(../img/headerbackground.png);...background-repeat: repeat-x; ..}....div#header img {...position:relative;...top: 15px;...left:10px;...transition: left 1s;...-moz-transition: left 1s; /* Firefox 4 /...-webkit-transition: left 1s; / Safari and Chrome /...-o-transition: left 1s; / Opera */..}....div#header h1 {...margin: 0;..}....div#contentHolder {...position: relative;...width:100%;...height: 1000px;...padding-top: 7px;...background-color: rgb(70,70,70);...border-image: url(../img/innerglow.png) 210 / 210px stretch stretch;..}....div#content {...position: relative;...min-height: 750px;...max-height: 1200px;...width: 90%;...margin: 0px auto 0px auto;...-moz-border-radius: 8px;.. -webkit-border-radius: 8px;...border-radius: 8px;...background-color: white;..

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\is-GA9GG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (16608), with CRLF line terminators
Category:	dropped
Size (bytes):	16858
Entropy (8bit):	5.2955772749108
Encrypted:	false
SSDEEP:	384:dd7eicOM8quuhu93fUacuMZoUCfl4UX94Vp1XP:dPcVDmfUac1ZQt4UX96L
MD5:	B0C3EF20C73BC861FF157EAB023DD09C
SHA1:	FEE31889CF7E7B1531BF61D8109BE2A6007853D6
SHA-256:	754073D316DAB747E1634E26EE4FB71EBF38314C24701946812C0E7506242560
SHA-512:	CB61A0F24025F2C702E0A5EEC5BA6E94AE108A543C21C61445188C4741DB66A27D7195234D8ED992BCE7793C667F7E4041E2E102C87C55C2070BD608CF8ED2A7
Malicious:	false
Preview:	/!.. Bootstrap Responsive v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.clearfix{zoom:1}.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}.hide-text{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.input-block-level{display:block;width:100%;min-height:30px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}@-ms-viewport{width:device-width}.hidden{display:none;visibility:hidden}.visible-phone{display:none!important}.visible-tablet{display:none!important}.hidden-desktop{display:none!important}.visible-desktop{display:inherit!important}@media(min-width:768px) and (max-width:979px){.hidden-desktop{display:inherit!important}.visible-desktop{display:none!important}.visible-tablet{display:inherit!importa

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\is-JSF5T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (65299), with CRLF line terminators
Category:	dropped
Size (bytes):	105948
Entropy (8bit):	5.180897685194033
Encrypted:	false
SSDEEP:	768:X71A8XpW5b26LVcUFPaDGObYDUXyyRsPJGaPV4LolQdUONA4QFOfUcnvGcJwjuGR:28AHR7aD4DJhzPB2UONAxtjuGR
MD5:	016623C5E5773122D7C2AC3B524DD17C
SHA1:	1ABEFD404CDD720B275CDAFB97D3EE1C87FD97EF
SHA-256:	3349EBED31517ADA35DA5294A520C4A25CB778F58785726E4B0177120FE25501
SHA-512:	C36645B0648A21D7B6F4ABD9C315B5B82EBD3D21B48E8B2184D8333C800F0D9F9256FFC0D862AE9FDC6E15A24B3247251FCA9830869A54865255F2BC6DCCAA61
Malicious:	false
Preview:	/!.. Bootstrap v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.clearfix{zoom:1}.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}.hide-text{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.input-block-level{display:block;width:100%;min-height:30px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}article,aside,details,figcaption,figure,footer,header,hgroup,nav,section{display:block}audio,canvas,video{display:inline-block;display:inline;zoom:1}audio:not([controls]){display:none}html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}a:hover,a:active{outline:0}sub,sup{position:relative

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\is-QCCS6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	133405
Entropy (8bit):	5.11593362125808
Encrypted:	false
SSDEEP:	768:3ofP4Kjze9ROUT1aEXxUKPrsPHOR1sqY+R9Ef:3ofAh9kKHXYORmJf
MD5:	580599C144EF378851955472462F8602
SHA1:	477A15BEDFC71B900F7B623725FC2693E6304AAB
SHA-256:	4DA0DD04B0D7747EB30270FE7758BAC2CBF8371ECA251257553E9B489FD229FD
SHA-512:	4C4D00E70A7C0C6999B237D5466F7EC099B4445BF1A4A9561374D192422C4F41E7C60374BFA0C6DC8D6AF0C8866AE131DD29B82480B60DA93F22108760B1339A
Malicious:	false
Preview:	/!.. Bootstrap v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.....clearfix {.. zoom: 1;..}.....clearfix:before,...clearfix:after {.. display: table;.. line-height: 0;.. content: "";..}.....clearfix:after {.. clear: both;..}.....hide-text {.. font: 0/0 a;.. color: transparent;.. text-shadow: none;.. background-color: transparent;.. border: 0;..}.....input-block-level {.. display: block;.. width: 100%;.. min-height: 30px;.. -webkit-box-sizing: border-box;.. -moz-box-sizing: border-box;.. box-sizing: border-box;..}....article,..aside,..details,..figcaption,..figure,..footer,..header,..hgroup,..nav,..section {.. display: block;..}....audio,..canvas,..video {.. display: inline-block;.. display: inline;.. zoom: 1;..}....audio:not([controls]) {.. display: none;..}....html {.. font-

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\page.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1804
Entropy (8bit):	5.09134159779664
Encrypted:	false
SSDEEP:	48:W/7d3J5Ozvk4QKhQoEXnZBC5UHsUMopRcZbBh:W/RD0HQK6oEXn/wUMLosZ
MD5:	404B511780FED84B57626F82B83CEF70
SHA1:	7AFEE211414F83080C7ABC1B32AC120F144E6681
SHA-256:	D2D92767B7A8743B89368CF353748DA2AAFAA6509375406BC56905F4FC4DAC54
SHA-512:	D210421D09224773EDC7BA6BC1CC1D0E134FDCBB00FB844B9BE8535588E0B8A58AF260B5530284D90DA19FCE74770F985C5E5D197BB0052A07DDD6FDAB4AB31C
Malicious:	false
Preview:	....body {...width: 100%;...height: 100%;...background-color: white;...margin: 0;...padding: 0;......}....div#header {...height: 106px;...background-color: white;...width: 100%;...margin: 0;...padding: 0;...background-image: url(../img/headerbackground.png);...background-repeat: repeat-x; ..}....div#header img {...position:relative;...top: 15px;...left:10px;...transition: left 1s;...-moz-transition: left 1s; /* Firefox 4 /...-webkit-transition: left 1s; / Safari and Chrome /...-o-transition: left 1s; / Opera */..}....div#header h1 {...margin: 0;..}....div#contentHolder {...position: relative;...width:100%;...height: 1000px;...padding-top: 7px;...background-color: rgb(70,70,70);...border-image: url(../img/innerglow.png) 210 / 210px stretch stretch;..}....div#content {...position: relative;...min-height: 750px;...max-height: 1200px;...width: 90%;...margin: 0px auto 0px auto;...-moz-border-radius: 8px;.. -webkit-border-radius: 8px;...border-radius: 8px;...background-color: white;..

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\cwa-convert.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	555520
Entropy (8bit):	6.7113933342053205
Encrypted:	false
SSDEEP:	12288:3nTww4skH2tol+VkVJrDHcSN+cfRf9JsFdwe:3n0nH2toYkVJrD9Z9Js
MD5:	33DD5633F19486728639D92992B080F2
SHA1:	BEDD5820CF9FC7285833AF533C3B08BFA1F4912E
SHA-256:	88CE021A699D591CBAFC1D1211399CB0E9543EB2A6843C4D07707EE374F3C7D5
SHA-512:	5DC1602F017AD27E6F36071AE6BE2A900F9C95AABA46A962AD27A62F70B175617840263D15E0CEB413F8513D2704FEE6CA2A7181D5F8BECD3027DCD15197DA03
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#..p..p..pLrQp..pLrSph.pLrRp..p.q..p.q..p.q..p.3p..p..p..p..q..p._p..p..q..pRich..p................PE..L...S..[.................:...N...............P....@.......................................@..................................3..(....p...........................6..`)..p............................)..@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...p$...@.......,..............@....rsrc........p.......@..............@..@.reloc...6.......8...B..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\cwa-convert.gif (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	GIF image data, version 89a, 128 x 128
Category:	dropped
Size (bytes):	7303
Entropy (8bit):	7.827464019436164
Encrypted:	false
SSDEEP:	192:b8yxqckNOgKtcKdAOs/GOR9nDyoQCl1xdjGTlD/uzcV/:bbx9bSKoHDyoQClExGi/
MD5:	BDFA0CCB43714B182B9EEE4A0CF0DC9A
SHA1:	14AE738BC83FE1004B9879F3BD72100E74E215C1
SHA-256:	ED334BA309B7DC4EB164B135E6EC95AC270767C528C7AB649B2AC8FD7EC5C8CA
SHA-512:	3925369D595CEC2693421FACDBDD76562AD75A56E74C87B41303944A85BECD22A133D3921B02E420E75D63D18953E278E18FB8E4A3CE0CD3FF6F5C7BE516ABC3
Malicious:	false
Preview:	GIF89a.....................xi~................................+5.MV.JU..(.'=.J].....!.3K.AW...)..+..5.8Q.C].DZ.Pg.CU.Zm.Vh.aq.`h.....3../..<..<..D.&L.$G.-Q.3V.:\.5R.>`.Dd.Hg.Ii.Ii.Ki.Kk.Lh.Mk.Ro.Sq.[v.e..w..p..}..t..v.....@d.Ae.Eh.Gk.Gi.Gh.Gk.Im.Ik.Im.Ik.Ko.Km.Kk.Lm.Nn.Or.Rs.Ut.Vx.]\|.Zw.k..`x....Ek.Lp.Jo.b.....e..m..{......z................................................................D.......M...Y....Y..e.5..L.h......2..=..G.Y..i........u..z..\|..~.....w...5..A..@.G.G..V.Q.._.P..o.f..u..u..{......w..v..{............#.~%..+..2..3..9..>.9.=..B..D..D..E..G..G..G.C..I..I.A..L..L..Q..R..V..T..[..c..g..m..s....`...u.q..k...4..B.{5..F..G..I..I..J..K..K..K..N..S..V..[.zO..{....u.........B..M....c.....................................!.......,...............H......\......z4.H.........c.. C...0...?`.@....Cp.....`..Sf.._........C..P../.0H@J..B..Vty...V..:../..]..k..;....A-.0..h.../.0..KX.[.0b...$H..E.K..E....t..C...CO..C.i.@..H.9....

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\cwa-convert.html (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	HTML document, ASCII text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	11977
Entropy (8bit):	5.193366025833501
Encrypted:	false
SSDEEP:	192:kVsDIzjpambe4Ec4h25Uw4aCqtYoqy2qoglZQtpYGTmpo/8pWV9:qtq4Ec4hUr4aLYoqUCX
MD5:	1A82547F921A171DCF86F23191BFD318
SHA1:	1CBE6268FC5FFE12A4A707205D0FCC64866A7236
SHA-256:	E4BD06AA60D4577B6AA586E05EDB9D5B1250599C01C1140C6D88B614B9A0E103
SHA-512:	420651FDEFF17D16307E875CDD632B5CB7ED54E588BFB8D870AB43BC2E4B402913BE748334D431D5CC9F8663F6C680470E71E6BED297623560F09856E2BFDBEE
Malicious:	false
Preview:	<!DOCTYPE html> ..<html>..<meta http-equiv="X-UA-Compatible" content="IE=Edge" />..<meta charset="utf-8">...<title>OpenMovement Converter</title>...<link href="./css/bootstrap-responsive.css" rel="stylesheet">...<link href="./css/bootstrap.css" rel="stylesheet">...<link href="./css/page.css" rel="stylesheet">...<script type="text/javascript" src="./js/jquery.min.js"></script>...<script type="text/javascript" src="./js/bootstrap.js"></script> ...<script type="text/javascript" src="./js/bootstrap.min.js"></script>.....<script language="javascript">..function positionLogo() {...document.getElementById('logo').style.left = document.getElementById('content').offsetLeft + 'px';..}....</script>.... Leave this script as it is otherwise the program won't pick it up and it won't run. -->..<script language="javascript" type="text/javascript">.. //var $ = function (e) { return document.getElementById(e); }......var blockStart = -1;...var blockCount = -1;......function fillValues()...{....va

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\cwa-convert.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3527
Entropy (8bit):	7.81337128585813
Encrypted:	false
SSDEEP:	96:9Ss5YRxkYjabEg39Q5aS4iJ7fPWdSfCwIc31:9Ss5Yrjaob5/VJr+k9
MD5:	CED13F367E9FDF9CB2045DDBFC606D6B
SHA1:	7C872ABCF649631BA513C43621605610D9125E95
SHA-256:	27BC1E463A8F3FD3C193CC5E91A463C356E39D5E81EE45FEDC54BB070B5FC895
SHA-512:	D2F7A6FBE8AD134F2073AEB76BDBF4D06922193275F72CE8DD6288EE026E7EF66410377FEF45F22355A70FCCFBE198379F1D55C4BA5D041DE96CA088B0BBAD0D
Malicious:	false
Preview:	.PNG........IHDR...@...@......iq.... cHRM..z%..............u0...`..:....o._.F....bKGD.......C......pHYs.................vpAg...@...@....`....IDATx...k%wv.?.G..}..j..v.3....!.3a..`<.U..&.@..@.!x.E...l.....<..6.......n...-..V..nK.U../...RU....d ...z.U.\|..T..&4..MhB...&....I.\|..g.q.....E.R..B...!PJ....:q..{.....Zks.Zk.R...xzz...\.~.W_}.O>..w. .Sc.o.V.Ave.>N@..+{}..Y9..Z..`./..w...>.h.Z.....>@)..`0..(.^.>..XQ.Ya.pZ.....,......m..Mk..B......-.S.....O..jS.....g.b.......5..@.....B(.(..8..1f.Z..Q.-.q<..t.. ...d.y.....K.v..crfj.AJ9. ...>_....U^..&ss/...,.Q....Xk.t:...ju.T..!..p^.QsB..... ...c,R..69.x..f...Zbq.......H..!..!.V....!.y...Honn6...Og......oY..8..u.."E..D..k.V:.....0U.>q._\|H..36..+....8..^..c..s.....L....@DQtz...Y...f....{<....._..S.+ ....%..P.....[..l............\..>..\\|.,.\Fk.c........8...(...$.._1.~....$.}.8..8....=juK.\|...-..9......\Xy..2S.@Yp~f.\`.A.s.....G4.^......WQ,.S,,>......wx.w.s.....0...8N.g. [m.+,.h.a._x..[4[..Gq....R(3

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\cwa-convert.plugin (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1031
Entropy (8bit):	4.980312923623659
Encrypted:	false
SSDEEP:	24:qTLjdsRyeK94A/4VqEQVC/YFTszIRuXgigDDNNjjjvTpxFK8:ELZsRyD9T/4Vqp4AFMouXrYNRjjvTnFb
MD5:	75220D8A8A097043744CC0C7DAE8A059
SHA1:	54BFEF1EEA080EF3343A84FE907462152EA16920
SHA-256:	FF7421F04B2E7E6BC63F319C14D72D9579997E7B0D0E2531998BB8720B629C1B
SHA-512:	F543E061AFF30C5156F79E7DD1AA3404EE6D7F80915746B9BDF87A99FF9084D04794487EF5043A89014833A79A048E2EC30F2F2FAC893D49C1675D5D1CDF3F18
Malicious:	false
Preview:	<?xml version='1.0'?>.. This is a sample XML document -->..<Plugin>...<height>500</height>...<width>700</width>...<runFilePath>cwa-convert.exe</runFilePath>...<htmlFilePath>cwa-convert.html</htmlFilePath>...<savedValuesFilePath>saved.xml</savedValuesFilePath>...<iconName>cwa-convert.ico</iconName>...<description>Converts binary .cwa files to application-friendly formats. Current version supports specifying a time-slice via the data preview pane. Optional output streams (battery, light, temperature). Multiple timestamp formats available.</description>...<fileName>Convert_CWA</fileName>...<readableName>Convert CWA</readableName>...<outputFile>.csv .wav .raw</outputFile>...<inputFile>.cwa</inputFile>...<wantMetadata>true</wantMetadata>...<outputExtensions>....<extension>csv</extension>....<extension>wav</extension>....<extension>raw</extension>...</outputExtensions>...<defaultValues>....<fileStart>fileStart</fileStart>....<fileEnd>fileEnd</fileEnd>...</defaultValues>...<createsOutput>

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\analyze.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 235 x 211, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	29667
Entropy (8bit):	7.9824063070829325
Encrypted:	false
SSDEEP:	768:a35VJEyIjCSfZCM+E0CrmlvyX9bHUQzSUNB:cEfj3t+oCxy9gsn
MD5:	E2750427F8F660E4A6C36328AC604037
SHA1:	67C00EF19383B9D55D403B6955A3D9FE2424A830
SHA-256:	1DA61C3C2417EED94DDA50EDC9809DBF1A81DEF8F8EEB1C577DA6D23B7327ABB
SHA-512:	C4FBC6895D60A661ECA3EEBF9CE93FB62F95D2AEBC281D9C8FA673E71F7541C64DBC1FC7DF661ABB9704473760DC31C42183583B873D774E01847D04BA395B94
Malicious:	false
Preview:	.PNG........IHDR.............`#......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\background left.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 270 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	10675
Entropy (8bit):	7.855792547882974
Encrypted:	false
SSDEEP:	192:QSDS0tKg9E05TV3AhGhrR2ER422yJGMSfGsxKhe:3JXE05/2ER3tSfGEEe
MD5:	6622F06BA0239A047BA5F75DE1E40935
SHA1:	CBBD0EBE6B97427789888EC9826490687B6705B2
SHA-256:	2B16813F80DEF0F4569B88FDE041FA58BCE96C24221436E994EE265801BF225D
SHA-512:	D7693BFBE7A5311D375EC8D6920D411F5FC0FFE63E3FF33F50526F095C986B33AA494060D0661EBC359C408DDEBEABC5484E3EFF79DB944563A1D0FDE7B499F1
Malicious:	false
Preview:	.PNG........IHDR.............ZF......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\background middle.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 787 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4140
Entropy (8bit):	5.514702010098084
Encrypted:	false
SSDEEP:	96:NxQY9fW/9RIAAssrTAdZR2zqq11AAssKAxaWsYecssHGGmqq11AAsssHGmqqq11r:NxU/DIAAss+ZR2zqq11AAssKAxaW1ss6
MD5:	C2E958A624B5FABD241277E3E693F4A2
SHA1:	BC3C845E83FB79EC5331090E3E634CC69F3E2B6A
SHA-256:	81C38EBE8D0C41BDCEBD42CD7A09F8537C1B0BD8131019C7C885ABBE94AEAA39
SHA-512:	2FAAE2695C6DD4386C0BD690364B54BD2E9F464BAFDECF05FD69E693941CD25BBD25A044827154308A8E39080AA2712D2451B34C6077229718FAF90D729FE33D
Malicious:	false
Preview:	.PNG........IHDR..............z.2....tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:BCF20EC0435BE211BC1DEA2D3863842E" xmpMM:DocumentID="xmp.did:D6A421B3609B11E2AFD8AC757B891629" xmpMM:InstanceID="xmp.iid:D6A421B2609B11E2AFD8AC757B891629" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A74E67B6215FE211AC06F9441A82FEFD" stRef:documentID="xmp.did:BCF20EC0435BE211BC1DEA2D3863842E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..A....\IDATx....m.P.E...M..'t....=R.d.)....>..\|>.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\background right.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 309 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11142
Entropy (8bit):	7.861240065287498
Encrypted:	false
SSDEEP:	192:WSDS0tKg9E05TevtvtvcApAc/oOv7H14UyaNsbpubpApApz/MKopuTPf+lPBXqvS:5JXE05C11OkSvaNsbhpuTPfSPg11Z11I
MD5:	B71602511773A60551F70AA9BC6049DE
SHA1:	D3EFDB13568ACD0AF71743B9CA24F7B3E3D0ABD3
SHA-256:	A1E56FB8C8357790AD47FD5A88C61148CF5F90E8586917F22EC3745B5069B503
SHA-512:	B7A1433310BCEA55234A64D9F2BBA5612BB0CFF1832490A7BF7CB604747030A3759F92CC121A5BFD1CD1AAAFE324C9183890CC9CDE74F6B070F8628DE3A5FDEE
Malicious:	false
Preview:	.PNG........IHDR...5..........Ugd....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\buttonbackground.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 79 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3829
Entropy (8bit):	7.9044616542640895
Encrypted:	false
SSDEEP:	96:/SDZ/I09Da01l+gmkyTt6Hk8nTCaFhlF27faJPeDVjj:/SDS0tKg9E05TTF2fCPcVjj
MD5:	E68A8E1C7F662733E05A9E19170BB9DA
SHA1:	7F54242A562B045DCEC592D42ABCA3C0CE684163
SHA-256:	62EEA2930A491164035CE649F74F9A726374BB206C3CC51872F0EBE312C178DD
SHA-512:	507C83791E4C4623396AE8143502D574600D2D1974087312C42D901ED744FA41F34366D31586C441B23A28CF3E68710C51244DB4B9ADA4014016E70BE743ECAF
Malicious:	false
Preview:	.PNG........IHDR...O.................pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\buttonshadow.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 233 x 103, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3665
Entropy (8bit):	7.900185350830456
Encrypted:	false
SSDEEP:	96:tSDZ/I09Da01l+gmkyTt6Hk8nTWRi4KxpbF1b:tSDS0tKg9E05TWRipbF1b
MD5:	431CAB7131EB26A7694DFDCE34ACDD8D
SHA1:	7081BAD951A7C71DF8D630AE550F6E1C52654FDE
SHA-256:	CC097EB188ED451F866F863A96C93B8B717EDB0D2C443C5AC0EDC8D6A74C8738
SHA-512:	18515EF1F5CFC6F285C0E7C21383C21B8A419A75FE050529531636CF2EB1B58C78344EE7DDC896A065EB73044A4D531223E2EA6C4862EDA209B4C1B3427F9111
Malicious:	false
Preview:	.PNG........IHDR.......g......eK....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\buttonshadows.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 815 x 103, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4880
Entropy (8bit):	7.84900618092586
Encrypted:	false
SSDEEP:	96:USDZ/I09Da01l+gmkyTt6Hk8nT8VcdaI9R8nG5dNG:USDS0tKg9E05T8lER8G1G
MD5:	A94D4D23AC6EA1919A7F5F19E99EDA99
SHA1:	EAC2FFD53CEFEAAF7BBAE0CAF8A65DCECEB0B6DD
SHA-256:	B3E58EE57FDBE008453B6E2D7F75A448754A99754D57FFFF9A8F02A020DB00FF
SHA-512:	028C38AB9D20AFC278C6E7BD6918483E9A42AE4BB55331310E74CABF65AA59753E191478EF348C8991A9E72FA858AA5FA4198D87791537A0EC5752955964CF0F
Malicious:	false
Preview:	.PNG........IHDR.../...g.......}.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\contentbackground.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1 x 390, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2924
Entropy (8bit):	7.875020015401922
Encrypted:	false
SSDEEP:	48:p/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODezW:pSDZ/I09Da01l+gmkyTt6Hk8nTGW
MD5:	32E42A30831D0CCB44FF3C23F84D69FA
SHA1:	D5B884320A01E5C51E190FDD6E6ED1C8DBEEA7CE
SHA-256:	22C91ADA2FCF30B9CB358FF18347B7EFD79A5BA3F2AE3C24FD6B0FE9BD851E69
SHA-512:	BAA928F9B5E51885332B4BAED3C4CB0E6596422736E10600B817ACE0B3C1C3FB39DC16E0EAE70DC95F4EE8134643F8126BD7B43E418C34B79E56C064B9BDCEDA
Malicious:	false
Preview:	.PNG........IHDR.............5.\|.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\contentbackground428.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 2 x 1000, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3297
Entropy (8bit):	7.890112387496165
Encrypted:	false
SSDEEP:	96:dSDZ/I09Da01l+gmkyTt6Hk8nTDBdUEF5vczDo:dSDS0tKg9E05T3UE50g
MD5:	A4AB2D64E4DC771743B6293E303A1B60
SHA1:	883845E2D570FAFFE095D27940F9C081213665D9
SHA-256:	75499938CFBE25364B01DBCF686371BB2EB0ABEFB4AAEA2BB9EB8357B9140FA0
SHA-512:	DDC4098359F452FFFEBCF793597E1BA31AC9254ECE2BFD898BFD35236F342677A8436669AEB9F2F02EB8CDACDD9946052EB47FCEC3C61C50FD506D51059CA9C7
Malicious:	false
Preview:	.PNG........IHDR............../]....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\contentshadow.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 871 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4635
Entropy (8bit):	7.912550011635644
Encrypted:	false
SSDEEP:	96:qSDZ/I09Da01l+gmkyTt6Hk8nTilrjaHqiwp/9p3x:qSDS0tKg9E05Ti9jRVn
MD5:	490AB873EE03CA84F9D3DAB627B687EE
SHA1:	72EE8D63AC23FF7E01CE0512A3A04682B7B70A7A
SHA-256:	52B69E251F97C56B71B337A20086E99BB9C2F6538FDF9E7E531F97D9ED273672
SHA-512:	1E05174427162C75DE38FD27E0E8698A426646B1452A596BE54C6D466EBA9CF0A50BC4F744F027192EBBBE1BDCDCEE52C55AB990F7D3D212869DF6FFE2289CD7
Malicious:	false
Preview:	.PNG........IHDR...g..........Xdj....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\day.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 79 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4500
Entropy (8bit):	7.923978058897863
Encrypted:	false
SSDEEP:	96:/SDZ/I09Da01l+gmkyTt6Hk8nTvkQZlXRrwPgZVxV6bMY:/SDS0tKg9E05TvkQZlXxwIZVx0bMY
MD5:	009F1D5F8EF77487A8A0043816C4C995
SHA1:	D816A6017D610A005798FAE6B8139E2BC6006381
SHA-256:	C5F8B401CF15110E9EB4EC9EF28EC577A4A9A49F5744A0451D0E25F90B64467C
SHA-512:	88112FA3A1B44C8382B1CDAA9CEF69ED6DE83A50F190E9A55EF28B6B2C11AE3F6BB7C9B9E94E9E1F4999E8259A4B5F217F35BF043F22443713BBA16C9F51E3F2
Malicious:	false
Preview:	.PNG........IHDR...O.................pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\glyphicons-halflings-white.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 469 x 159, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	8777
Entropy (8bit):	7.923998391913574
Encrypted:	false
SSDEEP:	192:41MFu/STZChMGLw/LtI30ukSCeQm9F+xZdqdfQpTTTIyQY7thi7uWB:iMdZ/GLILBmWEiTTTIyQY5hi71
MD5:	9BBC6E9602998A385C2EA13DF56470FD
SHA1:	A25C4705320FD63C33790E666872910E702B9BF6
SHA-256:	F0E0D95A9C8ABCDFABF46348E2D4285829BB0491F5F6AF0E05AF52BFFB6324C4
SHA-512:	47853ECE55B43CB9CC33C8BBFAABF407389565A0FC1FD042FAC502EA96784B4CFC985EA536622843EF7FAB76AD503157C927BB57332D970AF9B3F092E4C9D5D8
Malicious:	false
Preview:	.PNG........IHDR...............{....PLTE........................mmm.................................................................................................................................................................ttt.........................bbb..................................................................eeeggg.....................................xxx...........................................................................................................................................................................................................................................................................................UUU...............................................................................................rO.....tRNS........#.._../.........o.S..?.....C..kD....O.S._........6..>4!~a..@1.._'o..n.....M...3.BQj..p&%!.l.."Xqr;... A[.<`.am}4.3/0I...PCM!6(*gK&YQ.GDP,..`.{.VP.-..x.)h.7.e1]...W..$..1..b.zS.c.O..].....U.;Zi<N#..).86pV.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\glyphicons-halflings.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 469 x 159, 8-bit gray+alpha, non-interlaced
Category:	dropped
Size (bytes):	12799
Entropy (8bit):	7.954371008999522
Encrypted:	false
SSDEEP:	192:CDrgTE80fO3w9Gw/gMmhqb/KEliZ5pjSWw5JTfvJRbNn1tgbn+qFynb21kt1kIhL:CfAc9GugMIQRl65AJzp1aoFt1gk
MD5:	2516339970D710819585F90773AEBE0A
SHA1:	84F613631B07D4FE22ACBAB50E551C0FE04BD78B
SHA-256:	D99E3FA32C641032F08149914B28C2DC6ACF2EC62F70987F2259EABBFA7FC0DE
SHA-512:	E1BB0066E619679B880F43E85C3367C57CD13411AB012A67E429B21E7FF80A1A5B8F1EB5BFAC4CC272EB2BB606341182E91FF1CF7D59CF8BD811D98EAFD71D5C
Malicious:	false
Preview:	.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<..1.IDATx..}ml\E..W..^..D$\|n.w'..;v...8.m0..k<f.8....<.h3$.. ...b,mn.... ........0...L Y`6s'.>...Q.........S......n.S.V.;1K.G...s...>Uo...TU.1c..Yu...c..a&...#C,p.....>k.......U.LW..-s.n.3V.q..~N....o...c...I.~L.....{..-....H8%_..M..w.B..6EW..,.p.......Y...2+.(Y....@..&..A./.......3kX.h....-.a.....A....<>P...'\...J.;(.}.#..Qz......:4..%m?nf.ntK.....l.9J...+.D..I..Yu1Y...Z^..(.]YYE..f@......lX..z].U.t......u...&..5-P...W.}..@t.\|.#L..Y..=..s.......,w#.+.R.+.?..a.x...X.0.."..ea).t.G....wV..w..V^...rf%xB.(.q..4>....W.G.#...lW.U<......XJV...l.....R...$k.DVr.I....7:.X<.s>%X.1...N..Ez....w...;y..9.z.9.O.%.~..~..u....*.=.....I..x.c.y}....Y(...o....u..N$.^..j......e\..iX...]..;Y-.r........&..>.!..zl.Y.aVHVN..9=..]..=.......mR..M......d...OU.C..J.UiT.}r.W...W'....u..).......F"YU.#..P......&......R.O....wyz..m..$...O.....s? +^.FT.....I.E.q.%..&.....~..>.M...}]......w..A...?.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\gradientgraph.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 947 x 390, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	117264
Entropy (8bit):	7.985263256233834
Encrypted:	false
SSDEEP:	1536:YtYlb2phWm3koaEMEYkgaV1zqVj8djBOqPl8s8lW0Yo7M3R4ZQ7higKwTIKuz1Md:E3TTWfkgYhqV2sqt8nW0Yo7+RYgwywk
MD5:	07C120F2FD1D279B30068C00AE5DC4EE
SHA1:	FB8F3101EDB6D41B6BEAAFDA7B6FCE100CA3E2C9
SHA-256:	0D13B0049DB8639F203B8A5DA7E4E8BFFCDE518CA0E87C6435C4293177AB5867
SHA-512:	BA62884DF4959FFFD26179047A16A1229098B6F7C37A6D735AD7942116D9AC7562B593875AF84C5726BFF80E9D91758DA52AEC07ED16CF2A0BC25CE57CB0D41E
Malicious:	false
Preview:	.PNG........IHDR..............6.X....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\gradientgraphsmall.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 250 x 103, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10489
Entropy (8bit):	7.965741081358159
Encrypted:	false
SSDEEP:	192:ASDS0tKg9E05Tantmof5IQV5UQbl/Ewe8k4vtX93UpauhqTNf1rPJf:nJXE05SthXRdEwWEVhKDar5
MD5:	6223ACD59C394F90D91F29CE41D70D83
SHA1:	061609B97F9027A00D5607C71041F77F4B62D458
SHA-256:	9F4ABA4B940439681C0499349F3BE94642C858FA548E152EBA13A107F8FDA772
SHA-512:	7BB4039670205454920DC3B2904F63A10E1A73FC8C0F02F4013619883A56A662E30F9232C7AB2B6891628F48BAED2DA7497B11C9FDEBD55DCE6381CB44D7EEB5
Malicious:	false
Preview:	.PNG........IHDR.......g.....)._.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\gridcontent.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 947 x 372, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	22359
Entropy (8bit):	7.7127315592693435
Encrypted:	false
SSDEEP:	384:QJXE05wJf+JX2w/e6iAWO9cDrMac3OkjlCqoPusVN3hIITl3rM3idF539dpXCxRT:M354o2w/e6iAfe/Ds7oPusL3hrTl3XZg
MD5:	931C86E8F1199B0F9E0F260E8D92E1F2
SHA1:	9A3DE2269005DCBFE6D420F522D2D72485B1D78B
SHA-256:	F79B831CBE2D4F37D5C6839513C9F8DA481CE6D463AFEECD77D72E36ECF85477
SHA-512:	47DF3058C52FFDE61B6B0C6AC721B0AD29A84805B6693DFC311DD1241AB43B6943B4BBA6D42D7554278582405A2AC55482FC4A69D01C87C31932354CC3702C59
Malicious:	false
Preview:	.PNG........IHDR.......t......lnJ....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\headerbackground.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1 x 106, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2852
Entropy (8bit):	7.867842123870298
Encrypted:	false
SSDEEP:	48:J/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODK0:JSDZ/I09Da01l+gmkyTt6Hk8nTX
MD5:	AD8AB8C5E19A7B24E060E9C6B4A8C13D
SHA1:	3553B00745DB1BC65E8AD0A224BBC49ECCEECA6F
SHA-256:	117BD3E359D760CB12B5B3F6865FA125A801269523A851542989D91413DC7A3E
SHA-512:	1CD55120C2761ECF272466B6A2E4A9568A891D209ECDF5FA5EEA5307D4DB7105898F31C2C680C621657DF7CDB2F38D606CA13684184B3A301F2166329401878D
Malicious:	false
Preview:	.PNG........IHDR.......j......D.G....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\innerglow.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1366 x 1100, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	29493
Entropy (8bit):	7.392034002277657
Encrypted:	false
SSDEEP:	768:s35g9ZhweCCYKdYk1oMnG9GZNYlKU/KNs:dZFdYKYEoMnG9GZl0Ki
MD5:	12CAD92A07320280831AC634DEAE61FE
SHA1:	D0F827A47195F5D252F865B1E1E5A75367537027
SHA-256:	0D1C39FD6E82E138B9EEE5B7650A552C9ACBA2F39A6F17F987441CD7AF853E02
SHA-512:	29DFE8D6D9508E7E9698FAD768208526C1BDB2E5A1C0197D3989FA63BD7F44FB6071C7486CEED15FF87B86E0532643CE08A29B365EECB9FBA30033ED7EBBC5CF
Malicious:	false
Preview:	.PNG........IHDR...V...L......a_.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-0GHU4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 469 x 159, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	8777
Entropy (8bit):	7.923998391913574
Encrypted:	false
SSDEEP:	192:41MFu/STZChMGLw/LtI30ukSCeQm9F+xZdqdfQpTTTIyQY7thi7uWB:iMdZ/GLILBmWEiTTTIyQY5hi71
MD5:	9BBC6E9602998A385C2EA13DF56470FD
SHA1:	A25C4705320FD63C33790E666872910E702B9BF6
SHA-256:	F0E0D95A9C8ABCDFABF46348E2D4285829BB0491F5F6AF0E05AF52BFFB6324C4
SHA-512:	47853ECE55B43CB9CC33C8BBFAABF407389565A0FC1FD042FAC502EA96784B4CFC985EA536622843EF7FAB76AD503157C927BB57332D970AF9B3F092E4C9D5D8
Malicious:	false
Preview:	.PNG........IHDR...............{....PLTE........................mmm.................................................................................................................................................................ttt.........................bbb..................................................................eeeggg.....................................xxx...........................................................................................................................................................................................................................................................................................UUU...............................................................................................rO.....tRNS........#.._../.........o.S..?.....C..kD....O.S._........6..>4!~a..@1.._'o..n.....M...3.BQj..p&%!.l.."Xqr;... A[.<`.am}4.3/0I...PCM!6(*gK&YQ.GDP,..`.{.VP.-..x.)h.7.e1]...W..$..1..b.zS.c.O..].....U.;Zi<N#..).86pV.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-1SEG0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 79 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4500
Entropy (8bit):	7.923978058897863
Encrypted:	false
SSDEEP:	96:/SDZ/I09Da01l+gmkyTt6Hk8nTvkQZlXRrwPgZVxV6bMY:/SDS0tKg9E05TvkQZlXxwIZVx0bMY
MD5:	009F1D5F8EF77487A8A0043816C4C995
SHA1:	D816A6017D610A005798FAE6B8139E2BC6006381
SHA-256:	C5F8B401CF15110E9EB4EC9EF28EC577A4A9A49F5744A0451D0E25F90B64467C
SHA-512:	88112FA3A1B44C8382B1CDAA9CEF69ED6DE83A50F190E9A55EF28B6B2C11AE3F6BB7C9B9E94E9E1F4999E8259A4B5F217F35BF043F22443713BBA16C9F51E3F2
Malicious:	false
Preview:	.PNG........IHDR...O.................pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-46VU8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 301 x 55, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7621
Entropy (8bit):	7.950162226593725
Encrypted:	false
SSDEEP:	192:/SDS0tKg9E05TLoQjvrVJ401yyFFuKacEsBK:qJXE05v3BuyyYFFEAK
MD5:	805B09E6CFFE2948E891319A5329B03B
SHA1:	C402A1E1C5C2C839E9E3AE444D452D6EBCFA863C
SHA-256:	E52721BF4652B39B3D017E26866E86320B76DC358214B157D86B3DC58334750B
SHA-512:	A23AC19A36D67242FF944B463A1B9695C4B6DE8362B3328A88E7E05DE812C3AAAD8E4D698E2CAEE6ADA0EB0BAB1F287248FF4C31CA80BBD2718FD5103179699B
Malicious:	false
Preview:	.PNG........IHDR...-...7.....Y.......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-640ON.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 815 x 103, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4880
Entropy (8bit):	7.84900618092586
Encrypted:	false
SSDEEP:	96:USDZ/I09Da01l+gmkyTt6Hk8nT8VcdaI9R8nG5dNG:USDS0tKg9E05T8lER8G1G
MD5:	A94D4D23AC6EA1919A7F5F19E99EDA99
SHA1:	EAC2FFD53CEFEAAF7BBAE0CAF8A65DCECEB0B6DD
SHA-256:	B3E58EE57FDBE008453B6E2D7F75A448754A99754D57FFFF9A8F02A020DB00FF
SHA-512:	028C38AB9D20AFC278C6E7BD6918483E9A42AE4BB55331310E74CABF65AA59753E191478EF348C8991A9E72FA858AA5FA4198D87791537A0EC5752955964CF0F
Malicious:	false
Preview:	.PNG........IHDR.../...g.......}.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-688IG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 79 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4680
Entropy (8bit):	7.929050221960049
Encrypted:	false
SSDEEP:	96:/SDZ/I09Da01l+gmkyTt6Hk8nT7XTm4V+UuyvTh1PUJY:/SDS0tKg9E05T7XTm8puyv1yJY
MD5:	69E0B7D8FAA49E5AD1A57D910A990C14
SHA1:	F6205CF0A72590EB48F1311C1A51623D054FA2AC
SHA-256:	96786E42B70A880F83143FF0D952354DE30B9B51B0F28D36381E49D7ADFE3464
SHA-512:	5936D03CC1CC302497A955F1388EEC3C73BBE12B42CAF124A5D0EA0808B67AD7E84C71D3BF06E0AF12E7AA56976CBC1ED1DCF25E6236FB88E0F962243604D0C5
Malicious:	false
Preview:	.PNG........IHDR...O.................pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-6K9NC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 947 x 372, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	22359
Entropy (8bit):	7.7127315592693435
Encrypted:	false
SSDEEP:	384:QJXE05wJf+JX2w/e6iAWO9cDrMac3OkjlCqoPusVN3hIITl3rM3idF539dpXCxRT:M354o2w/e6iAfe/Ds7oPusL3hrTl3XZg
MD5:	931C86E8F1199B0F9E0F260E8D92E1F2
SHA1:	9A3DE2269005DCBFE6D420F522D2D72485B1D78B
SHA-256:	F79B831CBE2D4F37D5C6839513C9F8DA481CE6D463AFEECD77D72E36ECF85477
SHA-512:	47DF3058C52FFDE61B6B0C6AC721B0AD29A84805B6693DFC311DD1241AB43B6943B4BBA6D42D7554278582405A2AC55482FC4A69D01C87C31932354CC3702C59
Malicious:	false
Preview:	.PNG........IHDR.......t......lnJ....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-7D19J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 309 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11142
Entropy (8bit):	7.861240065287498
Encrypted:	false
SSDEEP:	192:WSDS0tKg9E05TevtvtvcApAc/oOv7H14UyaNsbpubpApApz/MKopuTPf+lPBXqvS:5JXE05C11OkSvaNsbhpuTPfSPg11Z11I
MD5:	B71602511773A60551F70AA9BC6049DE
SHA1:	D3EFDB13568ACD0AF71743B9CA24F7B3E3D0ABD3
SHA-256:	A1E56FB8C8357790AD47FD5A88C61148CF5F90E8586917F22EC3745B5069B503
SHA-512:	B7A1433310BCEA55234A64D9F2BBA5612BB0CFF1832490A7BF7CB604747030A3759F92CC121A5BFD1CD1AAAFE324C9183890CC9CDE74F6B070F8628DE3A5FDEE
Malicious:	false
Preview:	.PNG........IHDR...5..........Ugd....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-9RV6F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 270 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	10675
Entropy (8bit):	7.855792547882974
Encrypted:	false
SSDEEP:	192:QSDS0tKg9E05TV3AhGhrR2ER422yJGMSfGsxKhe:3JXE05/2ER3tSfGEEe
MD5:	6622F06BA0239A047BA5F75DE1E40935
SHA1:	CBBD0EBE6B97427789888EC9826490687B6705B2
SHA-256:	2B16813F80DEF0F4569B88FDE041FA58BCE96C24221436E994EE265801BF225D
SHA-512:	D7693BFBE7A5311D375EC8D6920D411F5FC0FFE63E3FF33F50526F095C986B33AA494060D0661EBC359C408DDEBEABC5484E3EFF79DB944563A1D0FDE7B499F1
Malicious:	false
Preview:	.PNG........IHDR.............ZF......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-CVCKM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 79 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	7.921737244447786
Encrypted:	false
SSDEEP:	96:/SDZ/I09Da01l+gmkyTt6Hk8nTz1fGKp/56ylQ4k5QqkchRUtWvfK9:/SDS0tKg9E05TZVpR64XnfOK9
MD5:	417EC14380DFA07363B746B85CAD5BCF
SHA1:	2E3605AEAFF77E9B82BA6E36081DFF575D72C1B3
SHA-256:	29346EF5C0DAEE9E69313CDE4AD321099E806B2A787AF225D84A758C4052C631
SHA-512:	F2677219735E6302C4390811B167A61721562FF76918A885DFE6D97DB9DA6D618FC98D277408876FD9A03F11CB5B3EB79F80C58650ED78A5EBB2F2460ECE1092
Malicious:	false
Preview:	.PNG........IHDR...O.................pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-DBMQR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 250 x 103, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10489
Entropy (8bit):	7.965741081358159
Encrypted:	false
SSDEEP:	192:ASDS0tKg9E05Tantmof5IQV5UQbl/Ewe8k4vtX93UpauhqTNf1rPJf:nJXE05SthXRdEwWEVhKDar5
MD5:	6223ACD59C394F90D91F29CE41D70D83
SHA1:	061609B97F9027A00D5607C71041F77F4B62D458
SHA-256:	9F4ABA4B940439681C0499349F3BE94642C858FA548E152EBA13A107F8FDA772
SHA-512:	7BB4039670205454920DC3B2904F63A10E1A73FC8C0F02F4013619883A56A662E30F9232C7AB2B6891628F48BAED2DA7497B11C9FDEBD55DCE6381CB44D7EEB5
Malicious:	false
Preview:	.PNG........IHDR.......g.....)._.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-F3LGB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 235 x 211, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	29667
Entropy (8bit):	7.9824063070829325
Encrypted:	false
SSDEEP:	768:a35VJEyIjCSfZCM+E0CrmlvyX9bHUQzSUNB:cEfj3t+oCxy9gsn
MD5:	E2750427F8F660E4A6C36328AC604037
SHA1:	67C00EF19383B9D55D403B6955A3D9FE2424A830
SHA-256:	1DA61C3C2417EED94DDA50EDC9809DBF1A81DEF8F8EEB1C577DA6D23B7327ABB
SHA-512:	C4FBC6895D60A661ECA3EEBF9CE93FB62F95D2AEBC281D9C8FA673E71F7541C64DBC1FC7DF661ABB9704473760DC31C42183583B873D774E01847D04BA395B94
Malicious:	false
Preview:	.PNG........IHDR.............`#......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-F62HD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 79 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3829
Entropy (8bit):	7.9044616542640895
Encrypted:	false
SSDEEP:	96:/SDZ/I09Da01l+gmkyTt6Hk8nTCaFhlF27faJPeDVjj:/SDS0tKg9E05TTF2fCPcVjj
MD5:	E68A8E1C7F662733E05A9E19170BB9DA
SHA1:	7F54242A562B045DCEC592D42ABCA3C0CE684163
SHA-256:	62EEA2930A491164035CE649F74F9A726374BB206C3CC51872F0EBE312C178DD
SHA-512:	507C83791E4C4623396AE8143502D574600D2D1974087312C42D901ED744FA41F34366D31586C441B23A28CF3E68710C51244DB4B9ADA4014016E70BE743ECAF
Malicious:	false
Preview:	.PNG........IHDR...O.................pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-GD1MQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1 x 390, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2924
Entropy (8bit):	7.875020015401922
Encrypted:	false
SSDEEP:	48:p/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODezW:pSDZ/I09Da01l+gmkyTt6Hk8nTGW
MD5:	32E42A30831D0CCB44FF3C23F84D69FA
SHA1:	D5B884320A01E5C51E190FDD6E6ED1C8DBEEA7CE
SHA-256:	22C91ADA2FCF30B9CB358FF18347B7EFD79A5BA3F2AE3C24FD6B0FE9BD851E69
SHA-512:	BAA928F9B5E51885332B4BAED3C4CB0E6596422736E10600B817ACE0B3C1C3FB39DC16E0EAE70DC95F4EE8134643F8126BD7B43E418C34B79E56C064B9BDCEDA
Malicious:	false
Preview:	.PNG........IHDR.............5.\|.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-HG7KC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 947 x 390, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	117264
Entropy (8bit):	7.985263256233834
Encrypted:	false
SSDEEP:	1536:YtYlb2phWm3koaEMEYkgaV1zqVj8djBOqPl8s8lW0Yo7M3R4ZQ7higKwTIKuz1Md:E3TTWfkgYhqV2sqt8nW0Yo7+RYgwywk
MD5:	07C120F2FD1D279B30068C00AE5DC4EE
SHA1:	FB8F3101EDB6D41B6BEAAFDA7B6FCE100CA3E2C9
SHA-256:	0D13B0049DB8639F203B8A5DA7E4E8BFFCDE518CA0E87C6435C4293177AB5867
SHA-512:	BA62884DF4959FFFD26179047A16A1229098B6F7C37A6D735AD7942116D9AC7562B593875AF84C5726BFF80E9D91758DA52AEC07ED16CF2A0BC25CE57CB0D41E
Malicious:	false
Preview:	.PNG........IHDR..............6.X....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-HVIJA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1 x 106, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2852
Entropy (8bit):	7.867842123870298
Encrypted:	false
SSDEEP:	48:J/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODK0:JSDZ/I09Da01l+gmkyTt6Hk8nTX
MD5:	AD8AB8C5E19A7B24E060E9C6B4A8C13D
SHA1:	3553B00745DB1BC65E8AD0A224BBC49ECCEECA6F
SHA-256:	117BD3E359D760CB12B5B3F6865FA125A801269523A851542989D91413DC7A3E
SHA-512:	1CD55120C2761ECF272466B6A2E4A9568A891D209ECDF5FA5EEA5307D4DB7105898F31C2C680C621657DF7CDB2F38D606CA13684184B3A301F2166329401878D
Malicious:	false
Preview:	.PNG........IHDR.......j......D.G....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-IKL64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 469 x 159, 8-bit gray+alpha, non-interlaced
Category:	dropped
Size (bytes):	12799
Entropy (8bit):	7.954371008999522
Encrypted:	false
SSDEEP:	192:CDrgTE80fO3w9Gw/gMmhqb/KEliZ5pjSWw5JTfvJRbNn1tgbn+qFynb21kt1kIhL:CfAc9GugMIQRl65AJzp1aoFt1gk
MD5:	2516339970D710819585F90773AEBE0A
SHA1:	84F613631B07D4FE22ACBAB50E551C0FE04BD78B
SHA-256:	D99E3FA32C641032F08149914B28C2DC6ACF2EC62F70987F2259EABBFA7FC0DE
SHA-512:	E1BB0066E619679B880F43E85C3367C57CD13411AB012A67E429B21E7FF80A1A5B8F1EB5BFAC4CC272EB2BB606341182E91FF1CF7D59CF8BD811D98EAFD71D5C
Malicious:	false
Preview:	.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<..1.IDATx..}ml\E..W..^..D$\|n.w'..;v...8.m0..k<f.8....<.h3$.. ...b,mn.... ........0...L Y`6s'.>...Q.........S......n.S.V.;1K.G...s...>Uo...TU.1c..Yu...c..a&...#C,p.....>k.......U.LW..-s.n.3V.q..~N....o...c...I.~L.....{..-....H8%_..M..w.B..6EW..,.p.......Y...2+.(Y....@..&..A./.......3kX.h....-.a.....A....<>P...'\...J.;(.}.#..Qz......:4..%m?nf.ntK.....l.9J...+.D..I..Yu1Y...Z^..(.]YYE..f@......lX..z].U.t......u...&..5-P...W.}..@t.\|.#L..Y..=..s.......,w#.+.R.+.?..a.x...X.0.."..ea).t.G....wV..w..V^...rf%xB.(.q..4>....W.G.#...lW.U<......XJV...l.....R...$k.DVr.I....7:.X<.s>%X.1...N..Ez....w...;y..9.z.9.O.%.~..~..u....*.=.....I..x.c.y}....Y(...o....u..N$.^..j......e\..iX...]..;Y-.r........&..>.!..zl.Y.aVHVN..9=..]..=.......mR..M......d...OU.C..J.UiT.}r.W...W'....u..).......F"YU.#..P......&......R.O....wyz..m..$...O.....s? +^.FT.....I.E.q.%..&.....~..>.M...}]......w..A...?.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-K9V90.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1366 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22421
Entropy (8bit):	7.382781405693069
Encrypted:	false
SSDEEP:	384:cJXE050vbwtRSQniH2Zn+4GjL1rGMNKc0BCEgsFzA0u:I35LCQznsjRrGMN90QEZZA0u
MD5:	CD3956C0B11967DE8DA88DA7C40ABD8F
SHA1:	28B3280D98E0FAEFBEEB824F66245D53F688367D
SHA-256:	4940060CEA6C1D1CF2B4E4F6E66DB8E30CA6452452F918B311E43915D55AA3DF
SHA-512:	D995A7ECFA327A108DDB303864E359364B7A3FFBD10BED96DC6F2113CA850C404F54968E3B416998A26F53097D4C9DBF7B19CA90586A6C43ED533328B9AF118A
Malicious:	false
Preview:	.PNG........IHDR...V.........@\......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-KNPI0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 201 x 85, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4778
Entropy (8bit):	7.839826633357473
Encrypted:	false
SSDEEP:	96:/Y2CknYxpCbPe2lWy4UT2fMZal+uAl1BqQ/DPWP9lsGXRTsqP:/hb22qUT2fwPuC/7OP/BRn
MD5:	9DC9BBECE8B76B1231348B0FD2FBDB88
SHA1:	C8F71D7F37F6A026E602E2DA0C44E2D9E4453112
SHA-256:	8F3956EEFD59CDD8E065C28052A7C41927EDC314539F07A38516CE0320356450
SHA-512:	42858EE60A99621E4DE1EC6D3C3D276FB466C577ABF05191CE119EC433663740196DB22469197CE07E726212269C1696F2C970BFAEAE7AE86A343472F7B67F27
Malicious:	false
Preview:	.PNG........IHDR.......U......b.=....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:631E073F90AD11E2B467D8F586F29896" xmpMM:DocumentID="xmp.did:631E074090AD11E2B467D8F586F29896"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:631E073D90AD11E2B467D8F586F29896" stRef:documentID="xmp.did:631E073E90AD11E2B467D8F586F29896"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.EW.....IDATx..]....... .......!....a..B..I.NX.`..D.w ..e...q.AD...H.....d.(h4.$.(..D.......O.KUwuM....S.].W......

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-L8D6O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 233 x 103, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3665
Entropy (8bit):	7.900185350830456
Encrypted:	false
SSDEEP:	96:tSDZ/I09Da01l+gmkyTt6Hk8nTWRi4KxpbF1b:tSDS0tKg9E05TWRipbF1b
MD5:	431CAB7131EB26A7694DFDCE34ACDD8D
SHA1:	7081BAD951A7C71DF8D630AE550F6E1C52654FDE
SHA-256:	CC097EB188ED451F866F863A96C93B8B717EDB0D2C443C5AC0EDC8D6A74C8738
SHA-512:	18515EF1F5CFC6F285C0E7C21383C21B8A419A75FE050529531636CF2EB1B58C78344EE7DDC896A065EB73044A4D531223E2EA6C4862EDA209B4C1B3427F9111
Malicious:	false
Preview:	.PNG........IHDR.......g......eK....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-NER17.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1366 x 1100, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	29493
Entropy (8bit):	7.392034002277657
Encrypted:	false
SSDEEP:	768:s35g9ZhweCCYKdYk1oMnG9GZNYlKU/KNs:dZFdYKYEoMnG9GZl0Ki
MD5:	12CAD92A07320280831AC634DEAE61FE
SHA1:	D0F827A47195F5D252F865B1E1E5A75367537027
SHA-256:	0D1C39FD6E82E138B9EEE5B7650A552C9ACBA2F39A6F17F987441CD7AF853E02
SHA-512:	29DFE8D6D9508E7E9698FAD768208526C1BDB2E5A1C0197D3989FA63BD7F44FB6071C7486CEED15FF87B86E0532643CE08A29B365EECB9FBA30033ED7EBBC5CF
Malicious:	false
Preview:	.PNG........IHDR...V...L......a_.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-OHMJM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 79 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4472
Entropy (8bit):	7.920666209153228
Encrypted:	false
SSDEEP:	96:/SDZ/I09Da01l+gmkyTt6Hk8nT1f7miiCi6BgEkvmfwXh/so3t6H:/SDS0tKg9E05T1Siit0wXmoC
MD5:	F4ABDED60BBDC1A7F80B1AE87558087D
SHA1:	8118D40BE94EE3105AD06704F14697D6F4FB71F7
SHA-256:	ACBCEA1C5EC39151D6EFF46446B3658F74A57E920C83F0CCC4345B0E4825F501
SHA-512:	54CAE30E9D72908476FCDB9A2FFA5B878EFB923A6DC72F1A6C740965CE2E652386DF11A20B83281363ED104A4A10D79EAAE4FF662EB76E4153FAEB176620AA66
Malicious:	false
Preview:	.PNG........IHDR...O.................pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-P1A2E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 2 x 1000, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3297
Entropy (8bit):	7.890112387496165
Encrypted:	false
SSDEEP:	96:dSDZ/I09Da01l+gmkyTt6Hk8nTDBdUEF5vczDo:dSDS0tKg9E05T3UE50g
MD5:	A4AB2D64E4DC771743B6293E303A1B60
SHA1:	883845E2D570FAFFE095D27940F9C081213665D9
SHA-256:	75499938CFBE25364B01DBCF686371BB2EB0ABEFB4AAEA2BB9EB8357B9140FA0
SHA-512:	DDC4098359F452FFFEBCF793597E1BA31AC9254ECE2BFD898BFD35236F342677A8436669AEB9F2F02EB8CDACDD9946052EB47FCEC3C61C50FD506D51059CA9C7
Malicious:	false
Preview:	.PNG........IHDR............../]....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-R7E6Q.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 871 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4635
Entropy (8bit):	7.912550011635644
Encrypted:	false
SSDEEP:	96:qSDZ/I09Da01l+gmkyTt6Hk8nTilrjaHqiwp/9p3x:qSDS0tKg9E05Ti9jRVn
MD5:	490AB873EE03CA84F9D3DAB627B687EE
SHA1:	72EE8D63AC23FF7E01CE0512A3A04682B7B70A7A
SHA-256:	52B69E251F97C56B71B337A20086E99BB9C2F6538FDF9E7E531F97D9ED273672
SHA-512:	1E05174427162C75DE38FD27E0E8698A426646B1452A596BE54C6D466EBA9CF0A50BC4F744F027192EBBBE1BDCDCEE52C55AB990F7D3D212869DF6FFE2289CD7
Malicious:	false
Preview:	.PNG........IHDR...g..........Xdj....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-ROK32.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 235 x 211, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	28249
Entropy (8bit):	7.985529844753195
Encrypted:	false
SSDEEP:	384:aJXE05uNUCFxUePGYHl4qxT9peH2I9gGM+kwRDzQpdyDDaIJyFlSqhdHY89TGpFR:a35aUC9PT9E2I9hzkw1QuDW4ZVYThcxt
MD5:	44EB3F5893CD67857BEC32F8A05F399E
SHA1:	FB46AFC29BB80EA55CC9E5BE676D59BAF9EBD1A0
SHA-256:	843EEFF4CFE4F69F5EC98EEA3A76104B5224FCFADFE22A07B627872DA8E0E175
SHA-512:	0DA6AABDEF06F05C4456E2260E744EE58C354F86182CC3FC7DBF2568F85BA4A79C7C304D087879BF3B32F1DEF6B6BBA58CF8978C0FCCDE0CC4EADD72CF840403
Malicious:	false
Preview:	.PNG........IHDR.............`#......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-U8QG9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 787 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4140
Entropy (8bit):	5.514702010098084
Encrypted:	false
SSDEEP:	96:NxQY9fW/9RIAAssrTAdZR2zqq11AAssKAxaWsYecssHGGmqq11AAsssHGmqqq11r:NxU/DIAAss+ZR2zqq11AAssKAxaW1ss6
MD5:	C2E958A624B5FABD241277E3E693F4A2
SHA1:	BC3C845E83FB79EC5331090E3E634CC69F3E2B6A
SHA-256:	81C38EBE8D0C41BDCEBD42CD7A09F8537C1B0BD8131019C7C885ABBE94AEAA39
SHA-512:	2FAAE2695C6DD4386C0BD690364B54BD2E9F464BAFDECF05FD69E693941CD25BBD25A044827154308A8E39080AA2712D2451B34C6077229718FAF90D729FE33D
Malicious:	false
Preview:	.PNG........IHDR..............z.2....tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:BCF20EC0435BE211BC1DEA2D3863842E" xmpMM:DocumentID="xmp.did:D6A421B3609B11E2AFD8AC757B891629" xmpMM:InstanceID="xmp.iid:D6A421B2609B11E2AFD8AC757B891629" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A74E67B6215FE211AC06F9441A82FEFD" stRef:documentID="xmp.did:BCF20EC0435BE211BC1DEA2D3863842E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..A....\IDATx....m.P.E...M..'t....=R.d.)....>..\|>.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\is-UP928.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 235 x 211, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	22330
Entropy (8bit):	7.9810347758665445
Encrypted:	false
SSDEEP:	384:aJXE05HwtAKswap8oNDfSFBFm+/e36Uyj5SZv+woGSEzXCJTsS:a35HIANTNDSF7R/M2EzCTF
MD5:	B4FD985F20B0D373EF0D55E7ECFCD165
SHA1:	FD96A536C42FBCBD23CAFEADD9122A25A7A848FB
SHA-256:	9B53EC2BBDF169AF9CC2F4CFEA18A4EC984FFEABAA6A6CD01933E03FAD9C7E07
SHA-512:	8D64858D589D4BC047779146B595B578497AB2DC2AD883BC4DADA06A60D08C79524F060520F532BD7AF760CE9FEFCC9950D1708E7ABCB80C5B2757C73D3DBBDA
Malicious:	false
Preview:	.PNG........IHDR.............`#......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\logo.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 201 x 85, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4778
Entropy (8bit):	7.839826633357473
Encrypted:	false
SSDEEP:	96:/Y2CknYxpCbPe2lWy4UT2fMZal+uAl1BqQ/DPWP9lsGXRTsqP:/hb22qUT2fwPuC/7OP/BRn
MD5:	9DC9BBECE8B76B1231348B0FD2FBDB88
SHA1:	C8F71D7F37F6A026E602E2DA0C44E2D9E4453112
SHA-256:	8F3956EEFD59CDD8E065C28052A7C41927EDC314539F07A38516CE0320356450
SHA-512:	42858EE60A99621E4DE1EC6D3C3D276FB466C577ABF05191CE119EC433663740196DB22469197CE07E726212269C1696F2C970BFAEAE7AE86A343472F7B67F27
Malicious:	false
Preview:	.PNG........IHDR.......U......b.=....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:631E073F90AD11E2B467D8F586F29896" xmpMM:DocumentID="xmp.did:631E074090AD11E2B467D8F586F29896"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:631E073D90AD11E2B467D8F586F29896" stRef:documentID="xmp.did:631E073E90AD11E2B467D8F586F29896"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.EW.....IDATx..]....... .......!....a..B..I.NX.`..D.w ..e...q.AD...H.....d.(h4.$.(..D.......O.KUwuM....S.].W......

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\logoPA.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 301 x 55, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7621
Entropy (8bit):	7.950162226593725
Encrypted:	false
SSDEEP:	192:/SDS0tKg9E05TLoQjvrVJ401yyFFuKacEsBK:qJXE05v3BuyyYFFEAK
MD5:	805B09E6CFFE2948E891319A5329B03B
SHA1:	C402A1E1C5C2C839E9E3AE444D452D6EBCFA863C
SHA-256:	E52721BF4652B39B3D017E26866E86320B76DC358214B157D86B3DC58334750B
SHA-512:	A23AC19A36D67242FF944B463A1B9695C4B6DE8362B3328A88E7E05DE812C3AAAD8E4D698E2CAEE6ADA0EB0BAB1F287248FF4C31CA80BBD2718FD5103179699B
Malicious:	false
Preview:	.PNG........IHDR...-...7.....Y.......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\month.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 79 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	7.921737244447786
Encrypted:	false
SSDEEP:	96:/SDZ/I09Da01l+gmkyTt6Hk8nTz1fGKp/56ylQ4k5QqkchRUtWvfK9:/SDS0tKg9E05TZVpR64XnfOK9
MD5:	417EC14380DFA07363B746B85CAD5BCF
SHA1:	2E3605AEAFF77E9B82BA6E36081DFF575D72C1B3
SHA-256:	29346EF5C0DAEE9E69313CDE4AD321099E806B2A787AF225D84A758C4052C631
SHA-512:	F2677219735E6302C4390811B167A61721562FF76918A885DFE6D97DB9DA6D618FC98D277408876FD9A03F11CB5B3EB79F80C58650ED78A5EBB2F2460ECE1092
Malicious:	false
Preview:	.PNG........IHDR...O.................pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\upload.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 235 x 211, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	28249
Entropy (8bit):	7.985529844753195
Encrypted:	false
SSDEEP:	384:aJXE05uNUCFxUePGYHl4qxT9peH2I9gGM+kwRDzQpdyDDaIJyFlSqhdHY89TGpFR:a35aUC9PT9E2I9hzkw1QuDW4ZVYThcxt
MD5:	44EB3F5893CD67857BEC32F8A05F399E
SHA1:	FB46AFC29BB80EA55CC9E5BE676D59BAF9EBD1A0
SHA-256:	843EEFF4CFE4F69F5EC98EEA3A76104B5224FCFADFE22A07B627872DA8E0E175
SHA-512:	0DA6AABDEF06F05C4456E2260E744EE58C354F86182CC3FC7DBF2568F85BA4A79C7C304D087879BF3B32F1DEF6B6BBA58CF8978C0FCCDE0CC4EADD72CF840403
Malicious:	false
Preview:	.PNG........IHDR.............`#......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\view.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 235 x 211, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	22330
Entropy (8bit):	7.9810347758665445
Encrypted:	false
SSDEEP:	384:aJXE05HwtAKswap8oNDfSFBFm+/e36Uyj5SZv+woGSEzXCJTsS:a35HIANTNDSF7R/M2EzCTF
MD5:	B4FD985F20B0D373EF0D55E7ECFCD165
SHA1:	FD96A536C42FBCBD23CAFEADD9122A25A7A848FB
SHA-256:	9B53EC2BBDF169AF9CC2F4CFEA18A4EC984FFEABAA6A6CD01933E03FAD9C7E07
SHA-512:	8D64858D589D4BC047779146B595B578497AB2DC2AD883BC4DADA06A60D08C79524F060520F532BD7AF760CE9FEFCC9950D1708E7ABCB80C5B2757C73D3DBBDA
Malicious:	false
Preview:	.PNG........IHDR.............`#......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\week.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 79 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4680
Entropy (8bit):	7.929050221960049
Encrypted:	false
SSDEEP:	96:/SDZ/I09Da01l+gmkyTt6Hk8nT7XTm4V+UuyvTh1PUJY:/SDS0tKg9E05T7XTm8puyv1yJY
MD5:	69E0B7D8FAA49E5AD1A57D910A990C14
SHA1:	F6205CF0A72590EB48F1311C1A51623D054FA2AC
SHA-256:	96786E42B70A880F83143FF0D952354DE30B9B51B0F28D36381E49D7ADFE3464
SHA-512:	5936D03CC1CC302497A955F1388EEC3C73BBE12B42CAF124A5D0EA0808B67AD7E84C71D3BF06E0AF12E7AA56976CBC1ED1DCF25E6236FB88E0F962243604D0C5
Malicious:	false
Preview:	.PNG........IHDR...O.................pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\whole-background.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1366 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22421
Entropy (8bit):	7.382781405693069
Encrypted:	false
SSDEEP:	384:cJXE050vbwtRSQniH2Zn+4GjL1rGMNKc0BCEgsFzA0u:I35LCQznsjRrGMN90QEZZA0u
MD5:	CD3956C0B11967DE8DA88DA7C40ABD8F
SHA1:	28B3280D98E0FAEFBEEB824F66245D53F688367D
SHA-256:	4940060CEA6C1D1CF2B4E4F6E66DB8E30CA6452452F918B311E43915D55AA3DF
SHA-512:	D995A7ECFA327A108DDB303864E359364B7A3FFBD10BED96DC6F2113CA850C404F54968E3B416998A26F53097D4C9DBF7B19CA90586A6C43ED533328B9AF118A
Malicious:	false
Preview:	.PNG........IHDR...V.........@\......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\img\year.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 79 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4472
Entropy (8bit):	7.920666209153228
Encrypted:	false
SSDEEP:	96:/SDZ/I09Da01l+gmkyTt6Hk8nT1f7miiCi6BgEkvmfwXh/so3t6H:/SDS0tKg9E05T1Siit0wXmoC
MD5:	F4ABDED60BBDC1A7F80B1AE87558087D
SHA1:	8118D40BE94EE3105AD06704F14697D6F4FB71F7
SHA-256:	ACBCEA1C5EC39151D6EFF46446B3658F74A57E920C83F0CCC4345B0E4825F501
SHA-512:	54CAE30E9D72908476FCDB9A2FFA5B878EFB923A6DC72F1A6C740965CE2E652386DF11A20B83281363ED104A4A10D79EAAE4FF662EB76E4153FAEB176620AA66
Malicious:	false
Preview:	.PNG........IHDR...O.................pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-0FISS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.0566730094007655
Encrypted:	false
SSDEEP:	24:qTFLURr94A/4VqEQVC/YFTszIRuXgigDDNNbT1JxFK8:EiRr9T/4Vqp4AFMouXrYNpT1HFb
MD5:	C128D6CD61111599FCBE7BB46EDB1904
SHA1:	CDF9CEC9BA07708A12D0A02D50E0122385FA253F
SHA-256:	944D208A5720B207B61144149546F9F50FB48B7281DF8BCE33EB114E20BB95C6
SHA-512:	74E5A34E3A019D395D5E71BBB9629F6C4C9EE4233C79406898FBCFE673A2B3F753A9C75AA95A54821012EB3794AF1E880A8ACBBA31DB4899270C6DF0FD1D5E53
Malicious:	false
Preview:	<?xml version='1.0'?>.. This is a sample XML document -->..<Plugin>...<height>500</height>...<width>700</width>...<runFilePath>OMPA Convertor.exe</runFilePath>...<htmlFilePath>OMPA convertor.html</htmlFilePath>...<savedValuesFilePath>saved.xml</savedValuesFilePath>...<iconName>64x64 converter.ico</iconName>...<description>Converts binary .cwa files to application-friendly formats. Current version supports specifying a time-slice via the data preview pane. Optional output streams (battery, light, temperature). Multiple timestamp formats available.</description>...<fileName>Convert_CWA</fileName>...<readableName>Convert CWA</readableName>...<outputFile>.csv .wav .raw</outputFile>...<inputFile>.cwa</inputFile>...<wantMetadata>true</wantMetadata>...<outputExtensions>....<extension>csv</extension>...</outputExtensions>...<defaultValues>....<bodyMass>80</bodyMass>....<percentage>0.22</percentage>....<fileStart>fileStart</fileStart>....<fileEnd>fileEnd</fileEnd>...</defaultValues>...<crea

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-22EDB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	563200
Entropy (8bit):	6.741829920311703
Encrypted:	false
SSDEEP:	12288:+l+vI0vyog/UpQ87Lx97MYpk62gSp01ldMIicFIz/Fa5wbevozdw1:+l+g6kUW8Xx9ogDSp01lXicFIDFa5jvo
MD5:	15B477AA57D8F81CD251D38CA7CB84C6
SHA1:	CA9A478EDE26638F0D881D1643CAC98C3AFE5F49
SHA-256:	822F9397A57EE1A5B4D2A25FE4031F5EB960166AC20F3FF7AA417259EF8F403E
SHA-512:	2B42BC91E3596F16C76D35C6C3DFFBB04735C6AB96ABC6C61E6FFE34BBB0EE5F791FFAA7D4ADB9C6CD15E74E42B67292F4CF940CF9222AE9DD515658DDE6FAF3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7+..Yx..Yx..Yx..x..Yx..x..Yx..x..Yx...x..Yx..Xx..Yx..x..Yx..x..YxRich..Yx................PE..L...#..O.........................................@..................................y....@..................................A..(................................2.................................8<..@............................................text............................... ..`.rdata..............................@..@.data...DC...P... ...<..............@....rsrc................\..............@..@.reloc...:.......:...^..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-2NOTD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	HTML document, ASCII text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	11977
Entropy (8bit):	5.193366025833501
Encrypted:	false
SSDEEP:	192:kVsDIzjpambe4Ec4h25Uw4aCqtYoqy2qoglZQtpYGTmpo/8pWV9:qtq4Ec4hUr4aLYoqUCX
MD5:	1A82547F921A171DCF86F23191BFD318
SHA1:	1CBE6268FC5FFE12A4A707205D0FCC64866A7236
SHA-256:	E4BD06AA60D4577B6AA586E05EDB9D5B1250599C01C1140C6D88B614B9A0E103
SHA-512:	420651FDEFF17D16307E875CDD632B5CB7ED54E588BFB8D870AB43BC2E4B402913BE748334D431D5CC9F8663F6C680470E71E6BED297623560F09856E2BFDBEE
Malicious:	false
Preview:	<!DOCTYPE html> ..<html>..<meta http-equiv="X-UA-Compatible" content="IE=Edge" />..<meta charset="utf-8">...<title>OpenMovement Converter</title>...<link href="./css/bootstrap-responsive.css" rel="stylesheet">...<link href="./css/bootstrap.css" rel="stylesheet">...<link href="./css/page.css" rel="stylesheet">...<script type="text/javascript" src="./js/jquery.min.js"></script>...<script type="text/javascript" src="./js/bootstrap.js"></script> ...<script type="text/javascript" src="./js/bootstrap.min.js"></script>.....<script language="javascript">..function positionLogo() {...document.getElementById('logo').style.left = document.getElementById('content').offsetLeft + 'px';..}....</script>.... Leave this script as it is otherwise the program won't pick it up and it won't run. -->..<script language="javascript" type="text/javascript">.. //var $ = function (e) { return document.getElementById(e); }......var blockStart = -1;...var blockCount = -1;......function fillValues()...{....va

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-42V26.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	HTML document, ASCII text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	11977
Entropy (8bit):	5.193366025833501
Encrypted:	false
SSDEEP:	192:kVsDIzjpambe4Ec4h25Uw4aCqtYoqy2qoglZQtpYGTmpo/8pWV9:qtq4Ec4hUr4aLYoqUCX
MD5:	1A82547F921A171DCF86F23191BFD318
SHA1:	1CBE6268FC5FFE12A4A707205D0FCC64866A7236
SHA-256:	E4BD06AA60D4577B6AA586E05EDB9D5B1250599C01C1140C6D88B614B9A0E103
SHA-512:	420651FDEFF17D16307E875CDD632B5CB7ED54E588BFB8D870AB43BC2E4B402913BE748334D431D5CC9F8663F6C680470E71E6BED297623560F09856E2BFDBEE
Malicious:	false
Preview:	<!DOCTYPE html> ..<html>..<meta http-equiv="X-UA-Compatible" content="IE=Edge" />..<meta charset="utf-8">...<title>OpenMovement Converter</title>...<link href="./css/bootstrap-responsive.css" rel="stylesheet">...<link href="./css/bootstrap.css" rel="stylesheet">...<link href="./css/page.css" rel="stylesheet">...<script type="text/javascript" src="./js/jquery.min.js"></script>...<script type="text/javascript" src="./js/bootstrap.js"></script> ...<script type="text/javascript" src="./js/bootstrap.min.js"></script>.....<script language="javascript">..function positionLogo() {...document.getElementById('logo').style.left = document.getElementById('content').offsetLeft + 'px';..}....</script>.... Leave this script as it is otherwise the program won't pick it up and it won't run. -->..<script language="javascript" type="text/javascript">.. //var $ = function (e) { return document.getElementById(e); }......var blockStart = -1;...var blockCount = -1;......function fillValues()...{....va

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-7RMVQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	555520
Entropy (8bit):	6.7113933342053205
Encrypted:	false
SSDEEP:	12288:3nTww4skH2tol+VkVJrDHcSN+cfRf9JsFdwe:3n0nH2toYkVJrD9Z9Js
MD5:	33DD5633F19486728639D92992B080F2
SHA1:	BEDD5820CF9FC7285833AF533C3B08BFA1F4912E
SHA-256:	88CE021A699D591CBAFC1D1211399CB0E9543EB2A6843C4D07707EE374F3C7D5
SHA-512:	5DC1602F017AD27E6F36071AE6BE2A900F9C95AABA46A962AD27A62F70B175617840263D15E0CEB413F8513D2704FEE6CA2A7181D5F8BECD3027DCD15197DA03
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#..p..p..pLrQp..pLrSph.pLrRp..p.q..p.q..p.q..p.3p..p..p..p..q..p._p..p..q..pRich..p................PE..L...S..[.................:...N...............P....@.......................................@..................................3..(....p...........................6..`)..p............................)..@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...p$...@.......,..............@....rsrc........p.......@..............@..@.reloc...6.......8...B..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-96GMM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3527
Entropy (8bit):	7.81337128585813
Encrypted:	false
SSDEEP:	96:9Ss5YRxkYjabEg39Q5aS4iJ7fPWdSfCwIc31:9Ss5Yrjaob5/VJr+k9
MD5:	CED13F367E9FDF9CB2045DDBFC606D6B
SHA1:	7C872ABCF649631BA513C43621605610D9125E95
SHA-256:	27BC1E463A8F3FD3C193CC5E91A463C356E39D5E81EE45FEDC54BB070B5FC895
SHA-512:	D2F7A6FBE8AD134F2073AEB76BDBF4D06922193275F72CE8DD6288EE026E7EF66410377FEF45F22355A70FCCFBE198379F1D55C4BA5D041DE96CA088B0BBAD0D
Malicious:	false
Preview:	.PNG........IHDR...@...@......iq.... cHRM..z%..............u0...`..:....o._.F....bKGD.......C......pHYs.................vpAg...@...@....`....IDATx...k%wv.?.G..}..j..v.3....!.3a..`<.U..&.@..@.!x.E...l.....<..6.......n...-..V..nK.U../...RU....d ...z.U.\|..T..&4..MhB...&....I.\|..g.q.....E.R..B...!PJ....:q..{.....Zks.Zk.R...xzz...\.~.W_}.O>..w. .Sc.o.V.Ave.>N@..+{}..Y9..Z..`./..w...>.h.Z.....>@)..`0..(.^.>..XQ.Ya.pZ.....,......m..Mk..B......-.S.....O..jS.....g.b.......5..@.....B(.(..8..1f.Z..Q.-.q<..t.. ...d.y.....K.v..crfj.AJ9. ...>_....U^..&ss/...,.Q....Xk.t:...ju.T..!..p^.QsB..... ...c,R..69.x..f...Zbq.......H..!..!.V....!.y...Honn6...Og......oY..8..u.."E..D..k.V:.....0U.>q._\|H..36..+....8..^..c..s.....L....@DQtz...Y...f....{<....._..S.+ ....%..P.....[..l............\..>..\\|.,.\Fk.c........8...(...$.._1.~....$.}.8..8....=juK.\|...-..9......\Xy..2S.@Yp~f.\`.A.s.....G4.^......WQ,.S,,>......wx.w.s.....0...8N.g. [m.+,.h.a._x..[4[..Gq....R(3

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-BLKB6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	GIF image data, version 89a, 128 x 128
Category:	dropped
Size (bytes):	7303
Entropy (8bit):	7.827464019436164
Encrypted:	false
SSDEEP:	192:b8yxqckNOgKtcKdAOs/GOR9nDyoQCl1xdjGTlD/uzcV/:bbx9bSKoHDyoQClExGi/
MD5:	BDFA0CCB43714B182B9EEE4A0CF0DC9A
SHA1:	14AE738BC83FE1004B9879F3BD72100E74E215C1
SHA-256:	ED334BA309B7DC4EB164B135E6EC95AC270767C528C7AB649B2AC8FD7EC5C8CA
SHA-512:	3925369D595CEC2693421FACDBDD76562AD75A56E74C87B41303944A85BECD22A133D3921B02E420E75D63D18953E278E18FB8E4A3CE0CD3FF6F5C7BE516ABC3
Malicious:	false
Preview:	GIF89a.....................xi~................................+5.MV.JU..(.'=.J].....!.3K.AW...)..+..5.8Q.C].DZ.Pg.CU.Zm.Vh.aq.`h.....3../..<..<..D.&L.$G.-Q.3V.:\.5R.>`.Dd.Hg.Ii.Ii.Ki.Kk.Lh.Mk.Ro.Sq.[v.e..w..p..}..t..v.....@d.Ae.Eh.Gk.Gi.Gh.Gk.Im.Ik.Im.Ik.Ko.Km.Kk.Lm.Nn.Or.Rs.Ut.Vx.]\|.Zw.k..`x....Ek.Lp.Jo.b.....e..m..{......z................................................................D.......M...Y....Y..e.5..L.h......2..=..G.Y..i........u..z..\|..~.....w...5..A..@.G.G..V.Q.._.P..o.f..u..u..{......w..v..{............#.~%..+..2..3..9..>.9.=..B..D..D..E..G..G..G.C..I..I.A..L..L..Q..R..V..T..[..c..g..m..s....`...u.q..k...4..B.{5..F..G..I..I..J..K..K..K..N..S..V..[.zO..{....u.........B..M....c.....................................!.......,...............H......\......z4.H.........c.. C...0...?`.@....Cp.....`..Sf.._........C..P../.0H@J..B..Vty...V..:../..]..k..;....A-.0..h.../.0..KX.[.0b...$H..E.K..E....t..C...CO..C.i.@..H.9....

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-CAKCE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1031
Entropy (8bit):	4.980312923623659
Encrypted:	false
SSDEEP:	24:qTLjdsRyeK94A/4VqEQVC/YFTszIRuXgigDDNNjjjvTpxFK8:ELZsRyD9T/4Vqp4AFMouXrYNRjjvTnFb
MD5:	75220D8A8A097043744CC0C7DAE8A059
SHA1:	54BFEF1EEA080EF3343A84FE907462152EA16920
SHA-256:	FF7421F04B2E7E6BC63F319C14D72D9579997E7B0D0E2531998BB8720B629C1B
SHA-512:	F543E061AFF30C5156F79E7DD1AA3404EE6D7F80915746B9BDF87A99FF9084D04794487EF5043A89014833A79A048E2EC30F2F2FAC893D49C1675D5D1CDF3F18
Malicious:	false
Preview:	<?xml version='1.0'?>.. This is a sample XML document -->..<Plugin>...<height>500</height>...<width>700</width>...<runFilePath>cwa-convert.exe</runFilePath>...<htmlFilePath>cwa-convert.html</htmlFilePath>...<savedValuesFilePath>saved.xml</savedValuesFilePath>...<iconName>cwa-convert.ico</iconName>...<description>Converts binary .cwa files to application-friendly formats. Current version supports specifying a time-slice via the data preview pane. Optional output streams (battery, light, temperature). Multiple timestamp formats available.</description>...<fileName>Convert_CWA</fileName>...<readableName>Convert CWA</readableName>...<outputFile>.csv .wav .raw</outputFile>...<inputFile>.cwa</inputFile>...<wantMetadata>true</wantMetadata>...<outputExtensions>....<extension>csv</extension>....<extension>wav</extension>....<extension>raw</extension>...</outputExtensions>...<defaultValues>....<fileStart>fileStart</fileStart>....<fileEnd>fileEnd</fileEnd>...</defaultValues>...<createsOutput>

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-D5UN3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	GIF image data, version 89a, 128 x 128
Category:	dropped
Size (bytes):	7303
Entropy (8bit):	7.827464019436164
Encrypted:	false
SSDEEP:	192:b8yxqckNOgKtcKdAOs/GOR9nDyoQCl1xdjGTlD/uzcV/:bbx9bSKoHDyoQClExGi/
MD5:	BDFA0CCB43714B182B9EEE4A0CF0DC9A
SHA1:	14AE738BC83FE1004B9879F3BD72100E74E215C1
SHA-256:	ED334BA309B7DC4EB164B135E6EC95AC270767C528C7AB649B2AC8FD7EC5C8CA
SHA-512:	3925369D595CEC2693421FACDBDD76562AD75A56E74C87B41303944A85BECD22A133D3921B02E420E75D63D18953E278E18FB8E4A3CE0CD3FF6F5C7BE516ABC3
Malicious:	false
Preview:	GIF89a.....................xi~................................+5.MV.JU..(.'=.J].....!.3K.AW...)..+..5.8Q.C].DZ.Pg.CU.Zm.Vh.aq.`h.....3../..<..<..D.&L.$G.-Q.3V.:\.5R.>`.Dd.Hg.Ii.Ii.Ki.Kk.Lh.Mk.Ro.Sq.[v.e..w..p..}..t..v.....@d.Ae.Eh.Gk.Gi.Gh.Gk.Im.Ik.Im.Ik.Ko.Km.Kk.Lm.Nn.Or.Rs.Ut.Vx.]\|.Zw.k..`x....Ek.Lp.Jo.b.....e..m..{......z................................................................D.......M...Y....Y..e.5..L.h......2..=..G.Y..i........u..z..\|..~.....w...5..A..@.G.G..V.Q.._.P..o.f..u..u..{......w..v..{............#.~%..+..2..3..9..>.9.=..B..D..D..E..G..G..G.C..I..I.A..L..L..Q..R..V..T..[..c..g..m..s....`...u.q..k...4..B.{5..F..G..I..I..J..K..K..K..N..S..V..[.zO..{....u.........B..M....c.....................................!.......,...............H......\......z4.H.........c.. C...0...?`.@....Cp.....`..Sf.._........C..P../.0H@J..B..Vty...V..:../..]..k..;....A-.0..h.../.0..KX.[.0b...$H..E.K..E....t..C...CO..C.i.@..H.9....

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\is-IB0RV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3527
Entropy (8bit):	7.81337128585813
Encrypted:	false
SSDEEP:	96:9Ss5YRxkYjabEg39Q5aS4iJ7fPWdSfCwIc31:9Ss5Yrjaob5/VJr+k9
MD5:	CED13F367E9FDF9CB2045DDBFC606D6B
SHA1:	7C872ABCF649631BA513C43621605610D9125E95
SHA-256:	27BC1E463A8F3FD3C193CC5E91A463C356E39D5E81EE45FEDC54BB070B5FC895
SHA-512:	D2F7A6FBE8AD134F2073AEB76BDBF4D06922193275F72CE8DD6288EE026E7EF66410377FEF45F22355A70FCCFBE198379F1D55C4BA5D041DE96CA088B0BBAD0D
Malicious:	false
Preview:	.PNG........IHDR...@...@......iq.... cHRM..z%..............u0...`..:....o._.F....bKGD.......C......pHYs.................vpAg...@...@....`....IDATx...k%wv.?.G..}..j..v.3....!.3a..`<.U..&.@..@.!x.E...l.....<..6.......n...-..V..nK.U../...RU....d ...z.U.\|..T..&4..MhB...&....I.\|..g.q.....E.R..B...!PJ....:q..{.....Zks.Zk.R...xzz...\.~.W_}.O>..w. .Sc.o.V.Ave.>N@..+{}..Y9..Z..`./..w...>.h.Z.....>@)..`0..(.^.>..XQ.Ya.pZ.....,......m..Mk..B......-.S.....O..jS.....g.b.......5..@.....B(.(..8..1f.Z..Q.-.q<..t.. ...d.y.....K.v..crfj.AJ9. ...>_....U^..&ss/...,.Q....Xk.t:...ju.T..!..p^.QsB..... ...c,R..69.x..f...Zbq.......H..!..!.V....!.y...Honn6...Og......oY..8..u.."E..D..k.V:.....0U.>q._\|H..36..+....8..^..c..s.....L....@DQtz...Y...f....{<....._..S.+ ....%..P.....[..l............\..>..\\|.,.\Fk.c........8...(...$.._1.~....$.}.8..8....=juK.\|...-..9......\Xy..2S.@Yp~f.\`.A.s.....G4.^......WQ,.S,,>......wx.w.s.....0...8N.g. [m.+,.h.a._x..[4[..Gq....R(3

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\js\bootstrap.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	64027
Entropy (8bit):	4.836305483874431
Encrypted:	false
SSDEEP:	1536:Y0/ZYwdtLLrK7tXuLJAlC0NEojHweGy8VEfrUiOl3ST0uMU:xZ79L2kJmzNvjHwlR+UT3STD7
MD5:	4D269F4999A9D6766EBA116A79B22F6C
SHA1:	982A75004C32B52BFADB0D296867780DBA232543
SHA-256:	CA0B58099DB982806828D46FAAAE6B53FF51BD5207912379BE0B20FF96ED6ADA
SHA-512:	198D5C7E6D0E274002B25B9F905E52AFFB09E1EDC76480D03D78FD35824C0A62B0F36EC2144A62ECEA8A4B1A6ACC4A455B83AAB8B3512B670A37944276619507
Malicious:	false
Preview:	/* ===================================================.. * bootstrap-transition.js v2.3.1.. * http://twitter.github.com/bootstrap/javascript.html#transitions.. * ===================================================.. * Copyright 2012 Twitter, Inc... .. Licensed under the Apache License, Version 2.0 (the "License");.. * you may not use this file except in compliance with the License... * You may obtain a copy of the License at.. .. http://www.apache.org/licenses/LICENSE-2.0.. .. Unless required by applicable law or agreed to in writing, software.. * distributed under the License is distributed on an "AS IS" BASIS,.. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... * See the License for the specific language governing permissions and.. * limitations under the License... * ========================================================== /......!function ($) {.... "use strict"; // jshint ;_;...... / CSS TRANSITION SUPPORT (http://www.modernizr.com/).. *

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\js\bootstrap.min.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (28421), with CRLF line terminators
Category:	dropped
Size (bytes):	28543
Entropy (8bit):	5.002712804901758
Encrypted:	false
SSDEEP:	768:I7S57QFwmPK40INVIPcr8gCBQcqYn0SUs8q:t0OANsz0WT
MD5:	4D2217E6EF811750EF429614897722F7
SHA1:	81354DCFC6D99A1A43678DD9719D0D279271A02E
SHA-256:	96708C6D8E2D1D3E2CD83C34B4E30311C6C6BB405CAEF24C66D9C7A336B4BED2
SHA-512:	648E210FE2C1414EAFB340E2C5522294A47D17734F7840D73C4283140BCE1EC1D42B32C7BEBEDEB7AE791F2B15EB1B601E724126D521B223576DDFBBA2E44DBE
Malicious:	false
Preview:	/!.. Bootstrap.js by @fat & @mdo..* Copyright 2012 Twitter, Inc...* http://www.apache.org/licenses/LICENSE-2.0.txt../..!function(e){"use strict";e(function(){e.support.transition=function(){var e=function(){var e=document.createElement("bootstrap"),t={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"},n;for(n in t)if(e.style[n]!==undefined)return t[n]}();return e&&{end:e}}()})}(window.jQuery),!function(e){"use strict";var t='[data-dismiss="alert"]',n=function(n){e(n).on("click",t,this.close)};n.prototype.close=function(t){function s(){i.trigger("closed").remove()}var n=e(this),r=n.attr("data-target"),i;r\|\|(r=n.attr("href"),r=r&&r.replace(/.(?=#[^\s]*$)/,"")),i=e(r),t&&t.preventDefault(),i.length\|\|(i=n.hasClass("alert")?n:n.parent()),i.trigger(t=e.Event("close"));if(t.isDefaultPrevented())return;i.removeClass("in"),e.support.transition&&i.hasClass("fade")?i.on(e.support.transition.end,s):s()};v

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\js\is-7MGCB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	64027
Entropy (8bit):	4.836305483874431
Encrypted:	false
SSDEEP:	1536:Y0/ZYwdtLLrK7tXuLJAlC0NEojHweGy8VEfrUiOl3ST0uMU:xZ79L2kJmzNvjHwlR+UT3STD7
MD5:	4D269F4999A9D6766EBA116A79B22F6C
SHA1:	982A75004C32B52BFADB0D296867780DBA232543
SHA-256:	CA0B58099DB982806828D46FAAAE6B53FF51BD5207912379BE0B20FF96ED6ADA
SHA-512:	198D5C7E6D0E274002B25B9F905E52AFFB09E1EDC76480D03D78FD35824C0A62B0F36EC2144A62ECEA8A4B1A6ACC4A455B83AAB8B3512B670A37944276619507
Malicious:	false
Preview:	/* ===================================================.. * bootstrap-transition.js v2.3.1.. * http://twitter.github.com/bootstrap/javascript.html#transitions.. * ===================================================.. * Copyright 2012 Twitter, Inc... .. Licensed under the Apache License, Version 2.0 (the "License");.. * you may not use this file except in compliance with the License... * You may obtain a copy of the License at.. .. http://www.apache.org/licenses/LICENSE-2.0.. .. Unless required by applicable law or agreed to in writing, software.. * distributed under the License is distributed on an "AS IS" BASIS,.. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... * See the License for the specific language governing permissions and.. * limitations under the License... * ========================================================== /......!function ($) {.... "use strict"; // jshint ;_;...... / CSS TRANSITION SUPPORT (http://www.modernizr.com/).. *

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\js\is-ELE31.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (32089), with CRLF line terminators
Category:	dropped
Size (bytes):	92635
Entropy (8bit):	5.304097832737613
Encrypted:	false
SSDEEP:	1536:pnu00HWWaRxkqJg09pYxoxDKLXJrg8hXXO4dK3kyfiLJBhdSZE+I+Qz7rbaN1RUg:pdkWgoBecZRQzmW42qf
MD5:	874082B265651D732B1E8A97CE2517A6
SHA1:	EEE9A5B74FA1B59692E17A0420D989D3F82CBE2C
SHA-256:	7933FF01DB5BE57CA6677DAAAD6BF5009D38D294AB5AA5D998DE3BA47E89CA0E
SHA-512:	086C1AE8648EE00511C5F4FBC21122A0BCA45B62F4C0D8CC9AEEA147EBB0807A9C3B9EAE3145DFBC2666A8F80D2A80A7A4A04290ABEC496B5524D32A657C1FDE
Malicious:	false
Preview:	/! jQuery v1.9.1 \| (c) 2005, 2012 jQuery Foundation, Inc. \| jquery.org/license..//@ sourceMappingURL=jquery.min.map../(function(e,t){var n,r,i=typeof t,o=e.document,a=e.location,s=e.jQuery,u=e.$,l={},c=[],p="1.9.1",f=c.concat,d=c.push,h=c.slice,g=c.indexOf,m=l.toString,y=l.hasOwnProperty,v=p.trim,b=function(e,t){return new b.fn.init(e,t,r)},x=/[+-]?(?:\d\.\|)\d+(?:[eE][+-]?\d+\|)/.source,w=/\S+/g,T=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,N=/^(?:(<[\w\W]+>)[^>]\|#([\w-]))$/,C=/^<(\w+)\s\/?>(?:<\/\1>\|)$/,k=/^[\],:{}\s]$/,E=/(?:^\|:\|,)(?:\s\[)+/g,S=/\\(?:["\\\/bfnrt]\|u[\da-fA-F]{4})/g,A=/"[^"\\\r\n]*"\|true\|false\|null\|-?(?:\d+\.\|)\d+(?:[eE][+-]?\d+\|)/g,j=/^-ms-/,D=/-([\da-z])/gi,L=function(e,t){return t.toUpperCase()},H=function(e){(o.addEventListener\|\|"load"===e.type\|\|"complete"===o.readyState)&&(q(),b.ready())},q=function(){o.addEventListener?(o.removeEventListener("DOMContentLoaded",H,!1),e.removeEventListener("load",H,!1)):(o.detachEvent("onreadystatechange",H),e.detachEvent("onload",

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\js\is-HGINT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (28421), with CRLF line terminators
Category:	dropped
Size (bytes):	28543
Entropy (8bit):	5.002712804901758
Encrypted:	false
SSDEEP:	768:I7S57QFwmPK40INVIPcr8gCBQcqYn0SUs8q:t0OANsz0WT
MD5:	4D2217E6EF811750EF429614897722F7
SHA1:	81354DCFC6D99A1A43678DD9719D0D279271A02E
SHA-256:	96708C6D8E2D1D3E2CD83C34B4E30311C6C6BB405CAEF24C66D9C7A336B4BED2
SHA-512:	648E210FE2C1414EAFB340E2C5522294A47D17734F7840D73C4283140BCE1EC1D42B32C7BEBEDEB7AE791F2B15EB1B601E724126D521B223576DDFBBA2E44DBE
Malicious:	false
Preview:	/!.. Bootstrap.js by @fat & @mdo..* Copyright 2012 Twitter, Inc...* http://www.apache.org/licenses/LICENSE-2.0.txt../..!function(e){"use strict";e(function(){e.support.transition=function(){var e=function(){var e=document.createElement("bootstrap"),t={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"},n;for(n in t)if(e.style[n]!==undefined)return t[n]}();return e&&{end:e}}()})}(window.jQuery),!function(e){"use strict";var t='[data-dismiss="alert"]',n=function(n){e(n).on("click",t,this.close)};n.prototype.close=function(t){function s(){i.trigger("closed").remove()}var n=e(this),r=n.attr("data-target"),i;r\|\|(r=n.attr("href"),r=r&&r.replace(/.(?=#[^\s]*$)/,"")),i=e(r),t&&t.preventDefault(),i.length\|\|(i=n.hasClass("alert")?n:n.parent()),i.trigger(t=e.Event("close"));if(t.isDefaultPrevented())return;i.removeClass("in"),e.support.transition&&i.hasClass("fade")?i.on(e.support.transition.end,s):s()};v

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\js\jquery.min.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (32089), with CRLF line terminators
Category:	dropped
Size (bytes):	92635
Entropy (8bit):	5.304097832737613
Encrypted:	false
SSDEEP:	1536:pnu00HWWaRxkqJg09pYxoxDKLXJrg8hXXO4dK3kyfiLJBhdSZE+I+Qz7rbaN1RUg:pdkWgoBecZRQzmW42qf
MD5:	874082B265651D732B1E8A97CE2517A6
SHA1:	EEE9A5B74FA1B59692E17A0420D989D3F82CBE2C
SHA-256:	7933FF01DB5BE57CA6677DAAAD6BF5009D38D294AB5AA5D998DE3BA47E89CA0E
SHA-512:	086C1AE8648EE00511C5F4FBC21122A0BCA45B62F4C0D8CC9AEEA147EBB0807A9C3B9EAE3145DFBC2666A8F80D2A80A7A4A04290ABEC496B5524D32A657C1FDE
Malicious:	false
Preview:	/! jQuery v1.9.1 \| (c) 2005, 2012 jQuery Foundation, Inc. \| jquery.org/license..//@ sourceMappingURL=jquery.min.map../(function(e,t){var n,r,i=typeof t,o=e.document,a=e.location,s=e.jQuery,u=e.$,l={},c=[],p="1.9.1",f=c.concat,d=c.push,h=c.slice,g=c.indexOf,m=l.toString,y=l.hasOwnProperty,v=p.trim,b=function(e,t){return new b.fn.init(e,t,r)},x=/[+-]?(?:\d\.\|)\d+(?:[eE][+-]?\d+\|)/.source,w=/\S+/g,T=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,N=/^(?:(<[\w\W]+>)[^>]\|#([\w-]))$/,C=/^<(\w+)\s\/?>(?:<\/\1>\|)$/,k=/^[\],:{}\s]$/,E=/(?:^\|:\|,)(?:\s\[)+/g,S=/\\(?:["\\\/bfnrt]\|u[\da-fA-F]{4})/g,A=/"[^"\\\r\n]*"\|true\|false\|null\|-?(?:\d+\.\|)\d+(?:[eE][+-]?\d+\|)/g,j=/^-ms-/,D=/-([\da-z])/gi,L=function(e,t){return t.toUpperCase()},H=function(e){(o.addEventListener\|\|"load"===e.type\|\|"complete"===o.readyState)&&(q(),b.ready())},q=function(){o.addEventListener?(o.removeEventListener("DOMContentLoaded",H,!1),e.removeEventListener("load",H,!1)):(o.detachEvent("onreadystatechange",H),e.detachEvent("onload",

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\64x64 converter.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	MS Windows icon resource - 1 icon, 64x64, 24 bits/pixel
Category:	dropped
Size (bytes):	12862
Entropy (8bit):	0.2567213546428736
Encrypted:	false
SSDEEP:	3:vZll/ltl/c/lpRD:ojD
MD5:	1356714D30EB63F260CEFB0936C6E55E
SHA1:	79C25404E942D1646AAF2705DCE34D12AF9E5790
SHA-256:	E99E3672F8699E1E5251EF154B4272AAD404B5190570934E21191C128CD6F586
SHA-512:	326472320D36763A0C0E069F3CA1A63FF993E5795684233771D12A2834749FBDAE0AED77C0C30DE4B73A40FC1D6ABF54C59D6190940EAD2CDCBE8158F0C8CBCF
Malicious:	false
Preview:	......@@......(2......(...@................0............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\AX_OMConvert.gif (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	GIF image data, version 89a, 128 x 128
Category:	dropped
Size (bytes):	1010
Entropy (8bit):	2.29292695215194
Encrypted:	false
SSDEEP:	6:GH2laYz39WzJzdoaFUix1qyP5WKISI+pEwY+/dUpyP8ace:GHCx3mJp3F5x1qc7eva/6pyP8av
MD5:	EF53B728B8C0C9E76885A88C29577F1F
SHA1:	486CEB0CC0653C13B2D4582EC326342DF7E58EB5
SHA-256:	BFF343B1A887C6C81A6945C87AC56A5D51106ED6041A5AF5F79F8E02246A460C
SHA-512:	59B7CB51D03BE5FA06BBDBFC15A9B3AB12B50ADA520A45CACD8C7B4A480E1D6F25980D744568CDD85B899D65C4D0D8172E9D6C745E605A1FD49719C2157343BA
Malicious:	false
Preview:	GIF89a.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!.......,...............H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.]...P.J.J...X.j....`..K...h.]...p..K...x..........L.....+^....#K.L....3!k.....C..M....S.^....

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\AX_OMConvert.html (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6712
Entropy (8bit):	5.165428689402844
Encrypted:	false
SSDEEP:	192:BVsDIzEaAbe4Ec4hTzI/biCuRiCbazmQH74axuqbMp:kDq4Ec4hTzI/biCiiCGzmQH74axuj
MD5:	4479F570ECD29B6C975D5A403379F747
SHA1:	9A69865844209FB972A56C15E15851873B35A838
SHA-256:	09EB74ACFCE780F4B726CCE8827544DA75C43ABC54D12CC32F95E14B904A63CB
SHA-512:	DF5D09E68B77E4E4C6FC3604A40F8B9BFE65CD7921FFAD31C8321846DBFBD237D161D4D0EC17AE461258083D4D746A38F580B620AD9D27301D2BBCA2F3DA7927
Malicious:	false
Preview:	<!DOCTYPE html> ..<html>..<meta http-equiv="X-UA-Compatible" content="IE=Edge" />..<meta charset="utf-8">...<title>AX OmConvert Converter</title>...<link href="./css/bootstrap-responsive.css" rel="stylesheet">...<link href="./css/bootstrap.css" rel="stylesheet">...<link href="./css/page.css" rel="stylesheet">...<script type="text/javascript" src="./js/jquery.min.js"></script>...<script type="text/javascript" src="./js/bootstrap.min.js"></script>.....<script language="javascript">..function positionLogo() {...document.getElementById('logo').style.left = document.getElementById('content').offsetLeft + 'px';..}....</script>.... Leave this script as it is otherwise the program won't pick it up and it won't run. -->..<script language="javascript" type="text/javascript">.. //var $ = function (e) { return document.getElementById(e); }......var blockStart = -1;...var blockCount = -1;......var rawInput1;...var rawInput2;......function fillValues()...{....var url = document.URL;........va

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\AX_OMConvert.plugin (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	629
Entropy (8bit):	5.100605671646762
Encrypted:	false
SSDEEP:	12:TM3TSmrk4+mG/17LkzYP5r9AfLxvBGGtD/NKWHvD/ifFuIEZe1Q9+Q92S:qTARr9AvNPTKBEQ1FxS
MD5:	BCD9CF8B8A41D6DB97A9CE6584602C09
SHA1:	8A0BBF3A5D1DECA2C64C7669B5CAF05161D437D2
SHA-256:	4382C6B263C873B5A3564951D54542DEDC5B17D9BBBA5B234BFBF90EB8CF25F2
SHA-512:	2E68F626FFDADB6BB0CB5975057210A70823ECA16CB22EE6DD184FF782EC56D4EEBB5F96F6048215D3485425A36866A09124D61507EF8C6D49E18843944AFD50
Malicious:	false
Preview:	<?xml version='1.0'?>.. This is a sample XML document -->..<Plugin>...<height>500</height>...<width>700</width>...<runFilePath>run-omconvert.cmd</runFilePath>...<htmlFilePath>AX_OMConvert.html</htmlFilePath>...<savedValuesFilePath>saved.xml</savedValuesFilePath>...<iconName>64x64 converter.ico</iconName>...<description>OMConvert</description>...<fileName>OMConvert</fileName>...<readableName>OMConvert</readableName>...<outputExtensions>....<extension></extension>...</outputExtensions>...<numberOfInputFiles>1</numberOfInputFiles>...<wantMetadata>false</wantMetadata>...<requiresCWANames>true</requiresCWANames>..</Plugin>

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\bootstrap-responsive.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23220
Entropy (8bit):	5.0206455590077885
Encrypted:	false
SSDEEP:	384:yM1758/eDV9grZKb5u5Ru11zNFnyQCglOfWwRnE+A6V22zHtTjg:/8GDV9grZKbgUzWQCglOfWwRnE+/DzNA
MD5:	E46CE2784F902577C2E2858BAF1536F0
SHA1:	B87C9AF4988D92BCFBA4CE80F1BBF267774E115F
SHA-256:	489239002725E88D06FFFC788210A60C249D401F00C2BE2254F130F6251D2002
SHA-512:	B822F632A842A070A2A7FB1CFC7A184CAE6219676273CE63B57096FB0C0F39DA7735EE240BB5652F1AE14238D3494AC930395D936EF5BCB6F7552053D375CDE0
Malicious:	false
Preview:	/!.. Bootstrap Responsive v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.....clearfix {.. zoom: 1;..}.....clearfix:before,...clearfix:after {.. display: table;.. line-height: 0;.. content: "";..}.....clearfix:after {.. clear: both;..}.....hide-text {.. font: 0/0 a;.. color: transparent;.. text-shadow: none;.. background-color: transparent;.. border: 0;..}.....input-block-level {.. display: block;.. width: 100%;.. min-height: 30px;.. -webkit-box-sizing: border-box;.. -moz-box-sizing: border-box;.. box-sizing: border-box;..}....@-ms-viewport {.. width: device-width;..}.....hidden {.. display: none;.. visibility: hidden;..}.....visible-phone {.. display: none !important;..}.....visible-tablet {.. display: none !important;..}.....hidden-desktop {.. display: none !important;..}....

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\bootstrap-responsive.min.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (16608), with CRLF line terminators
Category:	dropped
Size (bytes):	16858
Entropy (8bit):	5.2955772749108
Encrypted:	false
SSDEEP:	384:dd7eicOM8quuhu93fUacuMZoUCfl4UX94Vp1XP:dPcVDmfUac1ZQt4UX96L
MD5:	B0C3EF20C73BC861FF157EAB023DD09C
SHA1:	FEE31889CF7E7B1531BF61D8109BE2A6007853D6
SHA-256:	754073D316DAB747E1634E26EE4FB71EBF38314C24701946812C0E7506242560
SHA-512:	CB61A0F24025F2C702E0A5EEC5BA6E94AE108A543C21C61445188C4741DB66A27D7195234D8ED992BCE7793C667F7E4041E2E102C87C55C2070BD608CF8ED2A7
Malicious:	false
Preview:	/!.. Bootstrap Responsive v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.clearfix{zoom:1}.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}.hide-text{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.input-block-level{display:block;width:100%;min-height:30px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}@-ms-viewport{width:device-width}.hidden{display:none;visibility:hidden}.visible-phone{display:none!important}.visible-tablet{display:none!important}.hidden-desktop{display:none!important}.visible-desktop{display:inherit!important}@media(min-width:768px) and (max-width:979px){.hidden-desktop{display:inherit!important}.visible-desktop{display:none!important}.visible-tablet{display:inherit!importa

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\bootstrap.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	133405
Entropy (8bit):	5.11593362125808
Encrypted:	false
SSDEEP:	768:3ofP4Kjze9ROUT1aEXxUKPrsPHOR1sqY+R9Ef:3ofAh9kKHXYORmJf
MD5:	580599C144EF378851955472462F8602
SHA1:	477A15BEDFC71B900F7B623725FC2693E6304AAB
SHA-256:	4DA0DD04B0D7747EB30270FE7758BAC2CBF8371ECA251257553E9B489FD229FD
SHA-512:	4C4D00E70A7C0C6999B237D5466F7EC099B4445BF1A4A9561374D192422C4F41E7C60374BFA0C6DC8D6AF0C8866AE131DD29B82480B60DA93F22108760B1339A
Malicious:	false
Preview:	/!.. Bootstrap v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.....clearfix {.. zoom: 1;..}.....clearfix:before,...clearfix:after {.. display: table;.. line-height: 0;.. content: "";..}.....clearfix:after {.. clear: both;..}.....hide-text {.. font: 0/0 a;.. color: transparent;.. text-shadow: none;.. background-color: transparent;.. border: 0;..}.....input-block-level {.. display: block;.. width: 100%;.. min-height: 30px;.. -webkit-box-sizing: border-box;.. -moz-box-sizing: border-box;.. box-sizing: border-box;..}....article,..aside,..details,..figcaption,..figure,..footer,..header,..hgroup,..nav,..section {.. display: block;..}....audio,..canvas,..video {.. display: inline-block;.. display: inline;.. zoom: 1;..}....audio:not([controls]) {.. display: none;..}....html {.. font-

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\bootstrap.min.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (65299), with CRLF line terminators
Category:	dropped
Size (bytes):	105948
Entropy (8bit):	5.180897685194033
Encrypted:	false
SSDEEP:	768:X71A8XpW5b26LVcUFPaDGObYDUXyyRsPJGaPV4LolQdUONA4QFOfUcnvGcJwjuGR:28AHR7aD4DJhzPB2UONAxtjuGR
MD5:	016623C5E5773122D7C2AC3B524DD17C
SHA1:	1ABEFD404CDD720B275CDAFB97D3EE1C87FD97EF
SHA-256:	3349EBED31517ADA35DA5294A520C4A25CB778F58785726E4B0177120FE25501
SHA-512:	C36645B0648A21D7B6F4ABD9C315B5B82EBD3D21B48E8B2184D8333C800F0D9F9256FFC0D862AE9FDC6E15A24B3247251FCA9830869A54865255F2BC6DCCAA61
Malicious:	false
Preview:	/!.. Bootstrap v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.clearfix{zoom:1}.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}.hide-text{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.input-block-level{display:block;width:100%;min-height:30px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}article,aside,details,figcaption,figure,footer,header,hgroup,nav,section{display:block}audio,canvas,video{display:inline-block;display:inline;zoom:1}audio:not([controls]){display:none}html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}a:hover,a:active{outline:0}sub,sup{position:relative

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\is-233P5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23220
Entropy (8bit):	5.0206455590077885
Encrypted:	false
SSDEEP:	384:yM1758/eDV9grZKb5u5Ru11zNFnyQCglOfWwRnE+A6V22zHtTjg:/8GDV9grZKbgUzWQCglOfWwRnE+/DzNA
MD5:	E46CE2784F902577C2E2858BAF1536F0
SHA1:	B87C9AF4988D92BCFBA4CE80F1BBF267774E115F
SHA-256:	489239002725E88D06FFFC788210A60C249D401F00C2BE2254F130F6251D2002
SHA-512:	B822F632A842A070A2A7FB1CFC7A184CAE6219676273CE63B57096FB0C0F39DA7735EE240BB5652F1AE14238D3494AC930395D936EF5BCB6F7552053D375CDE0
Malicious:	false
Preview:	/!.. Bootstrap Responsive v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.....clearfix {.. zoom: 1;..}.....clearfix:before,...clearfix:after {.. display: table;.. line-height: 0;.. content: "";..}.....clearfix:after {.. clear: both;..}.....hide-text {.. font: 0/0 a;.. color: transparent;.. text-shadow: none;.. background-color: transparent;.. border: 0;..}.....input-block-level {.. display: block;.. width: 100%;.. min-height: 30px;.. -webkit-box-sizing: border-box;.. -moz-box-sizing: border-box;.. box-sizing: border-box;..}....@-ms-viewport {.. width: device-width;..}.....hidden {.. display: none;.. visibility: hidden;..}.....visible-phone {.. display: none !important;..}.....visible-tablet {.. display: none !important;..}.....hidden-desktop {.. display: none !important;..}....

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\is-HVUGF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1840
Entropy (8bit):	5.102392171860436
Encrypted:	false
SSDEEP:	48:W/9d3J5Ozvk4eKhQGbADUnJ5UjsUMopRcZbBh:W/HD0HeK6GbAonTUwLosZ
MD5:	AB3E585DB835356D281F3D0F99543096
SHA1:	3C8A9D6A0848292AACBB37AD1D2E978CD95B8718
SHA-256:	9846020C95FE0913EAC566A7056C7AF5390D342D76EA7B4451989A39D9ACC9C4
SHA-512:	6E853AF69AD050F54DBEF55BBB94EDBB248FC580820EF86B1AF145FD103EF1531A3CEBA8A236E348F7E7F119E009AB091C0094A5818A761889A8318B60312F19
Malicious:	false
Preview:	....body {...width: 100%;...height: 100%;.../background-color: white;/...background-color: #888888;...margin: 0;...padding: 0;......}....div#header {...height: 106px;...background-color: white;...width: 100%;...margin: 0;...padding: 0;...background-image: url(../img/headerbackground.png);...background-repeat: repeat-x; ..}....div#header img {...position:relative;...top: 15px;...left:10px;...transition: left 1s;...-moz-transition: left 1s; /* Firefox 4 /...-webkit-transition: left 1s; / Safari and Chrome /...-o-transition: left 1s; / Opera /..}....div#header h1 {...margin: 0;..}..../..div#contentHolder {...position: relative;...width:100%;...height: 1000px;...padding-top: 7px;...background-color: #E3E3E3;...border-image: url(../img/innerglow.png) 210 / 210px stretch stretch;..}../....div#content {...position: relative;.../min-height: 750px;...max-height: 1200px;*/...width: 90%;...margin: 0px auto 0px auto;...-moz-border-radius: 8px;.. -webkit-border-radius: 8px;...border-ra

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\is-IB7QQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	5.17412998780235
Encrypted:	false
SSDEEP:	96:VlX/iDPh0QKHB4n0qYCKPumYlAnE8FZz6aAkGTh6HO99HOii3ia3NpiQD/w:raOBm0T72mYlAnrFApP6Hg9H3iSa9piD
MD5:	8694D89D8D9E003E08597E65E94A4D87
SHA1:	4699F6F73633A89CC279F3FEC2A7E112B73FC6E8
SHA-256:	9E15360AE6FA9224A20328F881A94CB45351CF10A1E04D038711E1CD8D9E617C
SHA-512:	5051CAFC944F6AF977CD0A89F7FBF298DD246CD6DE3C6C38B92FD60781178294ADB1196EA4686CBAADA81A0663B780B37D2BBD7613B8FE517BCB4ECCFCAFEA97
Malicious:	false
Preview:	..<style>..@font-face { .. .font-family: Bebas; .. .src: url("./svg/font_bebas.svg#BebasNeueRegular") format("svg");...}...h2 { font-family: "Bebas";}....body {...width: 100%;...background-color: white;...margin: 0;...padding: 0;..}....div#header {...height: 106px;...background-color: white;...width: 100%;...margin: 0;...padding: 0;...background-image: url('../images/headerbackground.png');...background-repeat: repeat-x; ..}....div#header img {...position:relative;...top: 34px;...left:10px;...transition: left 1s;...-moz-transition: left 1s; /* Firefox 4 /...-webkit-transition: left 1s; / Safari and Chrome /...-o-transition: left 1s; / Opera */..}....div#header h1 {...margin: 0;..}....div#contentHolder {...position: relative;...width:100%;...height: 390px;...padding-top: 20px;...background-color: rgb(227,227,227);...border-image: url('../images/innerglow.png') 211 / 220px stretch stretch;..}....div#content {...position: relative;...max-height: 428px;...width: 950px;...margin: 0px

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\is-R9IP2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (65299), with CRLF line terminators
Category:	dropped
Size (bytes):	105948
Entropy (8bit):	5.180897685194033
Encrypted:	false
SSDEEP:	768:X71A8XpW5b26LVcUFPaDGObYDUXyyRsPJGaPV4LolQdUONA4QFOfUcnvGcJwjuGR:28AHR7aD4DJhzPB2UONAxtjuGR
MD5:	016623C5E5773122D7C2AC3B524DD17C
SHA1:	1ABEFD404CDD720B275CDAFB97D3EE1C87FD97EF
SHA-256:	3349EBED31517ADA35DA5294A520C4A25CB778F58785726E4B0177120FE25501
SHA-512:	C36645B0648A21D7B6F4ABD9C315B5B82EBD3D21B48E8B2184D8333C800F0D9F9256FFC0D862AE9FDC6E15A24B3247251FCA9830869A54865255F2BC6DCCAA61
Malicious:	false
Preview:	/!.. Bootstrap v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.clearfix{zoom:1}.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}.hide-text{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.input-block-level{display:block;width:100%;min-height:30px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}article,aside,details,figcaption,figure,footer,header,hgroup,nav,section{display:block}audio,canvas,video{display:inline-block;display:inline;zoom:1}audio:not([controls]){display:none}html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}a:hover,a:active{outline:0}sub,sup{position:relative

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\is-VDCRK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	133405
Entropy (8bit):	5.11593362125808
Encrypted:	false
SSDEEP:	768:3ofP4Kjze9ROUT1aEXxUKPrsPHOR1sqY+R9Ef:3ofAh9kKHXYORmJf
MD5:	580599C144EF378851955472462F8602
SHA1:	477A15BEDFC71B900F7B623725FC2693E6304AAB
SHA-256:	4DA0DD04B0D7747EB30270FE7758BAC2CBF8371ECA251257553E9B489FD229FD
SHA-512:	4C4D00E70A7C0C6999B237D5466F7EC099B4445BF1A4A9561374D192422C4F41E7C60374BFA0C6DC8D6AF0C8866AE131DD29B82480B60DA93F22108760B1339A
Malicious:	false
Preview:	/!.. Bootstrap v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.....clearfix {.. zoom: 1;..}.....clearfix:before,...clearfix:after {.. display: table;.. line-height: 0;.. content: "";..}.....clearfix:after {.. clear: both;..}.....hide-text {.. font: 0/0 a;.. color: transparent;.. text-shadow: none;.. background-color: transparent;.. border: 0;..}.....input-block-level {.. display: block;.. width: 100%;.. min-height: 30px;.. -webkit-box-sizing: border-box;.. -moz-box-sizing: border-box;.. box-sizing: border-box;..}....article,..aside,..details,..figcaption,..figure,..footer,..header,..hgroup,..nav,..section {.. display: block;..}....audio,..canvas,..video {.. display: inline-block;.. display: inline;.. zoom: 1;..}....audio:not([controls]) {.. display: none;..}....html {.. font-

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\is-VHON6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (16608), with CRLF line terminators
Category:	dropped
Size (bytes):	16858
Entropy (8bit):	5.2955772749108
Encrypted:	false
SSDEEP:	384:dd7eicOM8quuhu93fUacuMZoUCfl4UX94Vp1XP:dPcVDmfUac1ZQt4UX96L
MD5:	B0C3EF20C73BC861FF157EAB023DD09C
SHA1:	FEE31889CF7E7B1531BF61D8109BE2A6007853D6
SHA-256:	754073D316DAB747E1634E26EE4FB71EBF38314C24701946812C0E7506242560
SHA-512:	CB61A0F24025F2C702E0A5EEC5BA6E94AE108A543C21C61445188C4741DB66A27D7195234D8ED992BCE7793C667F7E4041E2E102C87C55C2070BD608CF8ED2A7
Malicious:	false
Preview:	/!.. Bootstrap Responsive v2.3.1.. .. Copyright 2012 Twitter, Inc.. * Licensed under the Apache License v2.0.. * http://www.apache.org/licenses/LICENSE-2.0.. .. Designed and built with all the love in the world @twitter by @mdo and @fat... /.clearfix{zoom:1}.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}.hide-text{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.input-block-level{display:block;width:100%;min-height:30px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}@-ms-viewport{width:device-width}.hidden{display:none;visibility:hidden}.visible-phone{display:none!important}.visible-tablet{display:none!important}.hidden-desktop{display:none!important}.visible-desktop{display:inherit!important}@media(min-width:768px) and (max-width:979px){.hidden-desktop{display:inherit!important}.visible-desktop{display:none!important}.visible-tablet{display:inherit!importa

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\page.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1840
Entropy (8bit):	5.102392171860436
Encrypted:	false
SSDEEP:	48:W/9d3J5Ozvk4eKhQGbADUnJ5UjsUMopRcZbBh:W/HD0HeK6GbAonTUwLosZ
MD5:	AB3E585DB835356D281F3D0F99543096
SHA1:	3C8A9D6A0848292AACBB37AD1D2E978CD95B8718
SHA-256:	9846020C95FE0913EAC566A7056C7AF5390D342D76EA7B4451989A39D9ACC9C4
SHA-512:	6E853AF69AD050F54DBEF55BBB94EDBB248FC580820EF86B1AF145FD103EF1531A3CEBA8A236E348F7E7F119E009AB091C0094A5818A761889A8318B60312F19
Malicious:	false
Preview:	....body {...width: 100%;...height: 100%;.../background-color: white;/...background-color: #888888;...margin: 0;...padding: 0;......}....div#header {...height: 106px;...background-color: white;...width: 100%;...margin: 0;...padding: 0;...background-image: url(../img/headerbackground.png);...background-repeat: repeat-x; ..}....div#header img {...position:relative;...top: 15px;...left:10px;...transition: left 1s;...-moz-transition: left 1s; /* Firefox 4 /...-webkit-transition: left 1s; / Safari and Chrome /...-o-transition: left 1s; / Opera /..}....div#header h1 {...margin: 0;..}..../..div#contentHolder {...position: relative;...width:100%;...height: 1000px;...padding-top: 7px;...background-color: #E3E3E3;...border-image: url(../img/innerglow.png) 210 / 210px stretch stretch;..}../....div#content {...position: relative;.../min-height: 750px;...max-height: 1200px;*/...width: 90%;...margin: 0px auto 0px auto;...-moz-border-radius: 8px;.. -webkit-border-radius: 8px;...border-ra

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\css\viewer.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	5.17412998780235
Encrypted:	false
SSDEEP:	96:VlX/iDPh0QKHB4n0qYCKPumYlAnE8FZz6aAkGTh6HO99HOii3ia3NpiQD/w:raOBm0T72mYlAnrFApP6Hg9H3iSa9piD
MD5:	8694D89D8D9E003E08597E65E94A4D87
SHA1:	4699F6F73633A89CC279F3FEC2A7E112B73FC6E8
SHA-256:	9E15360AE6FA9224A20328F881A94CB45351CF10A1E04D038711E1CD8D9E617C
SHA-512:	5051CAFC944F6AF977CD0A89F7FBF298DD246CD6DE3C6C38B92FD60781178294ADB1196EA4686CBAADA81A0663B780B37D2BBD7613B8FE517BCB4ECCFCAFEA97
Malicious:	false
Preview:	..<style>..@font-face { .. .font-family: Bebas; .. .src: url("./svg/font_bebas.svg#BebasNeueRegular") format("svg");...}...h2 { font-family: "Bebas";}....body {...width: 100%;...background-color: white;...margin: 0;...padding: 0;..}....div#header {...height: 106px;...background-color: white;...width: 100%;...margin: 0;...padding: 0;...background-image: url('../images/headerbackground.png');...background-repeat: repeat-x; ..}....div#header img {...position:relative;...top: 34px;...left:10px;...transition: left 1s;...-moz-transition: left 1s; /* Firefox 4 /...-webkit-transition: left 1s; / Safari and Chrome /...-o-transition: left 1s; / Opera */..}....div#header h1 {...margin: 0;..}....div#contentHolder {...position: relative;...width:100%;...height: 390px;...padding-top: 20px;...background-color: rgb(227,227,227);...border-image: url('../images/innerglow.png') 211 / 220px stretch stretch;..}....div#content {...position: relative;...max-height: 428px;...width: 950px;...margin: 0px

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\background left.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 270 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	10675
Entropy (8bit):	7.855792547882974
Encrypted:	false
SSDEEP:	192:QSDS0tKg9E05TV3AhGhrR2ER422yJGMSfGsxKhe:3JXE05/2ER3tSfGEEe
MD5:	6622F06BA0239A047BA5F75DE1E40935
SHA1:	CBBD0EBE6B97427789888EC9826490687B6705B2
SHA-256:	2B16813F80DEF0F4569B88FDE041FA58BCE96C24221436E994EE265801BF225D
SHA-512:	D7693BFBE7A5311D375EC8D6920D411F5FC0FFE63E3FF33F50526F095C986B33AA494060D0661EBC359C408DDEBEABC5484E3EFF79DB944563A1D0FDE7B499F1
Malicious:	false
Preview:	.PNG........IHDR.............ZF......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\background middle.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 787 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4140
Entropy (8bit):	5.514702010098084
Encrypted:	false
SSDEEP:	96:NxQY9fW/9RIAAssrTAdZR2zqq11AAssKAxaWsYecssHGGmqq11AAsssHGmqqq11r:NxU/DIAAss+ZR2zqq11AAssKAxaW1ss6
MD5:	C2E958A624B5FABD241277E3E693F4A2
SHA1:	BC3C845E83FB79EC5331090E3E634CC69F3E2B6A
SHA-256:	81C38EBE8D0C41BDCEBD42CD7A09F8537C1B0BD8131019C7C885ABBE94AEAA39
SHA-512:	2FAAE2695C6DD4386C0BD690364B54BD2E9F464BAFDECF05FD69E693941CD25BBD25A044827154308A8E39080AA2712D2451B34C6077229718FAF90D729FE33D
Malicious:	false
Preview:	.PNG........IHDR..............z.2....tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:BCF20EC0435BE211BC1DEA2D3863842E" xmpMM:DocumentID="xmp.did:D6A421B3609B11E2AFD8AC757B891629" xmpMM:InstanceID="xmp.iid:D6A421B2609B11E2AFD8AC757B891629" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A74E67B6215FE211AC06F9441A82FEFD" stRef:documentID="xmp.did:BCF20EC0435BE211BC1DEA2D3863842E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..A....\IDATx....m.P.E...M..'t....=R.d.)....>..\|>.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\background right.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 309 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11142
Entropy (8bit):	7.861240065287498
Encrypted:	false
SSDEEP:	192:WSDS0tKg9E05TevtvtvcApAc/oOv7H14UyaNsbpubpApApz/MKopuTPf+lPBXqvS:5JXE05C11OkSvaNsbhpuTPfSPg11Z11I
MD5:	B71602511773A60551F70AA9BC6049DE
SHA1:	D3EFDB13568ACD0AF71743B9CA24F7B3E3D0ABD3
SHA-256:	A1E56FB8C8357790AD47FD5A88C61148CF5F90E8586917F22EC3745B5069B503
SHA-512:	B7A1433310BCEA55234A64D9F2BBA5612BB0CFF1832490A7BF7CB604747030A3759F92CC121A5BFD1CD1AAAFE324C9183890CC9CDE74F6B070F8628DE3A5FDEE
Malicious:	false
Preview:	.PNG........IHDR...5..........Ugd....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\buttondivider.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1 x 34, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2856
Entropy (8bit):	7.87078826366413
Encrypted:	false
SSDEEP:	48:O/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODdF:OSDZ/I09Da01l+gmkyTt6Hk8nTdF
MD5:	3D4F3A59BE46F9075AB045C3A3ED04CB
SHA1:	12531CA08CCE65ACCFE8463EC517D9B26EB95278
SHA-256:	AA5D027475B1F6EC88DFDCD84C57D19E20DD86CEEA61BF42D66B3E09D68638E9
SHA-512:	20FF97F577904E2246A78913DC40CAB1511F8C4D11A722EAF2FFFC065844FC92A2DDBCE69E67C736C73EF58DC9878B8919599EAD4EAFD73A0B050B854FB57F7A
Malicious:	false
Preview:	.PNG........IHDR......."......O$F....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\contentbackground.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1 x 390, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2924
Entropy (8bit):	7.875020015401922
Encrypted:	false
SSDEEP:	48:p/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODezW:pSDZ/I09Da01l+gmkyTt6Hk8nTGW
MD5:	32E42A30831D0CCB44FF3C23F84D69FA
SHA1:	D5B884320A01E5C51E190FDD6E6ED1C8DBEEA7CE
SHA-256:	22C91ADA2FCF30B9CB358FF18347B7EFD79A5BA3F2AE3C24FD6B0FE9BD851E69
SHA-512:	BAA928F9B5E51885332B4BAED3C4CB0E6596422736E10600B817ACE0B3C1C3FB39DC16E0EAE70DC95F4EE8134643F8126BD7B43E418C34B79E56C064B9BDCEDA
Malicious:	false
Preview:	.PNG........IHDR.............5.\|.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\contentbackground428.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 2 x 1000, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3297
Entropy (8bit):	7.890112387496165
Encrypted:	false
SSDEEP:	96:dSDZ/I09Da01l+gmkyTt6Hk8nTDBdUEF5vczDo:dSDS0tKg9E05T3UE50g
MD5:	A4AB2D64E4DC771743B6293E303A1B60
SHA1:	883845E2D570FAFFE095D27940F9C081213665D9
SHA-256:	75499938CFBE25364B01DBCF686371BB2EB0ABEFB4AAEA2BB9EB8357B9140FA0
SHA-512:	DDC4098359F452FFFEBCF793597E1BA31AC9254ECE2BFD898BFD35236F342677A8436669AEB9F2F02EB8CDACDD9946052EB47FCEC3C61C50FD506D51059CA9C7
Malicious:	false
Preview:	.PNG........IHDR............../]....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\contentshadow.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 871 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4635
Entropy (8bit):	7.912550011635644
Encrypted:	false
SSDEEP:	96:qSDZ/I09Da01l+gmkyTt6Hk8nTilrjaHqiwp/9p3x:qSDS0tKg9E05Ti9jRVn
MD5:	490AB873EE03CA84F9D3DAB627B687EE
SHA1:	72EE8D63AC23FF7E01CE0512A3A04682B7B70A7A
SHA-256:	52B69E251F97C56B71B337A20086E99BB9C2F6538FDF9E7E531F97D9ED273672
SHA-512:	1E05174427162C75DE38FD27E0E8698A426646B1452A596BE54C6D466EBA9CF0A50BC4F744F027192EBBBE1BDCDCEE52C55AB990F7D3D212869DF6FFE2289CD7
Malicious:	false
Preview:	.PNG........IHDR...g..........Xdj....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\glyphicons-halflings-white.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 469 x 159, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	8777
Entropy (8bit):	7.923998391913574
Encrypted:	false
SSDEEP:	192:41MFu/STZChMGLw/LtI30ukSCeQm9F+xZdqdfQpTTTIyQY7thi7uWB:iMdZ/GLILBmWEiTTTIyQY5hi71
MD5:	9BBC6E9602998A385C2EA13DF56470FD
SHA1:	A25C4705320FD63C33790E666872910E702B9BF6
SHA-256:	F0E0D95A9C8ABCDFABF46348E2D4285829BB0491F5F6AF0E05AF52BFFB6324C4
SHA-512:	47853ECE55B43CB9CC33C8BBFAABF407389565A0FC1FD042FAC502EA96784B4CFC985EA536622843EF7FAB76AD503157C927BB57332D970AF9B3F092E4C9D5D8
Malicious:	false
Preview:	.PNG........IHDR...............{....PLTE........................mmm.................................................................................................................................................................ttt.........................bbb..................................................................eeeggg.....................................xxx...........................................................................................................................................................................................................................................................................................UUU...............................................................................................rO.....tRNS........#.._../.........o.S..?.....C..kD....O.S._........6..>4!~a..@1.._'o..n.....M...3.BQj..p&%!.l.."Xqr;... A[.<`.am}4.3/0I...PCM!6(*gK&YQ.GDP,..`.{.VP.-..x.)h.7.e1]...W..$..1..b.zS.c.O..].....U.;Zi<N#..).86pV.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\glyphicons-halflings.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 469 x 159, 8-bit gray+alpha, non-interlaced
Category:	dropped
Size (bytes):	12799
Entropy (8bit):	7.954371008999522
Encrypted:	false
SSDEEP:	192:CDrgTE80fO3w9Gw/gMmhqb/KEliZ5pjSWw5JTfvJRbNn1tgbn+qFynb21kt1kIhL:CfAc9GugMIQRl65AJzp1aoFt1gk
MD5:	2516339970D710819585F90773AEBE0A
SHA1:	84F613631B07D4FE22ACBAB50E551C0FE04BD78B
SHA-256:	D99E3FA32C641032F08149914B28C2DC6ACF2EC62F70987F2259EABBFA7FC0DE
SHA-512:	E1BB0066E619679B880F43E85C3367C57CD13411AB012A67E429B21E7FF80A1A5B8F1EB5BFAC4CC272EB2BB606341182E91FF1CF7D59CF8BD811D98EAFD71D5C
Malicious:	false
Preview:	.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<..1.IDATx..}ml\E..W..^..D$\|n.w'..;v...8.m0..k<f.8....<.h3$.. ...b,mn.... ........0...L Y`6s'.>...Q.........S......n.S.V.;1K.G...s...>Uo...TU.1c..Yu...c..a&...#C,p.....>k.......U.LW..-s.n.3V.q..~N....o...c...I.~L.....{..-....H8%_..M..w.B..6EW..,.p.......Y...2+.(Y....@..&..A./.......3kX.h....-.a.....A....<>P...'\...J.;(.}.#..Qz......:4..%m?nf.ntK.....l.9J...+.D..I..Yu1Y...Z^..(.]YYE..f@......lX..z].U.t......u...&..5-P...W.}..@t.\|.#L..Y..=..s.......,w#.+.R.+.?..a.x...X.0.."..ea).t.G....wV..w..V^...rf%xB.(.q..4>....W.G.#...lW.U<......XJV...l.....R...$k.DVr.I....7:.X<.s>%X.1...N..Ez....w...;y..9.z.9.O.%.~..~..u....*.=.....I..x.c.y}....Y(...o....u..N$.^..j......e\..iX...]..;Y-.r........&..>.!..zl.Y.aVHVN..9=..]..=.......mR..M......d...OU.C..J.UiT.}r.W...W'....u..).......F"YU.#..P......&......R.O....wyz..m..$...O.....s? +^.FT.....I.E.q.%..&.....~..>.M...}]......w..A...?.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\gradientgraph.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 947 x 390, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	117264
Entropy (8bit):	7.985263256233834
Encrypted:	false
SSDEEP:	1536:YtYlb2phWm3koaEMEYkgaV1zqVj8djBOqPl8s8lW0Yo7M3R4ZQ7higKwTIKuz1Md:E3TTWfkgYhqV2sqt8nW0Yo7+RYgwywk
MD5:	07C120F2FD1D279B30068C00AE5DC4EE
SHA1:	FB8F3101EDB6D41B6BEAAFDA7B6FCE100CA3E2C9
SHA-256:	0D13B0049DB8639F203B8A5DA7E4E8BFFCDE518CA0E87C6435C4293177AB5867
SHA-512:	BA62884DF4959FFFD26179047A16A1229098B6F7C37A6D735AD7942116D9AC7562B593875AF84C5726BFF80E9D91758DA52AEC07ED16CF2A0BC25CE57CB0D41E
Malicious:	false
Preview:	.PNG........IHDR..............6.X....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\gradientgraphsmall.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 250 x 103, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10489
Entropy (8bit):	7.965741081358159
Encrypted:	false
SSDEEP:	192:ASDS0tKg9E05Tantmof5IQV5UQbl/Ewe8k4vtX93UpauhqTNf1rPJf:nJXE05SthXRdEwWEVhKDar5
MD5:	6223ACD59C394F90D91F29CE41D70D83
SHA1:	061609B97F9027A00D5607C71041F77F4B62D458
SHA-256:	9F4ABA4B940439681C0499349F3BE94642C858FA548E152EBA13A107F8FDA772
SHA-512:	7BB4039670205454920DC3B2904F63A10E1A73FC8C0F02F4013619883A56A662E30F9232C7AB2B6891628F48BAED2DA7497B11C9FDEBD55DCE6381CB44D7EEB5
Malicious:	false
Preview:	.PNG........IHDR.......g.....)._.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\gridcontent.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 947 x 372, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	22359
Entropy (8bit):	7.7127315592693435
Encrypted:	false
SSDEEP:	384:QJXE05wJf+JX2w/e6iAWO9cDrMac3OkjlCqoPusVN3hIITl3rM3idF539dpXCxRT:M354o2w/e6iAfe/Ds7oPusL3hrTl3XZg
MD5:	931C86E8F1199B0F9E0F260E8D92E1F2
SHA1:	9A3DE2269005DCBFE6D420F522D2D72485B1D78B
SHA-256:	F79B831CBE2D4F37D5C6839513C9F8DA481CE6D463AFEECD77D72E36ECF85477
SHA-512:	47DF3058C52FFDE61B6B0C6AC721B0AD29A84805B6693DFC311DD1241AB43B6943B4BBA6D42D7554278582405A2AC55482FC4A69D01C87C31932354CC3702C59
Malicious:	false
Preview:	.PNG........IHDR.......t......lnJ....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\headerbackground.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1 x 106, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2852
Entropy (8bit):	7.867842123870298
Encrypted:	false
SSDEEP:	48:J/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODK0:JSDZ/I09Da01l+gmkyTt6Hk8nTX
MD5:	AD8AB8C5E19A7B24E060E9C6B4A8C13D
SHA1:	3553B00745DB1BC65E8AD0A224BBC49ECCEECA6F
SHA-256:	117BD3E359D760CB12B5B3F6865FA125A801269523A851542989D91413DC7A3E
SHA-512:	1CD55120C2761ECF272466B6A2E4A9568A891D209ECDF5FA5EEA5307D4DB7105898F31C2C680C621657DF7CDB2F38D606CA13684184B3A301F2166329401878D
Malicious:	false
Preview:	.PNG........IHDR.......j......D.G....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\innerglow.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1366 x 1100, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	29493
Entropy (8bit):	7.392034002277657
Encrypted:	false
SSDEEP:	768:s35g9ZhweCCYKdYk1oMnG9GZNYlKU/KNs:dZFdYKYEoMnG9GZl0Ki
MD5:	12CAD92A07320280831AC634DEAE61FE
SHA1:	D0F827A47195F5D252F865B1E1E5A75367537027
SHA-256:	0D1C39FD6E82E138B9EEE5B7650A552C9ACBA2F39A6F17F987441CD7AF853E02
SHA-512:	29DFE8D6D9508E7E9698FAD768208526C1BDB2E5A1C0197D3989FA63BD7F44FB6071C7486CEED15FF87B86E0532643CE08A29B365EECB9FBA30033ED7EBBC5CF
Malicious:	false
Preview:	.PNG........IHDR...V...L......a_.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-0CJ1G.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1 x 390, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2924
Entropy (8bit):	7.875020015401922
Encrypted:	false
SSDEEP:	48:p/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODezW:pSDZ/I09Da01l+gmkyTt6Hk8nTGW
MD5:	32E42A30831D0CCB44FF3C23F84D69FA
SHA1:	D5B884320A01E5C51E190FDD6E6ED1C8DBEEA7CE
SHA-256:	22C91ADA2FCF30B9CB358FF18347B7EFD79A5BA3F2AE3C24FD6B0FE9BD851E69
SHA-512:	BAA928F9B5E51885332B4BAED3C4CB0E6596422736E10600B817ACE0B3C1C3FB39DC16E0EAE70DC95F4EE8134643F8126BD7B43E418C34B79E56C064B9BDCEDA
Malicious:	false
Preview:	.PNG........IHDR.............5.\|.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-0DV0E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1 x 106, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2852
Entropy (8bit):	7.867842123870298
Encrypted:	false
SSDEEP:	48:J/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODK0:JSDZ/I09Da01l+gmkyTt6Hk8nTX
MD5:	AD8AB8C5E19A7B24E060E9C6B4A8C13D
SHA1:	3553B00745DB1BC65E8AD0A224BBC49ECCEECA6F
SHA-256:	117BD3E359D760CB12B5B3F6865FA125A801269523A851542989D91413DC7A3E
SHA-512:	1CD55120C2761ECF272466B6A2E4A9568A891D209ECDF5FA5EEA5307D4DB7105898F31C2C680C621657DF7CDB2F38D606CA13684184B3A301F2166329401878D
Malicious:	false
Preview:	.PNG........IHDR.......j......D.G....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-26BKE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 2 x 1000, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3297
Entropy (8bit):	7.890112387496165
Encrypted:	false
SSDEEP:	96:dSDZ/I09Da01l+gmkyTt6Hk8nTDBdUEF5vczDo:dSDS0tKg9E05T3UE50g
MD5:	A4AB2D64E4DC771743B6293E303A1B60
SHA1:	883845E2D570FAFFE095D27940F9C081213665D9
SHA-256:	75499938CFBE25364B01DBCF686371BB2EB0ABEFB4AAEA2BB9EB8357B9140FA0
SHA-512:	DDC4098359F452FFFEBCF793597E1BA31AC9254ECE2BFD898BFD35236F342677A8436669AEB9F2F02EB8CDACDD9946052EB47FCEC3C61C50FD506D51059CA9C7
Malicious:	false
Preview:	.PNG........IHDR............../]....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-48V0M.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 510 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	421
Entropy (8bit):	5.424079850413463
Encrypted:	false
SSDEEP:	12:6v/7K2x/o/Gv6EKye3Kye3Kye3Kye3Kye3Kye3Kye3Kyo2c:wO5EKy+Ky+Ky+Ky+Ky+Ky+Ky+Kyhc
MD5:	5B3377A8D99FA9152876FD03173135C1
SHA1:	EC4FD8EA4C4D0A2E2BE1D7A321651C20C707FC90
SHA-256:	CD0D90488118A8F73E8CAF4BB031CFFD3DF09FC8A5F00A5B42747C7F438E1B01
SHA-512:	A6061C2A861E5E667C26A0B9427401A666050464CC416497EA0926892693FBA0B5B1EAC8AF7169E53C6B6E3A48A4794906B6994C31C51F6ADBB09909EA4D2426
Malicious:	false
Preview:	.PNG........IHDR.......@.............sRGB.........gAMA......a.....pHYs...t...t..f.x....tEXtSoftware.Paint.NET v3.5.11G.B7....IDATx^..1..@....o.b`.L(hxw....L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3...{......i.....IEND.B`.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-7NUFU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 309 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11142
Entropy (8bit):	7.861240065287498
Encrypted:	false
SSDEEP:	192:WSDS0tKg9E05TevtvtvcApAc/oOv7H14UyaNsbpubpApApz/MKopuTPf+lPBXqvS:5JXE05C11OkSvaNsbhpuTPfSPg11Z11I
MD5:	B71602511773A60551F70AA9BC6049DE
SHA1:	D3EFDB13568ACD0AF71743B9CA24F7B3E3D0ABD3
SHA-256:	A1E56FB8C8357790AD47FD5A88C61148CF5F90E8586917F22EC3745B5069B503
SHA-512:	B7A1433310BCEA55234A64D9F2BBA5612BB0CFF1832490A7BF7CB604747030A3759F92CC121A5BFD1CD1AAAFE324C9183890CC9CDE74F6B070F8628DE3A5FDEE
Malicious:	false
Preview:	.PNG........IHDR...5..........Ugd....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-B562V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 469 x 159, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	8777
Entropy (8bit):	7.923998391913574
Encrypted:	false
SSDEEP:	192:41MFu/STZChMGLw/LtI30ukSCeQm9F+xZdqdfQpTTTIyQY7thi7uWB:iMdZ/GLILBmWEiTTTIyQY5hi71
MD5:	9BBC6E9602998A385C2EA13DF56470FD
SHA1:	A25C4705320FD63C33790E666872910E702B9BF6
SHA-256:	F0E0D95A9C8ABCDFABF46348E2D4285829BB0491F5F6AF0E05AF52BFFB6324C4
SHA-512:	47853ECE55B43CB9CC33C8BBFAABF407389565A0FC1FD042FAC502EA96784B4CFC985EA536622843EF7FAB76AD503157C927BB57332D970AF9B3F092E4C9D5D8
Malicious:	false
Preview:	.PNG........IHDR...............{....PLTE........................mmm.................................................................................................................................................................ttt.........................bbb..................................................................eeeggg.....................................xxx...........................................................................................................................................................................................................................................................................................UUU...............................................................................................rO.....tRNS........#.._../.........o.S..?.....C..kD....O.S._........6..>4!~a..@1.._'o..n.....M...3.BQj..p&%!.l.."Xqr;... A[.<`.am}4.3/0I...PCM!6(*gK&YQ.GDP,..`.{.VP.-..x.)h.7.e1]...W..$..1..b.zS.c.O..].....U.;Zi<N#..).86pV.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-G888U.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 947 x 372, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	22359
Entropy (8bit):	7.7127315592693435
Encrypted:	false
SSDEEP:	384:QJXE05wJf+JX2w/e6iAWO9cDrMac3OkjlCqoPusVN3hIITl3rM3idF539dpXCxRT:M354o2w/e6iAfe/Ds7oPusL3hrTl3XZg
MD5:	931C86E8F1199B0F9E0F260E8D92E1F2
SHA1:	9A3DE2269005DCBFE6D420F522D2D72485B1D78B
SHA-256:	F79B831CBE2D4F37D5C6839513C9F8DA481CE6D463AFEECD77D72E36ECF85477
SHA-512:	47DF3058C52FFDE61B6B0C6AC721B0AD29A84805B6693DFC311DD1241AB43B6943B4BBA6D42D7554278582405A2AC55482FC4A69D01C87C31932354CC3702C59
Malicious:	false
Preview:	.PNG........IHDR.......t......lnJ....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-HTD7T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1366 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22421
Entropy (8bit):	7.382781405693069
Encrypted:	false
SSDEEP:	384:cJXE050vbwtRSQniH2Zn+4GjL1rGMNKc0BCEgsFzA0u:I35LCQznsjRrGMN90QEZZA0u
MD5:	CD3956C0B11967DE8DA88DA7C40ABD8F
SHA1:	28B3280D98E0FAEFBEEB824F66245D53F688367D
SHA-256:	4940060CEA6C1D1CF2B4E4F6E66DB8E30CA6452452F918B311E43915D55AA3DF
SHA-512:	D995A7ECFA327A108DDB303864E359364B7A3FFBD10BED96DC6F2113CA850C404F54968E3B416998A26F53097D4C9DBF7B19CA90586A6C43ED533328B9AF118A
Malicious:	false
Preview:	.PNG........IHDR...V.........@\......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-I15N5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1 x 34, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2856
Entropy (8bit):	7.87078826366413
Encrypted:	false
SSDEEP:	48:O/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODdF:OSDZ/I09Da01l+gmkyTt6Hk8nTdF
MD5:	3D4F3A59BE46F9075AB045C3A3ED04CB
SHA1:	12531CA08CCE65ACCFE8463EC517D9B26EB95278
SHA-256:	AA5D027475B1F6EC88DFDCD84C57D19E20DD86CEEA61BF42D66B3E09D68638E9
SHA-512:	20FF97F577904E2246A78913DC40CAB1511F8C4D11A722EAF2FFFC065844FC92A2DDBCE69E67C736C73EF58DC9878B8919599EAD4EAFD73A0B050B854FB57F7A
Malicious:	false
Preview:	.PNG........IHDR......."......O$F....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-IR97F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 469 x 159, 8-bit gray+alpha, non-interlaced
Category:	dropped
Size (bytes):	12799
Entropy (8bit):	7.954371008999522
Encrypted:	false
SSDEEP:	192:CDrgTE80fO3w9Gw/gMmhqb/KEliZ5pjSWw5JTfvJRbNn1tgbn+qFynb21kt1kIhL:CfAc9GugMIQRl65AJzp1aoFt1gk
MD5:	2516339970D710819585F90773AEBE0A
SHA1:	84F613631B07D4FE22ACBAB50E551C0FE04BD78B
SHA-256:	D99E3FA32C641032F08149914B28C2DC6ACF2EC62F70987F2259EABBFA7FC0DE
SHA-512:	E1BB0066E619679B880F43E85C3367C57CD13411AB012A67E429B21E7FF80A1A5B8F1EB5BFAC4CC272EB2BB606341182E91FF1CF7D59CF8BD811D98EAFD71D5C
Malicious:	false
Preview:	.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<..1.IDATx..}ml\E..W..^..D$\|n.w'..;v...8.m0..k<f.8....<.h3$.. ...b,mn.... ........0...L Y`6s'.>...Q.........S......n.S.V.;1K.G...s...>Uo...TU.1c..Yu...c..a&...#C,p.....>k.......U.LW..-s.n.3V.q..~N....o...c...I.~L.....{..-....H8%_..M..w.B..6EW..,.p.......Y...2+.(Y....@..&..A./.......3kX.h....-.a.....A....<>P...'\...J.;(.}.#..Qz......:4..%m?nf.ntK.....l.9J...+.D..I..Yu1Y...Z^..(.]YYE..f@......lX..z].U.t......u...&..5-P...W.}..@t.\|.#L..Y..=..s.......,w#.+.R.+.?..a.x...X.0.."..ea).t.G....wV..w..V^...rf%xB.(.q..4>....W.G.#...lW.U<......XJV...l.....R...$k.DVr.I....7:.X<.s>%X.1...N..Ez....w...;y..9.z.9.O.%.~..~..u....*.=.....I..x.c.y}....Y(...o....u..N$.^..j......e\..iX...]..;Y-.r........&..>.!..zl.Y.aVHVN..9=..]..=.......mR..M......d...OU.C..J.UiT.}r.W...W'....u..).......F"YU.#..P......&......R.O....wyz..m..$...O.....s? +^.FT.....I.E.q.%..&.....~..>.M...}]......w..A...?.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-K93D3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1366 x 1100, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	29493
Entropy (8bit):	7.392034002277657
Encrypted:	false
SSDEEP:	768:s35g9ZhweCCYKdYk1oMnG9GZNYlKU/KNs:dZFdYKYEoMnG9GZl0Ki
MD5:	12CAD92A07320280831AC634DEAE61FE
SHA1:	D0F827A47195F5D252F865B1E1E5A75367537027
SHA-256:	0D1C39FD6E82E138B9EEE5B7650A552C9ACBA2F39A6F17F987441CD7AF853E02
SHA-512:	29DFE8D6D9508E7E9698FAD768208526C1BDB2E5A1C0197D3989FA63BD7F44FB6071C7486CEED15FF87B86E0532643CE08A29B365EECB9FBA30033ED7EBBC5CF
Malicious:	false
Preview:	.PNG........IHDR...V...L......a_.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-KO61U.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 787 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4140
Entropy (8bit):	5.514702010098084
Encrypted:	false
SSDEEP:	96:NxQY9fW/9RIAAssrTAdZR2zqq11AAssKAxaWsYecssHGGmqq11AAsssHGmqqq11r:NxU/DIAAss+ZR2zqq11AAssKAxaW1ss6
MD5:	C2E958A624B5FABD241277E3E693F4A2
SHA1:	BC3C845E83FB79EC5331090E3E634CC69F3E2B6A
SHA-256:	81C38EBE8D0C41BDCEBD42CD7A09F8537C1B0BD8131019C7C885ABBE94AEAA39
SHA-512:	2FAAE2695C6DD4386C0BD690364B54BD2E9F464BAFDECF05FD69E693941CD25BBD25A044827154308A8E39080AA2712D2451B34C6077229718FAF90D729FE33D
Malicious:	false
Preview:	.PNG........IHDR..............z.2....tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:BCF20EC0435BE211BC1DEA2D3863842E" xmpMM:DocumentID="xmp.did:D6A421B3609B11E2AFD8AC757B891629" xmpMM:InstanceID="xmp.iid:D6A421B2609B11E2AFD8AC757B891629" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A74E67B6215FE211AC06F9441A82FEFD" stRef:documentID="xmp.did:BCF20EC0435BE211BC1DEA2D3863842E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..A....\IDATx....m.P.E...M..'t....=R.d.)....>..\|>.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-M0097.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 947 x 390, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	117264
Entropy (8bit):	7.985263256233834
Encrypted:	false
SSDEEP:	1536:YtYlb2phWm3koaEMEYkgaV1zqVj8djBOqPl8s8lW0Yo7M3R4ZQ7higKwTIKuz1Md:E3TTWfkgYhqV2sqt8nW0Yo7+RYgwywk
MD5:	07C120F2FD1D279B30068C00AE5DC4EE
SHA1:	FB8F3101EDB6D41B6BEAAFDA7B6FCE100CA3E2C9
SHA-256:	0D13B0049DB8639F203B8A5DA7E4E8BFFCDE518CA0E87C6435C4293177AB5867
SHA-512:	BA62884DF4959FFFD26179047A16A1229098B6F7C37A6D735AD7942116D9AC7562B593875AF84C5726BFF80E9D91758DA52AEC07ED16CF2A0BC25CE57CB0D41E
Malicious:	false
Preview:	.PNG........IHDR..............6.X....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-MA7OQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 270 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	10675
Entropy (8bit):	7.855792547882974
Encrypted:	false
SSDEEP:	192:QSDS0tKg9E05TV3AhGhrR2ER422yJGMSfGsxKhe:3JXE05/2ER3tSfGEEe
MD5:	6622F06BA0239A047BA5F75DE1E40935
SHA1:	CBBD0EBE6B97427789888EC9826490687B6705B2
SHA-256:	2B16813F80DEF0F4569B88FDE041FA58BCE96C24221436E994EE265801BF225D
SHA-512:	D7693BFBE7A5311D375EC8D6920D411F5FC0FFE63E3FF33F50526F095C986B33AA494060D0661EBC359C408DDEBEABC5484E3EFF79DB944563A1D0FDE7B499F1
Malicious:	false
Preview:	.PNG........IHDR.............ZF......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-MHSFA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 871 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4635
Entropy (8bit):	7.912550011635644
Encrypted:	false
SSDEEP:	96:qSDZ/I09Da01l+gmkyTt6Hk8nTilrjaHqiwp/9p3x:qSDS0tKg9E05Ti9jRVn
MD5:	490AB873EE03CA84F9D3DAB627B687EE
SHA1:	72EE8D63AC23FF7E01CE0512A3A04682B7B70A7A
SHA-256:	52B69E251F97C56B71B337A20086E99BB9C2F6538FDF9E7E531F97D9ED273672
SHA-512:	1E05174427162C75DE38FD27E0E8698A426646B1452A596BE54C6D466EBA9CF0A50BC4F744F027192EBBBE1BDCDCEE52C55AB990F7D3D212869DF6FFE2289CD7
Malicious:	false
Preview:	.PNG........IHDR...g..........Xdj....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\is-RQ0AA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 250 x 103, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10489
Entropy (8bit):	7.965741081358159
Encrypted:	false
SSDEEP:	192:ASDS0tKg9E05Tantmof5IQV5UQbl/Ewe8k4vtX93UpauhqTNf1rPJf:nJXE05SthXRdEwWEVhKDar5
MD5:	6223ACD59C394F90D91F29CE41D70D83
SHA1:	061609B97F9027A00D5607C71041F77F4B62D458
SHA-256:	9F4ABA4B940439681C0499349F3BE94642C858FA548E152EBA13A107F8FDA772
SHA-512:	7BB4039670205454920DC3B2904F63A10E1A73FC8C0F02F4013619883A56A662E30F9232C7AB2B6891628F48BAED2DA7497B11C9FDEBD55DCE6381CB44D7EEB5
Malicious:	false
Preview:	.PNG........IHDR.......g.....)._.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\logoOMConvert.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 510 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	421
Entropy (8bit):	5.424079850413463
Encrypted:	false
SSDEEP:	12:6v/7K2x/o/Gv6EKye3Kye3Kye3Kye3Kye3Kye3Kye3Kyo2c:wO5EKy+Ky+Ky+Ky+Ky+Ky+Ky+Kyhc
MD5:	5B3377A8D99FA9152876FD03173135C1
SHA1:	EC4FD8EA4C4D0A2E2BE1D7A321651C20C707FC90
SHA-256:	CD0D90488118A8F73E8CAF4BB031CFFD3DF09FC8A5F00A5B42747C7F438E1B01
SHA-512:	A6061C2A861E5E667C26A0B9427401A666050464CC416497EA0926892693FBA0B5B1EAC8AF7169E53C6B6E3A48A4794906B6994C31C51F6ADBB09909EA4D2426
Malicious:	false
Preview:	.PNG........IHDR.......@.............sRGB.........gAMA......a.....pHYs...t...t..f.x....tEXtSoftware.Paint.NET v3.5.11G.B7....IDATx^..1..@....o.b`.L(hxw....L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3.....@.L..i&..4..h...4....f..M3...{......i.....IEND.B`.

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\img\whole-background.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PNG image data, 1366 x 768, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22421
Entropy (8bit):	7.382781405693069
Encrypted:	false
SSDEEP:	384:cJXE050vbwtRSQniH2Zn+4GjL1rGMNKc0BCEgsFzA0u:I35LCQznsjRrGMN90QEZZA0u
MD5:	CD3956C0B11967DE8DA88DA7C40ABD8F
SHA1:	28B3280D98E0FAEFBEEB824F66245D53F688367D
SHA-256:	4940060CEA6C1D1CF2B4E4F6E66DB8E30CA6452452F918B311E43915D55AA3DF
SHA-512:	D995A7ECFA327A108DDB303864E359364B7A3FFBD10BED96DC6F2113CA850C404F54968E3B416998A26F53097D4C9DBF7B19CA90586A6C43ED533328B9AF118A
Malicious:	false
Preview:	.PNG........IHDR...V.........@\......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\is-1I6M7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6712
Entropy (8bit):	5.165428689402844
Encrypted:	false
SSDEEP:	192:BVsDIzEaAbe4Ec4hTzI/biCuRiCbazmQH74axuqbMp:kDq4Ec4hTzI/biCiiCGzmQH74axuj
MD5:	4479F570ECD29B6C975D5A403379F747
SHA1:	9A69865844209FB972A56C15E15851873B35A838
SHA-256:	09EB74ACFCE780F4B726CCE8827544DA75C43ABC54D12CC32F95E14B904A63CB
SHA-512:	DF5D09E68B77E4E4C6FC3604A40F8B9BFE65CD7921FFAD31C8321846DBFBD237D161D4D0EC17AE461258083D4D746A38F580B620AD9D27301D2BBCA2F3DA7927
Malicious:	false
Preview:	<!DOCTYPE html> ..<html>..<meta http-equiv="X-UA-Compatible" content="IE=Edge" />..<meta charset="utf-8">...<title>AX OmConvert Converter</title>...<link href="./css/bootstrap-responsive.css" rel="stylesheet">...<link href="./css/bootstrap.css" rel="stylesheet">...<link href="./css/page.css" rel="stylesheet">...<script type="text/javascript" src="./js/jquery.min.js"></script>...<script type="text/javascript" src="./js/bootstrap.min.js"></script>.....<script language="javascript">..function positionLogo() {...document.getElementById('logo').style.left = document.getElementById('content').offsetLeft + 'px';..}....</script>.... Leave this script as it is otherwise the program won't pick it up and it won't run. -->..<script language="javascript" type="text/javascript">.. //var $ = function (e) { return document.getElementById(e); }......var blockStart = -1;...var blockCount = -1;......var rawInput1;...var rawInput2;......function fillValues()...{....var url = document.URL;........va

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\is-63P50.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	GIF image data, version 89a, 128 x 128
Category:	dropped
Size (bytes):	1010
Entropy (8bit):	2.29292695215194
Encrypted:	false
SSDEEP:	6:GH2laYz39WzJzdoaFUix1qyP5WKISI+pEwY+/dUpyP8ace:GHCx3mJp3F5x1qc7eva/6pyP8av
MD5:	EF53B728B8C0C9E76885A88C29577F1F
SHA1:	486CEB0CC0653C13B2D4582EC326342DF7E58EB5
SHA-256:	BFF343B1A887C6C81A6945C87AC56A5D51106ED6041A5AF5F79F8E02246A460C
SHA-512:	59B7CB51D03BE5FA06BBDBFC15A9B3AB12B50ADA520A45CACD8C7B4A480E1D6F25980D744568CDD85B899D65C4D0D8172E9D6C745E605A1FD49719C2157343BA
Malicious:	false
Preview:	GIF89a.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!.......,...............H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.]...P.J.J...X.j....`..K...h.]...p..K...x..........L.....+^....#K.L....3!k.....C..M....S.^....

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\is-83JS7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	213504
Entropy (8bit):	6.709248017183754
Encrypted:	false
SSDEEP:	6144:ZxGwK8gQiqm4NvHRZVJOqQ1EFO1VxkJlof0jFjzyYdsmSLfTN/oOuusrn4HJ:ZxGwK8gQiqm4NvHRZVJOqQ1EFO1VxkJ8
MD5:	D05718285DF704EED58EF4B1FE6761A0
SHA1:	4FA2A4F16B998C0F553EE6B57A780E39323E6A85
SHA-256:	E5FA5DE8F79FA702C8D2B1164D2E319CB6F597AD700EA9FF04D2273311505943
SHA-512:	C6F3F2C36FCBE0AA43124716D49D119399E8D1B0D6F61F2DE3A23B8775EE45E7DC5F304B90A0AAE51883E7F7928DB4A04ECCBCEF60EB46CC5B74DD3BD3229BF0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]q>*..Py..Py..Py...y..Py...y..Py...y..Py...y..Py.vSx..Py.vUx:.Py.vTx..Py.h.y..Py..Qyz.Py%wXx..Py%w.y..Py%wRx..PyRich..Py........................PE..L......[.................l..........A.............@.......................................@.....................................(....`.......................p..........p...............................@...............4............................text....k.......l.................. ..`.rdata...............p..............@..@.data........0......................@..._RDATA.......P......................@..@.rsrc........`.......$..............@..@.reloc.......p.......&..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\is-HJCGQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	MS Windows icon resource - 1 icon, 64x64, 24 bits/pixel
Category:	dropped
Size (bytes):	12862
Entropy (8bit):	0.2567213546428736
Encrypted:	false
SSDEEP:	3:vZll/ltl/c/lpRD:ojD
MD5:	1356714D30EB63F260CEFB0936C6E55E
SHA1:	79C25404E942D1646AAF2705DCE34D12AF9E5790
SHA-256:	E99E3672F8699E1E5251EF154B4272AAD404B5190570934E21191C128CD6F586
SHA-512:	326472320D36763A0C0E069F3CA1A63FF993E5795684233771D12A2834749FBDAE0AED77C0C30DE4B73A40FC1D6ABF54C59D6190940EAD2CDCBE8158F0C8CBCF
Malicious:	false
Preview:	......@@......(2......(...@................0............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\is-HSQ9G.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	629
Entropy (8bit):	5.100605671646762
Encrypted:	false
SSDEEP:	12:TM3TSmrk4+mG/17LkzYP5r9AfLxvBGGtD/NKWHvD/ifFuIEZe1Q9+Q92S:qTARr9AvNPTKBEQ1FxS
MD5:	BCD9CF8B8A41D6DB97A9CE6584602C09
SHA1:	8A0BBF3A5D1DECA2C64C7669B5CAF05161D437D2
SHA-256:	4382C6B263C873B5A3564951D54542DEDC5B17D9BBBA5B234BFBF90EB8CF25F2
SHA-512:	2E68F626FFDADB6BB0CB5975057210A70823ECA16CB22EE6DD184FF782EC56D4EEBB5F96F6048215D3485425A36866A09124D61507EF8C6D49E18843944AFD50
Malicious:	false
Preview:	<?xml version='1.0'?>.. This is a sample XML document -->..<Plugin>...<height>500</height>...<width>700</width>...<runFilePath>run-omconvert.cmd</runFilePath>...<htmlFilePath>AX_OMConvert.html</htmlFilePath>...<savedValuesFilePath>saved.xml</savedValuesFilePath>...<iconName>64x64 converter.ico</iconName>...<description>OMConvert</description>...<fileName>OMConvert</fileName>...<readableName>OMConvert</readableName>...<outputExtensions>....<extension></extension>...</outputExtensions>...<numberOfInputFiles>1</numberOfInputFiles>...<wantMetadata>false</wantMetadata>...<requiresCWANames>true</requiresCWANames>..</Plugin>

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\is-ROHL0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1400
Entropy (8bit):	5.326275339578517
Encrypted:	false
SSDEEP:	24:LLiOeidBLv0ZdCla1ONH2KNC2Ip1vv4lbS9q4HvUHH83HSaSlHlRB4L43bdD43aA:fiOeidB3y1wm88iaSvnJbMaA
MD5:	8F25B67F5F848AD2BF34B0E8465A683C
SHA1:	58B67E0D5A0A371B111D03FC45BD8D891CBF5878
SHA-256:	E60CACD6F47040008D07AA8BAF516D116420149E373FE8F23C9AFF4F157C903F
SHA-512:	EA48B245C95D3482EB97CC82AF6750D890CB46CBC2800EFB82EE289148175315FFFC75F200CC98C79B876AE2C14CE36E063B0CD05E77F799DD518A478A6E04B2
Malicious:	false
Preview:	@echo off..cd /d %~dp0....::: Check arguments..if "%~1"=="" goto ERROR_NO_SOURCE..rem if not "%~2"=="" goto ERROR_TOO_MANY_ARGS..if not exist "%~1" goto ERROR_SOURCE_NOT_FOUND..set INPUT=%~f1..set OUTPUT=%~dpn1....::: Choose a temporary output folder..set TEMPDIR=%TEMP%\CBR-%RANDOM%..mkdir "%TEMPDIR%"....::: Run the script..echo OMCONVERT: INPUT: %INPUT%..rem echo INPUT: %INPUT% 1>&2..echo OMCONVERT: OUTPUT: %OUTPUT%..rem echo OUTPUT: %OUTPUT% 1>&2..echo OMCONVERT: TEMPORARY: %TEMPDIR%..rem echo TEMPORARY: %TEMPDIR% 1>&2..echo OMCONVERT: Running: omconvert.exe "%INPUT%" "%TEMPDIR%"..if not exist omconvert.exe echo OMCONVERT: Executable not found.....if exist omconvert.exe omconvert.exe "%INPUT%" -out "%TEMPDIR%\file.wav" -svm-file "%TEMPDIR%\file.svm.csv" -wtv-file "%TEMPDIR%\file.wtv.csv" -paee-file "%TEMPDIR%\file.paee.csv"....::: Move files from the temporary folder..move "%TEMPDIR%\file.wav" "%OUTPUT%.wav" >nul..move "%TEMPDIR%\file.svm.csv" "%OUTPUT%.svm.csv" >nul..move "%TE

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\js\bootstrap.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	64027
Entropy (8bit):	4.836305483874431
Encrypted:	false
SSDEEP:	1536:Y0/ZYwdtLLrK7tXuLJAlC0NEojHweGy8VEfrUiOl3ST0uMU:xZ79L2kJmzNvjHwlR+UT3STD7
MD5:	4D269F4999A9D6766EBA116A79B22F6C
SHA1:	982A75004C32B52BFADB0D296867780DBA232543
SHA-256:	CA0B58099DB982806828D46FAAAE6B53FF51BD5207912379BE0B20FF96ED6ADA
SHA-512:	198D5C7E6D0E274002B25B9F905E52AFFB09E1EDC76480D03D78FD35824C0A62B0F36EC2144A62ECEA8A4B1A6ACC4A455B83AAB8B3512B670A37944276619507
Malicious:	false
Preview:	/* ===================================================.. * bootstrap-transition.js v2.3.1.. * http://twitter.github.com/bootstrap/javascript.html#transitions.. * ===================================================.. * Copyright 2012 Twitter, Inc... .. Licensed under the Apache License, Version 2.0 (the "License");.. * you may not use this file except in compliance with the License... * You may obtain a copy of the License at.. .. http://www.apache.org/licenses/LICENSE-2.0.. .. Unless required by applicable law or agreed to in writing, software.. * distributed under the License is distributed on an "AS IS" BASIS,.. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... * See the License for the specific language governing permissions and.. * limitations under the License... * ========================================================== /......!function ($) {.... "use strict"; // jshint ;_;...... / CSS TRANSITION SUPPORT (http://www.modernizr.com/).. *

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\js\bootstrap.min.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (28421), with CRLF line terminators
Category:	dropped
Size (bytes):	28543
Entropy (8bit):	5.002712804901758
Encrypted:	false
SSDEEP:	768:I7S57QFwmPK40INVIPcr8gCBQcqYn0SUs8q:t0OANsz0WT
MD5:	4D2217E6EF811750EF429614897722F7
SHA1:	81354DCFC6D99A1A43678DD9719D0D279271A02E
SHA-256:	96708C6D8E2D1D3E2CD83C34B4E30311C6C6BB405CAEF24C66D9C7A336B4BED2
SHA-512:	648E210FE2C1414EAFB340E2C5522294A47D17734F7840D73C4283140BCE1EC1D42B32C7BEBEDEB7AE791F2B15EB1B601E724126D521B223576DDFBBA2E44DBE
Malicious:	false
Preview:	/!.. Bootstrap.js by @fat & @mdo..* Copyright 2012 Twitter, Inc...* http://www.apache.org/licenses/LICENSE-2.0.txt../..!function(e){"use strict";e(function(){e.support.transition=function(){var e=function(){var e=document.createElement("bootstrap"),t={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"},n;for(n in t)if(e.style[n]!==undefined)return t[n]}();return e&&{end:e}}()})}(window.jQuery),!function(e){"use strict";var t='[data-dismiss="alert"]',n=function(n){e(n).on("click",t,this.close)};n.prototype.close=function(t){function s(){i.trigger("closed").remove()}var n=e(this),r=n.attr("data-target"),i;r\|\|(r=n.attr("href"),r=r&&r.replace(/.(?=#[^\s]*$)/,"")),i=e(r),t&&t.preventDefault(),i.length\|\|(i=n.hasClass("alert")?n:n.parent()),i.trigger(t=e.Event("close"));if(t.isDefaultPrevented())return;i.removeClass("in"),e.support.transition&&i.hasClass("fade")?i.on(e.support.transition.end,s):s()};v

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\js\formatDateTime.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4637
Entropy (8bit):	5.283122109416986
Encrypted:	false
SSDEEP:	96:JzqhusqHcm22mclSXcgEmYiMqca8UnbXxsUiYisGeGEFt4ly+b52ixBBukB20bLV:Jzqhuj8m2vrcgEmYiMqca80bxsUiYisM
MD5:	4DE79723652420E759270FDA9C507915
SHA1:	705C2D98CB777504EAFCA979D907717E9631DF7A
SHA-256:	D2D4888A6BA0CE82090782138F1DE42221D35FB5EB566105B2FB3BF5629E533B
SHA-512:	9727127B58160F3D8CBFC4782F09FCEEE0486C08BCCBAE5D0A94CF81B6598DC7DA1DECA179FC3ABF2588D71A8D994439A7235CF937B0395E8F63A333864F28AC
Malicious:	false
Preview:	//* This code is copyright 2002-2003 by Gavin Kistner, !@phrogz.net..//* It is covered under the license viewable at http://phrogz.net/JS/_ReuseLicense.txt..//* Reuse or modification is free provided you abide by the terms of that license...//* (Including the first two lines above in your source code satisfies the conditions.)....// Include this code (with notice above ;) in your library; read below for how to use it.....Date.prototype.customFormat = function(formatString){...var YYYY,YY,MMMM,MMM,MM,M,DDDD,DDD,DD,D,hhh,hh,h,mm,m,ss,s,ampm,AMPM,dMod,th;...var dateObject = this;...YY = ((YYYY=dateObject.getFullYear())+"").slice(-2);...MM = (M=dateObject.getMonth()+1)<10?('0'+M):M;...MMM = (MMMM=["January","February","March","April","May","June","July","August","September","October","November","December"][M-1]).substring(0,3);...DD = (D=dateObject.getDate())<10?('0'+D):D;...DDD = (DDDD=["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"][dateObject.getDay()]).s

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\js\is-03IME.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1809656
Entropy (8bit):	4.209663989639158
Encrypted:	false
SSDEEP:	3072:R23rm6ZJ2D+lXqBmp4u6gzgSmZwJSxT6Ycey7RtgigsL:K9t
MD5:	ACFBA1BAD17C2BC4DBAC9F78F326525E
SHA1:	EACA1E718802059FFC51F9944368268BBBBA265B
SHA-256:	DFB1A880DA3B66ECFCC7C95B1E3BE91E7A4C46DE268BC786AB0800D50EA5D380
SHA-512:	04E2D9D3EEE43B2921022A821C33082B890059267E0997DBE107CEBFDCA03F2DE8DB5578D0987D470936F7A9DF7F9B64CE2CF0108FEF43302F2A0438742F425F
Malicious:	false
Preview:	function readData() {.. var data = ..{..."PAjson": {...."Device": {....."Type": "AX3",....."Model": "17",....."ID": "12345",....."Firmware": "R36",....."Calibration": "0,0,0"....},...."Recording": {....."StartTime": "2000-14-10 12:34:56:789",....."StopTime": "2000-15-10 12:34:56:789",....."LocationSite": "wrist",....."LocationSide": "left",....."TimeZone": "GMT+1"....},...."Subject": {....."Code": "Participant1",....."DOB": "1981-14-10",....."Sex": "male",....."Heightcm": "183",....."Weightkg": "78",....."Handedness": "right",....."Notes": "Neque porro quisquam est qui dolorem"....},...."Study": {....."Centre": "Newcastle",....."Code": "Study #1",....."Investigator": "A Apple",....."ExerciseType": "Daily Living",....."ConfigOperator": "B Bannana",....."ConfigTime": "2000-14-10 00:00:00:000",....."ConfigNotes": "Ipsum quia dolor sit amet, consectetur"....},...."Extract": {....."Operator": "C Cherry",....."Time": "2000-16-10 12:34:56:789",....."Notes": "Lorem ipsum dolor sit amet, con

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\js\is-0JOM7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4637
Entropy (8bit):	5.283122109416986
Encrypted:	false
SSDEEP:	96:JzqhusqHcm22mclSXcgEmYiMqca8UnbXxsUiYisGeGEFt4ly+b52ixBBukB20bLV:Jzqhuj8m2vrcgEmYiMqca80bxsUiYisM
MD5:	4DE79723652420E759270FDA9C507915
SHA1:	705C2D98CB777504EAFCA979D907717E9631DF7A
SHA-256:	D2D4888A6BA0CE82090782138F1DE42221D35FB5EB566105B2FB3BF5629E533B
SHA-512:	9727127B58160F3D8CBFC4782F09FCEEE0486C08BCCBAE5D0A94CF81B6598DC7DA1DECA179FC3ABF2588D71A8D994439A7235CF937B0395E8F63A333864F28AC
Malicious:	false
Preview:	//* This code is copyright 2002-2003 by Gavin Kistner, !@phrogz.net..//* It is covered under the license viewable at http://phrogz.net/JS/_ReuseLicense.txt..//* Reuse or modification is free provided you abide by the terms of that license...//* (Including the first two lines above in your source code satisfies the conditions.)....// Include this code (with notice above ;) in your library; read below for how to use it.....Date.prototype.customFormat = function(formatString){...var YYYY,YY,MMMM,MMM,MM,M,DDDD,DDD,DD,D,hhh,hh,h,mm,m,ss,s,ampm,AMPM,dMod,th;...var dateObject = this;...YY = ((YYYY=dateObject.getFullYear())+"").slice(-2);...MM = (M=dateObject.getMonth()+1)<10?('0'+M):M;...MMM = (MMMM=["January","February","March","April","May","June","July","August","September","October","November","December"][M-1]).substring(0,3);...DD = (D=dateObject.getDate())<10?('0'+D):D;...DDD = (DDDD=["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"][dateObject.getDay()]).s

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\js\is-39DII.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (32089), with CRLF line terminators
Category:	dropped
Size (bytes):	92635
Entropy (8bit):	5.304097832737613
Encrypted:	false
SSDEEP:	1536:pnu00HWWaRxkqJg09pYxoxDKLXJrg8hXXO4dK3kyfiLJBhdSZE+I+Qz7rbaN1RUg:pdkWgoBecZRQzmW42qf
MD5:	874082B265651D732B1E8A97CE2517A6
SHA1:	EEE9A5B74FA1B59692E17A0420D989D3F82CBE2C
SHA-256:	7933FF01DB5BE57CA6677DAAAD6BF5009D38D294AB5AA5D998DE3BA47E89CA0E
SHA-512:	086C1AE8648EE00511C5F4FBC21122A0BCA45B62F4C0D8CC9AEEA147EBB0807A9C3B9EAE3145DFBC2666A8F80D2A80A7A4A04290ABEC496B5524D32A657C1FDE
Malicious:	false
Preview:	/! jQuery v1.9.1 \| (c) 2005, 2012 jQuery Foundation, Inc. \| jquery.org/license..//@ sourceMappingURL=jquery.min.map../(function(e,t){var n,r,i=typeof t,o=e.document,a=e.location,s=e.jQuery,u=e.$,l={},c=[],p="1.9.1",f=c.concat,d=c.push,h=c.slice,g=c.indexOf,m=l.toString,y=l.hasOwnProperty,v=p.trim,b=function(e,t){return new b.fn.init(e,t,r)},x=/[+-]?(?:\d\.\|)\d+(?:[eE][+-]?\d+\|)/.source,w=/\S+/g,T=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,N=/^(?:(<[\w\W]+>)[^>]\|#([\w-]))$/,C=/^<(\w+)\s\/?>(?:<\/\1>\|)$/,k=/^[\],:{}\s]$/,E=/(?:^\|:\|,)(?:\s\[)+/g,S=/\\(?:["\\\/bfnrt]\|u[\da-fA-F]{4})/g,A=/"[^"\\\r\n]*"\|true\|false\|null\|-?(?:\d+\.\|)\d+(?:[eE][+-]?\d+\|)/g,j=/^-ms-/,D=/-([\da-z])/gi,L=function(e,t){return t.toUpperCase()},H=function(e){(o.addEventListener\|\|"load"===e.type\|\|"complete"===o.readyState)&&(q(),b.ready())},q=function(){o.addEventListener?(o.removeEventListener("DOMContentLoaded",H,!1),e.removeEventListener("load",H,!1)):(o.detachEvent("onreadystatechange",H),e.detachEvent("onload",

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\js\is-7QH66.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	64027
Entropy (8bit):	4.836305483874431
Encrypted:	false
SSDEEP:	1536:Y0/ZYwdtLLrK7tXuLJAlC0NEojHweGy8VEfrUiOl3ST0uMU:xZ79L2kJmzNvjHwlR+UT3STD7
MD5:	4D269F4999A9D6766EBA116A79B22F6C
SHA1:	982A75004C32B52BFADB0D296867780DBA232543
SHA-256:	CA0B58099DB982806828D46FAAAE6B53FF51BD5207912379BE0B20FF96ED6ADA
SHA-512:	198D5C7E6D0E274002B25B9F905E52AFFB09E1EDC76480D03D78FD35824C0A62B0F36EC2144A62ECEA8A4B1A6ACC4A455B83AAB8B3512B670A37944276619507
Malicious:	false
Preview:	/* ===================================================.. * bootstrap-transition.js v2.3.1.. * http://twitter.github.com/bootstrap/javascript.html#transitions.. * ===================================================.. * Copyright 2012 Twitter, Inc... .. Licensed under the Apache License, Version 2.0 (the "License");.. * you may not use this file except in compliance with the License... * You may obtain a copy of the License at.. .. http://www.apache.org/licenses/LICENSE-2.0.. .. Unless required by applicable law or agreed to in writing, software.. * distributed under the License is distributed on an "AS IS" BASIS,.. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... * See the License for the specific language governing permissions and.. * limitations under the License... * ========================================================== /......!function ($) {.... "use strict"; // jshint ;_;...... / CSS TRANSITION SUPPORT (http://www.modernizr.com/).. *

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\js\is-90T0Q.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (28421), with CRLF line terminators
Category:	dropped
Size (bytes):	28543
Entropy (8bit):	5.002712804901758
Encrypted:	false
SSDEEP:	768:I7S57QFwmPK40INVIPcr8gCBQcqYn0SUs8q:t0OANsz0WT
MD5:	4D2217E6EF811750EF429614897722F7
SHA1:	81354DCFC6D99A1A43678DD9719D0D279271A02E
SHA-256:	96708C6D8E2D1D3E2CD83C34B4E30311C6C6BB405CAEF24C66D9C7A336B4BED2
SHA-512:	648E210FE2C1414EAFB340E2C5522294A47D17734F7840D73C4283140BCE1EC1D42B32C7BEBEDEB7AE791F2B15EB1B601E724126D521B223576DDFBBA2E44DBE
Malicious:	false
Preview:	/!.. Bootstrap.js by @fat & @mdo..* Copyright 2012 Twitter, Inc...* http://www.apache.org/licenses/LICENSE-2.0.txt../..!function(e){"use strict";e(function(){e.support.transition=function(){var e=function(){var e=document.createElement("bootstrap"),t={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"},n;for(n in t)if(e.style[n]!==undefined)return t[n]}();return e&&{end:e}}()})}(window.jQuery),!function(e){"use strict";var t='[data-dismiss="alert"]',n=function(n){e(n).on("click",t,this.close)};n.prototype.close=function(t){function s(){i.trigger("closed").remove()}var n=e(this),r=n.attr("data-target"),i;r\|\|(r=n.attr("href"),r=r&&r.replace(/.(?=#[^\s]*$)/,"")),i=e(r),t&&t.preventDefault(),i.length\|\|(i=n.hasClass("alert")?n:n.parent()),i.trigger(t=e.Event("close"));if(t.isDefaultPrevented())return;i.removeClass("in"),e.support.transition&&i.hasClass("fade")?i.on(e.support.transition.end,s):s()};v

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\js\jquery.min.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with very long lines (32089), with CRLF line terminators
Category:	dropped
Size (bytes):	92635
Entropy (8bit):	5.304097832737613
Encrypted:	false
SSDEEP:	1536:pnu00HWWaRxkqJg09pYxoxDKLXJrg8hXXO4dK3kyfiLJBhdSZE+I+Qz7rbaN1RUg:pdkWgoBecZRQzmW42qf
MD5:	874082B265651D732B1E8A97CE2517A6
SHA1:	EEE9A5B74FA1B59692E17A0420D989D3F82CBE2C
SHA-256:	7933FF01DB5BE57CA6677DAAAD6BF5009D38D294AB5AA5D998DE3BA47E89CA0E
SHA-512:	086C1AE8648EE00511C5F4FBC21122A0BCA45B62F4C0D8CC9AEEA147EBB0807A9C3B9EAE3145DFBC2666A8F80D2A80A7A4A04290ABEC496B5524D32A657C1FDE
Malicious:	false
Preview:	/! jQuery v1.9.1 \| (c) 2005, 2012 jQuery Foundation, Inc. \| jquery.org/license..//@ sourceMappingURL=jquery.min.map../(function(e,t){var n,r,i=typeof t,o=e.document,a=e.location,s=e.jQuery,u=e.$,l={},c=[],p="1.9.1",f=c.concat,d=c.push,h=c.slice,g=c.indexOf,m=l.toString,y=l.hasOwnProperty,v=p.trim,b=function(e,t){return new b.fn.init(e,t,r)},x=/[+-]?(?:\d\.\|)\d+(?:[eE][+-]?\d+\|)/.source,w=/\S+/g,T=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,N=/^(?:(<[\w\W]+>)[^>]\|#([\w-]))$/,C=/^<(\w+)\s\/?>(?:<\/\1>\|)$/,k=/^[\],:{}\s]$/,E=/(?:^\|:\|,)(?:\s\[)+/g,S=/\\(?:["\\\/bfnrt]\|u[\da-fA-F]{4})/g,A=/"[^"\\\r\n]*"\|true\|false\|null\|-?(?:\d+\.\|)\d+(?:[eE][+-]?\d+\|)/g,j=/^-ms-/,D=/-([\da-z])/gi,L=function(e,t){return t.toUpperCase()},H=function(e){(o.addEventListener\|\|"load"===e.type\|\|"complete"===o.readyState)&&(q(),b.ready())},q=function(){o.addEventListener?(o.removeEventListener("DOMContentLoaded",H,!1),e.removeEventListener("load",H,!1)):(o.detachEvent("onreadystatechange",H),e.detachEvent("onload",

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\js\p5.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1809656
Entropy (8bit):	4.209663989639158
Encrypted:	false
SSDEEP:	3072:R23rm6ZJ2D+lXqBmp4u6gzgSmZwJSxT6Ycey7RtgigsL:K9t
MD5:	ACFBA1BAD17C2BC4DBAC9F78F326525E
SHA1:	EACA1E718802059FFC51F9944368268BBBBA265B
SHA-256:	DFB1A880DA3B66ECFCC7C95B1E3BE91E7A4C46DE268BC786AB0800D50EA5D380
SHA-512:	04E2D9D3EEE43B2921022A821C33082B890059267E0997DBE107CEBFDCA03F2DE8DB5578D0987D470936F7A9DF7F9B64CE2CF0108FEF43302F2A0438742F425F
Malicious:	false
Preview:	function readData() {.. var data = ..{..."PAjson": {...."Device": {....."Type": "AX3",....."Model": "17",....."ID": "12345",....."Firmware": "R36",....."Calibration": "0,0,0"....},...."Recording": {....."StartTime": "2000-14-10 12:34:56:789",....."StopTime": "2000-15-10 12:34:56:789",....."LocationSite": "wrist",....."LocationSide": "left",....."TimeZone": "GMT+1"....},...."Subject": {....."Code": "Participant1",....."DOB": "1981-14-10",....."Sex": "male",....."Heightcm": "183",....."Weightkg": "78",....."Handedness": "right",....."Notes": "Neque porro quisquam est qui dolorem"....},...."Study": {....."Centre": "Newcastle",....."Code": "Study #1",....."Investigator": "A Apple",....."ExerciseType": "Daily Living",....."ConfigOperator": "B Bannana",....."ConfigTime": "2000-14-10 00:00:00:000",....."ConfigNotes": "Ipsum quia dolor sit amet, consectetur"....},...."Extract": {....."Operator": "C Cherry",....."Time": "2000-16-10 12:34:56:789",....."Notes": "Lorem ipsum dolor sit amet, con

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\omconvert.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	213504
Entropy (8bit):	6.709248017183754
Encrypted:	false
SSDEEP:	6144:ZxGwK8gQiqm4NvHRZVJOqQ1EFO1VxkJlof0jFjzyYdsmSLfTN/oOuusrn4HJ:ZxGwK8gQiqm4NvHRZVJOqQ1EFO1VxkJ8
MD5:	D05718285DF704EED58EF4B1FE6761A0
SHA1:	4FA2A4F16B998C0F553EE6B57A780E39323E6A85
SHA-256:	E5FA5DE8F79FA702C8D2B1164D2E319CB6F597AD700EA9FF04D2273311505943
SHA-512:	C6F3F2C36FCBE0AA43124716D49D119399E8D1B0D6F61F2DE3A23B8775EE45E7DC5F304B90A0AAE51883E7F7928DB4A04ECCBCEF60EB46CC5B74DD3BD3229BF0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]q>*..Py..Py..Py...y..Py...y..Py...y..Py...y..Py.vSx..Py.vUx:.Py.vTx..Py.h.y..Py..Qyz.Py%wXx..Py%w.y..Py%wRx..PyRich..Py........................PE..L......[.................l..........A.............@.......................................@.....................................(....`.......................p..........p...............................@...............4............................text....k.......l.................. ..`.rdata...............p..............@..@.data........0......................@..._RDATA.......P......................@..@.rsrc........`.......$..............@..@.reloc.......p.......&..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\OmConvertPlugin\run-omconvert.cmd (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1400
Entropy (8bit):	5.326275339578517
Encrypted:	false
SSDEEP:	24:LLiOeidBLv0ZdCla1ONH2KNC2Ip1vv4lbS9q4HvUHH83HSaSlHlRB4L43bdD43aA:fiOeidB3y1wm88iaSvnJbMaA
MD5:	8F25B67F5F848AD2BF34B0E8465A683C
SHA1:	58B67E0D5A0A371B111D03FC45BD8D891CBF5878
SHA-256:	E60CACD6F47040008D07AA8BAF516D116420149E373FE8F23C9AFF4F157C903F
SHA-512:	EA48B245C95D3482EB97CC82AF6750D890CB46CBC2800EFB82EE289148175315FFFC75F200CC98C79B876AE2C14CE36E063B0CD05E77F799DD518A478A6E04B2
Malicious:	false
Preview:	@echo off..cd /d %~dp0....::: Check arguments..if "%~1"=="" goto ERROR_NO_SOURCE..rem if not "%~2"=="" goto ERROR_TOO_MANY_ARGS..if not exist "%~1" goto ERROR_SOURCE_NOT_FOUND..set INPUT=%~f1..set OUTPUT=%~dpn1....::: Choose a temporary output folder..set TEMPDIR=%TEMP%\CBR-%RANDOM%..mkdir "%TEMPDIR%"....::: Run the script..echo OMCONVERT: INPUT: %INPUT%..rem echo INPUT: %INPUT% 1>&2..echo OMCONVERT: OUTPUT: %OUTPUT%..rem echo OUTPUT: %OUTPUT% 1>&2..echo OMCONVERT: TEMPORARY: %TEMPDIR%..rem echo TEMPORARY: %TEMPDIR% 1>&2..echo OMCONVERT: Running: omconvert.exe "%INPUT%" "%TEMPDIR%"..if not exist omconvert.exe echo OMCONVERT: Executable not found.....if exist omconvert.exe omconvert.exe "%INPUT%" -out "%TEMPDIR%\file.wav" -svm-file "%TEMPDIR%\file.svm.csv" -wtv-file "%TEMPDIR%\file.wtv.csv" -paee-file "%TEMPDIR%\file.paee.csv"....::: Move files from the temporary folder..move "%TEMPDIR%\file.wav" "%OUTPUT%.wav" >nul..move "%TEMPDIR%\file.svm.csv" "%OUTPUT%.svm.csv" >nul..move "%TE

C:\Program Files (x86)\Open Movement\OM GUI\firmware\AX664_51.cmd (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.7796597855256095
Encrypted:	false
SSDEEP:	3:mKDDVBFFyvDvDAb+fRFUK2v9XVFoq98zNCIv:hevbDJXi9XVFoqqRCS
MD5:	AD509AD20E7A48AB060D8433483AD9B5
SHA1:	0E566D999A2CE33DCD6FCA3206E4D54A1EAD0A4C
SHA-256:	047AA251D846EE9179299A5591DBEE119D71DB4EA20F15D45CFCC338D0AB3695
SHA-512:	7F2CF5636B8138128F150681F3B4FA84F8355620435BB80233D7C9960A0C3EBFC47AF4B507D35EEE324E1F75E02E24D609C505BF35A63C4F5CD90731F41C6BA2
Malicious:	false
Preview:	@echo off..cd /d %~dp0..echo AX6 Bootload: %~n0..booter.exe -copy 0x3A800 8 -timeout 15 "%~n0.hex"..

C:\Program Files (x86)\Open Movement\OM GUI\firmware\AX664_51.hex (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	741679
Entropy (8bit):	3.3787652271328286
Encrypted:	false
SSDEEP:	12288:Pz13L3BiigW2i2uqhMSIY/hSsQLqwH/g+mgl6HOCZn:Pzaf
MD5:	BD5E717AEFD02037723B196D249CC183
SHA1:	8CB2BEB61F61984E0CBDBDE94E22089C7383AC84
SHA-256:	7A8946F7E2F96DBC2DED5C97B5558F4277BB26A47023A30F8B156F03F7CFCC22
SHA-512:	43D4A9661D92ACB584B03E2514B84D699430ED74E4D61DFF45C1B8CE066CE9CDB27C8BCA66C653BEC58AFF491D95BD57EBA066626B9E6618DC81EB08CB16AB64
Malicious:	false
Preview:	:020000040000fa..:0800000090350400000000002f..:020000040000fa..:1000080004300000083000000c3000001030000000..:1000180014300000183000001c30000020300000b0..:1000280024300000283000002c3000003030000060..:1000380034300000383000003c3000004030000010..:1000480044300000483000004c30000050300000c0..:1000580054300000583000005c3000006030000070..:1000680064300000683000006c3000007030000020..:1000780074300000783000007c30000080300000d0..:1000880084300000883000008c3000009030000080..:1000980094300000983000009c300000a030000030..:1000a800a4300000a8300000ac300000b0300000e0..:1000b800b4300000b8300000bc300000c030000090..:1000c800c4300000c8300000cc300000d030000040..:1000d800d4300000d8300000dc300000e0300000f0..:1000e800e4300000e8300000ec300000f0300000a0..:1000f800f4300000f8300000fc300000003100004f..:1001080004310000083100000c31000010310000fb..:1001180014310000183100001c31000020310000ab..:1001280024310000283100002c310000303100005b..:1001380034310000383100003c310000403100000b..:1001480044310000483100004c3100005031

C:\Program Files (x86)\Open Movement\OM GUI\firmware\CWA17_45.cmd (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.758242691024847
Encrypted:	false
SSDEEP:	3:mKDDVBFFyvkZAb+fRFUK2vOVPFt98zNCIv:hevgJXi6PPqRCS
MD5:	B3E5875611A7950F56A82EE3CD1E271B
SHA1:	52CDD253F4E142D4E834B359B2FFABE5C126DCAA
SHA-256:	7B87569B590F6D6E434638EB5242785F6F5A1EF98EB63ECF93FA8408BEC9CB42
SHA-512:	AA7034EBBD36BD064C4C18624B98F185EEA277EAE728CF33E4DD9451A439D37C5652D2440668C97669E8F77889AD7DFB263974BE01F1B8F1ADE8BC3E55EB0E5D
Malicious:	false
Preview:	@echo off..cd /d %~dp0..echo AX3 Bootload: %~n0..booter.exe -copy 0x2A000 8 -timeout 15 "%~n0.hex"..

C:\Program Files (x86)\Open Movement\OM GUI\firmware\CWA17_45.hex (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	334821
Entropy (8bit):	3.296637841715141
Encrypted:	false
SSDEEP:	1536:bS1CmtHqiix2BwOTY3+oG2FO6s7CdrUpaX9zNhREz3YEwE58ab2Us+HSOluMWX5w:/H89x6fZdZphcAUfgOAnAGQRl7
MD5:	32ADB156B64D4A3BF8EA9E521769C683
SHA1:	3E8D4C14296BD395AA84FE8CD311B3217E4553C0
SHA-256:	FBBE84FE5450F1D1BEC9A7B830FB2C0830E77EC19B85C4D1BAF7809B61FDC9E3
SHA-512:	38A1741EDB7283C3AF7142BA6A844A4FFA4459F53F61D56C9BEA31A4B8AA26DF05F4D6C04A387A3D48C8B31942A75CAC0D05D64C8770A1F02110D4B25EC379BE
Malicious:	false
Preview:	:020000040000fa..:080000001015040000000000cf..:020000040000fa..:102a20006fe522000e7f24000e01880000000000e8..:102a30000c00070040992e00010020001100070043..:102a4000000020000000e000020032000000020050..:102a500000000000e6ca0200000000000040da00aa..:102a60000000fe004440a900603021000000e000aa..:102a70000300320000002000a00188004440a800ac..:102a80000000060091018800800078000000eb0043..:102a900015003700e280400032a0b4009101ba0076..:102aa000e280400032a0b4009102ba00e28040000f..:102ab00032a0b4000002eb00472bde00f507b200a5..:102ac000602ce10004003a000059eb008301e900aa..:102ad000fdff3e00040037006128e10001003200e4..:102ae0000082eb00040007001101ba000200e000c0..:102af000e8ff3a00000006003159ba008301e900fe..:102b00000c0032002159ba008301e90008003200ac..:102b10000400e00003003a00e280400032a0b4006c..:102b2000f5ff370011d9ba008301e900faff3a0036..:102b30008100e800e180400032a0b40000000600ff..:102b400096f404000000000060fa04000000000099..:102b5000dcf9040000000000daf9040000000000c5..:102b6000ccf90400000000001efa04000000

C:\Program Files (x86)\Open Movement\OM GUI\firmware\CWA17_48.cmd (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.758242691024847
Encrypted:	false
SSDEEP:	3:mKDDVBFFyvkZAb+fRFUK2vOVPFt98zNCIv:hevgJXi6PPqRCS
MD5:	B3E5875611A7950F56A82EE3CD1E271B
SHA1:	52CDD253F4E142D4E834B359B2FFABE5C126DCAA
SHA-256:	7B87569B590F6D6E434638EB5242785F6F5A1EF98EB63ECF93FA8408BEC9CB42
SHA-512:	AA7034EBBD36BD064C4C18624B98F185EEA277EAE728CF33E4DD9451A439D37C5652D2440668C97669E8F77889AD7DFB263974BE01F1B8F1ADE8BC3E55EB0E5D
Malicious:	false
Preview:	@echo off..cd /d %~dp0..echo AX3 Bootload: %~n0..booter.exe -copy 0x2A000 8 -timeout 15 "%~n0.hex"..

C:\Program Files (x86)\Open Movement\OM GUI\firmware\CWA17_48.hex (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	337121
Entropy (8bit):	3.2902188223876294
Encrypted:	false
SSDEEP:	1536:yt54CmtVuiuZ21w/TgADOWzt8AuC/B8IImIIUIPv/MnQueAtc35pMXgrget6o+F3:cxzUk5QO3fkHqbUxd8JSb7
MD5:	79D2A921B36F8D8BA223C1693D1BFFBF
SHA1:	8E5A13D2D094A08A108A25C690C29F9637D6C124
SHA-256:	E482F652BDAC3396FC27BF75424206E2CBFC8F856593D8D764121C0BD820ED19
SHA-512:	E87B6975C11F1A7AC146E9EA2C20D10FB89EB379E992D85B7AF336672BB430C3424292DB5A8505CFEAECC4977D79C4E4028073F115BA6F5A8B228C365E1714A5
Malicious:	false
Preview:	:020000040000fa..:080000001015040000000000cf..:020000040000fa..:102a20000fe422000e7f24000e0188000000000049..:102a30000c000700c0a92e000100200011000700b3..:102a4000000020000000e000020032000000020050..:102a50000000000088cb0200000000000040da0007..:102a60000000fe004440a900a03121000000e00069..:102a70000300320000002000a00188004440a800ac..:102a80000000060091018800800078000000eb0043..:102a900015003700e280400032a0b4009101ba0076..:102aa000e280400032a0b4009102ba00e28040000f..:102ab00032a0b4000002eb00472bde00f507b200a5..:102ac000602ce10004003a000059eb008301e900aa..:102ad000fdff3e00040037006128e10001003200e4..:102ae0000082eb00040007001101ba000200e000c0..:102af000e8ff3a00000006003159ba008301e900fe..:102b00000c0032002159ba008301e90008003200ac..:102b10000400e00003003a00e280400032a0b4006c..:102b2000f5ff370011d9ba008301e900faff3a0036..:102b30008100e800e180400032a0b40000000600ff..:102b40008cf504000000000060fc040000000000a0..:102b5000dcfb040000000000dafb040000000000c1..:102b6000ccfb0400000000001efc04000000

C:\Program Files (x86)\Open Movement\OM GUI\firmware\booter.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115200
Entropy (8bit):	6.4799426777001425
Encrypted:	false
SSDEEP:	3072:OZN2VprpIak+a4uTSnEFH+IkoSQMjP7e:CsPIBlmESQ0K
MD5:	162874F2AC02AE9D085356139523D079
SHA1:	52DABDCFF93FCC80C6A60AEB92C8E6D552557F78
SHA-256:	A9B24E41BA27B039E0E2C75A0EE5FCC837B8694DCCD130175A69DE3A84C0A8E0
SHA-512:	7B93C3D83E7F00C1B16314920EE18E09D7EE32B18F84EEF28AF268B1D02F2B3906EB206AE76FCB4126E436B59F6A19E000C16FEAD9DB2FD071E933721F018687
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2..yvn.vn.vn.{<eQn.{<[an.{<d.n....sn.vn..n.S.`rn.S.Xwn.{<_wn.S.Zwn.Richvn.................PE..L.....*T.................2...........Y.......P....@..........................0............@....................................<....................................Q..8...........................@...@............P..h............................text....1.......2.................. ..`.rdata...c...P...d...6..............@..@.data...h2..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\firmware\bootload.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	Generic INItialization configuration [AX664]
Category:	dropped
Size (bytes):	935
Entropy (8bit):	5.133101727156174
Encrypted:	false
SSDEEP:	24:cPhJF/3LiRkFwYFy7Fqd6rupVPo2dk9yc:cJJxiR08S6ypVPldk0c
MD5:	56F0ECE0585EAE72AD15E40E21D1D2C2
SHA1:	E6D28934D8E754717DCBC98376D0B3DCFD4C7AA5
SHA-256:	79FE0C6E5783FAD4B04AE72AE35B3B56D9D74D182238A9E4E48AD4D7FF916F60
SHA-512:	87DE83E5A1D337E81F3D9A88D97CB880000BB1AFE3AEC4C10A49757FC02B2EE2BD658A8BE36C9FC93209A056855975DB1C4FA300C57947AAF163C85EC1D0800A
Malicious:	false
Preview:	; Bootload configuration file....; V36 base version..; V42 added Spansion NAND to whitelist, had incorrect optimizer setting (size)..; V44 fix for optimizer setting (speed)..; V45 added Micro NAND to whitelist..; V46 USB descriptors changed for Linux and Mac compatibility..; V47 removed main code pre-charge loop (retains bootloader pre-charge)..; V48 extended serial number from 16- to 32-bits....[CWA17].._version=CWA17_45.._executable=firmware\CWA17_45.cmd..CWA17_42=V42 is known to have a potential problem which can limit the recording duration...;CWA17_44=V44 is temporarily marked for upgrade just for debugging.....[AX664].._version=AX664_51.._executable=firmware\AX664_51.cmd..;AX664_10=V10 (internal) is out of date...;AX664_46=V46 (internal) is out of date...;AX664_47=V47 (internal) is out of date...;AX664_48=V48 (internal) is out of date...;AX664_49=V49 (internal) is out of date...;AX664_50=V50 (beta) is out of date...

C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-8FFFL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	741679
Entropy (8bit):	3.3787652271328286
Encrypted:	false
SSDEEP:	12288:Pz13L3BiigW2i2uqhMSIY/hSsQLqwH/g+mgl6HOCZn:Pzaf
MD5:	BD5E717AEFD02037723B196D249CC183
SHA1:	8CB2BEB61F61984E0CBDBDE94E22089C7383AC84
SHA-256:	7A8946F7E2F96DBC2DED5C97B5558F4277BB26A47023A30F8B156F03F7CFCC22
SHA-512:	43D4A9661D92ACB584B03E2514B84D699430ED74E4D61DFF45C1B8CE066CE9CDB27C8BCA66C653BEC58AFF491D95BD57EBA066626B9E6618DC81EB08CB16AB64
Malicious:	false
Preview:	:020000040000fa..:0800000090350400000000002f..:020000040000fa..:1000080004300000083000000c3000001030000000..:1000180014300000183000001c30000020300000b0..:1000280024300000283000002c3000003030000060..:1000380034300000383000003c3000004030000010..:1000480044300000483000004c30000050300000c0..:1000580054300000583000005c3000006030000070..:1000680064300000683000006c3000007030000020..:1000780074300000783000007c30000080300000d0..:1000880084300000883000008c3000009030000080..:1000980094300000983000009c300000a030000030..:1000a800a4300000a8300000ac300000b0300000e0..:1000b800b4300000b8300000bc300000c030000090..:1000c800c4300000c8300000cc300000d030000040..:1000d800d4300000d8300000dc300000e0300000f0..:1000e800e4300000e8300000ec300000f0300000a0..:1000f800f4300000f8300000fc300000003100004f..:1001080004310000083100000c31000010310000fb..:1001180014310000183100001c31000020310000ab..:1001280024310000283100002c310000303100005b..:1001380034310000383100003c310000403100000b..:1001480044310000483100004c3100005031

C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-8KMIL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.7796597855256095
Encrypted:	false
SSDEEP:	3:mKDDVBFFyvDvDAb+fRFUK2v9XVFoq98zNCIv:hevbDJXi9XVFoqqRCS
MD5:	AD509AD20E7A48AB060D8433483AD9B5
SHA1:	0E566D999A2CE33DCD6FCA3206E4D54A1EAD0A4C
SHA-256:	047AA251D846EE9179299A5591DBEE119D71DB4EA20F15D45CFCC338D0AB3695
SHA-512:	7F2CF5636B8138128F150681F3B4FA84F8355620435BB80233D7C9960A0C3EBFC47AF4B507D35EEE324E1F75E02E24D609C505BF35A63C4F5CD90731F41C6BA2
Malicious:	false
Preview:	@echo off..cd /d %~dp0..echo AX6 Bootload: %~n0..booter.exe -copy 0x3A800 8 -timeout 15 "%~n0.hex"..

C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-C10ED.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	337121
Entropy (8bit):	3.2902188223876294
Encrypted:	false
SSDEEP:	1536:yt54CmtVuiuZ21w/TgADOWzt8AuC/B8IImIIUIPv/MnQueAtc35pMXgrget6o+F3:cxzUk5QO3fkHqbUxd8JSb7
MD5:	79D2A921B36F8D8BA223C1693D1BFFBF
SHA1:	8E5A13D2D094A08A108A25C690C29F9637D6C124
SHA-256:	E482F652BDAC3396FC27BF75424206E2CBFC8F856593D8D764121C0BD820ED19
SHA-512:	E87B6975C11F1A7AC146E9EA2C20D10FB89EB379E992D85B7AF336672BB430C3424292DB5A8505CFEAECC4977D79C4E4028073F115BA6F5A8B228C365E1714A5
Malicious:	false
Preview:	:020000040000fa..:080000001015040000000000cf..:020000040000fa..:102a20000fe422000e7f24000e0188000000000049..:102a30000c000700c0a92e000100200011000700b3..:102a4000000020000000e000020032000000020050..:102a50000000000088cb0200000000000040da0007..:102a60000000fe004440a900a03121000000e00069..:102a70000300320000002000a00188004440a800ac..:102a80000000060091018800800078000000eb0043..:102a900015003700e280400032a0b4009101ba0076..:102aa000e280400032a0b4009102ba00e28040000f..:102ab00032a0b4000002eb00472bde00f507b200a5..:102ac000602ce10004003a000059eb008301e900aa..:102ad000fdff3e00040037006128e10001003200e4..:102ae0000082eb00040007001101ba000200e000c0..:102af000e8ff3a00000006003159ba008301e900fe..:102b00000c0032002159ba008301e90008003200ac..:102b10000400e00003003a00e280400032a0b4006c..:102b2000f5ff370011d9ba008301e900faff3a0036..:102b30008100e800e180400032a0b40000000600ff..:102b40008cf504000000000060fc040000000000a0..:102b5000dcfb040000000000dafb040000000000c1..:102b6000ccfb0400000000001efc04000000

C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-E82UN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	Generic INItialization configuration [AX664]
Category:	dropped
Size (bytes):	935
Entropy (8bit):	5.133101727156174
Encrypted:	false
SSDEEP:	24:cPhJF/3LiRkFwYFy7Fqd6rupVPo2dk9yc:cJJxiR08S6ypVPldk0c
MD5:	56F0ECE0585EAE72AD15E40E21D1D2C2
SHA1:	E6D28934D8E754717DCBC98376D0B3DCFD4C7AA5
SHA-256:	79FE0C6E5783FAD4B04AE72AE35B3B56D9D74D182238A9E4E48AD4D7FF916F60
SHA-512:	87DE83E5A1D337E81F3D9A88D97CB880000BB1AFE3AEC4C10A49757FC02B2EE2BD658A8BE36C9FC93209A056855975DB1C4FA300C57947AAF163C85EC1D0800A
Malicious:	false
Preview:	; Bootload configuration file....; V36 base version..; V42 added Spansion NAND to whitelist, had incorrect optimizer setting (size)..; V44 fix for optimizer setting (speed)..; V45 added Micro NAND to whitelist..; V46 USB descriptors changed for Linux and Mac compatibility..; V47 removed main code pre-charge loop (retains bootloader pre-charge)..; V48 extended serial number from 16- to 32-bits....[CWA17].._version=CWA17_45.._executable=firmware\CWA17_45.cmd..CWA17_42=V42 is known to have a potential problem which can limit the recording duration...;CWA17_44=V44 is temporarily marked for upgrade just for debugging.....[AX664].._version=AX664_51.._executable=firmware\AX664_51.cmd..;AX664_10=V10 (internal) is out of date...;AX664_46=V46 (internal) is out of date...;AX664_47=V47 (internal) is out of date...;AX664_48=V48 (internal) is out of date...;AX664_49=V49 (internal) is out of date...;AX664_50=V50 (beta) is out of date...

C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-KASPV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	334821
Entropy (8bit):	3.296637841715141
Encrypted:	false
SSDEEP:	1536:bS1CmtHqiix2BwOTY3+oG2FO6s7CdrUpaX9zNhREz3YEwE58ab2Us+HSOluMWX5w:/H89x6fZdZphcAUfgOAnAGQRl7
MD5:	32ADB156B64D4A3BF8EA9E521769C683
SHA1:	3E8D4C14296BD395AA84FE8CD311B3217E4553C0
SHA-256:	FBBE84FE5450F1D1BEC9A7B830FB2C0830E77EC19B85C4D1BAF7809B61FDC9E3
SHA-512:	38A1741EDB7283C3AF7142BA6A844A4FFA4459F53F61D56C9BEA31A4B8AA26DF05F4D6C04A387A3D48C8B31942A75CAC0D05D64C8770A1F02110D4B25EC379BE
Malicious:	false
Preview:	:020000040000fa..:080000001015040000000000cf..:020000040000fa..:102a20006fe522000e7f24000e01880000000000e8..:102a30000c00070040992e00010020001100070043..:102a4000000020000000e000020032000000020050..:102a500000000000e6ca0200000000000040da00aa..:102a60000000fe004440a900603021000000e000aa..:102a70000300320000002000a00188004440a800ac..:102a80000000060091018800800078000000eb0043..:102a900015003700e280400032a0b4009101ba0076..:102aa000e280400032a0b4009102ba00e28040000f..:102ab00032a0b4000002eb00472bde00f507b200a5..:102ac000602ce10004003a000059eb008301e900aa..:102ad000fdff3e00040037006128e10001003200e4..:102ae0000082eb00040007001101ba000200e000c0..:102af000e8ff3a00000006003159ba008301e900fe..:102b00000c0032002159ba008301e90008003200ac..:102b10000400e00003003a00e280400032a0b4006c..:102b2000f5ff370011d9ba008301e900faff3a0036..:102b30008100e800e180400032a0b40000000600ff..:102b400096f404000000000060fa04000000000099..:102b5000dcf9040000000000daf9040000000000c5..:102b6000ccf90400000000001efa04000000

C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-KT91N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.758242691024847
Encrypted:	false
SSDEEP:	3:mKDDVBFFyvkZAb+fRFUK2vOVPFt98zNCIv:hevgJXi6PPqRCS
MD5:	B3E5875611A7950F56A82EE3CD1E271B
SHA1:	52CDD253F4E142D4E834B359B2FFABE5C126DCAA
SHA-256:	7B87569B590F6D6E434638EB5242785F6F5A1EF98EB63ECF93FA8408BEC9CB42
SHA-512:	AA7034EBBD36BD064C4C18624B98F185EEA277EAE728CF33E4DD9451A439D37C5652D2440668C97669E8F77889AD7DFB263974BE01F1B8F1ADE8BC3E55EB0E5D
Malicious:	false
Preview:	@echo off..cd /d %~dp0..echo AX3 Bootload: %~n0..booter.exe -copy 0x2A000 8 -timeout 15 "%~n0.hex"..

C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-MNQIV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115200
Entropy (8bit):	6.4799426777001425
Encrypted:	false
SSDEEP:	3072:OZN2VprpIak+a4uTSnEFH+IkoSQMjP7e:CsPIBlmESQ0K
MD5:	162874F2AC02AE9D085356139523D079
SHA1:	52DABDCFF93FCC80C6A60AEB92C8E6D552557F78
SHA-256:	A9B24E41BA27B039E0E2C75A0EE5FCC837B8694DCCD130175A69DE3A84C0A8E0
SHA-512:	7B93C3D83E7F00C1B16314920EE18E09D7EE32B18F84EEF28AF268B1D02F2B3906EB206AE76FCB4126E436B59F6A19E000C16FEAD9DB2FD071E933721F018687
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2..yvn.vn.vn.{<eQn.{<[an.{<d.n....sn.vn..n.S.`rn.S.Xwn.{<_wn.S.Zwn.Richvn.................PE..L.....*T.................2...........Y.......P....@..........................0............@....................................<....................................Q..8...........................@...@............P..h............................text....1.......2.................. ..`.rdata...c...P...d...6..............@..@.data...h2..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\firmware\is-QII1G.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.758242691024847
Encrypted:	false
SSDEEP:	3:mKDDVBFFyvkZAb+fRFUK2vOVPFt98zNCIv:hevgJXi6PPqRCS
MD5:	B3E5875611A7950F56A82EE3CD1E271B
SHA1:	52CDD253F4E142D4E834B359B2FFABE5C126DCAA
SHA-256:	7B87569B590F6D6E434638EB5242785F6F5A1EF98EB63ECF93FA8408BEC9CB42
SHA-512:	AA7034EBBD36BD064C4C18624B98F185EEA277EAE728CF33E4DD9451A439D37C5652D2440668C97669E8F77889AD7DFB263974BE01F1B8F1ADE8BC3E55EB0E5D
Malicious:	false
Preview:	@echo off..cd /d %~dp0..echo AX3 Bootload: %~n0..booter.exe -copy 0x2A000 8 -timeout 15 "%~n0.hex"..

C:\Program Files (x86)\Open Movement\OM GUI\is-524O8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3227197
Entropy (8bit):	6.289855362233436
Encrypted:	false
SSDEEP:	49152:+dx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjK333yD:/HDYsqiPRhINnq95FoHVBK3338
MD5:	B507E2C856B2EE24E3E2142B831E0B9F
SHA1:	44CA805FCF65745FAA403F35E61FBFB7DAEEE850
SHA-256:	F827E6209A340544E4986DA98747AC822D52F88A6C7811872DDC2E3CCB4D3E72
SHA-512:	B96644A7FEDAD50244FFC25D77DE0527980A350E60B9D9B24372838B19D983A890E189A01A6ADECEDE6B0940AA611C7EE8A7D623CC1264DBAB01C513B7D3E59B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,.........`V,......`,...@...........................1...........@......@....................-.......-..9............................................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc................"-.............@..@..............1.......0.............@..@........................................................

C:\Program Files (x86)\Open Movement\OM GUI\is-E9CM8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1641984
Entropy (8bit):	7.012562124222005
Encrypted:	false
SSDEEP:	49152:s+4PCNQWsNQWsNQWsNQWsNQWsNQWh4NQW:sMuuuuuU
MD5:	12FEEE099449453BA386F8FBA6C72090
SHA1:	4BE776CF3F768BAD8F10CA885227494972CBCEBE
SHA-256:	E96445F1DEA2B0B630ADE704C5C478C0E50A71645473F11297FE7DED2D9F9197
SHA-512:	E21262C048DAA24BDAEF0F08D544CE06ADE5DF32D99D8D1967F76984AA8ED3780B8E8E03F2C0FE873D578BC52AA0A49F5A814D4B6146BCE13BC65CEEBEE6F95E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2H`c..............0......~........... ........@.. .......................`............@.....................................O.......8{...................@......t................................................ ............... ..H............text...\.... ...................... ..`.rsrc...8{.......\|..................@..@.reloc.......@......................@..B.......................H.......0>...;...........y...0............................................( ....0...........(.......(......................0..........~!.....~!.....i......~!.....o......-}...I...("...(#...tI...}....~!............($...-....J...("...(#...tJ...}....~!............($...-....K...("...(#...tK...}.......0..............7.....~....}........Yn(%...}.......}........Yn(%...}.......}...... .@. (&... ...._-..+. ...@`(&... ...._-..+. ....`}........('.....((...s....}.......}.......o....&*

C:\Program Files (x86)\Open Movement\OM GUI\is-J5C8E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	206848
Entropy (8bit):	6.617501453617938
Encrypted:	false
SSDEEP:	6144:McgtGETY7RhzLkLS8smeiOe/Tg18j/zyC:sTYzzLkLSmeiL/Tk8zGC
MD5:	5B075AE6C4F10D56EF8D6A8B275DC3ED
SHA1:	F3159D2A45C7373A790CB118B0D534F53DF18333
SHA-256:	7B87B238F6AB12DE618BF86EC10B71481E30529EA6F06A102C004BEBD488DE02
SHA-512:	4B50E32D484D3A0894192E6137AC96C99BAABEE4B49DAC6E442B1963AA7517E2D4BF75FCBC781A0C8BFE300FDAD77B4A376BE3528CA0E63B51959DFB1151E99C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r..!..!..!h.r!..!h.p!D..!h.q!..!B+D!..!.. ..!.. ..!.. ...!...!..!...!..!..!...!y. ..!y. ..!y.\|!..!y. ..!Rich..!........PE..L....H`c...........!.....Z..........;........p...............................`............@.........................`...t............0.......................@..........p...........................0...@............p..H............................text....Y.......Z.................. ..`.rdata..\....p.......^..............@..@.data...............................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\is-KA3P3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	930090
Entropy (8bit):	7.977011759378819
Encrypted:	false
SSDEEP:	24576:5naARrEWuWdE8cb6IcDVPK6O8XwYJGQJxkTC:5a978y6bDVPKkZh
MD5:	0ABD9CF2D191036D778F6F1FBE25FAE1
SHA1:	89D8721A34C9DD33DBE3E84D88CF74E7B5C48499
SHA-256:	8274A7E0259278A1CE04260115E6C96AD0917A37971E8CA58ABEEB6D92AB2615
SHA-512:	17BDA1DE1606B554C7030E5210DD97148AE20819CAFC1B142721937D5C9784F3FF1E735E31BB608DEF81F0352A0A59CF6843617F2B802EAA11933086D954B8A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F......@.............@..........................@...................@..............................P........,..........................................................................................................CODE....d........................... ..`DATA....L...........................@...BSS.....L................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\is-LC9GL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	30720
Entropy (8bit):	5.561090262634769
Encrypted:	false
SSDEEP:	768:G9ivcgdQIeVAOrajN/ccIjOBHaHi6ej0hQ:G9ikgd0Vt+h8FC6eYhQ
MD5:	5083DA882E58C045E46391E8AC35456F
SHA1:	9EAE2AA46772286D5ABA504009ED0492031BC102
SHA-256:	BB2B868D313942BAFEDF896F19C7BE8CA91725A44C29E916DB8FBFB837087EE2
SHA-512:	1CE7025532A3E98FD420A5EAF5BC0E2BCCCB1141AD803C01F8D286805029932DB41EDDDAFAF97FC6300061D6570980E4F79B219E89D3FD25DD6337923F63D304
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H`c...........!..0..n..........n.... ........... ....................................@.....................................O................................................................................... ............... ..H............text...tm... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B................P.......H........:...Q..........................................................^~....-.s.........~.....0...........s....}.....s....}.....(............s......}.......{....(.......{....~....(....&........s......}.......{....(.......{....~....(....&.l(....r...p(............s......}.......{....(.......{....~....(?...&...0............(.......(........................"..(........0..F........{....-=.&(....&...{....,....{....(.......{....,....{....(......}....F.(G...,...s....z.0..X...

C:\Program Files (x86)\Open Movement\OM GUI\is-U15J5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	MS Windows icon resource - 12 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	29926
Entropy (8bit):	5.218447102517391
Encrypted:	false
SSDEEP:	384:+nBHx5lVcxQSv2Kf9KKUnuA8YQV/xCs3gKJZAUL4p1zKX311o6C:6B7tSUKUuA8YQVpCs3ggSS4p1zq11TC
MD5:	875539C4A4049BDD4D3AB2A7C7499438
SHA1:	8F3155CA9A39CCCD0620894BFF19DB0E44DEB742
SHA-256:	CAAAF43617BA6F896E7347CC239CE95BC5CA2CF31DAE225B827371DD71D3FEB2
SHA-512:	6EA74CB7011E2291015704E258C03FEAC75CE20B8B6FD8F0C60684A77D0488D5D80834DA24A07E8F8EC4AB90F32B4FDD734C7F8259F56273EBE17E0B8A06A204
Malicious:	false
Preview:	......00......h....... ......................................(.......00..........&... ..........................v$..........h...>+..00.... ..%...0.. .... .....NV........ ......f........ .h...~p..(...0...`.................................................................................................................................................................................................................................................................................x............................................{x..x.....................{x....................w{......................;y.{x...................y.{.............................................sx.{....................;{w.{....................{{77......................w.7s..................{{z..3{.....................z.sx..................{.....................{{..z...p................w......................w......z.p.................x.....x..............{xx...z.zz..............x..x....................s.....;.j{`.......

C:\Program Files (x86)\Open Movement\OM GUI\libomapi.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	206848
Entropy (8bit):	6.617501453617938
Encrypted:	false
SSDEEP:	6144:McgtGETY7RhzLkLS8smeiOe/Tg18j/zyC:sTYzzLkLSmeiL/Tk8zGC
MD5:	5B075AE6C4F10D56EF8D6A8B275DC3ED
SHA1:	F3159D2A45C7373A790CB118B0D534F53DF18333
SHA-256:	7B87B238F6AB12DE618BF86EC10B71481E30529EA6F06A102C004BEBD488DE02
SHA-512:	4B50E32D484D3A0894192E6137AC96C99BAABEE4B49DAC6E442B1963AA7517E2D4BF75FCBC781A0C8BFE300FDAD77B4A376BE3528CA0E63B51959DFB1151E99C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r..!..!..!h.r!..!h.p!D..!h.q!..!B+D!..!.. ..!.. ..!.. ...!...!..!...!..!..!...!y. ..!y. ..!y.\|!..!y. ..!Rich..!........PE..L....H`c...........!.....Z..........;........p...............................`............@.........................`...t............0.......................@..........p...........................0...@............p..H............................text....Y.......Z.................. ..`.rdata..\....p.......^..............@..@.data...............................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	930090
Entropy (8bit):	7.977011759378819
Encrypted:	false
SSDEEP:	24576:5naARrEWuWdE8cb6IcDVPK6O8XwYJGQJxkTC:5a978y6bDVPKkZh
MD5:	0ABD9CF2D191036D778F6F1FBE25FAE1
SHA1:	89D8721A34C9DD33DBE3E84D88CF74E7B5C48499
SHA-256:	8274A7E0259278A1CE04260115E6C96AD0917A37971E8CA58ABEEB6D92AB2615
SHA-512:	17BDA1DE1606B554C7030E5210DD97148AE20819CAFC1B142721937D5C9784F3FF1E735E31BB608DEF81F0352A0A59CF6843617F2B802EAA11933086D954B8A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F......@.............@..........................@...................@..............................P........,..........................................................................................................CODE....d........................... ..`DATA....L...........................@...BSS.....L................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

C:\Program Files (x86)\Open Movement\OM GUI\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	InnoSetup Log OmGui {8CDD410D-4556-4A8A-BF86-D67276A10EA5}, version 0x418, 26449 bytes, 376483\37\user\37, C:\Program Files (x86)\Open Movement\OM GU
Category:	dropped
Size (bytes):	26449
Entropy (8bit):	3.674967140919137
Encrypted:	false
SSDEEP:	768:g/qDfb0zaQv/4pnYyS3z3M8JiIKerbFgxJOZ8FDFFVdpsZwVSpoZR9KV0pHL2Zqi:gy0zaQv/4pnYyS3z3M8JiIKerbFgxJO/
MD5:	861EF31D849EB6BAF16CB8B47F12F557
SHA1:	8D4C571F5114243849ED80677933AD4D0C945445
SHA-256:	A41A159EAD13679F27F9093FEC2B68BA2BCEBEB39EC7A77CC3133D87AB6F506C
SHA-512:	4966F44D132C42B9D688856B7E777DB4342BAB795799A572C09119238F4CC0A31E4537C4E1D5B7BA3A2BB2E79FF57DEDE5061D488F627F142D78115397585E95
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................{8CDD410D-4556-4A8A-BF86-D67276A10EA5}..........................................................................................OmGui...............................................................................................................................p...Qg....................................................................................................................#.........u/+................3.7.6.4.8.3......t.o.r.r.e.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.p.e.n. .M.o.v.e.m.e.n.t.\.O.M. .G.U.I..................&.... .....8........IFPS....#........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TMSGBOXTYPE.........TEXECWAIT....

C:\Program Files (x86)\Open Movement\OM GUI\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3227197
Entropy (8bit):	6.289855362233436
Encrypted:	false
SSDEEP:	49152:+dx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjK333yD:/HDYsqiPRhINnq95FoHVBK3338
MD5:	B507E2C856B2EE24E3E2142B831E0B9F
SHA1:	44CA805FCF65745FAA403F35E61FBFB7DAEEE850
SHA-256:	F827E6209A340544E4986DA98747AC822D52F88A6C7811872DDC2E3CCB4D3E72
SHA-512:	B96644A7FEDAD50244FFC25D77DE0527980A350E60B9D9B24372838B19D983A890E189A01A6ADECEDE6B0940AA611C7EE8A7D623CC1264DBAB01C513B7D3E59B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,.........`V,......`,...@...........................1...........@......@....................-.......-..9............................................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc................"-.............@..@..............1.......0.............@..@........................................................

C:\Program Files (x86)\Open Movement\OM GUI\uninstall.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	MS Windows icon resource - 12 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	29926
Entropy (8bit):	5.218447102517391
Encrypted:	false
SSDEEP:	384:+nBHx5lVcxQSv2Kf9KKUnuA8YQV/xCs3gKJZAUL4p1zKX311o6C:6B7tSUKUuA8YQVpCs3ggSS4p1zq11TC
MD5:	875539C4A4049BDD4D3AB2A7C7499438
SHA1:	8F3155CA9A39CCCD0620894BFF19DB0E44DEB742
SHA-256:	CAAAF43617BA6F896E7347CC239CE95BC5CA2CF31DAE225B827371DD71D3FEB2
SHA-512:	6EA74CB7011E2291015704E258C03FEAC75CE20B8B6FD8F0C60684A77D0488D5D80834DA24A07E8F8EC4AB90F32B4FDD734C7F8259F56273EBE17E0B8A06A204
Malicious:	false
Preview:	......00......h....... ......................................(.......00..........&... ..........................v$..........h...>+..00.... ..%...0.. .... .....NV........ ......f........ .h...~p..(...0...`.................................................................................................................................................................................................................................................................................x............................................{x..x.....................{x....................w{......................;y.{x...................y.{.............................................sx.{....................;{w.{....................{{77......................w.7s..................{{z..3{.....................z.sx..................{.....................{{..z...p................w......................w......z.p.................x.....x..............{xx...z.zz..............x..x....................s.....;.j{`.......

C:\Program Files\AX3-Driver\dpinst32.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	921992
Entropy (8bit):	5.698587665358091
Encrypted:	false
SSDEEP:	6144:EZtaKSpwmx5ATm/LC3fwf3OoU9xkYSr/mdBTRhKWIjsRP/1HHm/hHAM8i6r+LyIU:EZxSpwmxvL/f3vCN1PMaLi6rAyIQjF
MD5:	30A0AFEE4AEA59772DB6434F1C0511AB
SHA1:	5D5C2D9B7736E018D2B36963E834D1AA0E32AF09
SHA-256:	D84149976BC94A21B21AA0BC99FCBDEE9D1AD4F3387D8B62B90F805AC300BA05
SHA-512:	5E8A85E2D028AD351BE255AE2C39BB518A10A4A467FD656E2472286FEE504EED87AFE7D4A728D7F8BC4261245C1DB8577DEEEE2388F39EB7EE48298E37949F53
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p..o4..<4..<4..<=.`<"..<=.v<...<=.f<)..<4..<@..<=.q<o..<=.a<5..<=.d<5..<Rich4..<................PE..L......J................. ..........j........0...............................0......p.....@...... ..............................,....p..lY......................XC...................................=..@...............L............................text............ .................. ..`.data...`>...0.......$..............@....rsrc....`...p...Z...<..............@..@.reloc..._.......`..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AX3-Driver\dpinst64.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1050104
Entropy (8bit):	5.617498652730841
Encrypted:	false
SSDEEP:	12288:uIId79EaUTvwieMozMEcOigSpuPMaLium:xIdqaWw1MsbTScP0
MD5:	BE3C79033FA8302002D9D3A6752F2263
SHA1:	A01147731F2E500282ECA5ECE149BCC5423B59D6
SHA-256:	181BF85D3B5900FF8ABED34BC415AFC37FC322D9D7702E14D144F96A908F5CAB
SHA-512:	77097F220CC6D22112B314D3E42B6EEDB9CCD72BEB655B34656326C2C63FB9209977DDAC20E9C53C4EC7CCC8EA6910F400F050F4B0CB98C9F42F89617965AAEA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g9I.#X'.#X'.#X'.* ..!X'.* ..7X'.* ..<X'.#X&.Y'.* ..fX'.* ...X'...Y."X'.* .."X'.* .."X'.Rich#X'.................PE..d......J..........".......................................................................@.......... ......................................H...@.......pY...0..\m.......%...........................................................................................text............................... ..`.data... ...........................@....pdata..\m...0...n..................@..@.rsrc....`.......Z...v..............@..@.reloc..<...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files\AX3-Driver\is-GPPIL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	3468
Entropy (8bit):	5.026026054397683
Encrypted:	false
SSDEEP:	48:IfDVHdohChj9ISWF4h33bAcyIi03O4h33VAcyHUb6RZSi02CZ4NfFnf19T:ADN+0gSDhHFy/0xhH/yO6XSitNfB19T
MD5:	CCC987FA45B80FCD65BAB524EB913371
SHA1:	65AAB45EEEB0C8388DDEC4C9CE6983BB4E21967F
SHA-256:	F55FAFACB061FF437B7B616989027993A2F8EB7D9E641F4BC3B8FBDB75912C41
SHA-512:	E196455FB122DB0ACC249250527A343E35E35B0613D94C9113F967D5967F3BAC07B9DCF7625BC1B0D24F7B85ACA2196295A083D6BC75D65875B6D70C3D6393BF
Malicious:	false
Preview:	..; Microchip Composite Device MSD+CDC..; This driver is required only by the CDC part of a composite device. ..; The MSD part does not require any driver...;..;..; Copyright (c) 2000 Microsoft Corporation..; Copyright (C) 2007 Microchip Technology Inc.....[Version] ..Signature="$Windows NT$" ..Class=Ports..ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318} ..Provider=%MFGNAME% ..LayoutFile=layout.inf..CatalogFile=mchp_MSD_CDC.cat..DriverVer=03/12/2010,5.1.2600.2....[Manufacturer] ..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs] ..DefaultDestDir=12 ......;------------------------------------------------------------------------------..; Windows 2000/XP/Vista/7-32bit Sections..;------------------------------------------------------------------------------....[DriverInstall.nt] ..include=mdmcpq.inf..CopyFiles=DriverCopyFiles.nt..AddReg=DriverInstall.nt.AddReg ....[DriverCopyFiles.nt]..usbser.sys,,,0x20....[DriverInstall.nt.AddReg] ..HKR,,DevLoader,,*ntkern ..HKR,,NTMPDriver,,%DRIVERFIL

C:\Program Files\AX3-Driver\is-LFGHU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	715038
Entropy (8bit):	6.506108541840392
Encrypted:	false
SSDEEP:	12288:RRObekMtkfohrPUs37uzHnA6zgpKq35eERXprNrHIR3+j1vGgZpDExycl:LObekYkfohrP337uzHnA6cgqpeEFHR9+
MD5:	4E28A215B82F587828879C6B4252617E
SHA1:	7AE5C9C4816AA1E1B2F112D25167E39C6F2F24C8
SHA-256:	8AB70A2820EF47EF5D97AE7B4F41FA9F4FAB3C4273893E8A0908A36FD0DD8F13
SHA-512:	97AD579FFCB7D11B5CB1F1EB9FCAEA83F889E504C187592424381980F9B951B928091B8E587979B9CB68A2BE4A01D7B757D616A667BE7D651F6846AD4341C0CE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f..........pr............@..............................................@...............................%..................................................................................................................CODE.....d.......f.................. ..`DATA.................j..............@...BSS..................\|...................idata...%.......&...\|..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................

C:\Program Files\AX3-Driver\is-PG9F3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	921992
Entropy (8bit):	5.698587665358091
Encrypted:	false
SSDEEP:	6144:EZtaKSpwmx5ATm/LC3fwf3OoU9xkYSr/mdBTRhKWIjsRP/1HHm/hHAM8i6r+LyIU:EZxSpwmxvL/f3vCN1PMaLi6rAyIQjF
MD5:	30A0AFEE4AEA59772DB6434F1C0511AB
SHA1:	5D5C2D9B7736E018D2B36963E834D1AA0E32AF09
SHA-256:	D84149976BC94A21B21AA0BC99FCBDEE9D1AD4F3387D8B62B90F805AC300BA05
SHA-512:	5E8A85E2D028AD351BE255AE2C39BB518A10A4A467FD656E2472286FEE504EED87AFE7D4A728D7F8BC4261245C1DB8577DEEEE2388F39EB7EE48298E37949F53
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p..o4..<4..<4..<=.`<"..<=.v<...<=.f<)..<4..<@..<=.q<o..<=.a<5..<=.d<5..<Rich4..<................PE..L......J................. ..........j........0...............................0......p.....@...... ..............................,....p..lY......................XC...................................=..@...............L............................text............ .................. ..`.data...`>...0.......$..............@....rsrc....`...p...Z...<..............@..@.reloc..._.......`..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AX3-Driver\is-SHR07.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1050104
Entropy (8bit):	5.617498652730841
Encrypted:	false
SSDEEP:	12288:uIId79EaUTvwieMozMEcOigSpuPMaLium:xIdqaWw1MsbTScP0
MD5:	BE3C79033FA8302002D9D3A6752F2263
SHA1:	A01147731F2E500282ECA5ECE149BCC5423B59D6
SHA-256:	181BF85D3B5900FF8ABED34BC415AFC37FC322D9D7702E14D144F96A908F5CAB
SHA-512:	77097F220CC6D22112B314D3E42B6EEDB9CCD72BEB655B34656326C2C63FB9209977DDAC20E9C53C4EC7CCC8EA6910F400F050F4B0CB98C9F42F89617965AAEA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g9I.#X'.#X'.#X'.* ..!X'.* ..7X'.* ..<X'.#X&.Y'.* ..fX'.* ...X'...Y."X'.* .."X'.* .."X'.Rich#X'.................PE..d......J..........".......................................................................@.......... ......................................H...@.......pY...0..\m.......%...........................................................................................text............................... ..`.data... ...........................@....pdata..\m...0...n..................@..@.rsrc....`.......Z...v..............@..@.reloc..<...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files\AX3-Driver\is-VN62H.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	data
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	7.054306729661913
Encrypted:	false
SSDEEP:	192:9TAEOwPKDyowJL/8Qpkqs1INID+ebCfMFJ:FSwyYJLu11VbCUJ
MD5:	8BE6BB8DC016993546D42E7DE1B9B050
SHA1:	B0BCB2A49C2C94044835868516C7C74DAD3F0344
SHA-256:	52C1051AC76AFE162DA3D764BF4C44E25D6D565D070BAADF7E638A563C37B04E
SHA-512:	47FCBA277BBE3E21DB144AD54A6315750E475E7264366D7AA89EAF24BB99C72BD066EE0C7838BA4DE8780761AA2B9BF8C64D4B764C84E68BC44FFED5E6F5741C
Malicious:	false
Preview:	0.....*.H..........0......1.0...+......0.....+.....7......0...0...+.....7.....P.d-&k.H.4^.[.....100313001938Z0...+.....7.....0...0....R6.5.A.A.B.4.5.E.E.E.B.0.C.8.3.8.8.D.D.E.C.4.C.9.C.E.6.9.8.3.B.B.4.E.2.1.9.6.7.F...1..s0D..+.....7...1604...F.i.l.e......."m.c.h.p._.m.s.d._.c.d.c...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........e..^..8.....i..N!..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.......0...0.....+.....7......0.....O.S.........2.0.0.0.,.X.P.X.8.6.,.X.P.X.6.4.,.S.e.r.v.e.r.2.0.0.3.X.8.6.,.S.e.r.v.e.r.2.0.0.3.X.6.4.,.V.i.s.t.a.X.8.6.,.V.i.s.t.a.X.6.4.,.S.e.r.v.e.r.2.0.0.8.X.8.6.,.S.e.r.v.e.r.2.0.0.8.X.6.4.,.7.X.8.6.,.7.X.6.4.,.S.e.r.v.e.r.2.0.0.8.R.2.X.6.4...0P..+.....7....B0@...H.W.I.D.2.......,u.s.b.\.v.i.d._.0.4.d.8.&.p.i.d._.0.0.0.a...0\..+.....7....N0L...H.W.I.D.1.......8u.s.b.\.v

C:\Program Files\AX3-Driver\mchp_MSD_CDC.inf (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	3468
Entropy (8bit):	5.026026054397683
Encrypted:	false
SSDEEP:	48:IfDVHdohChj9ISWF4h33bAcyIi03O4h33VAcyHUb6RZSi02CZ4NfFnf19T:ADN+0gSDhHFy/0xhH/yO6XSitNfB19T
MD5:	CCC987FA45B80FCD65BAB524EB913371
SHA1:	65AAB45EEEB0C8388DDEC4C9CE6983BB4E21967F
SHA-256:	F55FAFACB061FF437B7B616989027993A2F8EB7D9E641F4BC3B8FBDB75912C41
SHA-512:	E196455FB122DB0ACC249250527A343E35E35B0613D94C9113F967D5967F3BAC07B9DCF7625BC1B0D24F7B85ACA2196295A083D6BC75D65875B6D70C3D6393BF
Malicious:	false
Preview:	..; Microchip Composite Device MSD+CDC..; This driver is required only by the CDC part of a composite device. ..; The MSD part does not require any driver...;..;..; Copyright (c) 2000 Microsoft Corporation..; Copyright (C) 2007 Microchip Technology Inc.....[Version] ..Signature="$Windows NT$" ..Class=Ports..ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318} ..Provider=%MFGNAME% ..LayoutFile=layout.inf..CatalogFile=mchp_MSD_CDC.cat..DriverVer=03/12/2010,5.1.2600.2....[Manufacturer] ..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs] ..DefaultDestDir=12 ......;------------------------------------------------------------------------------..; Windows 2000/XP/Vista/7-32bit Sections..;------------------------------------------------------------------------------....[DriverInstall.nt] ..include=mdmcpq.inf..CopyFiles=DriverCopyFiles.nt..AddReg=DriverInstall.nt.AddReg ....[DriverCopyFiles.nt]..usbser.sys,,,0x20....[DriverInstall.nt.AddReg] ..HKR,,DevLoader,,*ntkern ..HKR,,NTMPDriver,,%DRIVERFIL

C:\Program Files\AX3-Driver\mchp_msd_cdc.cat (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	data
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	7.054306729661913
Encrypted:	false
SSDEEP:	192:9TAEOwPKDyowJL/8Qpkqs1INID+ebCfMFJ:FSwyYJLu11VbCUJ
MD5:	8BE6BB8DC016993546D42E7DE1B9B050
SHA1:	B0BCB2A49C2C94044835868516C7C74DAD3F0344
SHA-256:	52C1051AC76AFE162DA3D764BF4C44E25D6D565D070BAADF7E638A563C37B04E
SHA-512:	47FCBA277BBE3E21DB144AD54A6315750E475E7264366D7AA89EAF24BB99C72BD066EE0C7838BA4DE8780761AA2B9BF8C64D4B764C84E68BC44FFED5E6F5741C
Malicious:	false
Preview:	0.....*.H..........0......1.0...+......0.....+.....7......0...0...+.....7.....P.d-&k.H.4^.[.....100313001938Z0...+.....7.....0...0....R6.5.A.A.B.4.5.E.E.E.B.0.C.8.3.8.8.D.D.E.C.4.C.9.C.E.6.9.8.3.B.B.4.E.2.1.9.6.7.F...1..s0D..+.....7...1604...F.i.l.e......."m.c.h.p._.m.s.d._.c.d.c...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........e..^..8.....i..N!..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.......0...0.....+.....7......0.....O.S.........2.0.0.0.,.X.P.X.8.6.,.X.P.X.6.4.,.S.e.r.v.e.r.2.0.0.3.X.8.6.,.S.e.r.v.e.r.2.0.0.3.X.6.4.,.V.i.s.t.a.X.8.6.,.V.i.s.t.a.X.6.4.,.S.e.r.v.e.r.2.0.0.8.X.8.6.,.S.e.r.v.e.r.2.0.0.8.X.6.4.,.7.X.8.6.,.7.X.6.4.,.S.e.r.v.e.r.2.0.0.8.R.2.X.6.4...0P..+.....7....B0@...H.W.I.D.2.......,u.s.b.\.v.i.d._.0.4.d.8.&.p.i.d._.0.0.0.a...0\..+.....7....N0L...H.W.I.D.1.......8u.s.b.\.v

C:\Program Files\AX3-Driver\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	InnoSetup Log 64-bit AX3-Driver {C12D7D33-3050-44D8-8ADA-8ADCFA9368A5}, version 0x30, 1802 bytes, 376483\user, "C:\Program Files\AX3-Driver"
Category:	dropped
Size (bytes):	1802
Entropy (8bit):	4.682725354394425
Encrypted:	false
SSDEEP:	24:tCwwJbtRg9B30VM+EZVRURyRSIRsGXYgIK/dJSFb7ObKV3aMUbuJs:tjwJhyq4Z7ICSssGIgIK8O2C3
MD5:	7000C0EE3439C5F32C11CE0DCF6604E5
SHA1:	F9943A6179E770223ED9FE96315E8C472FB825BA
SHA-256:	D2376A4F1649F396D97F84F2EA7012008EFE16D74305DB5F6F604519B0E2CD58
SHA-512:	4E49F38200263C00C11A92567297305AFEB752F4652C371EB9AB1DA99C25E38362BFCE31E265459B155BA03A8C72E42FACBA38EACCEA6F8B50A69E25E5F49269
Malicious:	false
Preview:	Inno Setup Uninstall Log (b) 64-bit.............................{C12D7D33-3050-44D8-8ADA-8ADCFA9368A5}..........................................................................................AX3-Driver......................................................................................................................0...........%.................................................................................................................=.>........xIB......<....376483.user.C:\Program Files\AX3-Driver.............,.... ..........IFPS.............................................................................................................BOOLEAN......................!MAIN....-1..IS64BITINSTALLMODE...... .................................C:\Program Files\AX3-Driver>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\(Default).(Default).english...........NameAndVersion....%1 version %2....AdditionalIcons....Additional icons:....CreateDesktopIcon....Create a &desktop icon....Creat

C:\Program Files\AX3-Driver\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	715038
Entropy (8bit):	6.506108541840392
Encrypted:	false
SSDEEP:	12288:RRObekMtkfohrPUs37uzHnA6zgpKq35eERXprNrHIR3+j1vGgZpDExycl:LObekYkfohrP337uzHnA6cgqpeEFHR9+
MD5:	4E28A215B82F587828879C6B4252617E
SHA1:	7AE5C9C4816AA1E1B2F112D25167E39C6F2F24C8
SHA-256:	8AB70A2820EF47EF5D97AE7B4F41FA9F4FAB3C4273893E8A0908A36FD0DD8F13
SHA-512:	97AD579FFCB7D11B5CB1F1EB9FCAEA83F889E504C187592424381980F9B951B928091B8E587979B9CB68A2BE4A01D7B757D616A667BE7D651F6846AD4341C0CE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f..........pr............@..............................................@...............................%..................................................................................................................CODE.....d.......f.................. ..`DATA.................j..............@...BSS..................\|...................idata...%.......&...\|..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OmGui\OmGui.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Sep 11 06:15:38 2024, mtime=Wed Sep 11 06:15:38 2024, atime=Tue Nov 1 01:12:02 2022, length=1641984, window=hide
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	4.623486380883102
Encrypted:	false
SSDEEP:	24:8m/1bXl/v3KE+dOEscgjHcmcC1AXfqdqACdZdjqtdZdjhVUUVz/qygm:8mNb539+dOTcycmcCeP9dZdutdZdFWbX
MD5:	FA7B4D485760072335897E8035EB26CE
SHA1:	66DD5CDCB968C502047A490172E1091E92317768
SHA-256:	25AB00DC0D713667430DC1C64A9E1EE0FBEC2EC2F450E31BEDEBAEEEA0EAECE9
SHA-512:	4F0D2D30AACA702D4591C2BFC02135F73C0D0B38672C4C8E5ADE5B6951299433E05A256C20BB47A714A94FF2A2FC55A4AC3558D61DD34B3A9CCB9730B79BB434
Malicious:	false
Preview:	L..................F.... .....dg......fg......qT.................................P.O. .:i.....+00.../C:\.....................1.....+Y.9..PROGRA~2.........O.I+Y.9....................V.......q.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....d.1.....+Y.9..OPENMO~1..L......+Y.9+Y.9....~.........................O.p.e.n. .M.o.v.e.m.e.n.t.....T.1.....+Y.9..OMGUI~1.>......+Y.9+Y.9...........................y0.O.M. .G.U.I.....\.2.....aU.. .OmGui.exe.D......+Y.9+Y.9..............................O.m.G.u.i...e.x.e.......d...............-.......c.............9n.....C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe..D.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.p.e.n. .M.o.v.e.m.e.n.t.\.O.M. .G.U.I.\.O.m.G.u.i...e.x.e.+.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.p.e.n. .M.o.v.e.m.e.n.t.\.O.M. .G.U.I.........*................@Z\|...K.J.........`.......X.......376483...........hT..CrF.f4... ...F...../....%..hT..CrF.f4..

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OmGui\Uninstall OmGui.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Sep 11 06:15:38 2024, mtime=Wed Sep 11 06:15:38 2024, atime=Wed Sep 11 06:15:31 2024, length=3227197, window=hide
Category:	dropped
Size (bytes):	1252
Entropy (8bit):	4.6327218944167425
Encrypted:	false
SSDEEP:	24:8mNCtRIETdOEscaHcecQNCyAkfqdqAe+dZdjHudZdjhVUUVznqygm:8mstRbTdOTcmceckCRQx+dZdDudZdFWr
MD5:	B74A051A4CB1B0208AD16C54D90DF33F
SHA1:	29D3735BF8176A1274A31676E6DE97D9E95BB9E8
SHA-256:	6D9EB4BDFF77F0B2B47163C110D943AE12FFA1370230EF7CFC69C4D1F0370FB1
SHA-512:	719FC7FC54B7AE764BB02AA7223EB7410E6EFD58F0F6C24CC5F4D9A38CCC74286CB911EC5053DA98DE26B04431A04B433E6BDA9C87CFD41A205BA3C8E9809AE2
Malicious:	false
Preview:	L..................F.... .....Xg....P.Yg......Pc....=>1..........................P.O. .:i.....+00.../C:\.....................1.....+Y.9..PROGRA~2.........O.I+Y.9....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....d.1.....+Y.9..OPENMO~1..L......+Y.9+Y.9....~.....................q...O.p.e.n. .M.o.v.e.m.e.n.t.....T.1.....+Y.9..OMGUI~1.>......+Y.9+Y.9...........................y0.O.M. .G.U.I.....f.2.=>1.+Y.9 .unins000.exe..J......+Y.9+Y.9..........................F...u.n.i.n.s.0.0.0...e.x.e.......g...............-.......f.............9n.....C:\Program Files (x86)\Open Movement\OM GUI\unins000.exe..G.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.p.e.n. .M.o.v.e.m.e.n.t.\.O.M. .G.U.I.\.u.n.i.n.s.0.0.0...e.x.e.+.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.p.e.n. .M.o.v.e.m.e.n.t.\.O.M. .G.U.I.........*................@Z\|...K.J.........`.......X.......376483...........hT..CrF.f4... ...F...../

C:\Users\user\AppData\Local\Temp\6yss2uyv.0.cs

Download File

Process:	C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	8629
Entropy (8bit):	4.321054307696951
Encrypted:	false
SSDEEP:	192:FilEaRaIaNpFREakaZayAEakaZa6paktUbnXrPGUceB8jacvqp48jadvzc89aZa5:YlEaRaIaNpFREakaZaTEakaZa6pBtUvu
MD5:	5C98605D245F865758B32AEF66DC051D
SHA1:	D1B385392AD4349876EFA2D118B6BA0D0A39BC2A
SHA-256:	E005307639CC3641B1E47EE59C66D3B2B1C9B6F9D47709654A2DBD4F6427B340
SHA-512:	B2ABCC8F00449F15C0AA013A3D6B7114751F4C214D2B0E02D553325E98BF65E8B1E9E64297CBC3DD38319601C1AF466F179EDC1399F9959B307A65154C71C67A
Malicious:	false
Preview:	.#if _DYNAMIC_XMLSERIALIZER_COMPILATION..[assembly:System.Security.AllowPartiallyTrustedCallers()]..[assembly:System.Security.SecurityTransparent()]..#endif..[assembly:System.Reflection.AssemblyVersionAttribute("2.0.0.0")]..namespace Microsoft.Xml.Serialization.GeneratedAssembly {.... public class XmlSerializationWriterStringCollection : System.Xml.Serialization.XmlSerializationWriter {.... public void Write1_ArrayOfString(object o) {.. WriteStartDocument();.. if (o == null) {.. WriteNullTagLiteral(@"ArrayOfString", @"");.. return;.. }.. TopLevelElement();.. {.. global::System.Collections.Specialized.StringCollection a = (global::System.Collections.Specialized.StringCollection)((global::System.Collections.Specialized.StringCollection)o);.. if ((object)(a) == null) {.. WriteNullTagLiteral(@"ArrayOfString", @"");.. }..

C:\Users\user\AppData\Local\Temp\6yss2uyv.cmdline

Download File

Process:	C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (424), with no line terminators
Category:	dropped
Size (bytes):	427
Entropy (8bit):	5.503562225276064
Encrypted:	false
SSDEEP:	12:p3rknoT7UNvvz5THViHUrHc9ow16PrHVA:Vgn8Yzl1iKW1cr1A
MD5:	0CAB2B4BE90417B68FC219C24EF990CE
SHA1:	470508F4BCE4DF72816A5612BFB850887D1F9841
SHA-256:	EBCDC1327CD415B3817559A2B52A830A092A4E64EFAE9C2C696DCC7E2AF61B4F
SHA-512:	2E8AB3D2F27A238DFC648B83CD2EA397715DFEE3F922FBE3A0D2FE2820060733823BFC95902124C68B19715D3CABFEF7352298F79114953D68FE93A651D4FD81
Malicious:	false
Preview:	./t:library /utf8output /R:"C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll" /R:"C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll" /out:"C:\Users\user\AppData\Local\Temp\6yss2uyv.dll" /debug- /optimize+ /nostdlib /D:_DYNAMIC_XMLSERIALIZER_COMPILATION "C:\Users\user\AppData\Local\Temp\6yss2uyv.0.cs"

C:\Users\user\AppData\Local\Temp\6yss2uyv.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	4.3815626165900925
Encrypted:	false
SSDEEP:	96:znCPBUXHU8HZyqmTljdAc+0idfLT+Xw7YhamgyaPN2I50dPS9KiqI2wW9K:iGk8HcT3i0kLaw7YAmfa1ZCUp
MD5:	86375BF0D6EB5474F9B3A9F83F80F857
SHA1:	8F526AF776FE48CE37C423DE1D93691D4B4DB2EC
SHA-256:	57C26E715A43E24AEFC099F9719C48012C300518372FA4E9052E56BB9F0F0EC9
SHA-512:	2C314BD02C87921AA2C4E7BFFDFFB88CA38ADAC34B3E1A53CF728E44840115B3203E0D90EF3CC529E840B1721F6866D57DD101210A5043256127691799A99701
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.f...........!................~1... ...@....@.. ....................................@.................................$1..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`1......H.......$$...............................................................0..\|........(.....-..r...pr...p(.....(.....t......-..r...pr...p(.....r...pr...p..(......+..r...pr...p..o....(......X...o....2..(.......(....*...0.............(....o....&.(....o.....@S....(....o.....{....@6....(....o.....{....@ ....(....:.....-.s......t......(....o....,..(....o....8.....(....o.....(....o....&...(.....8.....(....o.....3Z.(....o.....{....39.(....o.....{....3&.(....,...o....&+...(....o..

C:\Users\user\AppData\Local\Temp\6yss2uyv.out

Download File

Process:	C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (525), with CRLF line terminators
Category:	modified
Size (bytes):	732
Entropy (8bit):	5.589237205740964
Encrypted:	false
SSDEEP:	12:vbqwSqAs/nzR3rknoT7UNvvz5THViHUrHc9ow16PrHV1Kai3SGzKIMBj6I5BFR5y:TqdqAenzdgn8Yzl1iKW1cr11Kai3SGzT
MD5:	7C2B90BF109D8B45B24B6D8B2802C0C1
SHA1:	26B42945F6763192BF3FD244497A00AE7694D0E4
SHA-256:	A82B16A644B761C968B0613CAB4D7CBBB302A9B534B44C1E9E2BBF968140D826
SHA-512:	EFB0EB9601336ED7E6FCD812C9E4BA4B87D642A0D3B29F48BA2A41FBF886C70E57B3588C5412A53310142A957DDB6DF8EE4FAC7F2438B15F98E6AB85808D5610
Malicious:	false
Preview:	.C:\Program Files (x86)\Open Movement\OM GUI> "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /t:library /utf8output /R:"C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll" /R:"C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll" /out:"C:\Users\user\AppData\Local\Temp\6yss2uyv.dll" /debug- /optimize+ /nostdlib /D:_DYNAMIC_XMLSERIALIZER_COMPILATION "C:\Users\user\AppData\Local\Temp\6yss2uyv.0.cs"......Microsoft (R) Visual C# 2005 Compiler version 8.00.50727.9149..for Microsoft (R) Windows (R) 2005 Framework version 2.0.50727..Copyright (C) Microsoft Corporation 2001-2005. All rights reserved.....

C:\Users\user\AppData\Local\Temp\CSC431A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1401704935013934
Encrypted:	false
SSDEEP:	12:DXt4Ii3nYAHia5YA49aUGiqMZAiN52ryw+ak7YnqqLfPN5Rlq5z:+RI+ycuZhNI+akSLfPNdqt
MD5:	6FC6FBDEDC4ABC8FC9D2C9721FB8B628
SHA1:	1012C3BC6EA3FFBA94B7BCF0A8696D0A9B92DBCB
SHA-256:	07D0F11B1B91A72750C5B2CAC0B66023E1E3195AE93C0CF5A64E38E387E6277A
SHA-512:	1F0BD8DC46A14504B245BACD2F22F43F4FB822E183094622DBC316F3234A92A7C7DEAD3106143EB783123C90B162A5E2F65421B985A33CA36F86B55417CE259B
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....2...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...6.y.s.s.2.u.y.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...6.y.s.s.2.u.y.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...2...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...2...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCA999.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.14623682322256
Encrypted:	false
SSDEEP:	12:DXt4Ii3nYAHia5YA49aUGiqMZAiN52ryyak7YnqqQPN5Rlq5z:+RI+ycuZhNaakSQPNdqt
MD5:	C9CC3C62D2C50347D8CFFF59E426E193
SHA1:	7FE9AD4FE344557163FE5AB7F4C07673E94C931E
SHA-256:	653207577F06683A5D6C12E9B59D08070B830D9BBDB98CAB2F2FC6DF277F7554
SHA-512:	41850A81E68B04C64568E454988E3ECF20D7EA766CD702BABF6A4A8FEA733B635C5948C867200D799035978ECB0DEC9402371FB491297BCF8F1F5025CC2CFE8A
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....2...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.j.4.v.3.o.t.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.j.4.v.3.o.t.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...2...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...2...0...0...0...

C:\Users\user\AppData\Local\Temp\RES431B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x406, 9 symbols, created Wed Sep 11 07:16:46 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1196
Entropy (8bit):	3.6647528391090125
Encrypted:	false
SSDEEP:	24:HUJ9YerW1L45dd1HhTUnhKLI+ycuZhNI+akSLfPNdq9td:VeruL4bzmnhKL1ulI+a3L9U9H
MD5:	A09B9A8EE8CE8A7DD1616BA8A88E0549
SHA1:	B85854719C2BF0816E07374F4DFCD39EBBB66EB6
SHA-256:	1C7B3A1FC1D802AFB6F47CCE1C0D15826A41B1C9CC99B1E7774ED2DC781E2707
SHA-512:	4DC6EC72178C54781C3E6518179098ECCBF0D774B80F562ACEEEF76C2680C148844D499D0AD138F5B700DD7C839DDE4553940064B8C8AD9090934669623F4BF8
Malicious:	false
Preview:	L....C.f.............debug$S............................@..B.rsrc$01........X...T...............@..@.rsrc$02........P...................@..@........0....c:\Users\user\AppData\Local\Temp\CSC431A.tmp...............o....J.....r...(......d...5.......C:\Users\user\AppData\Local\Temp\RES431B.tmp.+...................'.Microsoft (R) CVTRES...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....2...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...6.y.s.s.2.u.y.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...6.y.s.s.2.u.y.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...2...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.

C:\Users\user\AppData\Local\Temp\RESA99A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x406, 9 symbols, created Wed Sep 11 07:16:07 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1196
Entropy (8bit):	3.675317133679297
Encrypted:	false
SSDEEP:	24:HbJ9YerW1Zad1HvUnhKLI+ycuZhNaakSQPNdq9td:0eruwzsnhKL1ulaa3IU9H
MD5:	6F46E49920D6CC16DEB99CF85D3C5CF2
SHA1:	E614BA64FC963E23F1F17C31638A9EC6809BD5B1
SHA-256:	D307AC4EEC2A7972BF36D7EE12D257D96092995AA406CF23948D50B5AC30BEC6
SHA-512:	90D63AB28CFC156641A25FEBB47F340DC2797D48AF44BAA912C5C8C58ED95BEB806D86DA259699621F84F88B7FCB678D6DFA2E2505D7D8B3E6DEAF3E04269934
Malicious:	false
Preview:	L....C.f.............debug$S............................@..B.rsrc$01........X...T...............@..@.rsrc$02........P...................@..@........0....c:\Users\user\AppData\Local\Temp\CSCA999.tmp.................<b...G...Y.&.......d...5.......C:\Users\user\AppData\Local\Temp\RESA99A.tmp.+...................'.Microsoft (R) CVTRES...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....2...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.j.4.v.3.o.t.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.j.4.v.3.o.t.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...2...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.

C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_RegDLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.026670007889822
Encrypted:	false
SSDEEP:	48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5:	0EE914C6F0BB93996C75941E1AD629C6
SHA1:	12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256:	4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512:	A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.745960477552938
Encrypted:	false
SSDEEP:	384:BXvhMwoSitz/bjx7yxnbdn+EHvbsHoOODCg:BZ7FEAbd+EDsIO
MD5:	A813D18268AFFD4763DDE940246DC7E5
SHA1:	C7366E1FD925C17CC6068001BD38EAEF5B42852F
SHA-256:	E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64
SHA-512:	B310ED4CD2E94381C00A6A370FCB7CC867EBE425D705B69CAAAAFFDAFBAB91F72D357966916053E72E68ECF712F2AF7585500C58BB53EC3E1D539179FCB45FB4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(............................@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-AABR8.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp

Download File

Process:	C:\Users\user\Desktop\AX3-GUI-45.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3203072
Entropy (8bit):	6.302566626610392
Encrypted:	false
SSDEEP:	49152:mdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjK333yD:nHDYsqiPRhINnq95FoHVBK333K
MD5:	48C6508A6FD96E62F8796701A0200C8F
SHA1:	833063ABFD008C67C79083AEEC9EACED8434ADB7
SHA-256:	E50218793C873317287BB8FC52099F1C474DB16ECCB3F21741C36AC2FF275132
SHA-512:	68252C1F34599BF74FEB1EBE885B08F3A9B88335ED1BE09FF74324B5E95B184170275014B9F53E2DC0FD9866BD4B65E53B3E43C4D242C40B2F2166EEBFA99859
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,.........`V,......`,...@...........................1...........@......@....................-.......-..9............................................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc................"-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-CUPI4.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	7.042110181107409
Encrypted:	false
SSDEEP:	768:BD7FEAbd+EDsIOmF+OiR9rikW/F+M9OAriXiRQU:M07sIOYRiPWkWNl9WXil
MD5:	077CB4461A2767383B317EB0C50F5F13
SHA1:	584E64F1D162398B7F377CE55A6B5740379C4282
SHA-256:	8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
SHA-512:	B1FCB0265697561EF497E6A60FCEE99DC5EA0CF02B4010DA9F5ED93BCE88BDFEA6BFE823A017487B8059158464EA29636AAD8E5F9DD1E8B8A1B6EAAAB670E547
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(....................4.. ?...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-CUPI4.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp

Download File

Process:	C:\Users\user\Desktop\AX3-GUI-45.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3203072
Entropy (8bit):	6.302566626610392
Encrypted:	false
SSDEEP:	49152:mdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjK333yD:nHDYsqiPRhINnq95FoHVBK333K
MD5:	48C6508A6FD96E62F8796701A0200C8F
SHA1:	833063ABFD008C67C79083AEEC9EACED8434ADB7
SHA-256:	E50218793C873317287BB8FC52099F1C474DB16ECCB3F21741C36AC2FF275132
SHA-512:	68252C1F34599BF74FEB1EBE885B08F3A9B88335ED1BE09FF74324B5E95B184170275014B9F53E2DC0FD9866BD4B65E53B3E43C4D242C40B2F2166EEBFA99859
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,.........`V,......`,...@...........................1...........@......@....................-.......-..9............................................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc................"-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-M04BE.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	7.042110181107409
Encrypted:	false
SSDEEP:	768:BD7FEAbd+EDsIOmF+OiR9rikW/F+M9OAriXiRQU:M07sIOYRiPWkWNl9WXil
MD5:	077CB4461A2767383B317EB0C50F5F13
SHA1:	584E64F1D162398B7F377CE55A6B5740379C4282
SHA-256:	8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
SHA-512:	B1FCB0265697561EF497E6A60FCEE99DC5EA0CF02B4010DA9F5ED93BCE88BDFEA6BFE823A017487B8059158464EA29636AAD8E5F9DD1E8B8A1B6EAAAB670E547
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(....................4.. ?...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-M04BE.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp

Download File

Process:	C:\Users\user\Desktop\AX3-GUI-45.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3203072
Entropy (8bit):	6.302566626610392
Encrypted:	false
SSDEEP:	49152:mdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjK333yD:nHDYsqiPRhINnq95FoHVBK333K
MD5:	48C6508A6FD96E62F8796701A0200C8F
SHA1:	833063ABFD008C67C79083AEEC9EACED8434ADB7
SHA-256:	E50218793C873317287BB8FC52099F1C474DB16ECCB3F21741C36AC2FF275132
SHA-512:	68252C1F34599BF74FEB1EBE885B08F3A9B88335ED1BE09FF74324B5E95B184170275014B9F53E2DC0FD9866BD4B65E53B3E43C4D242C40B2F2166EEBFA99859
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,.........`V,......`,...@...........................1...........@......@....................-.......-..9............................................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc................"-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp

Download File

Process:	C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	704512
Entropy (8bit):	6.498037567890168
Encrypted:	false
SSDEEP:	12288:ZRObekMtkfohrPUs37uzHnA6zgpKq35eERXprNrHIR3+j1vGgZpDExyc:jObekYkfohrP337uzHnA6cgqpeEFHR9A
MD5:	67C5A4F36E1C91A3B85E440EDD7AD026
SHA1:	E49EA0E558ED682498CC61B3070E4C402FBF0912
SHA-256:	99C299D6565AB53D9AF66E0146737DC0ECFBC52ECF4740825B552DB0CC4210C6
SHA-512:	40522D4645ECE0DB9888EA40D1A11356AA5EFC191184A0B97CB54A6C243532B1FC306E9095BBFA1F5DC02C8E52B709650230D1383532136E56CAEA3DC19A973E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f..........pr............@..............................................@...............................%..................................................................................................................CODE.....d.......f.................. ..`DATA.................j..............@...BSS..................\|...................idata...%.......&...\|..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\lj4v3otx.0.cs

Download File

Process:	C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	8629
Entropy (8bit):	4.321054307696951
Encrypted:	false
SSDEEP:	192:FilEaRaIaNpFREakaZayAEakaZa6paktUbnXrPGUceB8jacvqp48jadvzc89aZa5:YlEaRaIaNpFREakaZaTEakaZa6pBtUvu
MD5:	5C98605D245F865758B32AEF66DC051D
SHA1:	D1B385392AD4349876EFA2D118B6BA0D0A39BC2A
SHA-256:	E005307639CC3641B1E47EE59C66D3B2B1C9B6F9D47709654A2DBD4F6427B340
SHA-512:	B2ABCC8F00449F15C0AA013A3D6B7114751F4C214D2B0E02D553325E98BF65E8B1E9E64297CBC3DD38319601C1AF466F179EDC1399F9959B307A65154C71C67A
Malicious:	false
Preview:	.#if _DYNAMIC_XMLSERIALIZER_COMPILATION..[assembly:System.Security.AllowPartiallyTrustedCallers()]..[assembly:System.Security.SecurityTransparent()]..#endif..[assembly:System.Reflection.AssemblyVersionAttribute("2.0.0.0")]..namespace Microsoft.Xml.Serialization.GeneratedAssembly {.... public class XmlSerializationWriterStringCollection : System.Xml.Serialization.XmlSerializationWriter {.... public void Write1_ArrayOfString(object o) {.. WriteStartDocument();.. if (o == null) {.. WriteNullTagLiteral(@"ArrayOfString", @"");.. return;.. }.. TopLevelElement();.. {.. global::System.Collections.Specialized.StringCollection a = (global::System.Collections.Specialized.StringCollection)((global::System.Collections.Specialized.StringCollection)o);.. if ((object)(a) == null) {.. WriteNullTagLiteral(@"ArrayOfString", @"");.. }..

C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline

Download File

Process:	C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (424), with no line terminators
Category:	dropped
Size (bytes):	427
Entropy (8bit):	5.5378613057295825
Encrypted:	false
SSDEEP:	12:p3rknoT7UNvvz5THVDaKsrHc9ow16PrHVDaKJ:Vgn8Yzl1DyW1cr1DJ
MD5:	AFE89C6C6817F1FF40C976D871E04717
SHA1:	97481F2537593E2F1DF84ED7A393342FD7DDE4A5
SHA-256:	F5DFCF969100910AF1DCC9CBB451F03D847AD8D0E0379BDBFAB7152820932701
SHA-512:	674E1683E455369B28AF281A7478C165B182DDACF86A88DBC73DCAF23F2E99570AC978508B23D0B8A7B9CBB6B2F64998FFEC4687836CAF0FE2009115CCB39CAC
Malicious:	true
Preview:	./t:library /utf8output /R:"C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll" /R:"C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll" /out:"C:\Users\user\AppData\Local\Temp\lj4v3otx.dll" /debug- /optimize+ /nostdlib /D:_DYNAMIC_XMLSERIALIZER_COMPILATION "C:\Users\user\AppData\Local\Temp\lj4v3otx.0.cs"

C:\Users\user\AppData\Local\Temp\lj4v3otx.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	4.379707746838247
Encrypted:	false
SSDEEP:	96:mnCPBUXHU8HZyqmTljdAc+0idfLQ+Xw7Yham7yaPN2I50dPS9KiqI2bWsK:JGk8HcT3i0kLrw7YAmua1ZCUh
MD5:	1D0D8A7F38F1C24554801DB963D0C75E
SHA1:	F34EE82BBD54E74462FD4A72539E69BABD6A4D94
SHA-256:	9117356E664A8D9D0D61C572D22138B6C30B52F25453E7BECCF27652D6A0C150
SHA-512:	448660E7335814E89FB23C222D7AB4DA8962939A8B51C95BB690B3EAF70F2268BED1BB5B49DCD709506326599C7B67DFF1989F6A0BE66F50248444F34A3A995F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.f...........!................~1... ...@....@.. ....................................@.................................$1..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`1......H.......$$...............................................................0..\|........(.....-..r...pr...p(.....(.....t......-..r...pr...p(.....r...pr...p..(......+..r...pr...p..o....(......X...o....2..(.......(....*...0.............(....o....&.(....o.....@S....(....o.....{....@6....(....o.....{....@ ....(....:.....-.s......t......(....o....,..(....o....8.....(....o.....(....o....&...(.....8.....(....o.....3Z.(....o.....{....39.(....o.....{....3&.(....,...o....&+...(....o..

C:\Users\user\AppData\Local\Temp\lj4v3otx.out

Download File

Process:	C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (525), with CRLF line terminators
Category:	modified
Size (bytes):	732
Entropy (8bit):	5.606955890770966
Encrypted:	false
SSDEEP:	12:vbqwSqAs/nzR3rknoT7UNvvz5THVDaKsrHc9ow16PrHVDaKMKai3SGzKIMBj6I5G:TqdqAenzdgn8Yzl1DyW1cr1DMKai3SGX
MD5:	1415767DAE82ACE6A8757F1FCC9CCC99
SHA1:	54DDA987846883F34EC05C32814E02B326BDBFE6
SHA-256:	14CAA972F172CCFCB2E9830D78B7366F21FFF27BB3ADB04FF2D250C93D0AE01C
SHA-512:	93385877455B46D9C3929CC3FFA71E1459C7FE1FD302755F0D5C937223695B7A0A2E87394F3EE325DD12CE9DBE1B24CCD67F63D80D02EC8E897F0B9A719B9A48
Malicious:	false
Preview:	.C:\Program Files (x86)\Open Movement\OM GUI> "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /t:library /utf8output /R:"C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll" /R:"C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll" /out:"C:\Users\user\AppData\Local\Temp\lj4v3otx.dll" /debug- /optimize+ /nostdlib /D:_DYNAMIC_XMLSERIALIZER_COMPILATION "C:\Users\user\AppData\Local\Temp\lj4v3otx.0.cs"......Microsoft (R) Visual C# 2005 Compiler version 8.00.50727.9149..for Microsoft (R) Windows (R) 2005 Framework version 2.0.50727..Copyright (C) Microsoft Corporation 2001-2005. All rights reserved.....

C:\Users\user\AppData\Local\Temp\{a893eec2-cde1-b844-a268-dd04a77ebb2a}\SET584D.tmp

Download File

Process:	C:\Program Files\AX3-Driver\dpinst64.exe
File Type:	data
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	7.054306729661913
Encrypted:	false
SSDEEP:	192:9TAEOwPKDyowJL/8Qpkqs1INID+ebCfMFJ:FSwyYJLu11VbCUJ
MD5:	8BE6BB8DC016993546D42E7DE1B9B050
SHA1:	B0BCB2A49C2C94044835868516C7C74DAD3F0344
SHA-256:	52C1051AC76AFE162DA3D764BF4C44E25D6D565D070BAADF7E638A563C37B04E
SHA-512:	47FCBA277BBE3E21DB144AD54A6315750E475E7264366D7AA89EAF24BB99C72BD066EE0C7838BA4DE8780761AA2B9BF8C64D4B764C84E68BC44FFED5E6F5741C
Malicious:	false
Preview:	0.....*.H..........0......1.0...+......0.....+.....7......0...0...+.....7.....P.d-&k.H.4^.[.....100313001938Z0...+.....7.....0...0....R6.5.A.A.B.4.5.E.E.E.B.0.C.8.3.8.8.D.D.E.C.4.C.9.C.E.6.9.8.3.B.B.4.E.2.1.9.6.7.F...1..s0D..+.....7...1604...F.i.l.e......."m.c.h.p._.m.s.d._.c.d.c...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........e..^..8.....i..N!..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.......0...0.....+.....7......0.....O.S.........2.0.0.0.,.X.P.X.8.6.,.X.P.X.6.4.,.S.e.r.v.e.r.2.0.0.3.X.8.6.,.S.e.r.v.e.r.2.0.0.3.X.6.4.,.V.i.s.t.a.X.8.6.,.V.i.s.t.a.X.6.4.,.S.e.r.v.e.r.2.0.0.8.X.8.6.,.S.e.r.v.e.r.2.0.0.8.X.6.4.,.7.X.8.6.,.7.X.6.4.,.S.e.r.v.e.r.2.0.0.8.R.2.X.6.4...0P..+.....7....B0@...H.W.I.D.2.......,u.s.b.\.v.i.d._.0.4.d.8.&.p.i.d._.0.0.0.a...0\..+.....7....N0L...H.W.I.D.1.......8u.s.b.\.v

C:\Users\user\AppData\Local\Temp\{a893eec2-cde1-b844-a268-dd04a77ebb2a}\SET58CB.tmp

Download File

Process:	C:\Program Files\AX3-Driver\dpinst64.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	3468
Entropy (8bit):	5.026026054397683
Encrypted:	false
SSDEEP:	48:IfDVHdohChj9ISWF4h33bAcyIi03O4h33VAcyHUb6RZSi02CZ4NfFnf19T:ADN+0gSDhHFy/0xhH/yO6XSitNfB19T
MD5:	CCC987FA45B80FCD65BAB524EB913371
SHA1:	65AAB45EEEB0C8388DDEC4C9CE6983BB4E21967F
SHA-256:	F55FAFACB061FF437B7B616989027993A2F8EB7D9E641F4BC3B8FBDB75912C41
SHA-512:	E196455FB122DB0ACC249250527A343E35E35B0613D94C9113F967D5967F3BAC07B9DCF7625BC1B0D24F7B85ACA2196295A083D6BC75D65875B6D70C3D6393BF
Malicious:	false
Preview:	..; Microchip Composite Device MSD+CDC..; This driver is required only by the CDC part of a composite device. ..; The MSD part does not require any driver...;..;..; Copyright (c) 2000 Microsoft Corporation..; Copyright (C) 2007 Microchip Technology Inc.....[Version] ..Signature="$Windows NT$" ..Class=Ports..ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318} ..Provider=%MFGNAME% ..LayoutFile=layout.inf..CatalogFile=mchp_MSD_CDC.cat..DriverVer=03/12/2010,5.1.2600.2....[Manufacturer] ..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs] ..DefaultDestDir=12 ......;------------------------------------------------------------------------------..; Windows 2000/XP/Vista/7-32bit Sections..;------------------------------------------------------------------------------....[DriverInstall.nt] ..include=mdmcpq.inf..CopyFiles=DriverCopyFiles.nt..AddReg=DriverInstall.nt.AddReg ....[DriverCopyFiles.nt]..usbser.sys,,,0x20....[DriverInstall.nt.AddReg] ..HKR,,DevLoader,,*ntkern ..HKR,,NTMPDriver,,%DRIVERFIL

C:\Users\user\AppData\Local\Temp\{a893eec2-cde1-b844-a268-dd04a77ebb2a}\mchp_MSD_CDC.cat (copy)

Download File

Process:	C:\Program Files\AX3-Driver\dpinst64.exe
File Type:	data
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	7.054306729661913
Encrypted:	false
SSDEEP:	192:9TAEOwPKDyowJL/8Qpkqs1INID+ebCfMFJ:FSwyYJLu11VbCUJ
MD5:	8BE6BB8DC016993546D42E7DE1B9B050
SHA1:	B0BCB2A49C2C94044835868516C7C74DAD3F0344
SHA-256:	52C1051AC76AFE162DA3D764BF4C44E25D6D565D070BAADF7E638A563C37B04E
SHA-512:	47FCBA277BBE3E21DB144AD54A6315750E475E7264366D7AA89EAF24BB99C72BD066EE0C7838BA4DE8780761AA2B9BF8C64D4B764C84E68BC44FFED5E6F5741C
Malicious:	false
Preview:	0.....*.H..........0......1.0...+......0.....+.....7......0...0...+.....7.....P.d-&k.H.4^.[.....100313001938Z0...+.....7.....0...0....R6.5.A.A.B.4.5.E.E.E.B.0.C.8.3.8.8.D.D.E.C.4.C.9.C.E.6.9.8.3.B.B.4.E.2.1.9.6.7.F...1..s0D..+.....7...1604...F.i.l.e......."m.c.h.p._.m.s.d._.c.d.c...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........e..^..8.....i..N!..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.......0...0.....+.....7......0.....O.S.........2.0.0.0.,.X.P.X.8.6.,.X.P.X.6.4.,.S.e.r.v.e.r.2.0.0.3.X.8.6.,.S.e.r.v.e.r.2.0.0.3.X.6.4.,.V.i.s.t.a.X.8.6.,.V.i.s.t.a.X.6.4.,.S.e.r.v.e.r.2.0.0.8.X.8.6.,.S.e.r.v.e.r.2.0.0.8.X.6.4.,.7.X.8.6.,.7.X.6.4.,.S.e.r.v.e.r.2.0.0.8.R.2.X.6.4...0P..+.....7....B0@...H.W.I.D.2.......,u.s.b.\.v.i.d._.0.4.d.8.&.p.i.d._.0.0.0.a...0\..+.....7....N0L...H.W.I.D.1.......8u.s.b.\.v

C:\Users\user\AppData\Local\Temp\{a893eec2-cde1-b844-a268-dd04a77ebb2a}\mchp_msd_cdc.inf (copy)

Download File

Process:	C:\Program Files\AX3-Driver\dpinst64.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	3468
Entropy (8bit):	5.026026054397683
Encrypted:	false
SSDEEP:	48:IfDVHdohChj9ISWF4h33bAcyIi03O4h33VAcyHUb6RZSi02CZ4NfFnf19T:ADN+0gSDhHFy/0xhH/yO6XSitNfB19T
MD5:	CCC987FA45B80FCD65BAB524EB913371
SHA1:	65AAB45EEEB0C8388DDEC4C9CE6983BB4E21967F
SHA-256:	F55FAFACB061FF437B7B616989027993A2F8EB7D9E641F4BC3B8FBDB75912C41
SHA-512:	E196455FB122DB0ACC249250527A343E35E35B0613D94C9113F967D5967F3BAC07B9DCF7625BC1B0D24F7B85ACA2196295A083D6BC75D65875B6D70C3D6393BF
Malicious:	false
Preview:	..; Microchip Composite Device MSD+CDC..; This driver is required only by the CDC part of a composite device. ..; The MSD part does not require any driver...;..;..; Copyright (c) 2000 Microsoft Corporation..; Copyright (C) 2007 Microchip Technology Inc.....[Version] ..Signature="$Windows NT$" ..Class=Ports..ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318} ..Provider=%MFGNAME% ..LayoutFile=layout.inf..CatalogFile=mchp_MSD_CDC.cat..DriverVer=03/12/2010,5.1.2600.2....[Manufacturer] ..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs] ..DefaultDestDir=12 ......;------------------------------------------------------------------------------..; Windows 2000/XP/Vista/7-32bit Sections..;------------------------------------------------------------------------------....[DriverInstall.nt] ..include=mdmcpq.inf..CopyFiles=DriverCopyFiles.nt..AddReg=DriverInstall.nt.AddReg ....[DriverCopyFiles.nt]..usbser.sys,,,0x20....[DriverInstall.nt.AddReg] ..HKR,,DevLoader,,*ntkern ..HKR,,NTMPDriver,,%DRIVERFIL

C:\Windows\DPINST.LOG

Download File

Process:	C:\Program Files\AX3-Driver\dpinst64.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4174
Entropy (8bit):	3.6684530638546686
Encrypted:	false
SSDEEP:	96:ZiXRC8653Q6GBYRQ63rgU97sIgJ7sI7j9Ha:l96a
MD5:	E66B4361C8F7AF9767DB1865607FCB92
SHA1:	DA3BB0BDA848A82453ADAAE0B0714A4B9E8DAD70
SHA-256:	D21F5BB78D6EB6EF69B8DAAD9CCBB327562E2A006AD8467FFBD5683C7BFFE43B
SHA-512:	A5C0941FB017E04D1A77B8CC848931E98720D22322B5647271D1AABB9337EFF08117B7C3EEFA6CD741D4B3FA205BCCB5BB22F02DBFF90F00736581CC621F3E91
Malicious:	false
Preview:	..I.N.F.O.:. . . .............................................I.N.F.O.:. . . .0.9./.1.1./.2.0.2.4. .0.3.:.1.5.:.4.5.....I.N.F.O.:. . . .P.r.o.d.u.c.t. .V.e.r.s.i.o.n. .2...1...0...0.......I.N.F.O.:. . . .V.e.r.s.i.o.n.:. .6...0...6.0.0.0. .....I.N.F.O.:. . . .P.l.a.t.f.o.r.m. .I.D.:. .2. .(.N.T.).....I.N.F.O.:. . . .S.e.r.v.i.c.e. .P.a.c.k.:. .0...0.....I.N.F.O.:. . . .S.u.i.t.e.:. .0.x.0.1.0.0.,. .P.r.o.d.u.c.t. .T.y.p.e.:. .1.....I.N.F.O.:. . . .A.r.c.h.i.t.e.c.t.u.r.e.:. .A.M.D.6.4.......I.N.F.O.:. . . .I.n.t.e.r.a.c.t.i.v.e. .W.i.n.d.o.w.s. .S.t.a.t.i.o.n.....I.N.F.O.:. . . .C.o.m.m.a.n.d. .L.i.n.e.:. .'.".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.A.X.3.-.D.r.i.v.e.r.\.D.P.I.n.s.t.6.4...e.x.e.". ./.F. ./.S.A. ./.S.E. ./.S.W.'.....I.N.F.O.:. . . .D.P.I.n.s.t. .i.s. .n.o.t. .m.u.l.t.i.-.l.i.n.g.u.a.l.......I.N.F.O.:. . . .............................................I.N.F.O.:. . . .C.u.r.r.e.n.t. .w.o.r.k.i.n.g. .

C:\Windows\INF\oem4.inf

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	3468
Entropy (8bit):	5.026026054397683
Encrypted:	false
SSDEEP:	48:IfDVHdohChj9ISWF4h33bAcyIi03O4h33VAcyHUb6RZSi02CZ4NfFnf19T:ADN+0gSDhHFy/0xhH/yO6XSitNfB19T
MD5:	CCC987FA45B80FCD65BAB524EB913371
SHA1:	65AAB45EEEB0C8388DDEC4C9CE6983BB4E21967F
SHA-256:	F55FAFACB061FF437B7B616989027993A2F8EB7D9E641F4BC3B8FBDB75912C41
SHA-512:	E196455FB122DB0ACC249250527A343E35E35B0613D94C9113F967D5967F3BAC07B9DCF7625BC1B0D24F7B85ACA2196295A083D6BC75D65875B6D70C3D6393BF
Malicious:	false
Preview:	..; Microchip Composite Device MSD+CDC..; This driver is required only by the CDC part of a composite device. ..; The MSD part does not require any driver...;..;..; Copyright (c) 2000 Microsoft Corporation..; Copyright (C) 2007 Microchip Technology Inc.....[Version] ..Signature="$Windows NT$" ..Class=Ports..ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318} ..Provider=%MFGNAME% ..LayoutFile=layout.inf..CatalogFile=mchp_MSD_CDC.cat..DriverVer=03/12/2010,5.1.2600.2....[Manufacturer] ..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs] ..DefaultDestDir=12 ......;------------------------------------------------------------------------------..; Windows 2000/XP/Vista/7-32bit Sections..;------------------------------------------------------------------------------....[DriverInstall.nt] ..include=mdmcpq.inf..CopyFiles=DriverCopyFiles.nt..AddReg=DriverInstall.nt.AddReg ....[DriverCopyFiles.nt]..usbser.sys,,,0x20....[DriverInstall.nt.AddReg] ..HKR,,DevLoader,,*ntkern ..HKR,,NTMPDriver,,%DRIVERFIL

C:\Windows\INF\setupapi.dev.log

Download File

Process:	C:\Program Files\AX3-Driver\dpinst64.exe
File Type:	Generic INItialization configuration [BeginLog]
Category:	dropped
Size (bytes):	2495830
Entropy (8bit):	5.219308505321447
Encrypted:	false
SSDEEP:	12288:O+5cge9m9jVuWs22GZRvV3V6hcGZ0s2mC:sGZRqcGZA
MD5:	17B3DBAE174C4E67345BCC217D8FDC76
SHA1:	D01DB505D00D90168F390430D16A3DD1175EE410
SHA-256:	6209DD377187F875DBCEA45A667AE62CF9B7FD0C147391A39B1CB164C33B1ABE
SHA-512:	7AF9FDC5E492878331538F1F97C45857BE275EAD6EAD24C84583C7BA072422D0C3520C41622C2EDF91FB3579E24CDE963D180684995AAB00F4AA861B6C1EFF44
Malicious:	false
Preview:	[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:

C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\SET6126.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	7.054306729661913
Encrypted:	false
SSDEEP:	192:9TAEOwPKDyowJL/8Qpkqs1INID+ebCfMFJ:FSwyYJLu11VbCUJ
MD5:	8BE6BB8DC016993546D42E7DE1B9B050
SHA1:	B0BCB2A49C2C94044835868516C7C74DAD3F0344
SHA-256:	52C1051AC76AFE162DA3D764BF4C44E25D6D565D070BAADF7E638A563C37B04E
SHA-512:	47FCBA277BBE3E21DB144AD54A6315750E475E7264366D7AA89EAF24BB99C72BD066EE0C7838BA4DE8780761AA2B9BF8C64D4B764C84E68BC44FFED5E6F5741C
Malicious:	false
Preview:	0.....*.H..........0......1.0...+......0.....+.....7......0...0...+.....7.....P.d-&k.H.4^.[.....100313001938Z0...+.....7.....0...0....R6.5.A.A.B.4.5.E.E.E.B.0.C.8.3.8.8.D.D.E.C.4.C.9.C.E.6.9.8.3.B.B.4.E.2.1.9.6.7.F...1..s0D..+.....7...1604...F.i.l.e......."m.c.h.p._.m.s.d._.c.d.c...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........e..^..8.....i..N!..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.......0...0.....+.....7......0.....O.S.........2.0.0.0.,.X.P.X.8.6.,.X.P.X.6.4.,.S.e.r.v.e.r.2.0.0.3.X.8.6.,.S.e.r.v.e.r.2.0.0.3.X.6.4.,.V.i.s.t.a.X.8.6.,.V.i.s.t.a.X.6.4.,.S.e.r.v.e.r.2.0.0.8.X.8.6.,.S.e.r.v.e.r.2.0.0.8.X.6.4.,.7.X.8.6.,.7.X.6.4.,.S.e.r.v.e.r.2.0.0.8.R.2.X.6.4...0P..+.....7....B0@...H.W.I.D.2.......,u.s.b.\.v.i.d._.0.4.d.8.&.p.i.d._.0.0.0.a...0\..+.....7....N0L...H.W.I.D.1.......8u.s.b.\.v

C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\SET61A4.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	3468
Entropy (8bit):	5.026026054397683
Encrypted:	false
SSDEEP:	48:IfDVHdohChj9ISWF4h33bAcyIi03O4h33VAcyHUb6RZSi02CZ4NfFnf19T:ADN+0gSDhHFy/0xhH/yO6XSitNfB19T
MD5:	CCC987FA45B80FCD65BAB524EB913371
SHA1:	65AAB45EEEB0C8388DDEC4C9CE6983BB4E21967F
SHA-256:	F55FAFACB061FF437B7B616989027993A2F8EB7D9E641F4BC3B8FBDB75912C41
SHA-512:	E196455FB122DB0ACC249250527A343E35E35B0613D94C9113F967D5967F3BAC07B9DCF7625BC1B0D24F7B85ACA2196295A083D6BC75D65875B6D70C3D6393BF
Malicious:	false
Preview:	..; Microchip Composite Device MSD+CDC..; This driver is required only by the CDC part of a composite device. ..; The MSD part does not require any driver...;..;..; Copyright (c) 2000 Microsoft Corporation..; Copyright (C) 2007 Microchip Technology Inc.....[Version] ..Signature="$Windows NT$" ..Class=Ports..ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318} ..Provider=%MFGNAME% ..LayoutFile=layout.inf..CatalogFile=mchp_MSD_CDC.cat..DriverVer=03/12/2010,5.1.2600.2....[Manufacturer] ..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs] ..DefaultDestDir=12 ......;------------------------------------------------------------------------------..; Windows 2000/XP/Vista/7-32bit Sections..;------------------------------------------------------------------------------....[DriverInstall.nt] ..include=mdmcpq.inf..CopyFiles=DriverCopyFiles.nt..AddReg=DriverInstall.nt.AddReg ....[DriverCopyFiles.nt]..usbser.sys,,,0x20....[DriverInstall.nt.AddReg] ..HKR,,DevLoader,,*ntkern ..HKR,,NTMPDriver,,%DRIVERFIL

C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_MSD_CDC.cat (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	7.054306729661913
Encrypted:	false
SSDEEP:	192:9TAEOwPKDyowJL/8Qpkqs1INID+ebCfMFJ:FSwyYJLu11VbCUJ
MD5:	8BE6BB8DC016993546D42E7DE1B9B050
SHA1:	B0BCB2A49C2C94044835868516C7C74DAD3F0344
SHA-256:	52C1051AC76AFE162DA3D764BF4C44E25D6D565D070BAADF7E638A563C37B04E
SHA-512:	47FCBA277BBE3E21DB144AD54A6315750E475E7264366D7AA89EAF24BB99C72BD066EE0C7838BA4DE8780761AA2B9BF8C64D4B764C84E68BC44FFED5E6F5741C
Malicious:	false
Preview:	0.....*.H..........0......1.0...+......0.....+.....7......0...0...+.....7.....P.d-&k.H.4^.[.....100313001938Z0...+.....7.....0...0....R6.5.A.A.B.4.5.E.E.E.B.0.C.8.3.8.8.D.D.E.C.4.C.9.C.E.6.9.8.3.B.B.4.E.2.1.9.6.7.F...1..s0D..+.....7...1604...F.i.l.e......."m.c.h.p._.m.s.d._.c.d.c...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........e..^..8.....i..N!..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.......0...0.....+.....7......0.....O.S.........2.0.0.0.,.X.P.X.8.6.,.X.P.X.6.4.,.S.e.r.v.e.r.2.0.0.3.X.8.6.,.S.e.r.v.e.r.2.0.0.3.X.6.4.,.V.i.s.t.a.X.8.6.,.V.i.s.t.a.X.6.4.,.S.e.r.v.e.r.2.0.0.8.X.8.6.,.S.e.r.v.e.r.2.0.0.8.X.6.4.,.7.X.8.6.,.7.X.6.4.,.S.e.r.v.e.r.2.0.0.8.R.2.X.6.4...0P..+.....7....B0@...H.W.I.D.2.......,u.s.b.\.v.i.d._.0.4.d.8.&.p.i.d._.0.0.0.a...0\..+.....7....N0L...H.W.I.D.1.......8u.s.b.\.v

C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_msd_cdc.inf (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	3468
Entropy (8bit):	5.026026054397683
Encrypted:	false
SSDEEP:	48:IfDVHdohChj9ISWF4h33bAcyIi03O4h33VAcyHUb6RZSi02CZ4NfFnf19T:ADN+0gSDhHFy/0xhH/yO6XSitNfB19T
MD5:	CCC987FA45B80FCD65BAB524EB913371
SHA1:	65AAB45EEEB0C8388DDEC4C9CE6983BB4E21967F
SHA-256:	F55FAFACB061FF437B7B616989027993A2F8EB7D9E641F4BC3B8FBDB75912C41
SHA-512:	E196455FB122DB0ACC249250527A343E35E35B0613D94C9113F967D5967F3BAC07B9DCF7625BC1B0D24F7B85ACA2196295A083D6BC75D65875B6D70C3D6393BF
Malicious:	false
Preview:	..; Microchip Composite Device MSD+CDC..; This driver is required only by the CDC part of a composite device. ..; The MSD part does not require any driver...;..;..; Copyright (c) 2000 Microsoft Corporation..; Copyright (C) 2007 Microchip Technology Inc.....[Version] ..Signature="$Windows NT$" ..Class=Ports..ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318} ..Provider=%MFGNAME% ..LayoutFile=layout.inf..CatalogFile=mchp_MSD_CDC.cat..DriverVer=03/12/2010,5.1.2600.2....[Manufacturer] ..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs] ..DefaultDestDir=12 ......;------------------------------------------------------------------------------..; Windows 2000/XP/Vista/7-32bit Sections..;------------------------------------------------------------------------------....[DriverInstall.nt] ..include=mdmcpq.inf..CopyFiles=DriverCopyFiles.nt..AddReg=DriverInstall.nt.AddReg ....[DriverCopyFiles.nt]..usbser.sys,,,0x20....[DriverInstall.nt.AddReg] ..HKR,,DevLoader,,*ntkern ..HKR,,NTMPDriver,,%DRIVERFIL

C:\Windows\System32\catroot2\dberr.txt

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	74101
Entropy (8bit):	5.389756393367153
Encrypted:	false
SSDEEP:	1536:9btHoTB7cIxsw9pmDNHSJrR459D0w/smToijZQB4XKdJEBbWwSYcoMwVU5KaOsNN:94
MD5:	7D34B22169DC3D570DC34B37099FFF85
SHA1:	F5AE75F3B62A94329B7562FE6AB4BA88E3DD6E75
SHA-256:	6EA071CE62716BEB13CD8DF5A52201350E7FB92B94CA7B04E0A1588A04757F27
SHA-512:	3F023FBCD639FF72450200CBBB79F954D185857C02ACB4B4AFD1B9990083F7707ECFCD68A036F67855563D4E2D8F24A3AE8B5B7F18C04CC87794A4E09C035224
Malicious:	false
Preview:	CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9038059369412474
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	AX3-GUI-45.exe
File size:	6'029'717 bytes
MD5:	ae4414edd46c7769589c35beeee7d0de
SHA1:	e0885269d15b87afb2b3b8e570c7c06fc28db7eb
SHA256:	00de5f7503d19911ff05e808f91cd24b6a1ac2394048fd83e7061d531cd66b11
SHA512:	215eb60c81fb8e9fa26911fde1d6eb234627260d8cf9de69ce492ed6e5f8a44b2798acd8195c5fb5b4ec54e0ee3840e1439a55fc8e1e8f68a8681b6366291bcb
SSDEEP:	98304:ikLp6NF9h6jlYWrPEVFNXFEUUnUowrE3vh30ZsEqPfjnRSUYTVBfqYYGW:tEijlpEhVLUMrEfhEZsPjnRlYTVhYGW
TLSH:	4956123FB268613FC5AE1B3105B392509A7B7E52B81B8C2E17F0344DCF765601E3A696
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	cc97331129330e00

Static PE Info

General

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6258476F [Thu Apr 14 16:10:23 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	e569e6f445d32ba23766ad67d1e3787f

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B14B8h
call 00007FEAD0E19615h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007FEAD0EBC107h
call 00007FEAD0EBBC5Ah
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FEAD0E2F0B4h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007FEAD0E14207h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004238ECh]
call 00007FEAD0E30237h
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FEAD0EBC18Fh
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FEAD0EC23AAh
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007FEAD0E30B2Ch
mov edx, dword ptr [004C1D90h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xfdc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x1a0ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22f4	0x254	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb39e4	0xb3a00	43af0a9476ca224d8e8461f1e22c94da	False	0.34525867693110646	data	6.357635049994181	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	185e04b9a1f554e31f7f848515dc890c	False	0.54443359375	data	5.971425428435973	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	cab2107c933b696aa5cf0cc6c3fd3980	False	0.36097935267857145	data	5.048648594372454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xfdc	0x1000	e7d1635e2624b124cfdce6c360ac21cd	False	0.3798828125	data	5.029087481102678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	8ced971d8a7705c98b173e255d8c9aa7	False	0.345703125	data	2.7509822285969876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	8d4e1e508031afe235bf121c80fd7d5f	False	0.2578125	data	1.877162954504408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	8f2f090acd9622c88a6a852e72f94e96	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x1a0ac	0x1a200	5874f8d3cdfe29832b62cc8daacb1b4e	False	0.19075209330143542	data	3.210472332173836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7558	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.476985559566787
RT_ICON	0xc7e00	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.296908315565032
RT_ICON	0xc8ca8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.19508738781294285
RT_ICON	0xcced0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.1331923577428132
RT_ICON	0xdd6f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	United States	0.46283783783783783
RT_ICON	0xdd820	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4046242774566474
RT_ICON	0xddd88	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 768	English	United States	0.5665137614678899
RT_STRING	0xde0f0	0x360	data			0.34375
RT_STRING	0xde450	0x260	data			0.3256578947368421
RT_STRING	0xde6b0	0x45c	data			0.4068100358422939
RT_STRING	0xdeb0c	0x40c	data			0.3754826254826255
RT_STRING	0xdef18	0x2d4	data			0.39226519337016574
RT_STRING	0xdf1ec	0xb8	data			0.6467391304347826
RT_STRING	0xdf2a4	0x9c	data			0.6410256410256411
RT_STRING	0xdf340	0x374	data			0.4230769230769231
RT_STRING	0xdf6b4	0x398	data			0.3358695652173913
RT_STRING	0xdfa4c	0x368	data			0.3795871559633027
RT_STRING	0xdfdb4	0x2a4	data			0.4275147928994083
RT_RCDATA	0xe0058	0x10	data			1.5
RT_RCDATA	0xe0068	0x2c4	data			0.6384180790960452
RT_RCDATA	0xe032c	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xe0358	0x68	data	English	United States	0.7596153846153846
RT_VERSION	0xe03c0	0x584	data	English	United States	0.25920679886685555
RT_MANIFEST	0xe0944	0x765	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.39091389329107235

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4541a8
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2024 09:16:09.441071987 CEST	49710	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:09.441122055 CEST	443	49710	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:09.441382885 CEST	49710	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:09.464828968 CEST	49710	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:09.464868069 CEST	443	49710	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:09.929363012 CEST	443	49710	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:09.929442883 CEST	49710	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:09.933008909 CEST	49710	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:09.933018923 CEST	443	49710	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:09.933470011 CEST	443	49710	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:09.973927021 CEST	49710	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:10.019408941 CEST	443	49710	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:10.274333000 CEST	443	49710	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:10.274447918 CEST	443	49710	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:10.274507999 CEST	49710	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:10.276155949 CEST	49710	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:48.778985023 CEST	49716	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:48.779082060 CEST	443	49716	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:48.779201031 CEST	49716	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:48.799818993 CEST	49716	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:48.799856901 CEST	443	49716	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:49.281727076 CEST	443	49716	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:49.281930923 CEST	49716	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:49.283492088 CEST	49716	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:49.283545017 CEST	443	49716	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:49.284063101 CEST	443	49716	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:49.325598001 CEST	49716	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:49.333540916 CEST	49716	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:49.375447989 CEST	443	49716	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:49.435369968 CEST	443	49716	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:49.435656071 CEST	443	49716	185.199.111.133	192.168.2.17
Sep 11, 2024 09:16:49.435730934 CEST	49716	443	192.168.2.17	185.199.111.133
Sep 11, 2024 09:16:49.436368942 CEST	49716	443	192.168.2.17	185.199.111.133

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2024 09:16:09.419996023 CEST	56011	53	192.168.2.17	1.1.1.1
Sep 11, 2024 09:16:09.431025028 CEST	53	56011	1.1.1.1	192.168.2.17

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 11, 2024 09:16:09.419996023 CEST	192.168.2.17	1.1.1.1	0x642b	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 11, 2024 09:16:09.431025028 CEST	1.1.1.1	192.168.2.17	0x642b	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Sep 11, 2024 09:16:09.431025028 CEST	1.1.1.1	192.168.2.17	0x642b	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Sep 11, 2024 09:16:09.431025028 CEST	1.1.1.1	192.168.2.17	0x642b	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Sep 11, 2024 09:16:09.431025028 CEST	1.1.1.1	192.168.2.17	0x642b	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

raw.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.17	49710	185.199.111.133	443	2088	C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-11 07:16:09 UTC	137	OUT	GET /digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-09-11 07:16:10 UTC	902	IN	HTTP/1.1 200 OK Connection: close Content-Length: 533 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "8f51619e3b2b10325b8bc736cd1b8a2c9f35bd2561ddf38a0142af3742c99742" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 36BE:38E07E:213BD1F:24D67A5:66E143B9 Accept-Ranges: bytes Date: Wed, 11 Sep 2024 07:16:10 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740077-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1726038970.026281,VS0,VE201 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 1d97b0f12f21964ee349fb3bdffe8a41d03411a8 Expires: Wed, 11 Sep 2024 07:21:10 GMT Source-Age: 0
2024-09-11 07:16:10 UTC	533	IN	Data Raw: 3b 55 50 44 41 54 45 0d 0a 3b 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 6d 6f 76 65 6d 65 6e 74 2e 67 6f 6f 67 6c 65 63 6f 64 65 2e 63 6f 6d 2f 73 76 6e 2f 64 6f 77 6e 6c 6f 61 64 73 2f 41 58 33 2f 6f 6d 67 75 69 2e 69 6e 69 0d 0a 3b 20 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 69 67 69 74 61 6c 69 6e 74 65 72 61 63 74 69 6f 6e 2f 6f 70 65 6e 6d 6f 76 65 6d 65 6e 74 2f 6d 61 73 74 65 72 2f 44 6f 77 6e 6c 6f 61 64 73 2f 41 58 33 2f 6f 6d 67 75 69 2e 69 6e 69 0d 0a 0d 0a 5b 69 6e 73 74 61 6c 6c 5d 0d 0a 76 65 72 73 69 6f 6e 3d 31 2e 30 2e 30 2e 32 38 0d 0a 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 69 67 69 74 61 6c 69 6e Data Ascii: ;UPDATE; https://openmovement.googlecode.com/svn/downloads/AX3/omgui.ini; https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini[install]version=1.0.0.28;url=https://raw.githubusercontent.com/digitalin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.17	49716	185.199.111.133	443	3580	C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-11 07:16:49 UTC	137	OUT	GET /digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-09-11 07:16:49 UTC	900	IN	HTTP/1.1 200 OK Connection: close Content-Length: 533 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "8f51619e3b2b10325b8bc736cd1b8a2c9f35bd2561ddf38a0142af3742c99742" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 36BE:38E07E:213BD1F:24D67A5:66E143B9 Accept-Ranges: bytes Date: Wed, 11 Sep 2024 07:16:49 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740074-EWR X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1726039009.390470,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 3941e781b251e34b734092baf2e77a43f220adaf Expires: Wed, 11 Sep 2024 07:21:49 GMT Source-Age: 39
2024-09-11 07:16:49 UTC	533	IN	Data Raw: 3b 55 50 44 41 54 45 0d 0a 3b 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 6d 6f 76 65 6d 65 6e 74 2e 67 6f 6f 67 6c 65 63 6f 64 65 2e 63 6f 6d 2f 73 76 6e 2f 64 6f 77 6e 6c 6f 61 64 73 2f 41 58 33 2f 6f 6d 67 75 69 2e 69 6e 69 0d 0a 3b 20 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 69 67 69 74 61 6c 69 6e 74 65 72 61 63 74 69 6f 6e 2f 6f 70 65 6e 6d 6f 76 65 6d 65 6e 74 2f 6d 61 73 74 65 72 2f 44 6f 77 6e 6c 6f 61 64 73 2f 41 58 33 2f 6f 6d 67 75 69 2e 69 6e 69 0d 0a 0d 0a 5b 69 6e 73 74 61 6c 6c 5d 0d 0a 76 65 72 73 69 6f 6e 3d 31 2e 30 2e 30 2e 32 38 0d 0a 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 69 67 69 74 61 6c 69 6e Data Ascii: ;UPDATE; https://openmovement.googlecode.com/svn/downloads/AX3/omgui.ini; https://raw.githubusercontent.com/digitalinteraction/openmovement/master/Downloads/AX3/omgui.ini[install]version=1.0.0.28;url=https://raw.githubusercontent.com/digitalin

Target ID:	0
Start time:	03:15:31
Start date:	11/09/2024
Path:	C:\Users\user\Desktop\AX3-GUI-45.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AX3-GUI-45.exe"
Imagebase:	0x400000
File size:	6'029'717 bytes
MD5 hash:	AE4414EDD46C7769589C35BEEEE7D0DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:15:32
Start date:	11/09/2024
Path:	C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-OCGFL.tmp\AX3-GUI-45.tmp" /SL5="$60364,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe"
Imagebase:	0x400000
File size:	3'203'072 bytes
MD5 hash:	48C6508A6FD96E62F8796701A0200C8F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:15:41
Start date:	11/09/2024
Path:	C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe"
Imagebase:	0x400000
File size:	930'090 bytes
MD5 hash:	0ABD9CF2D191036D778F6F1FBE25FAE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:15:42
Start date:	11/09/2024
Path:	C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-QAI77.tmp\setup-ax3-driver.tmp" /SL5="$20314,681477,54272,C:\Program Files (x86)\Open Movement\OM GUI\setup-ax3-driver.exe"
Imagebase:	0x400000
File size:	704'512 bytes
MD5 hash:	67C5A4F36E1C91A3B85E440EDD7AD026
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:15:45
Start date:	11/09/2024
Path:	C:\Program Files\AX3-Driver\dpinst64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\AX3-Driver\DPInst64.exe" /F /SA /SE /SW
Imagebase:	0x7ff6ad950000
File size:	1'050'104 bytes
MD5 hash:	BE3C79033FA8302002D9D3A6752F2263
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:15:47
Start date:	11/09/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a893eec2-cde1-b844-a268-dd04a77ebb2a}\mchp_msd_cdc.inf" "9" "4987fa53f" "000000000000014C" "WinSta0\Default" "000000000000011C" "208" "c:\program files\ax3-driver"
Imagebase:	0x7ff702d10000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:15:51
Start date:	11/09/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{6c760311-7d3e-5f44-bbdb-3640e2127551} Global\{b1383f99-4876-844f-9d31-fe5ec27fdc7b} C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_msd_cdc.inf C:\Windows\System32\DriverStore\Temp\{d703d72a-d621-3e4f-8659-93124b367091}\mchp_MSD_CDC.cat
Imagebase:	0x7ff7dc2c0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:16:05
Start date:	11/09/2024
Path:	C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe"
Imagebase:	0xb20000
File size:	1'641'984 bytes
MD5 hash:	12FEEE099449453BA386F8FBA6C72090
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:16:07
Start date:	11/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lj4v3otx.cmdline"
Imagebase:	0x400000
File size:	80'296 bytes
MD5 hash:	2B9482EB5D3AF71029277E18F6C656C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:16:07
Start date:	11/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff772470000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:16:07
Start date:	11/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA99A.tmp" "c:\Users\user\AppData\Local\Temp\CSCA999.tmp"
Imagebase:	0x400000
File size:	35'296 bytes
MD5 hash:	E118330B4629B12368D91B9DF6488BE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:16:37
Start date:	11/09/2024
Path:	C:\Users\user\Desktop\AX3-GUI-45.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AX3-GUI-45.exe"
Imagebase:	0x400000
File size:	6'029'717 bytes
MD5 hash:	AE4414EDD46C7769589C35BEEEE7D0DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:16:37
Start date:	11/09/2024
Path:	C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-BHTIU.tmp\AX3-GUI-45.tmp" /SL5="$20130,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe"
Imagebase:	0x400000
File size:	3'203'072 bytes
MD5 hash:	48C6508A6FD96E62F8796701A0200C8F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	03:16:38
Start date:	11/09/2024
Path:	C:\Users\user\Desktop\AX3-GUI-45.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AX3-GUI-45.exe" /SPAWNWND=$502A0 /NOTIFYWND=$20130
Imagebase:	0x400000
File size:	6'029'717 bytes
MD5 hash:	AE4414EDD46C7769589C35BEEEE7D0DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:16:38
Start date:	11/09/2024
Path:	C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-JA730.tmp\AX3-GUI-45.tmp" /SL5="$6035A,5170833,869888,C:\Users\user\Desktop\AX3-GUI-45.exe" /SPAWNWND=$502A0 /NOTIFYWND=$20130
Imagebase:	0x400000
File size:	3'203'072 bytes
MD5 hash:	48C6508A6FD96E62F8796701A0200C8F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	03:16:46
Start date:	11/09/2024
Path:	C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe"
Imagebase:	0xfc0000
File size:	1'641'984 bytes
MD5 hash:	12FEEE099449453BA386F8FBA6C72090
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	03:16:46
Start date:	11/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\6yss2uyv.cmdline"
Imagebase:	0x400000
File size:	80'296 bytes
MD5 hash:	2B9482EB5D3AF71029277E18F6C656C0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	03:16:46
Start date:	11/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff772470000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	03:16:46
Start date:	11/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES431B.tmp" "c:\Users\user\AppData\Local\Temp\CSC431A.tmp"
Imagebase:	0x400000
File size:	35'296 bytes
MD5 hash:	E118330B4629B12368D91B9DF6488BE0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	34.7%
Signature Coverage:	15.6%
Total number of Nodes:	556
Total number of Limit Nodes:	22

Executed Functions

Function 018218B0 Relevance: 68.8, Strings: 49, Instructions: 7599
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tqxk, xrefs: 01827A51
Tqxk, xrefs: 0182505E
Tqxk, xrefs: 0182890C
Tqxk, xrefs: 018262F1
Tqxk, xrefs: 01824C6A
Tjj, xrefs: 01822D49
Tqxk, xrefs: 01825265
Tqxk, xrefs: 01823665
Tqxk, xrefs: 01828739
Tqxk, xrefs: 0182378C
Tqxk, xrefs: 01828615
Tqxk, xrefs: 0182570D
Tqxk, xrefs: 01826C68
Tqxk, xrefs: 01823B55
Tqxk, xrefs: 01827EA1
Tqxk, xrefs: 01824A86
Tqxk, xrefs: 01825344
Tqxk, xrefs: 01827C79
Tqxk, xrefs: 018242F3
Tqxk, xrefs: 01827D8D
Tqxk, xrefs: 018266F3
Tqxk, xrefs: 018280D5
Tqxk, xrefs: 018238B3
Tqxk, xrefs: 01825410
Tqxk, xrefs: 01829511
Tqxk, xrefs: 01824FA2
Tqxk, xrefs: 01823A2E
Tqxk, xrefs: 01824099
Tqxk, xrefs: 01826F39
Tqxk, xrefs: 0182448B
Tqxk, xrefs: 01828DAC
Tjj, xrefs: 01829373
Tqxk, xrefs: 01823CBD
Tqxk, xrefs: 018273D2
Tqxk, xrefs: 01827B65
Tqxk, xrefs: 018254DC
Tqxk, xrefs: 01827FA2
Tqxk, xrefs: 01826B2E
Tqxk, xrefs: 018243BF
Tqxk, xrefs: 01824D4A
Tqxk, xrefs: 0182820B
Tqxk, xrefs: 01824E2A
Tqxk, xrefs: 0182793D
Tqxk, xrefs: 01824EE6
Tqxk, xrefs: 01825869
Tqxk, xrefs: 01824589
Tqxk, xrefs: 01826D8F
Tqxk, xrefs: 018255DA
Tqxk, xrefs: 01822C0D

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: Tjj$Tjj$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk
API String ID: 0-1285754964
Opcode ID: 02d5b324d24dc72bdfb2e4cb92aa5416173c222b4c150977ca4a9d7921e2b34e
Instruction ID: 3f67542d83d1b0ee424be4acdc7be0d1725d51c0561dd2f1bb8b7e9b84db38a4
Opcode Fuzzy Hash: 02d5b324d24dc72bdfb2e4cb92aa5416173c222b4c150977ca4a9d7921e2b34e
Instruction Fuzzy Hash: E0F33934A01614CFDB25DB34C898A9AB7B2FF89308F5144ADD51AAB3A1CF35AD85CF41

Function 01821900 Relevance: 68.8, Strings: 49, Instructions: 7566
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tqxk, xrefs: 01827A51
Tqxk, xrefs: 0182505E
Tqxk, xrefs: 0182890C
Tqxk, xrefs: 018262F1
Tqxk, xrefs: 01824C6A
Tjj, xrefs: 01822D49
Tqxk, xrefs: 01825265
Tqxk, xrefs: 01823665
Tqxk, xrefs: 01828739
Tqxk, xrefs: 0182378C
Tqxk, xrefs: 01828615
Tqxk, xrefs: 0182570D
Tqxk, xrefs: 01826C68
Tqxk, xrefs: 01823B55
Tqxk, xrefs: 01827EA1
Tqxk, xrefs: 01824A86
Tqxk, xrefs: 01825344
Tqxk, xrefs: 01827C79
Tqxk, xrefs: 018242F3
Tqxk, xrefs: 01827D8D
Tqxk, xrefs: 018266F3
Tqxk, xrefs: 018280D5
Tqxk, xrefs: 018238B3
Tqxk, xrefs: 01825410
Tqxk, xrefs: 01829511
Tqxk, xrefs: 01824FA2
Tqxk, xrefs: 01823A2E
Tqxk, xrefs: 01824099
Tqxk, xrefs: 01826F39
Tqxk, xrefs: 0182448B
Tqxk, xrefs: 01828DAC
Tjj, xrefs: 01829373
Tqxk, xrefs: 01823CBD
Tqxk, xrefs: 018273D2
Tqxk, xrefs: 01827B65
Tqxk, xrefs: 018254DC
Tqxk, xrefs: 01827FA2
Tqxk, xrefs: 01826B2E
Tqxk, xrefs: 018243BF
Tqxk, xrefs: 01824D4A
Tqxk, xrefs: 0182820B
Tqxk, xrefs: 01824E2A
Tqxk, xrefs: 0182793D
Tqxk, xrefs: 01824EE6
Tqxk, xrefs: 01825869
Tqxk, xrefs: 01824589
Tqxk, xrefs: 01826D8F
Tqxk, xrefs: 018255DA
Tqxk, xrefs: 01822C0D

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: Tjj$Tjj$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk
API String ID: 0-1285754964
Opcode ID: a497e79a74f3796cf8ab9f636082a2f5418b6ee6bfe5bfa552b519770a8a22d2
Instruction ID: d0ade029b6bd56d8abebe222baea77223ea37c4e2ceeda4dac5443ac0960b021
Opcode Fuzzy Hash: a497e79a74f3796cf8ab9f636082a2f5418b6ee6bfe5bfa552b519770a8a22d2
Instruction Fuzzy Hash: 02F33934A01614CFDB25DB34C898A9AB7B2FF89308F5144ADD51AAB3A1CF35AD85CF41

Function 0182A320 Relevance: 51.0, Strings: 39, Instructions: 2265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tqxk, xrefs: 0182B6FC
Tqxk, xrefs: 0182BB10
:, xrefs: 0182C6A0
A, xrefs: 0182B606
Tqxk, xrefs: 0182BFBA
Tqxk, xrefs: 0182A978
Tqxk, xrefs: 0182AAA3
Tqxk, xrefs: 0182C704
1, xrefs: 0182BD8B
Tqxk, xrefs: 0182C13D
Tqxk, xrefs: 0182C24B
Tqxk, xrefs: 0182B3FC
P, xrefs: 0182A72E
:, xrefs: 0182BF0E
Tqxk, xrefs: 0182B9B4
,, xrefs: 0182B69B
Tqxk, xrefs: 0182B57C
7, xrefs: 0182B51B
L, xrefs: 0182A843
L, xrefs: 0182B0F7
Tqxk, xrefs: 0182BF72
8, xrefs: 0182BAAF
Tqxk, xrefs: 0182C581
,, xrefs: 0182B486
8, xrefs: 0182B953
:, xrefs: 0182C51D
Tqxk, xrefs: 0182C1DF
Tqxk, xrefs: 0182BDEF
Tqxk, xrefs: 0182C173
7, xrefs: 0182B39B
k, xrefs: 0182B8BE
Tqxk, xrefs: 0182B27C
V, xrefs: 0182B762
), xrefs: 0182ADBE
7, xrefs: 0182BC0B
Tqxk, xrefs: 0182B858
Tqxk, xrefs: 0182BC6C
7, xrefs: 0182B21B
1, xrefs: 0182B7F7

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: )$,$,$1$1$7$7$7$7$8$8$:$:$:$A$L$L$P$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$V$k
API String ID: 0-279571417
Opcode ID: f135fb0112830f8e48d3a4bd5e64d7554d0c50d5c158c60078f8e86144b4f72b
Instruction ID: cdefffcc051dd049ab1a841ac50802652b7b1cfd53802e59cc54e09829052ee1
Opcode Fuzzy Hash: f135fb0112830f8e48d3a4bd5e64d7554d0c50d5c158c60078f8e86144b4f72b
Instruction Fuzzy Hash: 27330434A01614CFDB29DB34C854BAAB7F2AF89304F5144ACD55AAB3A1CF36AD81DF41

Function 0182A310 Relevance: 51.0, Strings: 39, Instructions: 2263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tqxk, xrefs: 0182B6FC
Tqxk, xrefs: 0182BB10
:, xrefs: 0182C6A0
A, xrefs: 0182B606
Tqxk, xrefs: 0182BFBA
Tqxk, xrefs: 0182A978
Tqxk, xrefs: 0182AAA3
Tqxk, xrefs: 0182C704
1, xrefs: 0182BD8B
Tqxk, xrefs: 0182C13D
Tqxk, xrefs: 0182C24B
Tqxk, xrefs: 0182B3FC
P, xrefs: 0182A72E
:, xrefs: 0182BF0E
Tqxk, xrefs: 0182B9B4
,, xrefs: 0182B69B
Tqxk, xrefs: 0182B57C
7, xrefs: 0182B51B
L, xrefs: 0182A843
L, xrefs: 0182B0F7
Tqxk, xrefs: 0182BF72
8, xrefs: 0182BAAF
Tqxk, xrefs: 0182C581
,, xrefs: 0182B486
8, xrefs: 0182B953
:, xrefs: 0182C51D
Tqxk, xrefs: 0182C1DF
Tqxk, xrefs: 0182BDEF
Tqxk, xrefs: 0182C173
7, xrefs: 0182B39B
k, xrefs: 0182B8BE
Tqxk, xrefs: 0182B27C
V, xrefs: 0182B762
), xrefs: 0182ADBE
7, xrefs: 0182BC0B
Tqxk, xrefs: 0182B858
Tqxk, xrefs: 0182BC6C
7, xrefs: 0182B21B
1, xrefs: 0182B7F7

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: )$,$,$1$1$7$7$7$7$8$8$:$:$:$A$L$L$P$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$Tqxk$V$k
API String ID: 0-279571417
Opcode ID: 40a9f2bcad45cbcc5ae9ac75553fe023fe77d8016fefa9f5e727601b5d3e781c
Instruction ID: 21dfb61abdfa8067f38aa58d0461b4b20791cdb7ca01aec7cbd99aa03b865da0
Opcode Fuzzy Hash: 40a9f2bcad45cbcc5ae9ac75553fe023fe77d8016fefa9f5e727601b5d3e781c
Instruction Fuzzy Hash: 72330334A01614CFDB29DB34C854BAAB7F2AF89304F5144ACD55AAB3A1CF36AD81DF41

Function 6D001610 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 230
commemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,73BCE995,?,?,?,?,00000000,6D0263D7,000000FF,?,6D0024AF,?,73BCE995,00000000,?), ref: 6D001668
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00000000,6D0263D7,000000FF), ref: 6D0016B4
CoCreateInstance.OLE32(6D0273D4,00000000,00000001,6D027304,00000000,?,?,?,?,00000000,6D0263D7,000000FF,?,6D0024AF,?,73BCE995), ref: 6D0016DD
CoUninitialize.OLE32(00000000,?,00000000), ref: 6D0016F7
SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 6D00173E
InterlockedDecrement.KERNEL32(00000008), ref: 6D001793
SysFreeString.OLEAUT32 ref: 6D0017A4
CoUninitialize.OLE32 ref: 6D0017F7
CoSetProxyBlanket.COMBASE(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 6D001822
_com_issue_error.COMSUPP ref: 6D001859
_com_issue_error.COMSUPP ref: 6D001863

Strings

ERROR: Could not connect to WMI ROOT\CIMV2: 0x%08x, xrefs: 6D0017DA
NOTE: Initialize security result: 0x%08x, xrefs: 6D0016BF
ERROR: Failed to initialize COM library: 0x%08x, xrefs: 6D00167F
WARNING: Could not set proxy blanket: 0x%08x, xrefs: 6D00182D
ERROR: Failed to create IWbemLocator object: 0x%08x, xrefs: 6D0016E8
ROOT\CIMV2, xrefs: 6D00172B
`-u, xrefs: 6D0017A4

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: InitializeStringUninitialize_com_issue_error$AllocBlanketCreateDecrementFreeInstanceInterlockedProxySecurity
String ID: ERROR: Could not connect to WMI ROOT\CIMV2: 0x%08x$ERROR: Failed to create IWbemLocator object: 0x%08x$ERROR: Failed to initialize COM library: 0x%08x$NOTE: Initialize security result: 0x%08x$ROOT\CIMV2$WARNING: Could not set proxy blanket: 0x%08x$`-u
API String ID: 1624489225-2628047805
Opcode ID: 3643aada33a2a247efba592a26f1764fbbfc317d836b27fa923470c305e50b2e
Instruction ID: 51159f6e82380bf99ce80ac3585f7739cf05d0c65a193374086bd2342781d6b1
Opcode Fuzzy Hash: 3643aada33a2a247efba592a26f1764fbbfc317d836b27fa923470c305e50b2e
Instruction Fuzzy Hash: F871D571A49705BFFB208F54DC45F6AB7B8EF01B18F204659FA18EB2C0D7B2A5048796

Function 6D002440 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WQL, xrefs: 6D002501
[USBSTOR->DEVICEID->DEVICENUMBER] %s -> %s -> %u, xrefs: 6D00279E
DeviceID, xrefs: 6D0026CF
PNPDeviceID, xrefs: 6D002671
SELECT PNPDeviceID, DeviceID FROM Win32_DiskDrive WHERE InterfaceType='USB', xrefs: 6D0024EF
`-u, xrefs: 6D002555

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Initialize
String ID: DeviceID$PNPDeviceID$SELECT PNPDeviceID, DeviceID FROM Win32_DiskDrive WHERE InterfaceType='USB'$WQL$[USBSTOR->DEVICEID->DEVICENUMBER] %s -> %s -> %u$`-u
API String ID: 2538663250-1704204250
Opcode ID: 8931b1ebebc5b94bbf955311c7c0e7b93977a4f539a2dad4966ab6c905ae3857
Instruction ID: 39f58081239178752c712cb77ea7223ba3d33f0e991c1cb984f8ef3c5e586a72
Opcode Fuzzy Hash: 8931b1ebebc5b94bbf955311c7c0e7b93977a4f539a2dad4966ab6c905ae3857
Instruction Fuzzy Hash: CDC15071A05219AFFB20DF64CC89BADB7B9EF48714F2041D9E519A7290D770AA84CF50

Function 6D003C20 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 303
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,000000EB,00000008), ref: 6D003EAF
GetWindowLongW.USER32(?,000000EB), ref: 6D003EBA
DefWindowProcW.USER32(?,?,?,?,?,00000008,00000000), ref: 6D003ECF
PostQuitMessage.USER32(?), ref: 6D003F08
RegisterDeviceNotificationW.USER32 ref: 6D003F47
MessageBoxA.USER32(00000000,Error registering device finder device interface,Error,00000000), ref: 6D003F68
UnregisterDeviceNotification.USER32(?), ref: 6D003F78
KiUserCallbackDispatcher.NTDLL(?,?,00000008,00000000), ref: 6D003F7F
DefWindowProcW.USER32(?,?,?,?,?,00000008,00000000), ref: 6D003FA0

Strings

Error, xrefs: 6D003F5D
, xrefs: 6D003F32
Error registering device finder device interface, xrefs: 6D003F62

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Window$DeviceLongMessageNotificationProc$CallbackDispatcherPostQuitRegisterUnregisterUser
String ID: $Error$Error registering device finder device interface
API String ID: 3722141207-1522381284
Opcode ID: f69d658b9215d2b629e8e6524a98ab1e4f290472154d914c2c2988ffb8096f3f
Instruction ID: 07acd52a5308a31a068296bb637c5b667d9885afbde35c7dbe91d7ada9a10b52
Opcode Fuzzy Hash: f69d658b9215d2b629e8e6524a98ab1e4f290472154d914c2c2988ffb8096f3f
Instruction Fuzzy Hash: F4A1D471604740AFF72A8B28CC98F2BB6F5AF4D314F544A1CE296CBAE1C775E4848B51

Function 085045C8 Relevance: 10.8, Strings: 8, Instructions: 759
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@Qk, xrefs: 08504E31
:@Qk, xrefs: 08504A7E
h^wk, xrefs: 0850464F
:@Qk, xrefs: 08504D90
:@Qk, xrefs: 08504D0E
:@Qk, xrefs: 08504B9F
>oVk, xrefs: 08504914
>oVk, xrefs: 0850498E

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: :@Qk$:@Qk$:@Qk$:@Qk$:@Qk$>oVk$>oVk$h^wk
API String ID: 0-1197224653
Opcode ID: f0dab3807181f979394bcec7376db260d838ae22ca3622fe6db50d054bd2c816
Instruction ID: 79aa89e23e3496f4fd7bf9556f13b88f8a72f4d6e54ee536b74eaf21874bc605
Opcode Fuzzy Hash: f0dab3807181f979394bcec7376db260d838ae22ca3622fe6db50d054bd2c816
Instruction Fuzzy Hash: A8625C34B002148FEB14DB28C9A5B6EB7E6BF88309F2084ADD509AB791DB359C45CF95

Function 085045C0 Relevance: 7.9, Strings: 6, Instructions: 446COMMON

Download Yara Rule

Strings

:@Qk, xrefs: 08504A7E
h^wk, xrefs: 0850464F
:@Qk, xrefs: 08504D0E
:@Qk, xrefs: 08504B9F
>oVk, xrefs: 08504914
>oVk, xrefs: 0850498E

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: :@Qk$:@Qk$:@Qk$>oVk$>oVk$h^wk
API String ID: 0-3549128206
Opcode ID: fa9456c3b51838521bf9aec69b942992c39d950d5607dbcd81526f9d42ad2338
Instruction ID: 5d384d4f958fa1e8ccf0a41af35f6fc712ca69e1662201f1e50348cb3ec7c89f
Opcode Fuzzy Hash: fa9456c3b51838521bf9aec69b942992c39d950d5607dbcd81526f9d42ad2338
Instruction Fuzzy Hash: 57025B74B00214CFEB14DF68C9A4BADB7E6BF88308F1084A9D509AB791DB35AC45CF95

Function 085078D8 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

:@Qk, xrefs: 08507EA8

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: :@Qk
API String ID: 0-3079184092
Opcode ID: aba5bc930912ea60df82fb3e3dbd1fb38f546ee22014785ae5ebb6a940838075
Instruction ID: 28494f542f6c0c2e408ed2121862bebdbd990d76e9339da897fe5d1e2a808838
Opcode Fuzzy Hash: aba5bc930912ea60df82fb3e3dbd1fb38f546ee22014785ae5ebb6a940838075
Instruction Fuzzy Hash: 49421A30A00215CFDB25DF24C894BEEBBB2BF89305F1088ADD54AA7295DB35AD95CF41

Function 06B369B7 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06B36A37

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: ec7e675de5a562b725d0b8977866bc528c9166f5bb7c9a8c565151e902e790b9
Instruction ID: 7973a06982dd01a14a717a55742cdba65ef92f7893d236dea48d334373395a32
Opcode Fuzzy Hash: ec7e675de5a562b725d0b8977866bc528c9166f5bb7c9a8c565151e902e790b9
Instruction Fuzzy Hash: 8221B2B5509780AFDB228F25DC44B52BFF4EF06310F0885DAE9858F563E271D918DB62

Function 06B369EE Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06B36A37

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 360330b46024bb85be65508e4c89d30a8c07f6e39fb50d2f224d254e0dca0e88
Instruction ID: 427184eae7d4fc6e2fe916dce4849b94a8f631b2842683c5219bff074c542cb7
Opcode Fuzzy Hash: 360330b46024bb85be65508e4c89d30a8c07f6e39fb50d2f224d254e0dca0e88
Instruction Fuzzy Hash: BE118275600254AFDB60CF55D885B56FBE4FF04320F08C4AADD458B662E735E418DFA1

Function 011AA09A Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 011AA0D5

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: fbdbb4f68114f192835b12dbdc059fa507c63f74f16003a51c89e19b74029770
Instruction ID: 95b1f344d2a44fa775e8e7021789253c71510ed6ae5c5b08588dad99fd3894bf
Opcode Fuzzy Hash: fbdbb4f68114f192835b12dbdc059fa507c63f74f16003a51c89e19b74029770
Instruction Fuzzy Hash: D4019A365002409FDB20CF55E985B66FFE4EF04224F08C8AADE498B652D375A418CBA2

Function 06B33CD6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B33D08

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0a72a0f693456afb20302bf9d6995987cc2badf8bfa67e9e1d3d353b9292a9ce
Instruction ID: d6c5dc960f5cf5f2dda96e36e509a2bf0abd359eb0ff840b135138749f6a2f25
Opcode Fuzzy Hash: 0a72a0f693456afb20302bf9d6995987cc2badf8bfa67e9e1d3d353b9292a9ce
Instruction Fuzzy Hash: 6E01ADB1A002849FEB50CF15D885766FBE4EF44224F18C8EADD088F342D379A408CAA2

Function 08500070 Relevance: 1.5, Instructions: 1525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b591f9d713ff9caac5fc441555c15f2c638f382aaa6a0456c3d18f4ad7765b88
Instruction ID: 39e4499f4d0ca34bfcc747deaed96501bb5d14cf1dd8cfb9896ba88e3e509931
Opcode Fuzzy Hash: b591f9d713ff9caac5fc441555c15f2c638f382aaa6a0456c3d18f4ad7765b88
Instruction Fuzzy Hash: 9FF20B74A00629CFDB64DF24C998BADB7B2BF88305F1481E9D409AB3A1DB359D81CF41

Function 0182D980 Relevance: 1.0, Instructions: 1049COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b385e993fd2f7dd772e5255f5d47a02eacf0479447de5af12416126c936f845b
Instruction ID: 681296ce8d123b92dd5fa06bdbf61df67e37447ee76db1c4c3ed159ac7be5d61
Opcode Fuzzy Hash: b385e993fd2f7dd772e5255f5d47a02eacf0479447de5af12416126c936f845b
Instruction Fuzzy Hash: 98B2C774A01229CFDB65CF68D888B99BBF1BF48304F1485E9E449AB355DB34AE85CF40

Function 08500065 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eea2d61ae4e98bf49084c1fa126696631e75e4f7891a03a1a36be7c44a39947
Instruction ID: 99407b37117d1afdf09b3fdd83b99205ab3f3a93937dffb3a13d4c5c83135eb0
Opcode Fuzzy Hash: 5eea2d61ae4e98bf49084c1fa126696631e75e4f7891a03a1a36be7c44a39947
Instruction Fuzzy Hash: 0042D874A00629CFDB64DF28C998B99B7F2BF49305F1481E9D409AB3A1DB749E85CF40

Function 6D001AE0 Relevance: 70.3, APIs: 11, Strings: 29, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupDiClassGuidsFromNameW.SETUPAPI(Ports,00000000,00000000,?,?,73BCE995,?,00000000,00000000), ref: 6D001B5A
SetupDiClassGuidsFromNameW.SETUPAPI(Ports,00000000,00000000,00000000,?,?,73BCE995,?,00000000,00000000), ref: 6D001BB0
SetupDiGetClassDevsW.SETUPAPI(00000000,00000000,00000000,00000002), ref: 6D001BE7
SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 6D001C0D
CM_Get_Device_IDW.SETUPAPI(?,?,00000100,00000000,?,?,73BCE995,?,00000000,00000000), ref: 6D001C3C
__cftoe.LIBCMT ref: 6D001C5C
SetupDiOpenDevRegKey.SETUPAPI(00000000,0000001C,00000001,00000000,00000001,00000001), ref: 6D001CBA

Strings

ERROR: Unable to initialize for usbstor-deviceNumber mapping., xrefs: 6D0024B3
[PHYSICALVOLUME->VOLUMENAME] Using #%d %s -> %s, xrefs: 6D002F80
>u, xrefs: 6D001CFA
ERROR: Problem finding physical volumes., xrefs: 6D003549
ERROR: Problem finding volume names., xrefs: 6D00357D
ERROR: Problem finding drives., xrefs: 6D003501
ERROR: Query for Win32_DiskDrive has failed: 0x%08x, xrefs: 6D002603
DeviceID, xrefs: 6D0026CF
Ports, xrefs: 6D001B55, 6D001BAB
\\.\, xrefs: 6D001D18
ERROR: SetupDiClassGuidsFromName() failed., xrefs: 6D001B66
[USB->PORT] %s -> %s, xrefs: 6D001DF5
&ven_ax3&, xrefs: 6D002C69
PortName, xrefs: 6D001CF4
[USBSTOR->DEVICEID->DEVICENUMBER] %s -> %s -> %u, xrefs: 6D00279E
PNPDeviceID, xrefs: 6D002671
USB\VID_%04X&PID_%04X, xrefs: 6D001B2A, 6D0036B1
`-u, xrefs: 6D002555
[DEVICE->PHYSICALVOLUME] %u [%s] -> %s, xrefs: 6D002C1B
SERIAL: numeric [%s], xrefs: 6D0038BB
ERROR: Unable to get usbstor-deviceNumber mapping., xrefs: 6D0024DA
ERROR: Problem finding ports., xrefs: 6D00343E
SERIAL: =%u %u 0x%08x, xrefs: 6D00392B
[PHYSICALVOLUME->VOLUMENAME] <none> -> %s, xrefs: 6D002FF3
[USB->USBSTOR] %s -> %s, xrefs: 6D00223B
#removablemedia#, xrefs: 6D002C81
SERIAL: [%s], xrefs: 6D0037C3
[PHYSICALVOLUME->VOLUMENAME] Other #%d %s -> %s, xrefs: 6D002FA5
ERROR: Problem finding drive mapping., xrefs: 6D0034B6

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Setup$Class$FromGuidsName$DeviceDevice_DevsEnumGet_InfoOpen__cftoe
String ID: #removablemedia#$&ven_ax3&$DeviceID$ERROR: Problem finding drive mapping.$ERROR: Problem finding drives.$ERROR: Problem finding physical volumes.$ERROR: Problem finding ports.$ERROR: Problem finding volume names.$ERROR: Query for Win32_DiskDrive has failed: 0x%08x$ERROR: SetupDiClassGuidsFromName() failed.$ERROR: Unable to get usbstor-deviceNumber mapping.$ERROR: Unable to initialize for usbstor-deviceNumber mapping.$PNPDeviceID$PortName$Ports$SERIAL: =%u %u 0x%08x$SERIAL: [%s]$SERIAL: numeric [%s]$USB\VID_%04X&PID_%04X$[DEVICE->PHYSICALVOLUME] %u [%s] -> %s$[PHYSICALVOLUME->VOLUMENAME] <none> -> %s$[PHYSICALVOLUME->VOLUMENAME] Other #%d %s -> %s$[PHYSICALVOLUME->VOLUMENAME] Using #%d %s -> %s$[USB->PORT] %s -> %s$[USB->USBSTOR] %s -> %s$[USBSTOR->DEVICEID->DEVICENUMBER] %s -> %s -> %u$\\.\$`-u$>u
API String ID: 527218248-3974024502
Opcode ID: 703999b1780d61d6187129862d34a7150d052d2b77451f111d147b64c36359c0
Instruction ID: 5dbd6939a26ac42ca1efc9e9eabf4a137a538952f9788151bb1488dc14b3eadc
Opcode Fuzzy Hash: 703999b1780d61d6187129862d34a7150d052d2b77451f111d147b64c36359c0
Instruction Fuzzy Hash: 4DC19F71D04618ABFB24DB24CC54BFFB7B9AB49309F4041D9E909E7281EB719A84CF61

Function 6D004000 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 117
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6D00401E
LoadIconW.USER32(00000000,00007F00), ref: 6D00403F
LoadCursorW.USER32(00000000,00007F00), ref: 6D004056
RegisterClassExW.USER32(00000030), ref: 6D004077
GetModuleHandleW.KERNEL32(00000000,?), ref: 6D004083
CreateWindowExW.USER32(00040200,6D02D2A8,DeviceFinder,00CF0000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6D0040A4
MessageBoxA.USER32(00000000,Error creating device finder window,Error,00000000), ref: 6D0040C0
ShowWindow.USER32(00000000,00000000), ref: 6D0040D1
UpdateWindow.USER32(00000000), ref: 6D0040D8
SetTimer.USER32(00000000,00000001,000001F4,00000000), ref: 6D0040EF
MessageBoxA.USER32(00000000,Error creating device finder timer,Error,00000000), ref: 6D004105
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6D00411C
TranslateMessage.USER32(?), ref: 6D004131
DispatchMessageW.USER32(?), ref: 6D004137
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6D004147
KillTimer.USER32(00000000,00000001), ref: 6D004153

Strings

DeviceFinder, xrefs: 6D004097
Error creating device finder window, xrefs: 6D0040BA
Error, xrefs: 6D0040B5, 6D0040FA
Error creating device finder timer, xrefs: 6D0040FF
#, xrefs: 6D004017
0, xrefs: 6D004010

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Message$Window$HandleLoadModuleTimer$ClassCreateCursorDispatchIconKillRegisterShowTranslateUpdate
String ID: #$0$DeviceFinder$Error$Error creating device finder timer$Error creating device finder window
API String ID: 2990370508-3368772340
Opcode ID: 921f5d384bd3bc2ccdc4ad3971c760ac363508a6057212649e3510af852d30c1
Instruction ID: d1efec5471664e554fbb2d8e4ed36e62698d6a257d0ec5b206976094f25a8daa
Opcode Fuzzy Hash: 921f5d384bd3bc2ccdc4ad3971c760ac363508a6057212649e3510af852d30c1
Instruction Fuzzy Hash: A8413FB1D42309BBEB109FA4CC4AFDE7BB8AF59715F200115F618A71C1D7B498058BA5

Function 6D001F80 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupDiGetClassDevsW.SETUPAPI(6D027290,00000000,00000000,00000012), ref: 6D001FF5
SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 6D00201E
CM_Get_Parent.SETUPAPI(?,?,00000000,?,73BCE995,00000000,?,00000000), ref: 6D00204B
CM_Get_Device_IDW.SETUPAPI(00000000,?,00000100,00000000,?,73BCE995,00000000,?,00000000), ref: 6D00206D
__cftoe.LIBCMT ref: 6D002089
CM_Get_Device_IDW.SETUPAPI(?,?,00000100,00000000,?,?,?,?,?,?,?,?,?,73BCE995,00000000,?), ref: 6D0020D6
__cftoe.LIBCMT ref: 6D0020F2
CM_Get_Parent.SETUPAPI(00000000,00000000,00000000), ref: 6D002113
CM_Get_Device_IDW.SETUPAPI(00000000,?,00000100,00000000), ref: 6D002135
__cftoe.LIBCMT ref: 6D002151

Strings

[USB->USBSTOR] %s -> %s, xrefs: 6D00223B
USB\VID_%04X&PID_%04X, xrefs: 6D001FDA

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Get_$Device___cftoe$ParentSetup$ClassDeviceDevsEnumInfo
String ID: USB\VID_%04X&PID_%04X$[USB->USBSTOR] %s -> %s
API String ID: 2323714233-1325786813
Opcode ID: ac764c1660a90eb4b5fe09272f2f18dfdec5b030baf5f9815b236d0a99d4fb65
Instruction ID: f71916b12ee8c6455445bb2dce2aadfed685a746fef57371754bdf6bc8658e58
Opcode Fuzzy Hash: ac764c1660a90eb4b5fe09272f2f18dfdec5b030baf5f9815b236d0a99d4fb65
Instruction Fuzzy Hash: 1DC1D4B1905218AEFB25DF64CD44BEE77BEAF85304F5042D9E509A7281DB326B84CF60

Function 6D00AAC0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 137
synchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 6D00AB69
WaitForSingleObject.KERNEL32(0000058C,000000FF), ref: 6D00AB7F
OmCancelDownload.LIBOMAPI(00000000,00000003,OmCancelDownload(%d)...,00000000), ref: 6D00AC1D
CloseHandle.KERNEL32 ref: 6D00AC4B
CloseHandle.KERNEL32 ref: 6D00AC53

Strings

THREAD: Waiting for DeviceFinder to close..., xrefs: 6D00AB6B
THREAD: DeviceFinder closed., xrefs: 6D00AB87
OmCancelDownload(%d)..., xrefs: 6D00AC0F
THREAD: Stopping DeviceFinder..., xrefs: 6D00AB2D
OmShutdown() done., xrefs: 6D00AC55
OmShutdown() started., xrefs: 6D00AAE6

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: CloseHandle$CancelDownloadMessageObjectPostSingleWait
String ID: OmCancelDownload(%d)...$OmShutdown() done.$OmShutdown() started.$THREAD: DeviceFinder closed.$THREAD: Stopping DeviceFinder...$THREAD: Waiting for DeviceFinder to close...
API String ID: 3577780043-1578849761
Opcode ID: a536bc1c71dd68522557b2ed45ac1fe69acffe50b52c4051f7266c5bc2a686f3
Instruction ID: 130e5cd266d1d21ea38b8ec3badaf4f6cbe92f00ca487fa15f9c4dace3f72aae
Opcode Fuzzy Hash: a536bc1c71dd68522557b2ed45ac1fe69acffe50b52c4051f7266c5bc2a686f3
Instruction Fuzzy Hash: 4F41DD71A04705BFFB209F24CC04F2AB7F4EF05729F214619EA59A7292D772A904CBA0

Function 6D002DE0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstVolumeW.KERNEL32(?,00000104,00000000,00000000,00000000), ref: 6D002E3D
__fassign.LIBCMT ref: 6D002EE0

Strings

\, xrefs: 6D002EA9
?, xrefs: 6D002E9B
\, xrefs: 6D002EBE
\, xrefs: 6D002E8D
[PHYSICALVOLUME->VOLUMENAME volume-name non-matched, skipped] %s, xrefs: 6D003103

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: FindFirstVolume__fassign
String ID: ?$[PHYSICALVOLUME->VOLUMENAME volume-name non-matched, skipped] %s$\$\$\
API String ID: 1573405772-2812856083
Opcode ID: 738ffd3dca4d2d401bc01310993784fce9eae5db4c66c6dcd2fbf546c1f7fc29
Instruction ID: f37070e2eed2c0eaf8e4aed280131213ea8f3fec933ce0238ab630e80221f1fa
Opcode Fuzzy Hash: 738ffd3dca4d2d401bc01310993784fce9eae5db4c66c6dcd2fbf546c1f7fc29
Instruction Fuzzy Hash: A141A675D04218ABFB259B60DC85FEE73BCFB0C314F4045A9EB19D7181E77467888A91

Function 6D00A910 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 120
synchronizationthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 6D00A9BA
CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 6D00A9C7
CreateThread.KERNEL32(00000000,00000000,6D004000,00000000,00000000,00000000), ref: 6D00AA8C
MessageBoxA.USER32(00000000,Error creating device finder thread,Error,00000000), ref: 6D00AAA5

Strings

OMDEBUG, xrefs: 6D00A918
Error, xrefs: 6D00AA9A
Error creating device finder thread, xrefs: 6D00AA9F

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Create$Mutex$MessageThread
String ID: Error$Error creating device finder thread$OMDEBUG
API String ID: 451566311-2746158925
Opcode ID: 7f0057c4335c2fe9af06d4f5f1909bac4118e91b35b177b7a26115c19c3f966b
Instruction ID: e0f291f1903db62c5c5e007844b5d8cb4500724df77a2c2fb76b5ab2905d38b4
Opcode Fuzzy Hash: 7f0057c4335c2fe9af06d4f5f1909bac4118e91b35b177b7a26115c19c3f966b
Instruction Fuzzy Hash: 2E4169B0605301ABFB30CF65C819B577BF4AB06318F214A5DE48A8B6C1E7B5E548CBD1

Function 6D0018A0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupDiClassGuidsFromNameW.SETUPAPI(Ports,00000000,00000000,?,?,73BCE995,?,00000000,00000000), ref: 6D001B5A

Strings

ERROR: SetupDiClassGuidsFromName() failed., xrefs: 6D001B66
&MI_, xrefs: 6D001925
Ports, xrefs: 6D001B55
USB\VID_%04X&PID_%04X, xrefs: 6D001B2A

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ClassFromGuidsNameSetup
String ID: &MI_$ERROR: SetupDiClassGuidsFromName() failed.$Ports$USB\VID_%04X&PID_%04X
API String ID: 3184447455-3218696524
Opcode ID: 30635b7981fbe584b9680fe33688f5a628f46a5be4576a25dcecada262d9790c
Instruction ID: 1def910eda0fadaa237b5a69e26ced33e0409bfda0a5cc950e3aa022adb6493b
Opcode Fuzzy Hash: 30635b7981fbe584b9680fe33688f5a628f46a5be4576a25dcecada262d9790c
Instruction Fuzzy Hash: CEA13331A08505AFFB15CF68CC80BBEBBB5EF45314F5482A9E815EB286D770D941CB92

Function 6D0029D0 Relevance: 7.6, APIs: 5, Instructions: 144COMMON

Download Yara Rule

APIs

SetupDiGetClassDevsW.SETUPAPI(6D0272A0,00000000,00000000,00000012), ref: 6D002A3E
SetupDiEnumDeviceInterfaces.SETUPAPI(00000000,00000000,6D0272A0,00000000,0000001C), ref: 6D002A88
SetupDiGetDeviceInterfaceDetailW.SETUPAPI(00000000,0000001C,00000000,00000000,?,?), ref: 6D002ADF
SetupDiGetDeviceInterfaceDetailW.SETUPAPI(00000000,0000001C,?,?,00000000,0000001C), ref: 6D002B28
SetupDiEnumDeviceInterfaces.SETUPAPI(00000000,00000000,6D0272A0,00000001,0000001C), ref: 6D002DA3

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Setup$Device$DetailEnumInterfaceInterfaces$ClassDevs
String ID:
API String ID: 34584884-0
Opcode ID: 7861b35809ab641ce70fb70e30cd5afa4ad1abecf5d79fc3cb2997995bfda477
Instruction ID: b143ef348a563f06b194e97166a8c877f51493b97e7e5fbc14668ae15c05275b
Opcode Fuzzy Hash: 7861b35809ab641ce70fb70e30cd5afa4ad1abecf5d79fc3cb2997995bfda477
Instruction Fuzzy Hash: 0B5153B1D01219AFEB20CF14CD84BAEB7B8FF89714F10429AF618A7281DB705A84CF55

Function 01820070 Relevance: 5.3, Strings: 4, Instructions: 343COMMON

Download Yara Rule

Strings

\, xrefs: 01820138
}]j^, xrefs: 018200FD, 01820102
Tqxk, xrefs: 0182047C
5]j^, xrefs: 0182048B, 01820490

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: Tqxk$\$5]j^$}]j^
API String ID: 0-4248719467
Opcode ID: a34cc346b1930d3da794e2e4f62856f05d9525ac24edd971eea6710c88f37fa2
Instruction ID: f9604f6aca99bbc16aa0782c35c4baf13b6a49d73b905916aae6b487fb3fda51
Opcode Fuzzy Hash: a34cc346b1930d3da794e2e4f62856f05d9525ac24edd971eea6710c88f37fa2
Instruction Fuzzy Hash: 9FD1B130700220EBDB1ADF74D885A2E77A6BF84308F158668E906DB795DF78DC46CB91

Function 01820014 Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

\, xrefs: 01820138
}]j^, xrefs: 018200FD, 01820102
Tqxk, xrefs: 0182047C
5]j^, xrefs: 0182048B, 01820490

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: Tqxk$\$5]j^$}]j^
API String ID: 0-4248719467
Opcode ID: 0832367211b4aaef4b52b627e846bb4b411a0f72235bb57ccbe61e37f5f9998b
Instruction ID: 29c9338ad02694db80b88f873c460da4f333c29055befe06856c326339318dc5
Opcode Fuzzy Hash: 0832367211b4aaef4b52b627e846bb4b411a0f72235bb57ccbe61e37f5f9998b
Instruction Fuzzy Hash: 3A51E030B043619FC70ADB74D4542AEBBB2BF86214B0586BAD405DB392CF789C55CBE6

Function 01820690 Relevance: 4.0, Strings: 3, Instructions: 285COMMON

Download Yara Rule

Strings

Tqxk, xrefs: 01820A48
Tqxk, xrefs: 01820759
Tqxk, xrefs: 01820A24

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: Tqxk$Tqxk$Tqxk
API String ID: 0-1964008773
Opcode ID: 7450abad47435704bd92963998deb73998a6d3898df09acd19366927af8bc261
Instruction ID: c55e90e778fd0c43605e90779706dc0ff383bc2441ee6c6601e556ac5aa4b168
Opcode Fuzzy Hash: 7450abad47435704bd92963998deb73998a6d3898df09acd19366927af8bc261
Instruction Fuzzy Hash: 5DB11C347002148FD759AB38C458BAE77A7AFCA308F65847DD44A9B3A5CF35AC06CB91

Function 01820682 Relevance: 4.0, Strings: 3, Instructions: 283COMMON

Download Yara Rule

Strings

Tqxk, xrefs: 01820A48
Tqxk, xrefs: 01820759
Tqxk, xrefs: 01820A24

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: Tqxk$Tqxk$Tqxk
API String ID: 0-1964008773
Opcode ID: 6a93a078ac2ce837c297d0c86f9e9f57d9b018e33dc57b3d4a8c0ed37d227a4e
Instruction ID: 1827dbcb691767aad6d5006f0b30ac4981d8847b655c0d25fa7184d9de607d07
Opcode Fuzzy Hash: 6a93a078ac2ce837c297d0c86f9e9f57d9b018e33dc57b3d4a8c0ed37d227a4e
Instruction Fuzzy Hash: 73B13C347002148FD759AB34C458BAE77A7AFCA308F55847DD44A9B3A6CF39AC02CB91

Function 01820CD8 Relevance: 3.8, Strings: 3, Instructions: 89COMMON

Download Yara Rule

Strings

5Zj^, xrefs: 01820D4C, 01820D51
EZj^, xrefs: 01820D8B, 01820D90
Tqxk, xrefs: 01820D40

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: Tqxk$5Zj^$EZj^
API String ID: 0-2843524477
Opcode ID: a062b40237e8c50fd74ea1a38b0c44cdaf0ce717ebe7c4181a82e530f6fb23fa
Instruction ID: e257e434cb803b0caada3fd95ddbbefc6295462ca0349701466e4d273d6b25db
Opcode Fuzzy Hash: a062b40237e8c50fd74ea1a38b0c44cdaf0ce717ebe7c4181a82e530f6fb23fa
Instruction Fuzzy Hash: F631AEB17003108FC7269B79D85096FB7EAAF892147144A7EE546CB792DF35EC068B60

Function 01820CE8 Relevance: 3.8, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

5Zj^, xrefs: 01820D4C, 01820D51
EZj^, xrefs: 01820D8B, 01820D90
Tqxk, xrefs: 01820D40

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: Tqxk$5Zj^$EZj^
API String ID: 0-2843524477
Opcode ID: 06a3b6d4910dd0b52cf55550493274b42bdae85af6ebb3a51d512415cd7a97b4
Instruction ID: 8d530b3f4985dd5a73f5282c4371f3fe8f2da1c0b81100bfd59b929132e69ad2
Opcode Fuzzy Hash: 06a3b6d4910dd0b52cf55550493274b42bdae85af6ebb3a51d512415cd7a97b4
Instruction Fuzzy Hash: 8F217C717103118F87269B7AD89096FB7EBAFC92043144A7EE54AC7752DF35EC068BA0

Function 06B337DE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B3387B

Strings

xxkT, xrefs: 06B33807

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CreateDirectory
String ID: xxkT
API String ID: 4241100979-1059211526
Opcode ID: ba06d9dee29a0bf9ec01aedcf23702d0cf9dc004454b970387494e471588ad57
Instruction ID: c093ae27b22c5800fbdeb6686321a9b9931dd6c0a87feaf28821524da1afbc4b
Opcode Fuzzy Hash: ba06d9dee29a0bf9ec01aedcf23702d0cf9dc004454b970387494e471588ad57
Instruction Fuzzy Hash: CB312F7164E3C09FD7138B259C55A56BFF4EF07210B0A84DBD985CF2A3D6289849CB72

Function 08504050 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

Tqxk, xrefs: 085042C1
Tqxk, xrefs: 085043A1

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: Tqxk$Tqxk
API String ID: 0-207793271
Opcode ID: 771773fd7a9529b57776f999e06dc0133a3c911a467b3420375435df7ab7f845
Instruction ID: 407f293af86156e8f3dd912ee16ed5779e5c190eaf6d1491bcda5ff1b4dc55c5
Opcode Fuzzy Hash: 771773fd7a9529b57776f999e06dc0133a3c911a467b3420375435df7ab7f845
Instruction Fuzzy Hash: 2EB1E534700600CFCB29EB38C49896D77A2BF8624A76548BDD506DB7A1DF36AC06CB91

Function 08501F90 Relevance: 2.7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

Strings

TGwk, xrefs: 085021F3
TGwk, xrefs: 08502243

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: TGwk$TGwk
API String ID: 0-519439241
Opcode ID: e82a60471633de3bf660066791558ec192f894095f5c637ce9afafe756a8d715
Instruction ID: fd365a065da0609cdf87a832bc9b3163fb4b14d2f46f3d7dfde627f4d449042d
Opcode Fuzzy Hash: e82a60471633de3bf660066791558ec192f894095f5c637ce9afafe756a8d715
Instruction Fuzzy Hash: 10813B343002108BE719AB39C46877E76E7AFC9646F244069E906CF7E5DF7ADC068B42

Function 08503990 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

h^wk, xrefs: 08503A4D
\, xrefs: 08503A42

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: \$h^wk
API String ID: 0-3697371996
Opcode ID: c018f39a7151b1c35fad4275f9a6cceb35889122351c843a89f50345e09eddc8
Instruction ID: 1144e4b1fd8e808aae160dc46fe20d2556412492d76409892606fc0dadf8758b
Opcode Fuzzy Hash: c018f39a7151b1c35fad4275f9a6cceb35889122351c843a89f50345e09eddc8
Instruction Fuzzy Hash: 21615E307002158FDB18DB78C558AAEB7E2BF88319B24846DD806DB7A0EF799C45CB81

Function 08503981 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

h^wk, xrefs: 08503A4D
\, xrefs: 08503A42

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: \$h^wk
API String ID: 0-3697371996
Opcode ID: 84b53c7a7f7b1d0418f8db613c8ac4856d74c3216c10107d88c6781da361096d
Instruction ID: 13283c9ab1422498104dcfa7c0e52ad1ee9eb3762f78398ea2380f516bfd1834
Opcode Fuzzy Hash: 84b53c7a7f7b1d0418f8db613c8ac4856d74c3216c10107d88c6781da361096d
Instruction Fuzzy Hash: 3A614D307002058FDB18DB78C558AAEB7E2BF8830AB15846DD806DB7A0DF799C45CF81

Function 01821560 Relevance: 2.6, Strings: 2, Instructions: 84COMMON

Download Yara Rule

Strings

=Vj^, xrefs: 018215C1, 018215C6
5Rj^, xrefs: 018215F6, 018215FB

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: 5Rj^$=Vj^
API String ID: 0-1801664145
Opcode ID: f05ab5f73f2620d3c07250172a9fcd6ac5caff2b79f397cd140b463896f13d3a
Instruction ID: a8ad455b04098fc67d182870dc7956c282ac1fbbea27aa17c8cdd7f4a77cfe02
Opcode Fuzzy Hash: f05ab5f73f2620d3c07250172a9fcd6ac5caff2b79f397cd140b463896f13d3a
Instruction Fuzzy Hash: 47219AB0310A008BE318E775D8A1A7F73ABAFC41147958A2DD10ACB7D4CF78AC0683A1

Function 01821570 Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

=Vj^, xrefs: 018215C1, 018215C6
5Rj^, xrefs: 018215F6, 018215FB

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: 5Rj^$=Vj^
API String ID: 0-1801664145
Opcode ID: ef76717bfcc2a933b0a76f9c66e9c8589ef221f6ff0aa5051132880cc898a0cf
Instruction ID: b01c0d693142e3c9704b820f777bed155efc80cb4378d7786137d59063cf30d8
Opcode Fuzzy Hash: ef76717bfcc2a933b0a76f9c66e9c8589ef221f6ff0aa5051132880cc898a0cf
Instruction Fuzzy Hash: 71215BB4310A008BE318F775D8A1A7F729BAFC4514795CA2CD20A9B7D4DF79ED0683A1

Function 08506DC0 Relevance: 1.8, Strings: 1, Instructions: 595COMMON

Download Yara Rule

Strings

TGwk, xrefs: 08506EE3

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: TGwk
API String ID: 0-2866842445
Opcode ID: 997137a711bd693ffeab11491ebcd66c298d9a0e165ed7fcb92d20d227c01474
Instruction ID: d2b6af7fa51a036d7da401adf9c5e145c7bb6fd855853cfb8ff16dbc1d6eb4fa
Opcode Fuzzy Hash: 997137a711bd693ffeab11491ebcd66c298d9a0e165ed7fcb92d20d227c01474
Instruction Fuzzy Hash: 5E326C35A00618DFCF159FA4C958ADDBBB2FF89304F0584A9E209AB271DF31AA55DF40

Function 085078C9 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

:@Qk, xrefs: 08507EA8

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: :@Qk
API String ID: 0-3079184092
Opcode ID: b61435ec342b128d506a30121a0e089ee958576dd28725078721c99a34f9dfdd
Instruction ID: 53d1b852a78cf80038d813f15750e9b9c3de4069eb90c34442ce86d318acaee1
Opcode Fuzzy Hash: b61435ec342b128d506a30121a0e089ee958576dd28725078721c99a34f9dfdd
Instruction Fuzzy Hash: 0B223834A00215CFDB25DB24C894BADB7B2FF88304F1088ADD54AA7255DF35AE99DF50

Function 06B333DA Relevance: 1.6, APIs: 1, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 06B334B9

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e4ea0558ea5125e34be42a29f890b7432eb68865d8f0442ce3672a6389147ba0
Instruction ID: edfc3a48a59d65319899803db334a901522e13535576be2887a5ee50c1822eb0
Opcode Fuzzy Hash: e4ea0558ea5125e34be42a29f890b7432eb68865d8f0442ce3672a6389147ba0
Instruction Fuzzy Hash: 12415E715093C06FE7138B618C55F96BFB8EF07214F0944DBE9818B1A3D265A908CB72

Function 06B364BF Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 06B36597

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 0dce5d7458ff2999794ede989a36611a8bd797fee1a6b63d86fa05bbf14c66d0
Instruction ID: b26b943b5bbb16c734fd2b6680be30cf451f729f77ab496ade2dc016ed4dd300
Opcode Fuzzy Hash: 0dce5d7458ff2999794ede989a36611a8bd797fee1a6b63d86fa05bbf14c66d0
Instruction Fuzzy Hash: 3231B4B15043446FE722DB60CC85FA7BFECEF05314F04489AEA449B192D775A909CB71

Function 06B35A86 Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 06B35B3D

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fcee7d1c2a96be3d6626f12d3f38f6b693cc6d2288fa5b8d9315a8b0755bd99c
Instruction ID: 6727bbae055ae09e4a9b999c67b683501cf265607c628cfb04804b8157d5af79
Opcode Fuzzy Hash: fcee7d1c2a96be3d6626f12d3f38f6b693cc6d2288fa5b8d9315a8b0755bd99c
Instruction Fuzzy Hash: DB31B2B2504344AFE7228F60CC44FA7BBACEF45314F04889AE985DB152D374A509CBB1

Function 06B3438C Relevance: 1.6, APIs: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 06B3444E

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 17ef74f6d4bc308a1bbdec054afa6580195bb5d9ebe80dddfee60e53f2ffac7e
Instruction ID: 64b9083f60577efc7791f198e75d9b4e41e4bf1ae982bd504ced9f3c9c4dd6ff
Opcode Fuzzy Hash: 17ef74f6d4bc308a1bbdec054afa6580195bb5d9ebe80dddfee60e53f2ffac7e
Instruction Fuzzy Hash: 2A31807150D3C06FD7238B61DC54B56BFF4EF07214F0988DBE9848B5A3D265A808CB62

Function 06B354FB Relevance: 1.6, APIs: 1, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000E24,?,?), ref: 06B355BE

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: 0101b523d78ab8427d7271587c7d7e28e5c3be30af09e93ffb61a2a2e23cf8ea
Instruction ID: baec5bf1a10317e01d2e713b1325979636cf664296a7d44fb94bb4d813a1025d
Opcode Fuzzy Hash: 0101b523d78ab8427d7271587c7d7e28e5c3be30af09e93ffb61a2a2e23cf8ea
Instruction Fuzzy Hash: 89318D7550D3C45FD3138B258C61BA6BFB4EF47614F0E84CBD8848F2A3D6246919CBA2

Function 011AA605 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 011AA6B5

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c9c72694e1ff49900f61bf89798fdbe86a3acbc567216686aae7306aa9f97152
Instruction ID: de94b0f2884692d6150f71ad279b6cf74984ae875ccc2110568320dc2f6ba4e5
Opcode Fuzzy Hash: c9c72694e1ff49900f61bf89798fdbe86a3acbc567216686aae7306aa9f97152
Instruction Fuzzy Hash: 8A317C75508380AFE722CF65DC85B56BFF8EF05314F0884AEE9858B652D375E908CB61

Function 06B35C86 Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 06B35D32

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 380a0a5390a5ed92e211033d88e005ab30e5acbe95d25596434fea003bb3bcfa
Instruction ID: 6f3fe61fd1e55af243d88b98f20987352d59827ffdc06d032c243f5fb9f50d05
Opcode Fuzzy Hash: 380a0a5390a5ed92e211033d88e005ab30e5acbe95d25596434fea003bb3bcfa
Instruction Fuzzy Hash: 6E31A2B25057806FE7228B61DC45FA6BFB8EF06314F08849AE9849B253D274A909CB71

Function 06B361F5 Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B362B0

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 4eb53994a4c43891a5ba8882a50ea827af4d45a185e2e9cbe183dd23441f079e
Instruction ID: 2eca5f3b17a081943fecf6d6106d53a9ad8dad92934e88c539a8fd670d87db9a
Opcode Fuzzy Hash: 4eb53994a4c43891a5ba8882a50ea827af4d45a185e2e9cbe183dd23441f079e
Instruction Fuzzy Hash: 69314C7150D3C46FD7138B259D54B52BFB8EF47214F0A84DBE9849F1A3D268A90CCB62

Function 06B353FD Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B354B1

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 50f91fa8afe3efc91754f4aebbc2714dda2b4a083e13fbe84cd29d69fd23e233
Instruction ID: 9b80b6d8d7398a66a4c1ebc3cbb1a6a15f1fcc1d6385fe6853beb2a1dc360221
Opcode Fuzzy Hash: 50f91fa8afe3efc91754f4aebbc2714dda2b4a083e13fbe84cd29d69fd23e233
Instruction Fuzzy Hash: 0F31A4B2505780AFDB22CF11DC84F92BFF8EF06314F08849AE9848B162D335E919CB61

Function 06B3489C Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 06B34933

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 7ddf962f910607646ec506650554261eac32a7c1f8d41249b881b322caf4dad2
Instruction ID: 7926853a84d215aaf27858417362944e2e715caa9ead178dbda57095879d8a91
Opcode Fuzzy Hash: 7ddf962f910607646ec506650554261eac32a7c1f8d41249b881b322caf4dad2
Instruction Fuzzy Hash: 2231C1B25043446FEB21CF64DC45FA7BBECEF05210F0888AAE944DB152D374E908CB61

Function 0182F2D0 Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

$xk, xrefs: 0182F3ED

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: $xk
API String ID: 0-845860396
Opcode ID: 1cbdf71de1e8c994793f3f9efdf4ba021d23542471ffacc84b52209a53b3bf1e
Instruction ID: 652a6eaf38c77ecd28a25d654a30a43cd561cc1f9f15b3059dc1c5f65f1b06fa
Opcode Fuzzy Hash: 1cbdf71de1e8c994793f3f9efdf4ba021d23542471ffacc84b52209a53b3bf1e
Instruction Fuzzy Hash: 1AC19C707006118FEB269B38C959A6EB7F2AFC8344F14443CE606CB7A5DF789946CB51

Function 06B36A84 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B36B1A

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: cf6a7d1c6e1ce9e9332b5f0d6c86f701bd16d8f5d669eda5c49714e2269c006b
Instruction ID: 8e6209c31afc5abd634310cb4c2ad61a58217139438981e2c9d6e90c1119b318
Opcode Fuzzy Hash: cf6a7d1c6e1ce9e9332b5f0d6c86f701bd16d8f5d669eda5c49714e2269c006b
Instruction Fuzzy Hash: 0521D5B25093846FEB128B20DC55B96BFE8EF06314F0884DAE9849F153D274A508CB61

Function 06B34DC1 Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 06B34E61

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f1d1325760b59e291685121a3b06acb4c15b072f048dad44421f210022f5085a
Instruction ID: c3200e755824c78db0af3888a8c8e3f1ebc6813bdbe3dbf7ee59d203198563ae
Opcode Fuzzy Hash: f1d1325760b59e291685121a3b06acb4c15b072f048dad44421f210022f5085a
Instruction Fuzzy Hash: CE3150B1509380AFE721CF65CC85B56FFF8EF05214F0884AAE9848B292D375E908CB61

Function 06B364F2 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 06B36597

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: e97ef1b39373950542f0570edc47e54587741e230eba41d1315cbf40f98bd93b
Instruction ID: f6cfd0037544fee979a765f2ee80eb9ccdb9576db952001faca5f9693a636791
Opcode Fuzzy Hash: e97ef1b39373950542f0570edc47e54587741e230eba41d1315cbf40f98bd93b
Instruction Fuzzy Hash: 9F21A6B2500204BFEB21DB50CC85FA6F7ECEF04714F14885AEA459A685D774A5498BB1

Function 06B35B92 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B35C3C

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 5b049dc0668832779f61211a05376f38276b232678a0ff6a196e2b16bfba8ab6
Instruction ID: b2d8accf7b60243f5efadebac7d7c381cb72d3779f3ee31756276655fd4db699
Opcode Fuzzy Hash: 5b049dc0668832779f61211a05376f38276b232678a0ff6a196e2b16bfba8ab6
Instruction Fuzzy Hash: 0C31C3B24053846FEB22CB50DC44F96BFACEF46314F08889AE9849B152D274A509CBB1

Function 06B35998 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNELBASE(?,00000E24), ref: 06B35A31

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 7b03e81a6b6a0ce466231f1ea11b5f3a157d0974004dc3e695b277821ae6e4d1
Instruction ID: e958b98acebf97054682749edd56db2c687950c8a308966a58daf3d729fff13c
Opcode Fuzzy Hash: 7b03e81a6b6a0ce466231f1ea11b5f3a157d0974004dc3e695b277821ae6e4d1
Instruction Fuzzy Hash: 5421A2B54092806FE7128B609C85FA6BFB8EF06314F0984DAE9449B153D274A909CB71

Function 06B36B79 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B36C0A

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 32735287b9d19b1d80ffce8de3ddcd78f51fb25aadae260623b1fabf4fbca4c1
Instruction ID: 6d40052191effed6029dce7ab3b1be80bd4be6afb870199117bf42f61752e04a
Opcode Fuzzy Hash: 32735287b9d19b1d80ffce8de3ddcd78f51fb25aadae260623b1fabf4fbca4c1
Instruction Fuzzy Hash: 6E21A3B15053846FEB22CB51DC45FA6BFACEF46220F08849AE944DB192D274E908CB71

Function 06B36C70 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E24,?,?), ref: 06B36D16

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 86d364a1ebc53184e3419e29887920aba0b742d03a712121da5a85e214da3197
Instruction ID: c565a41b126817130587a2c1421862236ea7b088bb8c50c189a663f807a67e68
Opcode Fuzzy Hash: 86d364a1ebc53184e3419e29887920aba0b742d03a712121da5a85e214da3197
Instruction Fuzzy Hash: 1D21AD715093C06FD3128B61CC55B66BFB8EF87214F0984DBD8849B6A3D624A919CBB2

Function 06B33DF2 Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B33E94

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b40a49a83f4f2a44520af8f45c0d9790952bb8728b6079505a3425a1bfee18cc
Instruction ID: daa5603bf075fe6a530d6f1293901890a501ce76db3c74bc9ca1fda13aed83da
Opcode Fuzzy Hash: b40a49a83f4f2a44520af8f45c0d9790952bb8728b6079505a3425a1bfee18cc
Instruction Fuzzy Hash: 88217CB2604384AFE721CF11DC84FA7BBF8EF45610F08859AE9459B292D364E908CB71

Function 06B35319 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B353B3

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 9f0666ce0ebf648b2ba5f0ce5783c9eb759e36bf1800dfb311e0c9a713d2ac2e
Instruction ID: 094c8b706ce06c597b92fecc712d6c575ce8a8e231b35e5f4ee66d993269c6aa
Opcode Fuzzy Hash: 9f0666ce0ebf648b2ba5f0ce5783c9eb759e36bf1800dfb311e0c9a713d2ac2e
Instruction Fuzzy Hash: 732176725093C46FDB22CF21DC95B96BFB8EF46314F0884DAE9859F153D2749508C761

Function 06B357ED Relevance: 1.6, APIs: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B35882

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 302e8cf992701b081c406fc5e9bf46e2ee7fc5a90477dbf4b1fef9b7581ebbda
Instruction ID: 9327c2dd41f2ad183479cd4964d7a21ef3297ad90eba07653b7f41a5c9da5c51
Opcode Fuzzy Hash: 302e8cf992701b081c406fc5e9bf46e2ee7fc5a90477dbf4b1fef9b7581ebbda
Instruction Fuzzy Hash: F22197B15093846FD712CB61CC85F96BFBCEF46214F0884DBE9849B152D274A508CBB1

Function 011AA424 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 011AA4BE

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a30e751ad462deed1e99583b21d04263fe6b7a1a5cf91ef4c125e07ed0a6cc8f
Instruction ID: a3c2e5d39eca0bfb3b2f58dc444f1afbdce309d5de119a12f49ff83cfc99d9cc
Opcode Fuzzy Hash: a30e751ad462deed1e99583b21d04263fe6b7a1a5cf91ef4c125e07ed0a6cc8f
Instruction Fuzzy Hash: 5321C2754093C06FD3138B259C51B62BFB8EF87610F0A41DBE884DB693D225A919CBB2

Function 06B35ABE Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 06B35B3D

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3a8c003841ecc64f15471c40f241ef9fd92abdf95e2bef857f1de1faad697bce
Instruction ID: b626f1e536a77160c51a2d915ce485f686f22c662b23a5017a9aca9a9a15ed5d
Opcode Fuzzy Hash: 3a8c003841ecc64f15471c40f241ef9fd92abdf95e2bef857f1de1faad697bce
Instruction Fuzzy Hash: E62183B2600204AEEB21DF55DC45FABF7ECEF08224F14886AE945DB641E774E5088BB1

Function 06B378AB Relevance: 1.6, APIs: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B37932

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 74d5b964b10a96f49c76428c488b48b5f31d51c0dc468eb657d201f40920fa53
Instruction ID: 7a29edb9ae24e66f334570a9d5634fabf211bc34223b7851ab067fad2a55c684
Opcode Fuzzy Hash: 74d5b964b10a96f49c76428c488b48b5f31d51c0dc468eb657d201f40920fa53
Instruction Fuzzy Hash: 5021B2B15042806FEB118F61DC45FA6BFB8EF06214F08859EE9849B152C274A408CB61

Function 06B3060C Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E24,?,?), ref: 06B306A6

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: cb8dd4aacdc3f9fc0a0f66d050636b4e041113b7df9e88a0e4c593f231c6dcd5
Instruction ID: 17c4104679bbda181e15957767b44346e6954e6f4bbf1b88e7d5e8f8dfc5cb92
Opcode Fuzzy Hash: cb8dd4aacdc3f9fc0a0f66d050636b4e041113b7df9e88a0e4c593f231c6dcd5
Instruction Fuzzy Hash: C821A7754093806FD3138B25CC51B62BFB4EF87724F0A45DFE8448B693D2256919CBB2

Function 06B33EEA Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,?,?), ref: 06B33F86

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1c81b91c6be636d519157665b238f2e28def76bffd1100162813e19fcd5a6c69
Instruction ID: 37b2907e472138813216b25547b53239724b03b9b0ed4d9948f6ca2ae1fe174f
Opcode Fuzzy Hash: 1c81b91c6be636d519157665b238f2e28def76bffd1100162813e19fcd5a6c69
Instruction Fuzzy Hash: F521F5755093C06FC3138B258C51B62BFB8EF87614F0985CFE8848B693D2256919CBB2

Function 06B350C4 Relevance: 1.6, APIs: 1, Instructions: 77timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B3514D

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 54a06e8f64d838f4d0b171a55de5673d0f680ccac5987644c71c7eb942eb2ad7
Instruction ID: 4b0174ef096f9914f04cb0f5df91babb663978a479c990b84faff6c0d64f3c47
Opcode Fuzzy Hash: 54a06e8f64d838f4d0b171a55de5673d0f680ccac5987644c71c7eb942eb2ad7
Instruction Fuzzy Hash: 0221C1B2505380AFDB228F51DC45FA7BFF8EF45214F0888AAE9859B152D374A408CBA1

Function 06B34A52 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 06B34AE6

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7d5ba5b3e8cd06ad8598fe80c265732dc329f97d1be476d7b14840d1212287b6
Instruction ID: ac748f2bf5097e709d8d0a250770d0ce1dd0b4c03fa57cfdc7b19d85c04935ff
Opcode Fuzzy Hash: 7d5ba5b3e8cd06ad8598fe80c265732dc329f97d1be476d7b14840d1212287b6
Instruction Fuzzy Hash: 17219FB1504284AFE722CF55DC44F96FFF8EF09314F04849EE9849B692D375A508CBA1

Function 011AA636 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 011AA6B5

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 41352dd2fc34f49346f12e528ffbfc3b62518b359e9d3151894046df418b2fde
Instruction ID: 86a34d7f51933780baa95f9a6d7ba55762f7dacaf3260e13fddea42879216d3d
Opcode Fuzzy Hash: 41352dd2fc34f49346f12e528ffbfc3b62518b359e9d3151894046df418b2fde
Instruction Fuzzy Hash: 3C21AE75600240AFEB21CF65DC85B66FBE8EF08324F04846DEA498B752E775E408CF62

Function 06B348C2 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 06B34933

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 560692080983f52bc88cf867575a9f06749d2011ba17f4a1971cd92f93a4db75
Instruction ID: 57063dfd0de63b379c6682129f5f4af3d5c9d609d9a9020e017b9c06eeb4f602
Opcode Fuzzy Hash: 560692080983f52bc88cf867575a9f06749d2011ba17f4a1971cd92f93a4db75
Instruction Fuzzy Hash: 6821D4B2600204AFEB20DF65DD45FAAFBECEF04214F04896AE945DB642D774E508CBB1

Function 06B33A6C Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B33AEC

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 37f3fa498db173f08425b377c67fe11a258e66ba409bceecac5ccf2459d4f56d
Instruction ID: ef37e3142945de1aa5bdd3c9654def4586e940aca2f0520a8a1a2a73c2ef50db
Opcode Fuzzy Hash: 37f3fa498db173f08425b377c67fe11a258e66ba409bceecac5ccf2459d4f56d
Instruction Fuzzy Hash: 1D21D4B15093846FEB118B51DC85F97BFF8EF46324F0884EAE944DF292D274A509CB61

Function 06B347AA Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B34848

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e49ba2bb5b41be5ca41a620937af89144c95d8c88f0ce9e1a6ff5f78d7863b97
Instruction ID: 197129153fa9330e44008ad4fe2972018c7fb27afe283560ccb97425511d4c50
Opcode Fuzzy Hash: e49ba2bb5b41be5ca41a620937af89144c95d8c88f0ce9e1a6ff5f78d7863b97
Instruction Fuzzy Hash: 842181B2504384AFE721CB51DD84F67BFF8EF45210F08859AE9459B692D364E508CBA1

Function 06B32AD9 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06B32B67

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 418907f14078bd02adf3164efb8b496f015a01a218a6dc99e19aa158bf18a016
Instruction ID: 714c02a6b2f25c0a7066a15bd22f8d78d8c190d0ca8b526ce4224404dd6df081
Opcode Fuzzy Hash: 418907f14078bd02adf3164efb8b496f015a01a218a6dc99e19aa158bf18a016
Instruction Fuzzy Hash: 152171B55097809FDB22CF25DC45B52BFF4EF06314F0988DAE9858F553D271A508CB61

Function 06B3343A Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 06B334B9

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 41f0fbf61725742c734b501cd3bc1af6c64aa41423eb4f355657ad48f59d47b6
Instruction ID: cd5cbb91589a36a315e889096d8ac7e6abd0efc44578745f5ebb21d2e4dbd966
Opcode Fuzzy Hash: 41f0fbf61725742c734b501cd3bc1af6c64aa41423eb4f355657ad48f59d47b6
Instruction Fuzzy Hash: 3921F0B2600244AEE721DB51CC85FABF7ECEF08224F08885AED45DB641D775E5088BB1

Function 011AAB5A Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 011AABD9

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: cc773aa21669645d37c22f495d36af35ec2dec89da4f9b688e1db4eed5c144e7
Instruction ID: 742e33ba797390f427674ba92ceef0e42efc109ffc6cf1c02c9ae4b9edc6b798
Opcode Fuzzy Hash: cc773aa21669645d37c22f495d36af35ec2dec89da4f9b688e1db4eed5c144e7
Instruction Fuzzy Hash: 2221D1B2504344AFEB228F51DC44FA7BFACEF45324F04889AF9449B152C374A908CBB1

Function 011AA7C7 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 011AA84D

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c6cc883ecbe4d1129e6229987fecd8866a9bec86f7d02993f2bb6eb1d830e24e
Instruction ID: 3af080d0432d518338267244e4d90a2785cd675ec16f1b90c6826844f88f8db9
Opcode Fuzzy Hash: c6cc883ecbe4d1129e6229987fecd8866a9bec86f7d02993f2bb6eb1d830e24e
Instruction Fuzzy Hash: 8F21D8B54083806FE7128B11DC44BA2BFA8EF46314F0880DBE9849B193C364A909CB71

Function 06B35CBE Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 06B35D32

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a0d6dbd60c0e647a81138b2e9172a221acf180e9ae8d78d586b69020a3c2b16d
Instruction ID: 6090115b3ea998c2e3fe973334e2e6478169405b3b8d081119e30f6abb4af826
Opcode Fuzzy Hash: a0d6dbd60c0e647a81138b2e9172a221acf180e9ae8d78d586b69020a3c2b16d
Instruction Fuzzy Hash: 6921C3B2640204AFEB209F55DC49FAAFBECEF04314F14885AED45DB651D774E5088BB1

Function 06B366A2 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B36731

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 06a664e7b8d6679732bac091ca090a3fb2cdc6d199c0e1d4350f8665dec76d32
Instruction ID: 164d1c516f8eab704e7cfac470622c7014b1e4f2731e8a01c3b014c73759e313
Opcode Fuzzy Hash: 06a664e7b8d6679732bac091ca090a3fb2cdc6d199c0e1d4350f8665dec76d32
Instruction Fuzzy Hash: B621A1B1509384AFD7228B11DC84F96BFB8EF06314F0884DBE9849B193D365A508CB72

Function 06B35436 Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B354B1

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 45245ad249ab7d21d16d61258a2ce17b3abc2548c9b94fc971cf152cf37120c3
Instruction ID: b5ab969a6d0c92d7e4768c6fce6ddd97f6472369acefc1734a6a148bff767fcc
Opcode Fuzzy Hash: 45245ad249ab7d21d16d61258a2ce17b3abc2548c9b94fc971cf152cf37120c3
Instruction Fuzzy Hash: 1F21ACB2600204AFEB20CF51DC84FA6B7E8EF08224F0488AAED458B655D774E418CBA1

Function 06B37992 Relevance: 1.6, APIs: 1, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B37A1A

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 1b98a8430fef8a487a8dc1b5bc6f7fdf4b4b3d5700816ac04a493ba84ffd3517
Instruction ID: 19f10e3a12e955957bbb4e61be2258a3167c07a5b3fae0971c379987ba2c122d
Opcode Fuzzy Hash: 1b98a8430fef8a487a8dc1b5bc6f7fdf4b4b3d5700816ac04a493ba84ffd3517
Instruction Fuzzy Hash: 9C2192B1509384AFD721CB51DC84FA6FFB8EF45324F0885ABE9849B152D375A508CB71

Function 06B34DEE Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 06B34E61

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 80fa783516c46d432e51b6eff77dce445a9508ddf2ad7b9906584e71aad21aab
Instruction ID: abb02b70781729a856b89c78e97d19d6a617a2a6a471622964453d7b98b609fe
Opcode Fuzzy Hash: 80fa783516c46d432e51b6eff77dce445a9508ddf2ad7b9906584e71aad21aab
Instruction Fuzzy Hash: 94217FB16003509FE720DF65C885BA6FBE8EF04614F0484A9E9448B741D775E508CBA1

Function 06B358CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B3595B

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 84d9cf700afa349ac2d5b4a8c940075725308f6af454730f9116d831f2c15041
Instruction ID: 5f394d66c75b3f26510ca95281ff9ea219c23ecc06dc4edc5e476c5c7cc6244e
Opcode Fuzzy Hash: 84d9cf700afa349ac2d5b4a8c940075725308f6af454730f9116d831f2c15041
Instruction Fuzzy Hash: A821D7B15093846FD7228B11DC45FA6FFB8EF46324F0984DBE9849B193D274A508CBB1

Function 06B33E1A Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B33E94

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d19128d67a2880521bb255a3448b0010466402bedb883d15d6e55ad8138848e3
Instruction ID: 67ba1c272aaec050c90aa60f7f226577c027bcb7936bcd3039a3d24050a47153
Opcode Fuzzy Hash: d19128d67a2880521bb255a3448b0010466402bedb883d15d6e55ad8138848e3
Instruction Fuzzy Hash: 4921C0B2A00354AFE720CF15CC84FA7B7ECEF04610F08849AED458B691D774E808CAB1

Function 06B3676E Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 06B367F2

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 52745421d8fd7a25615d7a8c09f1120643d4bf59a9b028790ab0a7dc82553b95
Instruction ID: 35bd95e83c30ea1a409afb5fdf08692c052a8bbb98b274dee29b882093dbe427
Opcode Fuzzy Hash: 52745421d8fd7a25615d7a8c09f1120643d4bf59a9b028790ab0a7dc82553b95
Instruction Fuzzy Hash: C8219275509380AFDB22CF61DC84A52BFF4EF0A310F0984DED9858B563D275A819DB61

Function 06B31261 Relevance: 1.6, APIs: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 06B312D8

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 1bf5777caafcffba0770cdfdcaa1a92a0a7205669c249f29956229abd5d335af
Instruction ID: a0559b255bdf02e42da27a2c9b9e37316bfcab0923c1b2d13e60f41c3553c1da
Opcode Fuzzy Hash: 1bf5777caafcffba0770cdfdcaa1a92a0a7205669c249f29956229abd5d335af
Instruction Fuzzy Hash: E721A172509380AFDB228F25DC44A62FFF8EF07310F0885DAED858B563D275A918DB61

Function 06B3622F Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B362B0

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 438fe2b0bea7379e312f85f0db97eee638de79b34c412a18bddfe53d6cc1b982
Instruction ID: 0012c822ca607be6d87a5d83b0e11b6b6cd3d6c2ff6dff15b8fe3581b369fb4f
Opcode Fuzzy Hash: 438fe2b0bea7379e312f85f0db97eee638de79b34c412a18bddfe53d6cc1b982
Instruction Fuzzy Hash: 9721A5715093846FD7128B11DC44F96FFB8EF46224F0885DBE9449B193D374A908CB72

Function 06B34A72 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 06B34AE6

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 23c2ab5eb1dc2dca790e609f1ce3628377290c6aa79682ec2fa6f290212446cb
Instruction ID: b358951d11604bd649c8dd08197a8aab15610d1a6c46ebfb96ce78aa04d0e69d
Opcode Fuzzy Hash: 23c2ab5eb1dc2dca790e609f1ce3628377290c6aa79682ec2fa6f290212446cb
Instruction Fuzzy Hash: DD21A1B1604204AFE721DF55DC45F96FBE8EF08324F04849DEA458B641D775E508CFA1

Function 06B36BA6 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B36C0A

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 28ecaba0dd2b1910f8e2d016bf41b9a46fdb7bb86a4a9ee5fa8d8fc1b39a9a32
Instruction ID: ce332e89ba895a684e7147e38b7e553e9687dcea1ae81dc5a70085b9be2afebd
Opcode Fuzzy Hash: 28ecaba0dd2b1910f8e2d016bf41b9a46fdb7bb86a4a9ee5fa8d8fc1b39a9a32
Instruction Fuzzy Hash: 2711B1B1600204AFEB20CF55DD85FA6B7ECEF04224F0484AAED05DB691E774E408CAB1

Function 06B339A4 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B33A1C

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: a1602278b72d0126a4120e56d7e51f3f07fc153ca8f50790701522c0d23f1079
Instruction ID: e69c07035f2bf4a59ff9fc19944d74155de897c01ee425488dabd98efe295bc0
Opcode Fuzzy Hash: a1602278b72d0126a4120e56d7e51f3f07fc153ca8f50790701522c0d23f1079
Instruction Fuzzy Hash: 7011D3B1504284AFEB11CB51DC85F97BBECEF45724F0484AAE9449B292D374A908CBB1

Function 06B343E2 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 06B3444E

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 47a17db60d92de95ece10977fbd7de79d57fc7018980dbe298de2b8ee3e26f8a
Instruction ID: e64dcc2186d496694be187a5c9acb9a2d57e7325baef8775cf156516f4a9e274
Opcode Fuzzy Hash: 47a17db60d92de95ece10977fbd7de79d57fc7018980dbe298de2b8ee3e26f8a
Instruction Fuzzy Hash: 8321A471500240AFE721DF55DD45F56FBE4EF04314F1488ADE9458B751D775A408CBA1

Function 06B359CE Relevance: 1.6, APIs: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNELBASE(?,00000E24), ref: 06B35A31

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 6f2f8f0ef62d322a8f13e1e7ee25408b7927b7dbc2e4ecc65733d15b3ccb7259
Instruction ID: d18f6c302643cff8bbd8c39036e218a4572f5f9181e66d752de7dbd4649a6fa2
Opcode Fuzzy Hash: 6f2f8f0ef62d322a8f13e1e7ee25408b7927b7dbc2e4ecc65733d15b3ccb7259
Instruction Fuzzy Hash: 8611CBB2500204AFE720DF55DD85FAAF7DCEF04314F14846AED04DB641D774A5088BB1

Function 011AB75D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 011AB7D9

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: b8eb3ec904c9e4bb99323f6dbeb65939765f77ab6b89b6c7b98e929c9580bc5d
Instruction ID: 84d1bd56188bdbdd8e4857ef38ca4788ee00aadbc5b4709cd7baf9b9b80acf23
Opcode Fuzzy Hash: b8eb3ec904c9e4bb99323f6dbeb65939765f77ab6b89b6c7b98e929c9580bc5d
Instruction Fuzzy Hash: 602196755087805FD722CA15DC45B62BFF8EF46614F08848AED84CB293D3659504CB71

Function 06B35BD2 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B35C3C

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 1526fb421ffbc678f4516bd792e51989a8d8e4d5d54d90c13ba5420c63569192
Instruction ID: 4acd86dfe0ec379486fc7ba058754b8aba87ae91ab605fe2f79c609a7b3e5a14
Opcode Fuzzy Hash: 1526fb421ffbc678f4516bd792e51989a8d8e4d5d54d90c13ba5420c63569192
Instruction Fuzzy Hash: 531193B2500208AFEB21DF51DD85F9AF7ECEF04328F14886AEA459B651D774E508CBB1

Function 06B347D6 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B34848

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 93260949486cb59694db1d2e7d85de13dd042bbf773422b83a7bf96a4af6c69c
Instruction ID: d9befed8587fda81b451aeaaf64dff7bccf8bcd549001434cc0f5ba890a128f2
Opcode Fuzzy Hash: 93260949486cb59694db1d2e7d85de13dd042bbf773422b83a7bf96a4af6c69c
Instruction Fuzzy Hash: 9B11B1B2600244AFEB60CF51CC85FA6FBECEF04624F04849AE9459B651D774E408CBB1

Function 06B31314 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B31384

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4706bb5a6de8b8c84b13b3c21fc0828651ea66cefa30b901baa162c838205be6
Instruction ID: 436606c07ee37bead6fbab4fe4e0a96771aa491c50d6c358e2de564e3f2c7f32
Opcode Fuzzy Hash: 4706bb5a6de8b8c84b13b3c21fc0828651ea66cefa30b901baa162c838205be6
Instruction Fuzzy Hash: 2421E47550D3C0AFC7138B25DC95A52BFB4EF47224F0984DBDD858F2A3D264A908CB62

Function 06B350EE Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B3514D

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 51bdd86419e81fd6680a8ebf988c7e5b3bb65620f001b68857ece4a324961c95
Instruction ID: 15ba94f17bcd98920a37e5e2722f6e73822fb8f3456a369dc8b70e4051b6ba25
Opcode Fuzzy Hash: 51bdd86419e81fd6680a8ebf988c7e5b3bb65620f001b68857ece4a324961c95
Instruction Fuzzy Hash: 4911B6B2600604AFEB21CF55DC85FA6F7E8EF04324F14846AE9459B651D774E408CFB1

Function 06B30AC6 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 06B30B3B

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 3efbc61e4ae50cb931207469d38c37da19f63b4f03d7a3b7e47626ca4a21fb70
Instruction ID: f00d7de45b4564a17e70eebdde1c6f3f7368f7ce7884a69ce668b603bad6cf2a
Opcode Fuzzy Hash: 3efbc61e4ae50cb931207469d38c37da19f63b4f03d7a3b7e47626ca4a21fb70
Instruction Fuzzy Hash: 8F21A2B55093809FD7128B25DC85A52FFB8EF02614F0D84EFDD858F263D2659809CB62

Function 06B36ABE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B36B1A

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: da6a196976caf1c65cfebb68bb42982593bdf144c9329fb92e5bf9dbfa0ba401
Instruction ID: 7ab93b7f4e086736ad00eee1dfc70efdebe541848258e3c506509dbf4e3658d1
Opcode Fuzzy Hash: da6a196976caf1c65cfebb68bb42982593bdf144c9329fb92e5bf9dbfa0ba401
Instruction Fuzzy Hash: D311E6B2600204AFEB209F55DD86BA6F7E8EF04324F14846AE9458F641E774E4088FB1

Function 06B378D6 Relevance: 1.6, APIs: 1, Instructions: 63encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B37932

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 0dd74c6515f8a9a83d0d1a1d88d7e318faa0191939d9b0349300247ee0671068
Instruction ID: 02ef908103a66f58d03fc0536ea533d3063ae696bd88f9b91ddf7e1210c09e34
Opcode Fuzzy Hash: 0dd74c6515f8a9a83d0d1a1d88d7e318faa0191939d9b0349300247ee0671068
Instruction Fuzzy Hash: 6811E2B2600244AFEB209F61DC85FA6F7E8EF04224F1485AAED458A651D774E408CBB5

Function 06B3581E Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B35882

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 23efc1f917f9d173542dce71d898b5ec9e9589ad2d1828358dd7a399d6ee7622
Instruction ID: c411c40d012121426bea771004a922d54b524e2c9a764feed9023317caa2133b
Opcode Fuzzy Hash: 23efc1f917f9d173542dce71d898b5ec9e9589ad2d1828358dd7a399d6ee7622
Instruction Fuzzy Hash: 251194B2500204AFEB21DF51DC85F9AF7ECEF44324F1484AAE9459B645D774E5088BB1

Function 011AB26F Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E24,?,?), ref: 011AB2ED

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: b331dd43373f73d82b7f8b307a269ca093dbf204ca16a50cc3d5ba82d9e07211
Instruction ID: 900e58b8513a724fd8bb8d7e4a7a30dc811ea421a3567fcc1d196ae309bc387c
Opcode Fuzzy Hash: b331dd43373f73d82b7f8b307a269ca093dbf204ca16a50cc3d5ba82d9e07211
Instruction Fuzzy Hash: F111E271544780BFD311CB16DC41F72BFB8EF86B24F09859AEC485BA42D234B919CBA2

Function 011AA2A3 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011AA30E

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eeeee36f53d94cfb8c84f2c1db6caf0d4def8aa30f9f4a3bb521bd43c04637f8
Instruction ID: 24384585ba7bcb7d4059b18f13839a56c07e50ea05cefe9c896171bc66d30501
Opcode Fuzzy Hash: eeeee36f53d94cfb8c84f2c1db6caf0d4def8aa30f9f4a3bb521bd43c04637f8
Instruction Fuzzy Hash: D611AF75409380AFDB228F55DC44A62FFF8EF4A210F08889AED858B163C275A418DB61

Function 06B344B7 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 06B34524

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 7dbc9f7eb52ed47a555d4d75784ff06d338e870f4e3654f44530144f649dd14b
Instruction ID: 298401e9dbd8baf5e16da4f7f23c5744feb24ec09535f19b4f59abbd861154e1
Opcode Fuzzy Hash: 7dbc9f7eb52ed47a555d4d75784ff06d338e870f4e3654f44530144f649dd14b
Instruction Fuzzy Hash: F7218C714093C0AFDB228F65DC45A66FFF4EF46210F0988DAE9898F163C235A459CB62

Function 06B33A96 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B33AEC

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: ba39326e3c97f3ec33402d35c06b78466fc1b8cfb918d0b8d3609a283d8e3367
Instruction ID: 03b6161055b07b28723b402e5dc2ec68228b82e6024b6bc9f6bd3fc1d092b31a
Opcode Fuzzy Hash: ba39326e3c97f3ec33402d35c06b78466fc1b8cfb918d0b8d3609a283d8e3367
Instruction Fuzzy Hash: E411E3B1604244AFEB109B15DC85BABBBDCEF04224F1484AAED04DF281D774E508CAB1

Function 06B310FC Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06B31169

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1bc2a43e9a5525bc807e1d1af7b4ecf616be801523f1106e6c030c96fea3ddeb
Instruction ID: 1e87037db2261d77b955c8afe12ab189eb849e5cd9fa3654be2e1658cd20aff6
Opcode Fuzzy Hash: 1bc2a43e9a5525bc807e1d1af7b4ecf616be801523f1106e6c030c96fea3ddeb
Instruction Fuzzy Hash: 6C1106715097C0AFCB228F25CC84B52FFB4EF06210F0884DFED858B563C225A518CB62

Function 011AAB7A Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 011AABD9

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: dc8dfc18a53bb0287127c25f94cf8c8492b01cb945c982a5ae153bb847e2afa5
Instruction ID: a0b42df9c78719e15341b932d0093f6a8ff03f30e1b4e14ae0649ec8ce20c411
Opcode Fuzzy Hash: dc8dfc18a53bb0287127c25f94cf8c8492b01cb945c982a5ae153bb847e2afa5
Instruction Fuzzy Hash: 1E112772500204AFEB21CF51DD85F96FBE8EF04324F04885AE9459B642C774E448CFB2

Function 011ABD60 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,?,?), ref: 011ABDCA

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 238f163474c26d6abad664874c1e5d867b6853dda2be4714f2621ab09d1f4491
Instruction ID: c859624ad7599c042c4e042448e251b823c9042f7c42006f87f1546cdf3c602e
Opcode Fuzzy Hash: 238f163474c26d6abad664874c1e5d867b6853dda2be4714f2621ab09d1f4491
Instruction Fuzzy Hash: DB1181755093809FD721CF29DC85B56FFE8EF06210F08849AE945CB262D364E908CB62

Function 06B313C0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B3142D

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 5d54fb073e6935ebdf85801154a8f08826dd42b4aa3e050dd1646f0f62983684
Instruction ID: 141a9f55d20fe32a81e7512b09378533392774ca311750da433471c9810fe5ff
Opcode Fuzzy Hash: 5d54fb073e6935ebdf85801154a8f08826dd42b4aa3e050dd1646f0f62983684
Instruction Fuzzy Hash: 0A11AF75509780AFDB228B25DC84A52BFB4EF06224F0984DFED858B563C265A918CB62

Function 06B33B50 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B33BAC

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b4938d91a1b96632b342482032124f785cc123b52e5f094b9109e17a5890d7a7
Instruction ID: 6d0f6b2a37b1f0d97628bf4e43f864b64b3c83fbcb2c07118fe291e496a1cd25
Opcode Fuzzy Hash: b4938d91a1b96632b342482032124f785cc123b52e5f094b9109e17a5890d7a7
Instruction Fuzzy Hash: 8E1186716097805FD712CF25DC95B52BFE8DF46210F0884EAED45CF252D275E808CB61

Function 06B379BE Relevance: 1.6, APIs: 1, Instructions: 59encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B37A1A

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 85ef6eaf8f15a01a72b8661b7c715e4772eb6ee4dccbf9465da230d566140241
Instruction ID: f29e71afe4980085d8d4324022e6bea8d96c124320c9b407716adf364263591e
Opcode Fuzzy Hash: 85ef6eaf8f15a01a72b8661b7c715e4772eb6ee4dccbf9465da230d566140241
Instruction Fuzzy Hash: 4311C4B1600204AFEB20DF51DD85FA6F7E8EF44724F1484AAED449A641D774E508CFB5

Function 06B3146D Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 06B314D8

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: b6dcbe895baf005f785819fb665958fa88c726b59c3bc761c7e11e64f77774e8
Instruction ID: d9fd4cdb6d3a638ecab58d3eca55fdfd5773bc0c7971aa6dff59edf7cdfc5a3f
Opcode Fuzzy Hash: b6dcbe895baf005f785819fb665958fa88c726b59c3bc761c7e11e64f77774e8
Instruction Fuzzy Hash: 9E1181B54093C0AFDB138B25DC84B61BFB4EF47624F0984DEDD858F263D2655908CB62

Function 06B3535A Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B353B3

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 2f62d82c294e61d5d1136f3b79ab3a96eb346e13fa9b769a46b58aa2d1c1fa8a
Instruction ID: 5a51024ad562cb623f6c05c53647f295d006e05583025ffa477a4727d40d4eb6
Opcode Fuzzy Hash: 2f62d82c294e61d5d1136f3b79ab3a96eb346e13fa9b769a46b58aa2d1c1fa8a
Instruction Fuzzy Hash: 6A11C6B2600204AFEB30DF55DC85FA6F7E8EF44324F1484AAEE459B641D7B4A508CBB1

Function 06B33D46 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B33DAB

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 69034f5c27d1e44ae310e3e90a2aef4da8ed254db78d34e5dbeda27448f2b13f
Instruction ID: 89cc071aa09b2638de7a08156727132f70ba53a38d6ee2cde7707d4dcc5629bc
Opcode Fuzzy Hash: 69034f5c27d1e44ae310e3e90a2aef4da8ed254db78d34e5dbeda27448f2b13f
Instruction Fuzzy Hash: 0C11E2755087809FD7128F25DC85B52BFF4EF06220F0980DBDD458F2A3D279A808DB62

Function 06B339C6 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B33A1C

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 09eafafb56cda330919c9bc069620b9e282a28e90444c00f6f39940a6b1a666f
Instruction ID: 142f7c682de4357e6b5b6e724571601aa96b84d62815a00b4fe1a9ba0ae2bf5d
Opcode Fuzzy Hash: 09eafafb56cda330919c9bc069620b9e282a28e90444c00f6f39940a6b1a666f
Instruction Fuzzy Hash: F211C2B1600244AFEB10DF51DD85BAAB7DCEF44324F1484AAED489B241D778A5088FB1

Function 06B33CA4 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B33D08

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: a8d78cc6e2ffdbbb9081ee07ba590ef1d112a1b8a4d5b26b9c4a1d59a083c7b7
Instruction ID: 4f8e8d14158f3d881955e46a974cb5064e7a4c280e5ebd478f59063b742c8138
Opcode Fuzzy Hash: a8d78cc6e2ffdbbb9081ee07ba590ef1d112a1b8a4d5b26b9c4a1d59a083c7b7
Instruction Fuzzy Hash: 73118E714093C0AFDB128F25DC85A52BFF4EF02220F0988EBDD848F163D239A908CB61

Function 06B366D2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B36731

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 29e7108cc41cef1e5c9420696defe257252320bc3e8968afb4b4a4b7ae7a9fa9
Instruction ID: 32112f3257a9301196af9a96a9f855803a10cb1faae2eafb82cdd4426cb17b2e
Opcode Fuzzy Hash: 29e7108cc41cef1e5c9420696defe257252320bc3e8968afb4b4a4b7ae7a9fa9
Instruction Fuzzy Hash: 5511ACB2600204EFEB219F51DD85FA6FBE8EF04724F04849AEE455A691D374E508CBB2

Function 011AA078 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 011AA0D5

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: e04d03f3eae5949a58e64930b56ad63797a64b40e6199408b025082cf8bd4e06
Instruction ID: 8d58dde1477ef4a70ef18aa720a78afed1e4348eb478b91e1b3bd244193ae7ee
Opcode Fuzzy Hash: e04d03f3eae5949a58e64930b56ad63797a64b40e6199408b025082cf8bd4e06
Instruction Fuzzy Hash: AC11BF75509380AFCB22CF55DC44F52FFF4EF46224F08889AED848B153C275A418CB62

Function 011AAFA3 Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 011AB004

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9102b9f5655d9fb3be6d60e9ea39f2708c09399c3eb60ff7a426dafbfa92f105
Instruction ID: 280a050c493cc87b321f19a6890dfa2b8d118f7365e2b94afa6adb4e6288974a
Opcode Fuzzy Hash: 9102b9f5655d9fb3be6d60e9ea39f2708c09399c3eb60ff7a426dafbfa92f105
Instruction Fuzzy Hash: 83116D714493C0AFDB128B15DC89B52BFB4EF46224F0888DAED858F293D275A509CB62

Function 06B35902 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B3595B

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 64be0e479ff4f2f119c48044b945cd34579703711088230cd1bdad16763b3dc8
Instruction ID: b6e93e0b26d611f788cf72001ad99cdb853ba6827676d8733d3513b7b7c55b20
Opcode Fuzzy Hash: 64be0e479ff4f2f119c48044b945cd34579703711088230cd1bdad16763b3dc8
Instruction Fuzzy Hash: 9011C2B2600244AFEB208F11DC85FA6F7A8EF04224F04859AEE485A642C374A5088AB2

Function 06B3625A Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 06B362B0

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: d03599e2f8cccd800fa7e0fcf1abeb6e1e9d4bc6671c7658a30ac19f516974b1
Instruction ID: edd5b6836d0a90871c3914754a51afe0b111ab9a55e371edb9b653f4867d52c8
Opcode Fuzzy Hash: d03599e2f8cccd800fa7e0fcf1abeb6e1e9d4bc6671c7658a30ac19f516974b1
Instruction Fuzzy Hash: D701C4B1600244AFEB209F55DD85BA6F7D8EF44628F14849AED049B781D7B8E5088EB2

Function 06B30FB8 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B31013

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b59cf8e87e839276725173bf5fe822b3ff957cfd78e276b551f4c2bb0446349c
Instruction ID: 88ace5458fbe7281ef9f4e4c7c9bba34886fcb3f393e7d166252a1d456e909a1
Opcode Fuzzy Hash: b59cf8e87e839276725173bf5fe822b3ff957cfd78e276b551f4c2bb0446349c
Instruction Fuzzy Hash: A111E3715043809FD7118F15DC85A52FFE4EF02320F0880DEED458B263C235A918CB62

Function 011AA7FA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E24,50A98413,00000000,00000000,00000000,00000000), ref: 011AA84D

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8bb156d959a8e94ca97eb5a367ea9bd5b6027f8064654420a9d33adaf60a9d24
Instruction ID: b9d3aa1706683c389bbe6a80d81cd8f9813cd0dfb99a0ca3d8f0af04588b03f3
Opcode Fuzzy Hash: 8bb156d959a8e94ca97eb5a367ea9bd5b6027f8064654420a9d33adaf60a9d24
Instruction Fuzzy Hash: 5A01C076500204AEE7259B15EC85BA6FBD8DF44624F14C0AAED049B782C778A509CAA2

Function 06B33836 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B3387B

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 9d9c2bbee3a29a3b6016f6cef7a5a6471135ab632322f21a9b75f42f9e26aaa6
Instruction ID: 41c01a76d856200526b3fe2f79db921022bddbd35918273e17db836897f7c3f9
Opcode Fuzzy Hash: 9d9c2bbee3a29a3b6016f6cef7a5a6471135ab632322f21a9b75f42f9e26aaa6
Instruction Fuzzy Hash: 0B1152B1B002819FEB50CF19D885B56FBD8EF04224F08C4AADD49CB742E778D444CBA1

Function 06B32B16 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06B32B67

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: dac66663e39565b8547cb57a3ac74260d2444496f523c0ccf7d7e80a19e5eef7
Instruction ID: 546af0ff1f87e4cc6cc850b371844faeb80395d0a4452d51c461d7050761d892
Opcode Fuzzy Hash: dac66663e39565b8547cb57a3ac74260d2444496f523c0ccf7d7e80a19e5eef7
Instruction Fuzzy Hash: 8A1170B1A002449FEB60CF55D985B62FBE8EF04620F0888AADD498F752E375E504CFB1

Function 06B30C28 Relevance: 1.6, APIs: 1, Instructions: 50timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 06B30C85

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: e0c443d5b213f8630aa64d89bc75dd5f37f07ae9f985946466990d88d8beafc9
Instruction ID: b5c6c0b5d381a10c15efa425b1dca8fd25e42361f77ebd5499e511b0c85811ec
Opcode Fuzzy Hash: e0c443d5b213f8630aa64d89bc75dd5f37f07ae9f985946466990d88d8beafc9
Instruction Fuzzy Hash: A711A071508380AFCB228F15DC44E62FFF4EF46220F08849EED854B663C275A918DB62

Function 011ABD82 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,?,?), ref: 011ABDCA

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 6c412251d6ba962717601d8f693b6bf2a45478e1ae7460ef929fafbc9a6c53a3
Instruction ID: f9f99bc605ba65bdb810149de3c77800c882f16e1bbcb1bffdb8ef112818c5a7
Opcode Fuzzy Hash: 6c412251d6ba962717601d8f693b6bf2a45478e1ae7460ef929fafbc9a6c53a3
Instruction Fuzzy Hash: 6F0188756042408FD714CF29D885B66FFE4EF05614F48C069DD458B751D775E408CBA7

Function 06B367A6 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 06B367F2

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: b77b61fd698f721fb113f68a9c91d6443231133cdf6761d6eb1505cf7b157633
Instruction ID: 2c3730fc2d8e2db498952a57d6c05e3c3e2443fce0ba194e1128710a917d0aa5
Opcode Fuzzy Hash: b77b61fd698f721fb113f68a9c91d6443231133cdf6761d6eb1505cf7b157633
Instruction Fuzzy Hash: A3117071A00244EFDB20CF55D884B52FBE4EF08314F0888AADD458B652E335E418CFA1

Function 011AB114 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 011AB16E

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7db7cb8becaed27d236191cf241bab9d1127f275fdedae63c211ad26abc82638
Instruction ID: c3bd25c1a9e4863dbe8730b802b2890f213efe87af419095c5e324920ad8cb7a
Opcode Fuzzy Hash: 7db7cb8becaed27d236191cf241bab9d1127f275fdedae63c211ad26abc82638
Instruction Fuzzy Hash: A41170754087849FC7228F55DC89B52FFF4EF46220F08849AED458B262C375A518CB62

Function 06B36CC6 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E24,?,?), ref: 06B36D16

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 206ced4847b69d1187bb29a6a88b2d9483567e5639591f7ea7699b8289e801cb
Instruction ID: e969cc55bc43ceecb03adb1ab04bb480e06745d9e9eca20ce55016f35ca2ae04
Opcode Fuzzy Hash: 206ced4847b69d1187bb29a6a88b2d9483567e5639591f7ea7699b8289e801cb
Instruction Fuzzy Hash: 5F017175900200ABD310DF16DC86B66FBE8FF88B24F14856AED089BB41D635B915CAE5

Function 06B33B72 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B33BAC

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a377548fc8f5809e815d485af2bd6ff17679dfd639ec9ab856bbd436de363d03
Instruction ID: 410e29485df1327de07d77ac816d8ffbad55655333444cb1c20fab75b485a89c
Opcode Fuzzy Hash: a377548fc8f5809e815d485af2bd6ff17679dfd639ec9ab856bbd436de363d03
Instruction Fuzzy Hash: FD0175B1B046809FDB50CF29D885756FBD8EF04224F18C4AADD09CF741E775E404CAA1

Function 06B3556E Relevance: 1.5, APIs: 1, Instructions: 47encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000E24,?,?), ref: 06B355BE

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: dbadb525efc03f8bbb477f96c0b34d5b5f7b9103a889f30f50031be7cfd9f43b
Instruction ID: cc65f02b820c7a51b3b6999713a3ebf4bff294e8e9517cbce8dd1643686ba2a0
Opcode Fuzzy Hash: dbadb525efc03f8bbb477f96c0b34d5b5f7b9103a889f30f50031be7cfd9f43b
Instruction Fuzzy Hash: 41017175900200ABD310DF16DC86B66FBE8FF88B24F14856AED089BB41D735B915CBE5

Function 011AB78E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 011AB7D9

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: ef88d555ede3ca50994b6b8e9412e88312436d0e0f08a018b35358c5db9854c1
Instruction ID: 88431387af25b3fb8e94ca6299ea908fea3670578199ba8f2d733522c98fe5ea
Opcode Fuzzy Hash: ef88d555ede3ca50994b6b8e9412e88312436d0e0f08a018b35358c5db9854c1
Instruction Fuzzy Hash: 270180766046809FEB20CF59D885B62FFE8EF04620F4C8499DD498B792D374E408CA66

Function 011AA2CA Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011AA30E

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4d64b3c5d9baeed31910f4499bb4e764677f13d3bc16ea264c615fb2f2f1ec9c
Instruction ID: 892012a8d683e4eef03e54ed90c9b2897ed4db45af4cdfb93697d3b700e8fc48
Opcode Fuzzy Hash: 4d64b3c5d9baeed31910f4499bb4e764677f13d3bc16ea264c615fb2f2f1ec9c
Instruction Fuzzy Hash: 34018B36504240DFDB218F55E884B66FFE0EF08220F0888AADE494B652D375E018CF62

Function 06B30AFE Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 06B30B3B

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 4dc271e802b8a687b5341134e1fb1b1890635fc39ecbb9b6177e65ab537535f2
Instruction ID: cb0b8011996c383e305b9694b057bf0e7c7bc7478bd239b586a3a631827ad792
Opcode Fuzzy Hash: 4dc271e802b8a687b5341134e1fb1b1890635fc39ecbb9b6177e65ab537535f2
Instruction Fuzzy Hash: C7018875B00244DFD7509F15D885762FBE8EF04624F08C0EADD458F751D775E408CAA2

Function 011AA46E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 011AA4BE

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 00c0fc90b2c8aab09b7b31df90c015e8b2da03ea8485dc1a2d4265999f3a8673
Instruction ID: 854872a3ed220a9ba3b384031e26a6730e6ddba13718aedfe9e0ef47d0aeaf6a
Opcode Fuzzy Hash: 00c0fc90b2c8aab09b7b31df90c015e8b2da03ea8485dc1a2d4265999f3a8673
Instruction Fuzzy Hash: 6801A275500200ABD210DF16CC82B26FBE8FF88A20F148159EC085BB41D335F915CAE6

Function 011AB2A2 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E24,?,?), ref: 011AB2ED

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: b8530c45dd31336b93f2ede1111f0756ab2ec4619428ed5478fbb340b652b708
Instruction ID: 2c88ede0ffec9c6f6eb63050e3cc4ab9c5e0022ec196cf0f518c5d433ce56ca6
Opcode Fuzzy Hash: b8530c45dd31336b93f2ede1111f0756ab2ec4619428ed5478fbb340b652b708
Instruction Fuzzy Hash: BF01A275500200ABD210DF16CC82B26FBE8FF88B20F14815AEC085BB41D331F925CBE6

Function 06B3129A Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 06B312D8

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 2f4221b3f418e495849ec50eb9665b7cae3a569e8ce7b6bcd7feeca086061e86
Instruction ID: 559719a2280cd09122f18b8354c8b282b432458c246042161b391f0a9492d044
Opcode Fuzzy Hash: 2f4221b3f418e495849ec50eb9665b7cae3a569e8ce7b6bcd7feeca086061e86
Instruction Fuzzy Hash: 0801B572600640DFDB608F59DD85B65FBE8EF05220F08C4AEDD464A751D375E418DFA2

Function 06B344E6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 06B34524

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: ef2a012c4dc5b5c7f22e0c2a8f8d310a4d703ac5993c40de8d717ac1f9b907a2
Instruction ID: bbd26e12c92a58076926fc7fafcefb3150d719e22d22ca0cdb74a1c5362e59fe
Opcode Fuzzy Hash: ef2a012c4dc5b5c7f22e0c2a8f8d310a4d703ac5993c40de8d717ac1f9b907a2
Instruction Fuzzy Hash: 9A015E72A00240DFDB60CF55D985B66FBE4EF04724F18C8AADE494B652D375E418CFA2

Function 06B30656 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E24,?,?), ref: 06B306A6

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: ec2bdaabf3e645aeb5ef721384054d80eea0d380349147ae694aea185b5340df
Instruction ID: 6cf1f025380c0b634253625ec23ce4c383774e02b89c3bf803ae7846f5ae917d
Opcode Fuzzy Hash: ec2bdaabf3e645aeb5ef721384054d80eea0d380349147ae694aea185b5340df
Instruction Fuzzy Hash: C301A275500200ABD210DF16CC82B26FBE8FF88B20F14815AED085BB41D331F925CAE6

Function 06B33F36 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,?,?), ref: 06B33F86

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 292e4e15ad069b9348e05e4dc24ddcf402936de8e6d655c42cf68bb2d7d04601
Instruction ID: 948ee8bf726c7b1a577ee54d6cb9035caee0703055fb1bc888b4fc6fcd54be09
Opcode Fuzzy Hash: 292e4e15ad069b9348e05e4dc24ddcf402936de8e6d655c42cf68bb2d7d04601
Instruction Fuzzy Hash: 8301A275500200ABD210DF16CC82B26FBE8FF88B20F14815AEC085BB81D371F925CAE6

Function 06B313F2 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B3142D

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 975664c4568d1ae297e6db3b86bf0ebb1a54d148a44e450e4294030e046bed55
Instruction ID: 072ac5d9198aacae8a1f931df7c8be189d198ce81bc9460a0448244e05eb6777
Opcode Fuzzy Hash: 975664c4568d1ae297e6db3b86bf0ebb1a54d148a44e450e4294030e046bed55
Instruction Fuzzy Hash: CF018476600640DFDB608F59D885B65FBE4EF04224F08C4AEDD494B752D375E458CFA2

Function 06B3112E Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06B31169

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3be5fde534e100c918d3436d1d576efa673e8d2d45234c16a55276d050f1ac20
Instruction ID: 2ef6f133f117214a0c5245583b8a603ddd57449eb60b26e155d8da14a3907485
Opcode Fuzzy Hash: 3be5fde534e100c918d3436d1d576efa673e8d2d45234c16a55276d050f1ac20
Instruction Fuzzy Hash: 8C01D476A00640DFEB208F19D885BA6FBE4EF14224F08C4AEDD494B752C375E418CFA2

Function 06B30FDE Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B31013

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2d83c97092e4735d03247a3e07317cb2812d7d5c9b704556d5965a2c2883272b
Instruction ID: 3c7416f49bf25e70c8c135a1472fcda864be197a26ba366dab5cfcda3c772fec
Opcode Fuzzy Hash: 2d83c97092e4735d03247a3e07317cb2812d7d5c9b704556d5965a2c2883272b
Instruction Fuzzy Hash: DC01A2756002848FDB608F59D885751FBE8EF04224F08C0AADD494B752C679E558CFA2

Function 06B33D76 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B33DAB

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: cc88841c187a880ddc143624b2378a4f89c0a562518fdd7528d957bf5e96ba15
Instruction ID: 2ef6b51bbb1766419cf423128dbf31f6b55cea59e01453019385f049ca564d06
Opcode Fuzzy Hash: cc88841c187a880ddc143624b2378a4f89c0a562518fdd7528d957bf5e96ba15
Instruction Fuzzy Hash: 8701D675700684CFDB608F16E985752FFE4EF04224F08C0AADD464B752C779E418CEA2

Function 011AAFD2 Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 011AB004

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1fbc09aa9a7c5d91e8ad00a2498acb6ce455f6008e1f0606e93cfdbd60b1785b
Instruction ID: db0d6d70710c47db224d584fe6a814ecbb8e3ec32ad829f8e67fe3965515ba97
Opcode Fuzzy Hash: 1fbc09aa9a7c5d91e8ad00a2498acb6ce455f6008e1f0606e93cfdbd60b1785b
Instruction Fuzzy Hash: 2D01AD75905284DFDB10CF19D989766FFE4EF04224F48C4AADD488F342D379A448CEA2

Function 06B31352 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 06B31384

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 737e1f68e8b5d64ea847fb91da49669e0e5a6ff17e7d25f09795423a6b7f0a4e
Instruction ID: 3a43cd28f062880e8ce0c75a49019fa1aec5d2182a2b05c684553dd23e451e67
Opcode Fuzzy Hash: 737e1f68e8b5d64ea847fb91da49669e0e5a6ff17e7d25f09795423a6b7f0a4e
Instruction Fuzzy Hash: E801D1B5700240DFDB608F19E885762FBE8EF04224F08C0AADD498BB52D674E458CEA2

Function 06B30C4A Relevance: 1.5, APIs: 1, Instructions: 38timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 06B30C85

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: ebde6e5c33f0cd44384ece046e6e85fbb7ba827d2792d0bd5953ad24f98eec70
Instruction ID: 8b4d2cdfaf17862b2863986931a37bcc64e0f720592b3dbeaade311ea253196b
Opcode Fuzzy Hash: ebde6e5c33f0cd44384ece046e6e85fbb7ba827d2792d0bd5953ad24f98eec70
Instruction Fuzzy Hash: 15018B76A00240DFEB609F55D885B61FBE0EF08324F08C49ADE490B762C376A458DFB2

Function 011AB136 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 011AB16E

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 770f70c173c3585fc5c84196e1bae8ae3a92cbf687dacff33070479dc7d74c17
Instruction ID: 305500dfa18da276529ece1d545a62d533ac80a979f838947f1270351f68e3e9
Opcode Fuzzy Hash: 770f70c173c3585fc5c84196e1bae8ae3a92cbf687dacff33070479dc7d74c17
Instruction Fuzzy Hash: 1E01AD36904684DFDB208F05E885B52FFE0EF04324F08C4AADD494B752C375A418CEA2

Function 011AA5A2 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 011AA5D4

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 01d3708d36c901e874671523edf2f94a2ca1860b146adb7d5f84ce94979c5e33
Instruction ID: b395d2d13a209e04e256a545dded3615c15f70578f469a55ddd7330bf84e1baa
Opcode Fuzzy Hash: 01d3708d36c901e874671523edf2f94a2ca1860b146adb7d5f84ce94979c5e33
Instruction Fuzzy Hash: 7AF0AF79500284DFDB208F1AE885765FFE4EF04224F48C0AADD494B752D379E548CEA6

Function 06B314A6 Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 06B314D8

Memory Dump Source

Source File: 00000010.00000002.1717682748.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6b30000_OmGui.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 54794be30f743c7addb531ae5d60a2aa421493e9db3993ad5bdfcca10dcf6c37
Instruction ID: da63d84a02298e7b9b1077949ecce4f05ac3aa3416aea58340e0efb1d4383490
Opcode Fuzzy Hash: 54794be30f743c7addb531ae5d60a2aa421493e9db3993ad5bdfcca10dcf6c37
Instruction Fuzzy Hash: 28F0C875A00244DFEB60CF49D885761FBE8EF05225F08C4DADD494B752D379E508CEA2

Function 08503760 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

Tqxk, xrefs: 08503838

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: Tqxk
API String ID: 0-228462240
Opcode ID: 129f15b46acbadbd921bd223fceba0d3488389c9847dfd175eaab9843fe0b91f
Instruction ID: 7a7bab34d9238eed0b701fc75b4dfd503fedfe646133a250820eb50fa7d75b7e
Opcode Fuzzy Hash: 129f15b46acbadbd921bd223fceba0d3488389c9847dfd175eaab9843fe0b91f
Instruction Fuzzy Hash: 0261E734A005049FDB44DF68C494AADB7F2BF89315F2584B9E80AEB792DB31AC46CF51

Function 08505310 Relevance: 1.3, Instructions: 1325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ad5bfb1285f63245962c9235b55953ffaf78dc79fc4b723a8e161bb9cbe16a
Instruction ID: 5b889ffadac3e429a4718d9c1af0269d5abe4f047e0c38e0b1ea165f8b0cb046
Opcode Fuzzy Hash: 70ad5bfb1285f63245962c9235b55953ffaf78dc79fc4b723a8e161bb9cbe16a
Instruction Fuzzy Hash: 95E22231A05228DFCB269F60C948ADCBBB6FF45304F4684E8D18967265DB319FA8DF41

Function 011AA70C Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 011AA780

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2d0540933d29fee589ac83ee027c3f02ec30a6be563ead07faa2a55423da544a
Instruction ID: f59f27911c93d63208a4b1387d5d695f710bef6acded3251e7f6b580d818617c
Opcode Fuzzy Hash: 2d0540933d29fee589ac83ee027c3f02ec30a6be563ead07faa2a55423da544a
Instruction Fuzzy Hash: 0421F2B55097C09FCB038B25DC95692BFB4EF07220F0984DBDD858F2A3D2755909CB62

Function 0182D48B Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

uAj^, xrefs: 0182D532, 0182D537

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID: uAj^
API String ID: 0-3033221290
Opcode ID: 144b16894a0d4bb486afe7a59209cb94c27aff043c23272b385dc60342249d33
Instruction ID: 54c1692d074f8e9a792d043bb2abade021c2970c4dabded4b3a3f702dc9bcdb0
Opcode Fuzzy Hash: 144b16894a0d4bb486afe7a59209cb94c27aff043c23272b385dc60342249d33
Instruction Fuzzy Hash: DB2127743043009FC325A768E45469ABFEBAFC5214310856DE04EC7B95CF74EC05C791

Function 08505300 Relevance: 1.3, Instructions: 1308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799de8e82c6f7a3fc44d5d6ce20c44d68c12516f6c3e8165817e65d661e58c34
Instruction ID: 137875a01d16086ffb6e1c1593de0365b6194ace2b5576276bcf1bb08d705beb
Opcode Fuzzy Hash: 799de8e82c6f7a3fc44d5d6ce20c44d68c12516f6c3e8165817e65d661e58c34
Instruction Fuzzy Hash: 6DD23331A05228DFCB269F60C948ADCBBB6FF45304F4684E8D18967265DB319FA8DF41

Function 011AA74E Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,50A98413,00000000,?,?,?,?,?,?,?,?,6C103C78), ref: 011AA780

Memory Dump Source

Source File: 00000010.00000002.1705551615.00000000011AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11aa000_OmGui.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1c3cc6161b704ea0f90a4d832e0e26e3f606a5b163c0b5591055d09e0cd1f39e
Instruction ID: 1509965888af2101e77e8c14d32847c5987b5403965477f88a88412ec93ce995
Opcode Fuzzy Hash: 1c3cc6161b704ea0f90a4d832e0e26e3f606a5b163c0b5591055d09e0cd1f39e
Instruction Fuzzy Hash: D501DF756006408FDB148F69E885766FFE4EF00224F08C4ABDD0A8B742D77AE408CEA2

Function 08506F10 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8586bd47e897e740771e863d3f652654004e7be79320c260a599e1dd5148fce7
Instruction ID: 66f86db9cb12e4d4913ccf1f3870556b5dbfd30b9b41714e2978277f0c070c08
Opcode Fuzzy Hash: 8586bd47e897e740771e863d3f652654004e7be79320c260a599e1dd5148fce7
Instruction Fuzzy Hash: 16226A35901608DFCF159FA4C948ADDBBB2FF49304F0584E9E209AB272DB32AA55DF40

Function 0182989E Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2deb0fee619b83ec8014b31ce634ed2b98784369abf81785442cec21ee1ec49e
Instruction ID: 959c0e2698883c26b9dfc86294b788ce01a997e5e6f633b9a9e2bac3e74cdbfb
Opcode Fuzzy Hash: 2deb0fee619b83ec8014b31ce634ed2b98784369abf81785442cec21ee1ec49e
Instruction Fuzzy Hash: 92D1BC347002119FDB48EB78C4647ADBAE3FFC9308F518628D11A9B795DF759C098B92

Function 018298A0 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6843dc647057132247938679185c3f05420f950de9704776e08eda2653c835
Instruction ID: 74fe74b4df287b895d18e61bd35dba6d784f482aa63825aaea4c4d916b5c120a
Opcode Fuzzy Hash: 4b6843dc647057132247938679185c3f05420f950de9704776e08eda2653c835
Instruction Fuzzy Hash: 91D1BC347002119FDB48EB78C4647ADB6E3FFC9308F518628D11A9B795DF759C098B92

Function 01820F10 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a302b234cfe6c7888ca9dd552908bee847d4379fe1d3c7e2e6c9752b8f5d155c
Instruction ID: 3e52c6df4a95a71f0d5cf18412cae190ad0fbd88de1bd70eb9d570c877e2dde8
Opcode Fuzzy Hash: a302b234cfe6c7888ca9dd552908bee847d4379fe1d3c7e2e6c9752b8f5d155c
Instruction Fuzzy Hash: 3AE1B0347002048FCB19EB74C4987EE77E2AF89308F2485B9D50A9B3A2DF75AC45CB91

Function 01820F01 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee412652d6a14e178679df34ff8a57b87d41a0a40250952d3d83af033370c42
Instruction ID: b3a902d78572cf3a258116a4893c197b201bc961adf0d52f1248e28e548bfd68
Opcode Fuzzy Hash: 5ee412652d6a14e178679df34ff8a57b87d41a0a40250952d3d83af033370c42
Instruction Fuzzy Hash: CDD180747002048FCB09EB74C598BED73E2AF89308F2485B8D50A9B7A5DF75AD45CB91

Function 085083B8 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e238a460c05b6d48bfefc1b2a90ca8f859e8dcc5ae1933819a560dbf198f8c7
Instruction ID: ed7ae3dfa526a49cdb8b23b3fbb21ca9e4c77c7d858d2fe616e619b25714c54f
Opcode Fuzzy Hash: 9e238a460c05b6d48bfefc1b2a90ca8f859e8dcc5ae1933819a560dbf198f8c7
Instruction Fuzzy Hash: 77B15F71A00219DFDF259F25C948B9EBBB2FF48300F5244E8DA896B295CB359E55CF80

Function 085007B1 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef3cf3492f40a096c6f871adb7a00e16661f90b32dff55fcb9c0eed49cde14b
Instruction ID: 5bf498c59899b6b2ef090dd598f47d7256a3a75b25274baedcd5e3ee7f739b14
Opcode Fuzzy Hash: 1ef3cf3492f40a096c6f871adb7a00e16661f90b32dff55fcb9c0eed49cde14b
Instruction Fuzzy Hash: EAB1FA74A00619CFDB64DF24C998BADB7B2BF88305F1480E9D409AB791DB359D81CF51

Function 0850A228 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b83a4b8af87be021e5d4f3161da9b6435cdaac2fcc1df1cb84ae31177f8507
Instruction ID: 536053bde247dd41c9ef4ceb87592203be7aee7818369a45b03d6489389d05cf
Opcode Fuzzy Hash: 33b83a4b8af87be021e5d4f3161da9b6435cdaac2fcc1df1cb84ae31177f8507
Instruction Fuzzy Hash: 3A411531B05361CFCB229A7C8014795BBD5BF46255F0A85FAE0088F392DB759C86CBD2

Function 01821249 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2ada6e9f20a5f3d992d39562d316ba4029835b7956650de92a7b7b93244805
Instruction ID: 4143d31f2745bafb88516062ba5b8805caa57389fbabfa6ef94661fc8347fa08
Opcode Fuzzy Hash: 2a2ada6e9f20a5f3d992d39562d316ba4029835b7956650de92a7b7b93244805
Instruction Fuzzy Hash: 3251F838B001048FDB49EB74C558AAD73E2AF89314F2541E8E906AB3A1CF76AD45CB91

Function 08507600 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224cfe7f4757cd8572e1b1b558bf367641bbfe901cdfbeafa0f40f10ee8f2026
Instruction ID: 71a158fdd8e4301fb958de8641518778b8d4af6bd1c8d0cdb1fd8dc76a9f8ff8
Opcode Fuzzy Hash: 224cfe7f4757cd8572e1b1b558bf367641bbfe901cdfbeafa0f40f10ee8f2026
Instruction Fuzzy Hash: E1516B747017008FD7299A38C45476AB3EABF8825AF25482DC46A87396DF76BC46CB50

Function 0182FB8D Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11d1e33b584e4a8fec9948cd24d1e7c662d2526e96cc57b05c328b76efb05c3
Instruction ID: 1ccd48a2a96aba886d8dba79568f2c6995a051a21ccba80a2ef12cde40fb706e
Opcode Fuzzy Hash: a11d1e33b584e4a8fec9948cd24d1e7c662d2526e96cc57b05c328b76efb05c3
Instruction Fuzzy Hash: C9510974E00229EFDB15CF98D584AADBBB6BF44304F548519E911E7351CB34AE82CF90

Function 01821700 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8dd6fa6ab9e91d43fd361e52206afc09ef99680ff7e33f34898006e598e992
Instruction ID: 0e07c44b0f67c97f690512bf615b55801ba0a07a3882a84e785f1f675c3e19bf
Opcode Fuzzy Hash: 2d8dd6fa6ab9e91d43fd361e52206afc09ef99680ff7e33f34898006e598e992
Instruction Fuzzy Hash: 2951F474A00715CFC724DF69C488AAAB7F2BF89304B2449BDD41ADBB61CB31AD45CB61

Function 085069E3 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24a681e4cf69ac9b329795e3afca5d2da5c203dc8448869a6713e489b72136e
Instruction ID: 0837da7177baa1ffa4e28f68effc9ce43e6cd986218f8a414bdbb0cb9bb56093
Opcode Fuzzy Hash: a24a681e4cf69ac9b329795e3afca5d2da5c203dc8448869a6713e489b72136e
Instruction Fuzzy Hash: 1341635540E7C29FD7038BB189A57803F309F47205F2E89EBC5C4CE9A3D629485AD763

Function 08503568 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d11444bbef449b19b16527ec43a7901d61eabb909ff66b6e5573353d2b7e8b0
Instruction ID: 71dbf62317ced7108646be4a8b8c0e18f6cf2616e749470d5871068afd2950d1
Opcode Fuzzy Hash: 9d11444bbef449b19b16527ec43a7901d61eabb909ff66b6e5573353d2b7e8b0
Instruction Fuzzy Hash: 5B413870E012188FCF05EFB8D5585AEBBF2EF89208B6144A9D005AB352DF399D15CB95

Function 0182D7A0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87fc9c4eb89219d7a69c5102728e6a1ffc98cce68c4740e546dc3b5fde7d7a4
Instruction ID: eee91316e07897c05e22731f080c7527cafb881dd1f418148fcc568331a0978d
Opcode Fuzzy Hash: f87fc9c4eb89219d7a69c5102728e6a1ffc98cce68c4740e546dc3b5fde7d7a4
Instruction Fuzzy Hash: 683149746093918FD313EB38E8446D8BFB1EF81314F4585AAD048CF267DB759849C752

Function 08503578 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714b4a04bd70f7e71416e06cd40ebe8b67e139ffd21a13eb1b8ab065f79ab5ba
Instruction ID: 70c559a5e7a274f9414e432ba55822605c142fe9de6dde77ed4d99bbbc7a158c
Opcode Fuzzy Hash: 714b4a04bd70f7e71416e06cd40ebe8b67e139ffd21a13eb1b8ab065f79ab5ba
Instruction Fuzzy Hash: 2C412470F012188FCB05EFB8D6985AEB7F2FF89208B614469D005AB351DF39AD16CB95

Function 08503440 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0865821c1a736ba0b656e24c397b75de2fd637eb46f656bd26020177fa0f7d6d
Instruction ID: 87ae6a3041ff8e31c59badcd063b12f9519b3ff25ce60914dc3391697dfb9d32
Opcode Fuzzy Hash: 0865821c1a736ba0b656e24c397b75de2fd637eb46f656bd26020177fa0f7d6d
Instruction Fuzzy Hash: 43319A30701201DFDB19DB34D4547AEB7B2BF8A30AF21456DD8059B396DB39AC42CB91

Function 08508D61 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952f60e71bf64ae1c1f3316353f54fc8824b7b8cd78fcd7133c4d4dad462f6a4
Instruction ID: bd879a408932ca174fc35205d0841a3626f02ae917462b509fafc9cef63d3a01
Opcode Fuzzy Hash: 952f60e71bf64ae1c1f3316353f54fc8824b7b8cd78fcd7133c4d4dad462f6a4
Instruction Fuzzy Hash: D3311E343007109FC745AB38C8585AF77E7AFCA255B1509B9E40ACB361EE36AC06CB92

Function 08503450 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35228414be49df31903d933fb6b6581ec81729ed4c1e94f90a523deb361853e7
Instruction ID: 4841193aacaf64ce0d860a1adef88fcf1918273b7de1c36d6d3c271d3b9bce3f
Opcode Fuzzy Hash: 35228414be49df31903d933fb6b6581ec81729ed4c1e94f90a523deb361853e7
Instruction Fuzzy Hash: 4C3158307002019BDB18DB34D455BAEB3A2BF8970AF20442CD9199B395DF75AC42CB94

Function 0182F0E8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254d91efd5eb7814d087988955e168b8c5761ca8fe7b841fa8ceab35adaebba2
Instruction ID: 91a1c1015701aa507b3fdbf9aded34fdf08f8442783df093e04f6fdac578b163
Opcode Fuzzy Hash: 254d91efd5eb7814d087988955e168b8c5761ca8fe7b841fa8ceab35adaebba2
Instruction Fuzzy Hash: 88312534304625CBE62B9A24D54453E73B7FBC5305B704619DD42CB785EB38EE86CB91

Function 08503260 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92888ce55a7c8ca108fa2fbbd822088896e85a5d6ffe8210d60c4e4201a57503
Instruction ID: 517a4105b0b6c8b8e0dae8980ce345336a51ec9eb1b713d491014d53eff853f8
Opcode Fuzzy Hash: 92888ce55a7c8ca108fa2fbbd822088896e85a5d6ffe8210d60c4e4201a57503
Instruction Fuzzy Hash: 9D2103303012609BE7168B38801035D73AAEF89218B2D80FEE940DB392DF7ADC0387D6

Function 0850374F Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0955ba2dd8876844568749711fbd20f9bb15422cc2d571178528a2eb59dc0b
Instruction ID: 15292121afc5b91603412e7a28d78c71bfad4c5d18c35eb1c79454fbb9ad9497
Opcode Fuzzy Hash: 6d0955ba2dd8876844568749711fbd20f9bb15422cc2d571178528a2eb59dc0b
Instruction Fuzzy Hash: E7312C31A01604DFDB05CFA8C584AE9BBB6FF49315F148869E805EB392D771A946CF50

Function 08508D70 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384136259131f375f3ea9389e16cd5395db7b63f8e9a0510db9e5ba3e7f57f69
Instruction ID: 1245b9302f7bab596bdd17c32966aafb3b74eb49a092fe68bee53790fb003dc2
Opcode Fuzzy Hash: 384136259131f375f3ea9389e16cd5395db7b63f8e9a0510db9e5ba3e7f57f69
Instruction Fuzzy Hash: E6210C343006109FC745EB38D858AAF73E7AFC9355B150979E40ACB360EE36AC06CB86

Function 0182F878 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90cc884daf4d8dbc9ad003b537f10943ae2a3c8f7f198668b0f2be4409eb29e2
Instruction ID: 7c74b08f912c49da2933568bac644cdae8bc461b436d189d20c9303b3a940c4f
Opcode Fuzzy Hash: 90cc884daf4d8dbc9ad003b537f10943ae2a3c8f7f198668b0f2be4409eb29e2
Instruction Fuzzy Hash: D2311E34A00219CFDB15DFA8E499A9DBBB1FF48314F10C05AE912AB3A5CB34D984CF50

Function 0182F1F8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2308d2ee44d30d8901007d6bde665cba2e9970b943bb41ae7d06e00df55fbf
Instruction ID: db4fe2b6b1aab2aa4ea568c758186d60387be4d9822b12349b14e319f0e49ecb
Opcode Fuzzy Hash: da2308d2ee44d30d8901007d6bde665cba2e9970b943bb41ae7d06e00df55fbf
Instruction Fuzzy Hash: 7C2168763042628FFB27962CE8057753BBADB83325F14402AD688C7682DF3CAD86C751

Function 08503344 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc313eea3767d00e8208c5127bfd2554e984fd9470892bbe67c11b1f2cba6bf
Instruction ID: 6f10ae7a1cb8e3e0667266ba326cb5d5b293774dab2855ccab6aca00d3e3abb7
Opcode Fuzzy Hash: 5bc313eea3767d00e8208c5127bfd2554e984fd9470892bbe67c11b1f2cba6bf
Instruction Fuzzy Hash: 3E212634A002059FCB15EF78D6499EEB7F2BF89205F2544B8D809AB361DB369D42CB90

Function 0182A087 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab771b1cea40da6f64cb172574e67279a2e2f3a23bb0fc11f41c521c38d040dd
Instruction ID: 9f90c6808b7ae6199b4be014f6348c47f97a890bd8b07c57e171fc4e7b9493e1
Opcode Fuzzy Hash: ab771b1cea40da6f64cb172574e67279a2e2f3a23bb0fc11f41c521c38d040dd
Instruction Fuzzy Hash: 7E21C2303012558FDB09DF74C8906D93762AFC6314F1980BDD80A9F396CE7A6C46CBA0

Function 085075F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1065fcdcfcf3311c437f19826f37c8f28f27ce314acde9f946cd0c3d608188f8
Instruction ID: 46bf3e857aebdfd053e314d4eff28eeae2e5da2c562f7f79cd7ff25afad62b8d
Opcode Fuzzy Hash: 1065fcdcfcf3311c437f19826f37c8f28f27ce314acde9f946cd0c3d608188f8
Instruction Fuzzy Hash: 7A21DE30B003409FE325CB38C445B6B77EABB89305F15846DE42A9B282CF36BC05CBA4

Function 08503350 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c937e3d3fd674a2212f4cea9f4a93b00b7e8bc3e085b09786b93ed89691e59e
Instruction ID: f4c90626c4698ec4b0192639dda59923a6b1dd994c797378c287359cb94fc112
Opcode Fuzzy Hash: 0c937e3d3fd674a2212f4cea9f4a93b00b7e8bc3e085b09786b93ed89691e59e
Instruction Fuzzy Hash: CF211934A002059FCB15EB78D5499EEB7F6BF89205F2504B8D809AB361DB369D02CB90

Function 08503270 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2ef67bfd29879f8bd3c266e23f6df5cfc91078604c648eca0fe375df1e25dc
Instruction ID: cfadba30615950b376ba9d14b7fea865a8a9cec43e2d9f8902119f09b6717bb2
Opcode Fuzzy Hash: 8e2ef67bfd29879f8bd3c266e23f6df5cfc91078604c648eca0fe375df1e25dc
Instruction Fuzzy Hash: 4E1191357001209BE7249A38951175EB2DAEBC821CF2980BDEA05E7391EF7DEC0287D5

Function 08506CFF Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d225d7a994a7a745e97f02513d39ed194b6d0eec7063eb7c703ec6a591f96cc
Instruction ID: 14d4a6059db40bf1ea78e6af3b4e0fd1ed52be97c9cc2c41ccb47b7d2e27ee3e
Opcode Fuzzy Hash: 2d225d7a994a7a745e97f02513d39ed194b6d0eec7063eb7c703ec6a591f96cc
Instruction Fuzzy Hash: 57216D3290064EAFCB029FA4CC45EEE7FB4FF89304F0540A9E558A7262D7319529CBA1

Function 0182A098 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d953594603f60305ca0a38d099f37d9db644abc5d1fbb373a20497bb6ae115
Instruction ID: f199376bd6270251fdf920708b5da040b507b547a8dfcf4ae1b0f23c2ca8e94d
Opcode Fuzzy Hash: b1d953594603f60305ca0a38d099f37d9db644abc5d1fbb373a20497bb6ae115
Instruction Fuzzy Hash: 7311AF343012548BDB18EF7588906A97352AFC6318F5980BCD80A9F386CF76A806CBA0

Function 0182F7A8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f898025f51fa81650f3f46fced3fb914982be6d9f2af092745ee63c1ae849e4
Instruction ID: f1d65be5316e8f03790ea1d6fe58e10b9590929a0895afceba2f5a084004fb67
Opcode Fuzzy Hash: 9f898025f51fa81650f3f46fced3fb914982be6d9f2af092745ee63c1ae849e4
Instruction Fuzzy Hash: 9111F030D042A8AFDB228B6AD8047DEFFF59F49714F00441ED142E6A92DBB05989CBD1

Function 0182FEF4 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3640e9bea16ae1ea25393d9e86cb2ab11b3fcf8e9e56d7182f62d6134d5964c5
Instruction ID: bbab9784554c9adfa4a950ec5fba03c9313d896a89219e337efc4d08281c4467
Opcode Fuzzy Hash: 3640e9bea16ae1ea25393d9e86cb2ab11b3fcf8e9e56d7182f62d6134d5964c5
Instruction Fuzzy Hash: 0B11E4302042519BD712CF3DC480959BBF6FF8632431085AAE594CBB66DB31EC86CB91

Function 018304CB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1708069871.0000000001830000.00000040.00000020.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1830000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0388db0803a4b79b64e766ce978f2097a4db4708171632afc5ee5802f6bf7a1f
Instruction ID: 1d0d73fc2a71fad92d8a2d39fd230705c038d7d19daf9be0c5043edb155bacb1
Opcode Fuzzy Hash: 0388db0803a4b79b64e766ce978f2097a4db4708171632afc5ee5802f6bf7a1f
Instruction Fuzzy Hash: 3C11B6715097C09FD7128F25DC84B62BFB4EF47714F08849AEC458B693C339A904CBA2

Function 01830C5B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1708069871.0000000001830000.00000040.00000020.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1830000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d0dc4a0c87e35d76e5c8456b49ab05fe438d904e7f9f977a5bde121f50591d
Instruction ID: fed14e2d8e02bbf6fbc81691682e8d90b9b24989e11f269fc4c1f2d0e0ff9a98
Opcode Fuzzy Hash: 95d0dc4a0c87e35d76e5c8456b49ab05fe438d904e7f9f977a5bde121f50591d
Instruction Fuzzy Hash: CA217C3510D3C18FC7078B64C950B55BFB1AB87308F2985DED4888B6A3C73A9916DB52

Function 0182D300 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b23520e87a0d797081ff4b3918a0bf84c8a0da16b63e0ff3133065ba8103a5f
Instruction ID: abf9b26950621f13c7aa78ea31a6da2c7772a4d55c53995d187402db93efbb07
Opcode Fuzzy Hash: 3b23520e87a0d797081ff4b3918a0bf84c8a0da16b63e0ff3133065ba8103a5f
Instruction Fuzzy Hash: 77110670505244CFEB11DF78D99E3AA3FF5EB56308F50019AC045DB6A2CB382D8ACB92

Function 0182FAC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18af38e49ec5632b9a64a3cad7d99063e7f128ceeb8bc956b15c62d39a75aa1
Instruction ID: a0319942c651eaa48306b031687f27c19c1e1cb75c821827a7931d037eeceb4d
Opcode Fuzzy Hash: a18af38e49ec5632b9a64a3cad7d99063e7f128ceeb8bc956b15c62d39a75aa1
Instruction Fuzzy Hash: 4D216A74A01108AFDB15CFA8D195AEEBFB9AF48310F244028E505E7391DB34AE80CB90

Function 01830C94 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1708069871.0000000001830000.00000040.00000020.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1830000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e5098997bf8733efab7f831685562879cbdf658f6f136182acd9d2c2ded802
Instruction ID: fe0c8f754793a85da4b8733b4c469d599c2debe7974616f80d4e2b9a1caed222
Opcode Fuzzy Hash: 85e5098997bf8733efab7f831685562879cbdf658f6f136182acd9d2c2ded802
Instruction Fuzzy Hash: D611A2312082849FD715CB54C584B19BBD5ABC8708F28CA9CE9499B753CB7BE913CA81

Function 08506D10 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c425e31edef19a7d6ed39b14ade5ca4f208ad0680270a01a98d2728f1469bc0
Instruction ID: 2b328dcf8944ad3b764fcbd65922b90a57cfa726e83a17d895a51a0fe0817e12
Opcode Fuzzy Hash: 7c425e31edef19a7d6ed39b14ade5ca4f208ad0680270a01a98d2728f1469bc0
Instruction Fuzzy Hash: F9116D3290060EAFCF01EF94DC44EFE7BB9FF88304F054069E558A2260D731A625CBA1

Function 08501F80 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306618edef0dc86f9398ba429f6867ac0d0cd5c3dc086638f9950b13d0eb01c9
Instruction ID: a388df30bb3eef03a252d191756583a6a84647fc3bdf8293be23586a7c8dc6da
Opcode Fuzzy Hash: 306618edef0dc86f9398ba429f6867ac0d0cd5c3dc086638f9950b13d0eb01c9
Instruction Fuzzy Hash: 7801D6303052009FD7119738D858A697BEAFFC6211F2941BAE805CF7A2CB71DC45CB61

Function 018216F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7988c441a0d7a779795d2cbf977446ff5d84916aff5075621351f786a710a7c3
Instruction ID: 4f48a39e7e0c0ca5272b768cc242eec8858f7b3fb11a4b55743b56d57df575d9
Opcode Fuzzy Hash: 7988c441a0d7a779795d2cbf977446ff5d84916aff5075621351f786a710a7c3
Instruction Fuzzy Hash: 8101D4B5B00214AFD718AA79D8549EB77FAEFC9314B1400BEE809DBB51CE30AC0587B1

Function 085036C3 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad04a3b98b30aaa5cc9e0426441520702f25fabef9f256d47dec4078a726c1b7
Instruction ID: dee5cbac0800be287cc05a254f4e7d0d237c41abab52f151202a46511114cf0c
Opcode Fuzzy Hash: ad04a3b98b30aaa5cc9e0426441520702f25fabef9f256d47dec4078a726c1b7
Instruction Fuzzy Hash: 9611523120A3808FD7169B34D9986567BB1AF83219F1A44FED889CF293CA759C46C751

Function 0850A4D9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f5c7e617ff6b4e738f1010a3957ccae283eeb2c02fb5c265e2539be97963bb
Instruction ID: 9b52c52c876b112b70a46cc3d6f8c451dc2b0ecadba3561bddd82e8f98b10322
Opcode Fuzzy Hash: 37f5c7e617ff6b4e738f1010a3957ccae283eeb2c02fb5c265e2539be97963bb
Instruction Fuzzy Hash: 55113975200700CFC315AB34E458A9A77E6EFCA316F1905BDE44A8B761CF7AAC46CB81

Function 01835421 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1708069871.0000000001834000.00000040.00000020.00020000.00000000.sdmp, Offset: 01834000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1834000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074f310b963af2c0b37ed4e5db9a1028c30e701e820b1af9787ec11e25a00fb7
Instruction ID: 276ce269ed119d75600ce48f64f8de1bbd1fa6953e17e6db92a908b8a24d0262
Opcode Fuzzy Hash: 074f310b963af2c0b37ed4e5db9a1028c30e701e820b1af9787ec11e25a00fb7
Instruction Fuzzy Hash: F501D4B24093846FC301CB15AC44C53FFF8DF86520B08C5AFEC888B642D265A918CBA2

Function 018304FE Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1708069871.0000000001830000.00000040.00000020.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1830000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b817e708c022c8da7f10d7518a42a83e8e4031e7bbe91d5a88654ed12a6f5aab
Instruction ID: e85b7a95dda8704941c67ecc91881cd4de2f0e3532ff75ea4313909b20c04fb4
Opcode Fuzzy Hash: b817e708c022c8da7f10d7518a42a83e8e4031e7bbe91d5a88654ed12a6f5aab
Instruction Fuzzy Hash: 1101B172A08684DFD711DB19D980762FBD4EB44728F0C846AFD098BB82C37D9544CAE2

Function 0182D710 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f04388d795b6eeec27305eb892aa47205bc32382844dbb5b1bfbf81476d380
Instruction ID: 09567b19095e2ae15a24f13b2281f2b5946db4f8fd82c617aac8e5a5a7f6ebb7
Opcode Fuzzy Hash: b6f04388d795b6eeec27305eb892aa47205bc32382844dbb5b1bfbf81476d380
Instruction Fuzzy Hash: E2014C353003949FD3219B78D444BDA7B979BC4314B04CA29D106C7B54DF78EE4687D1

Function 0182F240 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4693f2665d2e1600bc4991c561c5b470cb74d1d788b515e2d8f6dde2d351bb
Instruction ID: d0014251146aea858668b6efd76d40d1db8fd97fbc51bf9f36c0aca7d3c30a31
Opcode Fuzzy Hash: ee4693f2665d2e1600bc4991c561c5b470cb74d1d788b515e2d8f6dde2d351bb
Instruction Fuzzy Hash: E601F9B63001124BF726956DDC45B61BB6EDBD6364F080035E248C7783DE2CDD41C361

Function 0182D7D0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c892ec2fa83ebd0b98ee2751787bc445f565b9105e1efaae581921d2b8e1573a
Instruction ID: f8c8388b54a1ad2d8614c2ce1c6ff4c653544547139c21bcc1ba68a5fa6d380c
Opcode Fuzzy Hash: c892ec2fa83ebd0b98ee2751787bc445f565b9105e1efaae581921d2b8e1573a
Instruction Fuzzy Hash: ED01F2706043808FD702AB70E8486987FB1EF82358F8489EDC048CF266EBB99D49C712

Function 0850A441 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4bd30a8e837c085b00abba001011f58f924dd4db11e8370d90dc63a599c59b
Instruction ID: 38bdb3c5b67ca29c159f276408b2225ba72a608779f48a2041e0a8888ee92aa4
Opcode Fuzzy Hash: 2b4bd30a8e837c085b00abba001011f58f924dd4db11e8370d90dc63a599c59b
Instruction Fuzzy Hash: 1101D675700210DFD645EB38E05882D77A6EFD922932940BEE409CB3A1DE79DC02CB92

Function 018305E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1708069871.0000000001830000.00000040.00000020.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1830000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd34ba0cb828e89b4e90779b0ceb32a68c3fe73674144a4944c8573c8c1cedc2
Instruction ID: c7b61d51d5fc4fe11333c14f36bf54a7575fc4fb2e82f4eddc1fe108f4fa96b8
Opcode Fuzzy Hash: bd34ba0cb828e89b4e90779b0ceb32a68c3fe73674144a4944c8573c8c1cedc2
Instruction Fuzzy Hash: 7201DBB65093805FD711CF15EC40862FFF8EF86620709C49FE84987652D635A908CB71

Function 0182FAEE Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0b6c3e9189effc407a45dc8cb7ebcc4d91e53961757660b2f380dddb561386
Instruction ID: 35e510d92cfde3aa694825da17da21bbe7ff7c0b3554f9de82c6911014e1d98d
Opcode Fuzzy Hash: 4d0b6c3e9189effc407a45dc8cb7ebcc4d91e53961757660b2f380dddb561386
Instruction Fuzzy Hash: D1111874A00119EFEB11CF94D695AEDBBB5BF48304F244018E501E7791CB35AE85CF90

Function 085024F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc7f0d82cc41d19d421e8fde4a3ecd093809cd17f08e55ef4c5551748525398
Instruction ID: 0444d9e679e44fd3df0bba3004597b1293607cdcb9643952dba3234669698e4a
Opcode Fuzzy Hash: 0cc7f0d82cc41d19d421e8fde4a3ecd093809cd17f08e55ef4c5551748525398
Instruction Fuzzy Hash: AC014875E006088FCB55DF79D4405EEBFF4AB8D220B10807AD508E7710E6308984CBA1

Function 085050FF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5475d2121675245ed6ee3641ab918c5a1af0cda1f5a043fb9ecd6653d28edfd7
Instruction ID: 25fe98b7130bb066d85bbf5df402f07e575b9feb6123bc3d8ef8b7dd419df36a
Opcode Fuzzy Hash: 5475d2121675245ed6ee3641ab918c5a1af0cda1f5a043fb9ecd6653d28edfd7
Instruction Fuzzy Hash: 2EF028316093809FD312DE38E4008AA7BE4EF5266130045BED585CB692DB75FC47CB95

Function 0850A450 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2666daae8b44f9f5833579fab676cef7c0403134871918123103ad3dbc10130f
Instruction ID: 60dbc85f3a8bda33114513baf8ea0d1297159ac16f5a9b05f8599ef85185b301
Opcode Fuzzy Hash: 2666daae8b44f9f5833579fab676cef7c0403134871918123103ad3dbc10130f
Instruction Fuzzy Hash: 7E018635300210DFD658EB78E05881D73E6EFC5259315057DD50ADB7A0DF399C42CB91

Function 0850A4E8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe64f089f72bd88fcff0be7c79b702f5e62059026eadd2276357c027f5fdd50d
Instruction ID: c06b98cc4fbd883a7a3c8b8a1d37311ef94fc93cd0b62a814f99291ca8e4a965
Opcode Fuzzy Hash: fe64f089f72bd88fcff0be7c79b702f5e62059026eadd2276357c027f5fdd50d
Instruction Fuzzy Hash: 7401E935300600CFC314AB34E458A9A73E6EFC931AF1505BCD84A9B761CF76AC46CB81

Function 08506C87 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6612bfb9be82ee0d67f6858b6fe41fbb706456a84e01a1a8ab5fc5c8b41b7cfc
Instruction ID: c111f2255bc8975aef03bbe1f453180ca398d4063b93fdf132372c2ce5b9f209
Opcode Fuzzy Hash: 6612bfb9be82ee0d67f6858b6fe41fbb706456a84e01a1a8ab5fc5c8b41b7cfc
Instruction Fuzzy Hash: 5E014735200605AFCB224F50E950C69BFF3FFC621530844A9E15A87AB2DB319868DF51

Function 0182F230 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737bb298f3d7fa5904619fc4afcbcedd836b9f5a2bf1b6e4d5d75cf0ab11b453
Instruction ID: 0122708abddb605b40d79d74ff9604c6d1f4b3868493e98bc3e91e48b5042c64
Opcode Fuzzy Hash: 737bb298f3d7fa5904619fc4afcbcedd836b9f5a2bf1b6e4d5d75cf0ab11b453
Instruction Fuzzy Hash: 07F028B62082914FF727D56CD819B603F35CB93370F0900BAD188CB293DE289D86C362

Function 085036E0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c15fa21d25e8cee28d56bbc6206cea5194e32915a406bdfd1872a3d41610888
Instruction ID: 1dcc4cb28472ce50c8c1d360cb2e23e43e7053f964e41d9c2d6b9417acf878a8
Opcode Fuzzy Hash: 0c15fa21d25e8cee28d56bbc6206cea5194e32915a406bdfd1872a3d41610888
Instruction Fuzzy Hash: A7016D313022008BC724DF34D59866673A6EFC521AF15447DD84A8F386CF71AC42CB50

Function 0182F750 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef3526e4ed22ff6bcffebfd31ab5048afeca44e6cf5fe4ff5a6f4b8ee4af910
Instruction ID: fed46a7c7f0fc0585cfe52a7dca155c6044d6906b538c9f6a19770c218847c2b
Opcode Fuzzy Hash: aef3526e4ed22ff6bcffebfd31ab5048afeca44e6cf5fe4ff5a6f4b8ee4af910
Instruction Fuzzy Hash: 53F0B4323047A05FE7354A6EA488A5BFBFDDBD9324F08053AE30AC2191CE649A85C390

Function 08507801 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67e5a908e3a0c6f92b39ded0e0a416f2c70e9dbe9100258aa7a65fd108f13e4
Instruction ID: 9c83ca887aeb2ae1a068f65beae246a45acce08f36f0c5d256785305c81e8a71
Opcode Fuzzy Hash: f67e5a908e3a0c6f92b39ded0e0a416f2c70e9dbe9100258aa7a65fd108f13e4
Instruction Fuzzy Hash: 83F0CD307002008F93249A3AD894A6BA7E7BBC9214764853EE40ACB794CE32DC0AC7A1

Function 08505128 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56c6ba912a20488bb3e020ee5294c327a338ba8fb86acd220758f47f1cf5a3e
Instruction ID: 448ad6cb63a2e539c5d25fe808f5484e5c3e7c823db529f9970d3b03616aa505
Opcode Fuzzy Hash: c56c6ba912a20488bb3e020ee5294c327a338ba8fb86acd220758f47f1cf5a3e
Instruction Fuzzy Hash: EAF0283120B340AFC3119734D80166D7B66AF9631571040BDD944CB2D2DB79BC43CBA9

Function 0182D350 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ed606333aaced90488cecb2e9ab0750cd6e3547f8f6978a815968ecd0ca46e
Instruction ID: b67ee0ce1a3c72ca77edc996a2cf0f3010f37c1d770e5ab6686f978de3718fc4
Opcode Fuzzy Hash: 82ed606333aaced90488cecb2e9ab0750cd6e3547f8f6978a815968ecd0ca46e
Instruction Fuzzy Hash: E1016DB0600219DBEB10EFA8D99A79A3AF5E758348F500128C406EB295DB792A49CB91

Function 08507810 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c91608609710a82ecd136ac0e3652ea90c79f62392a8bffeb6182737731e78a
Instruction ID: 8db245055808cef4d355deffaa6fada65655e7e95dd04686ac37ddc83741594d
Opcode Fuzzy Hash: 5c91608609710a82ecd136ac0e3652ea90c79f62392a8bffeb6182737731e78a
Instruction Fuzzy Hash: A0F0E2717002008B8324AA3ED894A5BB3EBFFC9124364853DE40ACB744CF32EC0987B1

Function 08506C98 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac146f636b823f62d3cef213f1fa7598a2ab27ebfb871f8bb06ab3c70c9a020
Instruction ID: 1cab28b6ee75643d5ebfb3d0e2a79082b7dcbe064024e2687fe5818469aea6bf
Opcode Fuzzy Hash: dac146f636b823f62d3cef213f1fa7598a2ab27ebfb871f8bb06ab3c70c9a020
Instruction Fuzzy Hash: 94F02236200205EF8B254B85D904C6ABFE7FFC532530488A9E10A87AB0DB31E868EF11

Function 0182D55F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5523381951d453852f39ca9a4bcc9e21c9cdb597c4df60bb5c70455fd51f0f3d
Instruction ID: 1c1a4d7466683e19644cf160ba4f9eca45777ad62a2b0776d7fb728d2cb0c3ac
Opcode Fuzzy Hash: 5523381951d453852f39ca9a4bcc9e21c9cdb597c4df60bb5c70455fd51f0f3d
Instruction Fuzzy Hash: FFF0C8B62003109FC324DB55E5449D6BBEEEFC9311711845EE58A47BA4DF30AC8ACBA1

Function 0182F748 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750d1df738350599e81964d8657dddf161ec9b667d8f6ac25663aec24525d618
Instruction ID: 765a8ffe1e67c27bffe55bf5db65c39fb9deb5306381a38f75b4ad5435cb2b38
Opcode Fuzzy Hash: 750d1df738350599e81964d8657dddf161ec9b667d8f6ac25663aec24525d618
Instruction Fuzzy Hash: 16F027263007905BD7310A1E6488557FFFEAFD9320B08042EE606C3251CE608E85C2A1

Function 01835446 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1708069871.0000000001834000.00000040.00000020.00020000.00000000.sdmp, Offset: 01834000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1834000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44801783da8722ba901f7b27b4f7818e776660077147e9bbbef5750f24a1e9c5
Instruction ID: 4895b69da3758aac7cb3f61cc902d34b2d376f8bd63e781df70b420c90b99367
Opcode Fuzzy Hash: 44801783da8722ba901f7b27b4f7818e776660077147e9bbbef5750f24a1e9c5
Instruction Fuzzy Hash: B0F082B29452046B9200DF05ED41867F7ECDF84521B04C52EEC088B701E275A9188EE2

Function 08505190 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b115c5f36c86af77a8386ca1bfc37321c5eac76c35a00818a0f2f89df8db78
Instruction ID: b8524ba1603e330e37038315761afe19c2fe346e5328514020c9c5d1c16b1905
Opcode Fuzzy Hash: 02b115c5f36c86af77a8386ca1bfc37321c5eac76c35a00818a0f2f89df8db78
Instruction Fuzzy Hash: 33F082327093845FC3169B7A949445ABBEAEFCB21076600BEE44DCB662CE315C06C755

Function 0182E740 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde747835a9b23514017e5338254f289e82522293b458f0a57461118daec58a3
Instruction ID: 71a78554df18c908d21c71a85e76620a1c90d65a5dc3c786bd9edaff12a31900
Opcode Fuzzy Hash: bde747835a9b23514017e5338254f289e82522293b458f0a57461118daec58a3
Instruction Fuzzy Hash: F1018035A01128DFDB21CF58E888B98B7B1AB48315F518096E919AB251C734AEC4CF44

Function 08505138 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad64b56ef0c6a22e91f36a05a343200ed22f5deadafee584d1451888d9ef85cc
Instruction ID: 3693fe2b65386c5699c3d78db3daefa817d738eb59fd08802e33c6973f7edcbb
Opcode Fuzzy Hash: ad64b56ef0c6a22e91f36a05a343200ed22f5deadafee584d1451888d9ef85cc
Instruction Fuzzy Hash: 1CF01231306201ABD7249635E901A6E7366EF98755B10413DDA05972C1EFB9FC43CBD8

Function 01830D50 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1708069871.0000000001830000.00000040.00000020.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1830000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd296bf4a53f314982fcb7c58504bd35a227a34d9467cdfb69861c0bc7e5325
Instruction ID: e67dc357d589569879c326364dfa733c89176aed73b8fe9c921364ec1e299501
Opcode Fuzzy Hash: 1cd296bf4a53f314982fcb7c58504bd35a227a34d9467cdfb69861c0bc7e5325
Instruction Fuzzy Hash: 84F01D35108644DFC316CF44D540B15FBE2EB89718F28C6ADE9490BB56C737E913DA81

Function 0850B444 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d17583d32fce7d6e2a769fff2c64d72cf2cf91014021a6fbce8bd558cef1491
Instruction ID: 521bbd028cca3c03b718d7e373b72d4e28b4303291f132aa12389ccab8cb4e68
Opcode Fuzzy Hash: 2d17583d32fce7d6e2a769fff2c64d72cf2cf91014021a6fbce8bd558cef1491
Instruction Fuzzy Hash: 95F0A7314097809FE3229779D5463E27FE16F43264F0945DED0C94F8A2CA796889CB53

Function 018216B2 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a53cfb62e292d31a31efb2e8909420f7529d0a1835ea969a632ea22b283bfb6
Instruction ID: 1a03f158a52490e0c1dd4c771ccc6aea1dbe9a5559c3daac5fd46f25670e6cdb
Opcode Fuzzy Hash: 4a53cfb62e292d31a31efb2e8909420f7529d0a1835ea969a632ea22b283bfb6
Instruction Fuzzy Hash: 68E086353142109FC7455B7DE0149EA77E9EFCA23172600FBE409CB721DEB84C4687A1

Function 0182D570 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd5ac4994edd2af4b97627a7886b5d35bf295e4f3e0819ac31be608568bb353
Instruction ID: a598c1c63a36f5ceccea11cba1d954897debef918a6de754e0fb2566035e2b6a
Opcode Fuzzy Hash: 8cd5ac4994edd2af4b97627a7886b5d35bf295e4f3e0819ac31be608568bb353
Instruction Fuzzy Hash: 9CF0A7793006109BC324DB55E548ADBB7EADFCC315740842CE55E47B94CF70AC46CB91

Function 0850B2A8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb3d7ada11c84ebef6c9d34cf1f2201b0d7577996880fddb43d5c8c7c24fa1d
Instruction ID: be6cf9795d3d9a3e3e1053302091b412ae304eaebe365f9495996a04004c4556
Opcode Fuzzy Hash: bcb3d7ada11c84ebef6c9d34cf1f2201b0d7577996880fddb43d5c8c7c24fa1d
Instruction Fuzzy Hash: F5E0E532759BC01FE726562DA4142A93F668BC3222F0900BAD089875E3C8144C8ACB66

Function 0850A3A1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd67237c22ac71d2609734f8c3751d93c0449cd25e9d30561ec9f0bdfc2049eb
Instruction ID: 71aed2aea67a7779cf7a381c98a803afa89de5f2d28887843abc8b4939ae3cd8
Opcode Fuzzy Hash: dd67237c22ac71d2609734f8c3751d93c0449cd25e9d30561ec9f0bdfc2049eb
Instruction Fuzzy Hash: 5EE0DFB210D3D0AFE7030224A8A40803FA4CF93128B4B00EFE0818B1A3DD950D85C3E6

Function 0850A3EF Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83cbf77134faffcaa3762d7ba8996f94f7c1c0627e8acdc5bcfda239a2a0f8c
Instruction ID: b9fae3fd417efff86bfa2afdd4fa95d2a25613bc5ee64756af2b2c449859ed3e
Opcode Fuzzy Hash: e83cbf77134faffcaa3762d7ba8996f94f7c1c0627e8acdc5bcfda239a2a0f8c
Instruction Fuzzy Hash: A4E022366042805BD737862CE8187E93FD28FC6311F0D80BEE0898B2A2C9640C46CB50

Function 085051A0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3921fe54238bd5927339741e1b21d077baf762dc45aee3ad40da09866cdcf9b8
Instruction ID: ea6fcd5d154931534a0ca8ce4cd818061d522177178c3a2b97cdcfc142cc8093
Opcode Fuzzy Hash: 3921fe54238bd5927339741e1b21d077baf762dc45aee3ad40da09866cdcf9b8
Instruction Fuzzy Hash: EEE09A323002009B8324AA2EA48886BF7EAEBCA2207A4403DE40EC3351CE319C028790

Function 01830606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1708069871.0000000001830000.00000040.00000020.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1830000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa85209abaf8d76af80e0dd9dc12382caeec31e114e7bb5a3f55621fd334914
Instruction ID: 132191c1776b5647e37c881d5cb409261c5ac6b00fe14f3ecc3e07cd36a4084b
Opcode Fuzzy Hash: 2aa85209abaf8d76af80e0dd9dc12382caeec31e114e7bb5a3f55621fd334914
Instruction Fuzzy Hash: 92E092B6A046004B9650CF0AFC81452F7D8EF84630708C47FDC0D8BB01D639B518CEA5

Function 01821670 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57bdf6a28fcb2182729b8cbc3d4bba365fb8c15bcf2446a4ffa340617650e4af
Instruction ID: af8a6c5473c8a7b81dd6ac67750eece94fcef2037d008e1a280e1e5ec90b3467
Opcode Fuzzy Hash: 57bdf6a28fcb2182729b8cbc3d4bba365fb8c15bcf2446a4ffa340617650e4af
Instruction Fuzzy Hash: FBE08C362403449FC301ABB4E4158D67BE9FB86271B2280F3E104CB221DABC9C86C7F1

Function 08508D20 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3c474214a1b3cdbb746ee6959061b1f0f3dc7dfcf94c2396fefbf1a0122950
Instruction ID: 78b4f7413387a56d7647c9781a4dbcab13fd3c0ae8e682e2198900ceae21fd2a
Opcode Fuzzy Hash: ff3c474214a1b3cdbb746ee6959061b1f0f3dc7dfcf94c2396fefbf1a0122950
Instruction Fuzzy Hash: BAE08CA231D2D42BCB171229582469E7F9A4BD7260B0A00EBE184CB292CD990C0AC3B7

Function 0850B3E8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a264b9f27f6c67e117575a77dfb48d42efac242cfc9ac8828406bf01d07dd6df
Instruction ID: 95a1e1ba70332d83bdc5ef75dc881441fd1218744fc208c4308bf0dbeb5b437d
Opcode Fuzzy Hash: a264b9f27f6c67e117575a77dfb48d42efac242cfc9ac8828406bf01d07dd6df
Instruction Fuzzy Hash: EBF0F8B1C0420A8FEB50DFA884856EFBFF6AB45300F25492AC004F7541D67402468F91

Function 0182D2C0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c5469f5a5222ae99f0a9893f22771fc4024133d9a49453c2d4cb2795861459
Instruction ID: 6fd3bd2d57dbbfe3967b20a28ce659a13ede1199d4b6c9cf2d26f327ef9b543b
Opcode Fuzzy Hash: 82c5469f5a5222ae99f0a9893f22771fc4024133d9a49453c2d4cb2795861459
Instruction Fuzzy Hash: 09E0C2366006398BF72156E9F4043F67FDCEB0A376F044127E90AC3680DAADEA81C794

Function 0850B263 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865397e04145a6cd2f4fa03e33396b029acbae95d820c64bfbfeb41e9876f42c
Instruction ID: c8a1f86f20400834434a55a2df8fd551540a5cdbf2e34b5582933bb1f4062de7
Opcode Fuzzy Hash: 865397e04145a6cd2f4fa03e33396b029acbae95d820c64bfbfeb41e9876f42c
Instruction Fuzzy Hash: 18E07D3234150103C735955EE4083FD379ADBC9332F08003DE00C832A3CE74580AC341

Function 01820C98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd14da50f96991fdea0b59de0f6e3e06764260600c4db71d6a4e42ea27bf81d
Instruction ID: 93db9486b26fb206f791e6ede259d4076c8b5f413459da2ec5d536c50c39a862
Opcode Fuzzy Hash: ffd14da50f96991fdea0b59de0f6e3e06764260600c4db71d6a4e42ea27bf81d
Instruction Fuzzy Hash: 89E0D830704B588BD326C669C454BD3B7D5AF89314F04806DE44ACF752CBB2BD41C780

Function 01820C89 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de900667c4778c5fc4f74ddafe9b25c335f88654b97a37396b84903bdf1acee
Instruction ID: 3211ad6cc8a8dee785ab00f847113c25c722d796f1168326acfbfa15ecd72d9f
Opcode Fuzzy Hash: 7de900667c4778c5fc4f74ddafe9b25c335f88654b97a37396b84903bdf1acee
Instruction Fuzzy Hash: 44E0D871604B94CFD727C628D4147E277D56F95319F01016EE446DF662C7A11880C340

Function 08502468 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277ca1b17a3ab1736f000b18f9faf743f92ab0c1f7f4c3c9b3ecfe17505c3cdb
Instruction ID: 1e13bf16ed27fd81fcdc14e019bbc9ae450975b7e1a6dfae3a8ceac6c959fea0
Opcode Fuzzy Hash: 277ca1b17a3ab1736f000b18f9faf743f92ab0c1f7f4c3c9b3ecfe17505c3cdb
Instruction Fuzzy Hash: 25E08636209299AFCF075F50D8118DD7F36AF4621074541A7F9818A263C73A8D65EBF1

Function 0850B268 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e95cef9b7a5ba661ae021e297a7c3fb0ac40d13557a11211030732236df595e
Instruction ID: fdd3decdb6e658f51dce66960d189f38e804cef67f0be34cba250d2fb48375d4
Opcode Fuzzy Hash: 9e95cef9b7a5ba661ae021e297a7c3fb0ac40d13557a11211030732236df595e
Instruction Fuzzy Hash: BEE0C23234050107C738954EE8087FE739AEBC8332F080039E10D832A2CE3458458685

Function 0850A400 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8960313566a2d3ad4090b5ff76c3dbc3439ed0e23a841203d0f524c6802fa7e9
Instruction ID: b5bae22a4c8efdcfac910398705f99f728a79dd9ae36f21a7e8279659809db0e
Opcode Fuzzy Hash: 8960313566a2d3ad4090b5ff76c3dbc3439ed0e23a841203d0f524c6802fa7e9
Instruction Fuzzy Hash: 2FE0C23634061143C338954EE80C7EA72DADBC5322F08403AA00D87691DE245845CB84

Function 0850B2B8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e93fec0663c8037367726f32d98e3493212b25433deb3dbbf30f4063f9cb80
Instruction ID: b40f8fc79ed24ba953fa956eed6d17ed4360525b4c0c45381aefdb48d2439dd8
Opcode Fuzzy Hash: 25e93fec0663c8037367726f32d98e3493212b25433deb3dbbf30f4063f9cb80
Instruction Fuzzy Hash: 26E0C23235090107D738950EE8187EE729BDBC5332F08403DA14E83691CD245C458B99

Function 0850B3F8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64df709e6e1be016819011584cb242f85293fecef76eda8f7c477aab37537782
Instruction ID: c06870801ee0856d666ee1a734d8be3860ef278f811c9a15fab02d943e1ffb0f
Opcode Fuzzy Hash: 64df709e6e1be016819011584cb242f85293fecef76eda8f7c477aab37537782
Instruction Fuzzy Hash: 2CE09AB4D0030E9FDB50DFB9C8866AFBEF9FB48650F508929D505E6241E67442418FE1

Function 018216C0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44693badd0e0c8456ba5afb03970d69f169ea293d7b7f7e03a75f87c9a0d7249
Instruction ID: f1306292b6e313c2c6fa3ffe72dc171b4ecead64933f6872d6f2ca780bd777f6
Opcode Fuzzy Hash: 44693badd0e0c8456ba5afb03970d69f169ea293d7b7f7e03a75f87c9a0d7249
Instruction Fuzzy Hash: 7CD05E313100104FC708A63DD00896E77DEDFCD62572540BAE50DC7321DE619C054791

Function 0182E92A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89214096567939ac1e69f4b4629d6bac40638f7b5fb9472ea8c67bd69d39ea2c
Instruction ID: ec338d0239bf10b659e7df2402806923cf9550c6d517c7a2aed7941ff81ea54e
Opcode Fuzzy Hash: 89214096567939ac1e69f4b4629d6bac40638f7b5fb9472ea8c67bd69d39ea2c
Instruction Fuzzy Hash: 99F0C935A01228CFDB61CF58E488B9CB7B0EB54315F508095E0099B161C7749FC4CF44

Function 08503D78 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43b49a44fbd610ad5f3295280000507e9b716f0c4141855f89c658cbf6899bb
Instruction ID: ce69f1dcaaf2eae835c76ecc9b73a3835290e2769fc030fbc0e6b3fb0fe27c96
Opcode Fuzzy Hash: a43b49a44fbd610ad5f3295280000507e9b716f0c4141855f89c658cbf6899bb
Instruction Fuzzy Hash: 19D02B32711528CF4120D65C94014D5B7D9FF4A6E232401BBEA02CB304DF34DC018FE2

Function 0182D640 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a17d6a654ff40bd3396206ccf6ee2cad5177ceb81ab0c5d0dd4073e04e0bf21
Instruction ID: 6680b953357848937ebaaec973b9d4a1ce9e7be5342e8072f8221601056150f7
Opcode Fuzzy Hash: 1a17d6a654ff40bd3396206ccf6ee2cad5177ceb81ab0c5d0dd4073e04e0bf21
Instruction Fuzzy Hash: 39D05E72B482206F97049AEC6444AEB7FEEDBC8328F20857FE44CC7A80DA750C4447A6

Function 01821520 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4477fc77b48c900d2acc8c19744e7a3ef137e630f9d63d9f547ca1ba64a0c6fe
Instruction ID: c4efb3b05bf7ddce851a5bb698465226d3946ddb6c5bee2eb1f76f30cccb6ae9
Opcode Fuzzy Hash: 4477fc77b48c900d2acc8c19744e7a3ef137e630f9d63d9f547ca1ba64a0c6fe
Instruction Fuzzy Hash: CDE02B71605950EFE7019B28F298BE43770D782314F104466E004DB751CF7C0C8B87C0

Function 0182D8A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c31afe33fa5d75ee7dfaf55288ab72947777952f765a1ddb98939301db04d6e
Instruction ID: 22a9dc18248d8e35ea716f8abdcb1904552aac8b7350ed2c1fbf8e7fa37f9094
Opcode Fuzzy Hash: 9c31afe33fa5d75ee7dfaf55288ab72947777952f765a1ddb98939301db04d6e
Instruction Fuzzy Hash: 9ED0A93630D2601AD202451DBC05AAAAE02A7CA330F484636F2008B2E0CA214845A2A2

Function 0182062D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af248b22a2411526d5f0c44c8685c477a603f447285625c91cf09b3cc92eb91
Instruction ID: 42b828e13896413a5a616a226e1900baf67e8d58b6f46f15ece54ef9958c0457
Opcode Fuzzy Hash: 7af248b22a2411526d5f0c44c8685c477a603f447285625c91cf09b3cc92eb91
Instruction Fuzzy Hash: D2D0A7225DC7640FC707529524204EC37A5594317131501FBD00ACB153CE890945C386

Function 08508D30 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d9aaa6b0bfa5e49118e3c0621272d06ede4344355641ce3e51e2c0fb43f5a6
Instruction ID: 1c27a0a9aeb8f4ac51fb63393344d4704572870de17ddf5feff4e5523ac873b9
Opcode Fuzzy Hash: a7d9aaa6b0bfa5e49118e3c0621272d06ede4344355641ce3e51e2c0fb43f5a6
Instruction Fuzzy Hash: D6C01263318028134409215E64249AFA1CE8BD55A1A05443BD215D7740DD554C0783FA

Function 01820C00 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41c9741065b83d24e829369c2c9a0d8490cc431fd91706b04b0820f21fd7414
Instruction ID: aa9ab56a192960f8c46ef0a33170adf83acf1086437c8a1e34880070e8516707
Opcode Fuzzy Hash: e41c9741065b83d24e829369c2c9a0d8490cc431fd91706b04b0820f21fd7414
Instruction Fuzzy Hash: 00D05E311583848FC3024764A8149903BE89B5A324B1500E6E404CF273C6A96C41C711

Function 08502478 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbd083b0bbd33e0c9025ca5eb7b55d5e52bd9131528f0e8d59f6e44a95a283e
Instruction ID: a13eb5b59e1a7f05ac47eefda4bb548f40a237fc6f0d591f7283ac44442d6001
Opcode Fuzzy Hash: 2dbd083b0bbd33e0c9025ca5eb7b55d5e52bd9131528f0e8d59f6e44a95a283e
Instruction Fuzzy Hash: ECD0C77A20011D7B8F167E84D801CDE7B5AEF89651B404025FE0516310CB76DD71ABF5

Function 08503D74 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481daa0842a4f830e950ff4f0188c949cc79bf451a85ffec8406f8c28ed8927f
Instruction ID: e9a3e9e290024893f70cb707e8b85d15feec682aa00b34934ad181e0e20c66cc
Opcode Fuzzy Hash: 481daa0842a4f830e950ff4f0188c949cc79bf451a85ffec8406f8c28ed8927f
Instruction Fuzzy Hash: 6AD0A73260192CDB81208A5CE4004D4B764FF496A231401ABEA91CB314C730CC008BC1

Function 01821680 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212f1ab558835b51d4010b14ae5c8b270f15407e4c52c69bc72aef3f35578938
Instruction ID: 630fbbbff99073475dcf13e59a18ff14693edade3193e2f2163e471e2214cf54
Opcode Fuzzy Hash: 212f1ab558835b51d4010b14ae5c8b270f15407e4c52c69bc72aef3f35578938
Instruction Fuzzy Hash: 73D0C9317001149BC600EFB8E4499AA77DAFB89266B1180B6E609CB314DF75AC0187E5

Function 011A23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1705472034.00000000011A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11a2000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efa109f440718c9115aecd6a1dc179a71a979ba16c7375bc7865aea68aed63e
Instruction ID: ff259008a1bbc2ccf2023f66576162db7b688229a142584ac9b74b75315ff09f
Opcode Fuzzy Hash: 6efa109f440718c9115aecd6a1dc179a71a979ba16c7375bc7865aea68aed63e
Instruction Fuzzy Hash: 57D02E393007804FE31A8A0CC1A4F843FE4AB40708F9A00F9A8048B773C328D880C200

Function 011A23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1705472034.00000000011A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_11a2000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31f2f4feac618116a5399577d3ff07956a3665fad62215cb356e7187e458ac6
Instruction ID: 8bc8fbe2868d6a9df1d6fa685f102857f2014cdc45234ac6ab1c4beb102743a5
Opcode Fuzzy Hash: f31f2f4feac618116a5399577d3ff07956a3665fad62215cb356e7187e458ac6
Instruction Fuzzy Hash: D5D05E382042814BEB19DA0CC294F993BD4AF45714F1644E8AC008B762C7B8D8C4CA00

Function 0850341C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebc3e77ed21b4c23b8f149619b430f73af52459a092d0baf203828358b95890
Instruction ID: 76c940f06ae7ad8275698d27673849bf1ca5326b33a1c5295b048f73ad28be8c
Opcode Fuzzy Hash: eebc3e77ed21b4c23b8f149619b430f73af52459a092d0baf203828358b95890
Instruction Fuzzy Hash: E5D0C936B501048F8F14EBB8E5554ECB3A1EF8516971001B5D50697661EF369E18C751

Function 01820640 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1cc2733c5cd12bcce24cf7b26bafcfcdc4a4681f943b8b694134efb0630ba0
Instruction ID: 8141b7b7c94f5755636722f30c3ef1ec01e770b11145c32b8d7e2c263ae7ff8b
Opcode Fuzzy Hash: 0b1cc2733c5cd12bcce24cf7b26bafcfcdc4a4681f943b8b694134efb0630ba0
Instruction Fuzzy Hash: D0B0127236453813091A319D34308FE738E898797524106EBE50DD7382CE861D1143DE

Function 08507878 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6fb4d35aba9cacf1485046252290131bc6e5935a3e1c82664caa7ceba55067
Instruction ID: e2abd976221a70d00430b4ce9e4e6abf801aa0d7bcccad21153ca56e95e276a9
Opcode Fuzzy Hash: df6fb4d35aba9cacf1485046252290131bc6e5935a3e1c82664caa7ceba55067
Instruction Fuzzy Hash: EFC0123010A382CFC30B47B494208083F30AEC32003CA08DAE4A0CF6F3CA2A8806DBA5

Function 01820C10 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dee6e9d3a29b74cfc64ecb3760393f7bbb7d0779e925abcbef7313923022205
Instruction ID: 1062477c4c047b850d63dc8d5e956075348864f74b296c1d09c3b55912a18e0d
Opcode Fuzzy Hash: 2dee6e9d3a29b74cfc64ecb3760393f7bbb7d0779e925abcbef7313923022205
Instruction Fuzzy Hash: B0C048312042088BC204AA58E848EA273E9AB98715F1140B9A9098BB72CA72BC50CA99

Non-executed Functions

Function 6D00C010 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 153COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,?,?,00000100,HIBERNATE=,000007D0,?,00000002), ref: 6D00C0D5
OmCommand.LIBOMAPI(?,?,?,00000100,STOP=,000007D0,?,00000002), ref: 6D00C193

Strings

STOP=, xrefs: 6D00C17B
STOP %04u-%02u-%02u %02u:%02u:%02u, xrefs: 6D00C15F
HIBERNATE 0, xrefs: 6D00C03C
HIBERNATE %04u-%02u-%02u %02u:%02u:%02u, xrefs: 6D00C09F
STOP -1, xrefs: 6D00C117
HIBERNATE -1, xrefs: 6D00C057
STOP 0, xrefs: 6D00C0FC
HIBERNATE=, xrefs: 6D00C0BD

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: HIBERNATE %04u-%02u-%02u %02u:%02u:%02u$HIBERNATE -1$HIBERNATE 0$STOP %04u-%02u-%02u %02u:%02u:%02u$STOP -1$STOP 0$HIBERNATE=$STOP=
API String ID: 1098371912-3089591338
Opcode ID: 9d2ca6c222f0cdd0e05544573eee62d6a10d138ff32a6717bdf23e6c0734aa3e
Instruction ID: d142deede38954d8bae1388bfdf088f7f21de8adf08f6fb74fc989c6dd496906
Opcode Fuzzy Hash: 9d2ca6c222f0cdd0e05544573eee62d6a10d138ff32a6717bdf23e6c0734aa3e
Instruction Fuzzy Hash: C841E4B2E1410C7BFB58C658DC81FFE73AC9B18304F40012AFA0AE7582E664DE558BE5

Function 6D0216FE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6D021844

Strings

1#SNAN, xrefs: 6D022A43
1#INF, xrefs: 6D022A51
1#QNAN, xrefs: 6D022A4A
1#IND, xrefs: 6D022A3C

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b73559f475f6f78417488e036cd5871ef13850cfdd2b31b14ce4f9b029ef52f3
Instruction ID: e36def1632f9e2510c41f5abd02e18240105868265d980f51a16c1167423e8b3
Opcode Fuzzy Hash: b73559f475f6f78417488e036cd5871ef13850cfdd2b31b14ce4f9b029ef52f3
Instruction Fuzzy Hash: 0CC26971E1A6298FEB25CE68CD407EAB3F5FB49304F5141EAD80DE7240E775AA818F41

Function 6D00CDE0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 141COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,ID,?,00000100,ID=,000007D0,?,0000000A), ref: 6D00CE47

Strings

ID, xrefs: 6D00CE33
ERROR: Problem when identifying device %u (mismatched identity as %u) -- reconnect., xrefs: 6D00CF4A
CWA, xrefs: 6D00CEA0
ID=, xrefs: 6D00CE1A

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: ID$CWA$ERROR: Problem when identifying device %u (mismatched identity as %u) -- reconnect.$ID=
API String ID: 1098371912-946307909
Opcode ID: 58d4715c1d0c2dce4a7e47f995e5125780b314eb8fb38bb9d924dd7018d6d8de
Instruction ID: 8195951b7c47b0ceebb06545e42c6a6fce0648fa474670f6f620013edff30ebe
Opcode Fuzzy Hash: 58d4715c1d0c2dce4a7e47f995e5125780b314eb8fb38bb9d924dd7018d6d8de
Instruction Fuzzy Hash: B841C431E481596BFB208B388C407FDB7F4AF4A314F0442D9E949A7281DB719AC2CBA5

Function 08508E78 Relevance: 8.6, Strings: 6, Instructions: 1141COMMON

Download Yara Rule

Strings

Tqxk, xrefs: 08509ED4
t, xrefs: 085098C8
d, xrefs: 085090E7
n, xrefs: 0850985E
Tqxk, xrefs: 0850913C
Tqxk, xrefs: 0850A037

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: Tqxk$Tqxk$Tqxk$d$n$t
API String ID: 0-2259690248
Opcode ID: 6faaee30a52fcb06693fcea3f5d8b74b001d2f26d72df2a2f87bf3f50959b83e
Instruction ID: 678ab3f8ec28e32c94242d208fe1060158e3a95e9f1e16f1461cafa7662441c9
Opcode Fuzzy Hash: 6faaee30a52fcb06693fcea3f5d8b74b001d2f26d72df2a2f87bf3f50959b83e
Instruction Fuzzy Hash: EEB2F634601604DFDB65DB34C858BDAB7B2EF8A308F5184A8D15AAB3A1CF36AD45CF41

Function 08508E88 Relevance: 8.6, Strings: 6, Instructions: 1137COMMON

Download Yara Rule

Strings

Tqxk, xrefs: 08509ED4
t, xrefs: 085098C8
d, xrefs: 085090E7
n, xrefs: 0850985E
Tqxk, xrefs: 0850913C
Tqxk, xrefs: 0850A037

Memory Dump Source

Source File: 00000010.00000002.1721318314.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8500000_OmGui.jbxd

Similarity

API ID:
String ID: Tqxk$Tqxk$Tqxk$d$n$t
API String ID: 0-2259690248
Opcode ID: 5aeeeb004a89de0a7d6ed19a674ec8d3b1ded299b02eb853d692cc742fda3d52
Instruction ID: 985921a0df3d1cb85272f2a57eea5ec3695beff658d551dbba35a78b9ed715c2
Opcode Fuzzy Hash: 5aeeeb004a89de0a7d6ed19a674ec8d3b1ded299b02eb853d692cc742fda3d52
Instruction Fuzzy Hash: 28B2F634601604DFDB65DB34C858BDAB7B2EF8A308F5184A8D15AAB3A1CF36AD45CF41

Function 6D01E509 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6D0295A0), ref: 6D01E573
WideCharToMultiByte.KERNEL32(00000000,00000000,6D03243C,000000FF,00000000,0000003F,00000000,?,?), ref: 6D01E5EB
WideCharToMultiByte.KERNEL32(00000000,00000000,6D032490,000000FF,?,0000003F,00000000,?), ref: 6D01E618
_free.LIBCMT ref: 6D01E561

Part of subcall function 6D01B556: HeapFree.KERNEL32(00000000,00000000,?,6D020CBF,6D009950,00000000,6D009950,00000000,?,6D020CE6,6D009950,00000007,6D009950,?,6D020987,6D009950), ref: 6D01B56C
Part of subcall function 6D01B556: GetLastError.KERNEL32(6D009950,?,6D020CBF,6D009950,00000000,6D009950,00000000,?,6D020CE6,6D009950,00000007,6D009950,?,6D020987,6D009950,6D009950), ref: 6D01B57E

_free.LIBCMT ref: 6D01E72D

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 654180a997f0ca7756a368de3fca6951391da003f999b44f19391a18cea3a11a
Instruction ID: 1964594ee19c69cf8c0a3f725feaa5bec101c9bea296f5f81e87dedf3e219d32
Opcode Fuzzy Hash: 654180a997f0ca7756a368de3fca6951391da003f999b44f19391a18cea3a11a
Instruction Fuzzy Hash: E751B97590C216ABFB20DFF9CC80BAE77F8AF46354F52425DE564D7680E7309A448B90

Function 6D00B570 Relevance: 4.9, APIs: 3, Instructions: 387COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 6D00B633

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: d59e0eadf7bcef02b7589e463656bcb563b4ba071b72ff7839a05f6e6b9b8193
Instruction ID: 1f43857a07810f0e7ddcd4277800534dc15528dede7acafb4927a4b9abbe8a35
Opcode Fuzzy Hash: d59e0eadf7bcef02b7589e463656bcb563b4ba071b72ff7839a05f6e6b9b8193
Instruction Fuzzy Hash: 9CE1A4B1A08B554FE324CB39C4907EBBBE2EBC9310F04892EE5EAC7244D7B4A545CB51

Function 6D015063 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6D01515B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D015165
UnhandledExceptionFilter.KERNEL32(?), ref: 6D015172

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5abb6dda0d3f9867af106d850c5b06e54f5467f699d7a871e3c7a0a60d4dcf1b
Instruction ID: 4ef34dd3e3ae18acb8d0db1bb716691b2bdbe54e6bff17447a3aa2547b995382
Opcode Fuzzy Hash: 5abb6dda0d3f9867af106d850c5b06e54f5467f699d7a871e3c7a0a60d4dcf1b
Instruction Fuzzy Hash: 4231C474D05219ABDB21DF64DC88B9DBBB8BF08310F5046DAE51CA7250EB709B858F45

Function 6D017DEB Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,6D017DC1,00000000,6D02F7D8,0000000C,6D017F09,00000000,00000002,00000000), ref: 6D017E0C
TerminateProcess.KERNEL32(00000000,?,6D017DC1,00000000,6D02F7D8,0000000C,6D017F09,00000000,00000002,00000000), ref: 6D017E13
ExitProcess.KERNEL32 ref: 6D017E25

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f3679b9f0916f8f464b0f8131a86c03b75adcc081b781e4925aeee79490b00ae
Instruction ID: b4f2d356eef9e300c86b5e678acaa86e46b536a5fbfbe0d01944476a832e6e06
Opcode Fuzzy Hash: f3679b9f0916f8f464b0f8131a86c03b75adcc081b781e4925aeee79490b00ae
Instruction Fuzzy Hash: 1FE04631809149EBDF016F94CD0AB893BF9FFC5249B110414F9048B021DB35DC92CA90

Function 6D01EEDE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 6D01F071

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: f00d573796032ed29f4975cf9ccc23015313782b7efa10d9acfab8c6f0bdc595
Instruction ID: e95c8951bd27e43dcb03601751eb66321499e91e592a84aea68c80932dc853bd
Opcode Fuzzy Hash: f00d573796032ed29f4975cf9ccc23015313782b7efa10d9acfab8c6f0bdc595
Instruction Fuzzy Hash: EC31287190824AAFEB148EB9CC84FFE7BFDEB85314F1041ACF918C7291E63199448B50

Function 6D01D78C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?), ref: 6D01D7CB

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6D01D79D, 6D01D7A7

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: 67561b3eed5c621de80df3398e50c94ec99e74a13e902a59f2502dd8715bc421
Instruction ID: c2d053270ba6c685d65822be484970c2077740a2068c4dd964d72da4f75191a9
Opcode Fuzzy Hash: 67561b3eed5c621de80df3398e50c94ec99e74a13e902a59f2502dd8715bc421
Instruction Fuzzy Hash: 1BE0E531E8A12867A7109B949C05FBE7BA0DF99610B510658FD0967281DB205E0196E2

Function 6D02542B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D025426,?,?,00000008,?,?,6D0250C6,00000000), ref: 6D025658

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7893bddd42ed422bd3ad01b2f3327b06cc769af92e4454ea3714e3506f3d2b5f
Instruction ID: c9fbb90e5082cc4564dee9c140c7fcf719d56239ced115bc2d938780e3710d3a
Opcode Fuzzy Hash: 7893bddd42ed422bd3ad01b2f3327b06cc769af92e4454ea3714e3506f3d2b5f
Instruction Fuzzy Hash: 8DB189352216099FE705CF28C48AB797BE1FF05325F258658E8A9CF2A5C335E981CB44

Function 6D013D53 Relevance: 1.5, Strings: 1, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 6D013EC3

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d1efe47017a820cd5bcdb19ffcece396c453b0205a751768bec508ff4781c931
Instruction ID: b23c4cc47f59e6cb1989745b20a91a8e6c419b2ab2cc741b83924891bed33c6e
Opcode Fuzzy Hash: d1efe47017a820cd5bcdb19ffcece396c453b0205a751768bec508ff4781c931
Instruction Fuzzy Hash: 88517560A1C70767FB2689E88D917BF7BE9BB0F308F40481DD982D72D1C312D90583A2

Function 6D00AF60 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

YYYY-MM-DD hh:mm:ss, xrefs: 6D00AF6E

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID:
String ID: YYYY-MM-DD hh:mm:ss
API String ID: 0-3616787860
Opcode ID: be9cc87775f34832f66a5242072765df91f9af09abe43180d426a3d1dee88b41
Instruction ID: f8666882fe2c31f076a3d9fc42d8ae6e6be46258183dbb0bb64462a88b1f3350
Opcode Fuzzy Hash: be9cc87775f34832f66a5242072765df91f9af09abe43180d426a3d1dee88b41
Instruction Fuzzy Hash: 7951D666B056404FD7198E2EC4A13C5BBD6CBB6250F48C09EE9998F783C2B59A0BC791

Function 6D01FE76 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6D01FE76

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a75b2853a20f604349e17c0914914ab5e8ef9bcbff7dab40b243203cc8dc1c9a
Instruction ID: 13b1c3b5570d373426a81b24a5da105a8fb7867930ec67f4c2747187049c08f9
Opcode Fuzzy Hash: a75b2853a20f604349e17c0914914ab5e8ef9bcbff7dab40b243203cc8dc1c9a
Instruction Fuzzy Hash: CBA02230A03302CFCF208F30820830C3AF8BA8B2C03228228E000CA080FB3080008B02

Function 0182D97C Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1707982192.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1820000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5073bb6ea2b0ed1b01b968e302ecea33a46bae21111e73903aea6490cccb6213
Instruction ID: 4ebc4ed3c24924938fd8dc42b6df1e77a897e4d2c9bae8180eb1bdbc4d042243
Opcode Fuzzy Hash: 5073bb6ea2b0ed1b01b968e302ecea33a46bae21111e73903aea6490cccb6213
Instruction Fuzzy Hash: AC62B574A012289FDB65CF69D888B99BBF1BF48304F1485E9D849AB355DB34AEC0CF50

Function 6D00A4A0 Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 236timeCOMMON

Download Yara Rule

APIs

ClearCommError.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 6D00A5B5
SetupComm.KERNEL32(00000000,00001000,00001000,?,?,00000002), ref: 6D00A5C6
PurgeComm.KERNEL32(00000000,0000000F,?,?,00000002), ref: 6D00A5EA
ClearCommBreak.KERNEL32(00000000,?,?,00000002), ref: 6D00A60B
GetCommState.KERNEL32(00000000,?,?,?,00000002), ref: 6D00A61D
ClearCommError.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000002), ref: 6D00A64D
GetCommState.KERNEL32(00000000,0000001C,?,?,?,?,?,00000002), ref: 6D00A658
SetCommState.KERNEL32(00000000,0000001C,?,?,00000002), ref: 6D00A69E
ClearCommError.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000002), ref: 6D00A6CE
SetCommState.KERNEL32(00000000,0000001C,?,?,?,?,?,00000002), ref: 6D00A6D9
SetCommTimeouts.KERNEL32(00000000,?,?,?,00000002), ref: 6D00A723

Strings

WARNING: PurgeComm() failed., xrefs: 6D00A5F4
ERROR: Problem opening input (%s: %d): %s, xrefs: 6D00A539
WARNING: SetCommState() failed (clearing errors and retrying this): %s, xrefs: 6D00A6AF
ERROR: Open failed: %s, xrefs: 6D00A758
WARNING: SetCommTimeouts() failed: %s, xrefs: 6D00A72E
WARNING: GetCommState() failed (clearing errors and retrying this): %s, xrefs: 6D00A62E
WARNING: Retrying SetCommState() failed: %s, xrefs: 6D00A6E4
WARNING: Retrying GetCommState() failed: %s, xrefs: 6D00A663
ENOENT, xrefs: 6D00A514, 6D00A538
NOTE: Retry %d to open: %s, xrefs: 6D00A4E3
EACCES, xrefs: 6D00A520
other: , xrefs: 6D00A528
WARNING: Failed to get HANDLE from file: %s, xrefs: 6D00A57F
WARNING: SetupComm() failed: %s, xrefs: 6D00A5D1

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Comm$ClearState$Error$BreakPurgeSetupTimeouts
String ID: EACCES$ENOENT$ERROR: Open failed: %s$ERROR: Problem opening input (%s: %d): %s$NOTE: Retry %d to open: %s$WARNING: Failed to get HANDLE from file: %s$WARNING: GetCommState() failed (clearing errors and retrying this): %s$WARNING: PurgeComm() failed.$WARNING: Retrying GetCommState() failed: %s$WARNING: Retrying SetCommState() failed: %s$WARNING: SetCommState() failed (clearing errors and retrying this): %s$WARNING: SetCommTimeouts() failed: %s$WARNING: SetupComm() failed: %s$other:
API String ID: 1204597910-945267382
Opcode ID: e4700a14a730e87f2393fe0d0909bbaa1bcfb2abccc6ddc9e8872bd25079421c
Instruction ID: 09a57f93178dd77aaba0dbba76668d0339afe2d3e986657785f8fe2a9522f64f
Opcode Fuzzy Hash: e4700a14a730e87f2393fe0d0909bbaa1bcfb2abccc6ddc9e8872bd25079421c
Instruction Fuzzy Hash: 32718471D09209BBFB018FE48C44FEF77B8BF86319F214219E908B7181E77459458BA1

Function 6D004D40 Relevance: 37.1, APIs: 9, Strings: 12, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 6D0049E0: GetVolumeInformationA.KERNEL32(?,?,00000105,00000000,00000000,00000000,00000000,00000000), ref: 6D004A94

GetVolumePathNamesForVolumeNameA.KERNEL32(?,00000000,00000000,00000000), ref: 6D004F0C
GetVolumePathNamesForVolumeNameA.KERNEL32(?,00000000,-00000104,00000000), ref: 6D004F46
OmCancelDownload.LIBOMAPI(?,?,6D02CD18,?,?,?,?,73BCE995), ref: 6D00518A

Strings

DISK-SERIAL, xrefs: 6D004DE1, 6D004DEC
WARNING: Ignoring removed device with invalid serial number %u, xrefs: 6D005156
%s\AX3_%05u\, xrefs: 6D004EB3
DEBUG: Device removed: #%u, xrefs: 6D005168
C:\Mount, xrefs: 6D004E87
%s\AX3_%07u\, xrefs: 6D004EC8
ERROR: Problem detecting device path for device %d (mismatched volume at %s:%s%s%s) -- reconnect., xrefs: 6D004DFD
VOLUME-LABEL, xrefs: 6D004DED, 6D004DF5
DATA-FILE, xrefs: 6D004DCB, 6D004DE0
7a: Didn't set mount point... must run as an Administrator for re-mounting., xrefs: 6D005074
%s\AX3_%010u\, xrefs: 6D004ECF
DEBUG: callback for OM_DEVICE_REMOVED..., xrefs: 6D00519B

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Volume$NameNamesPath$CancelDownloadInformation
String ID: DATA-FILE$ DISK-SERIAL$ VOLUME-LABEL$%s\AX3_%010u\$%s\AX3_%05u\$%s\AX3_%07u\$7a: Didn't set mount point... must run as an Administrator for re-mounting.$C:\Mount$DEBUG: Device removed: #%u$DEBUG: callback for OM_DEVICE_REMOVED...$ERROR: Problem detecting device path for device %d (mismatched volume at %s:%s%s%s) -- reconnect.$WARNING: Ignoring removed device with invalid serial number %u
API String ID: 1437695475-3536749448
Opcode ID: c8483bd0c4196d075a20363262cf685b7afd95f60ab9a199bb4392eecdf78172
Instruction ID: b0321d91c46cc17d7cb5e9b416c77797e59ba36795f7692ca70bffc7008b5ce4
Opcode Fuzzy Hash: c8483bd0c4196d075a20363262cf685b7afd95f60ab9a199bb4392eecdf78172
Instruction Fuzzy Hash: 4CC1E471A05219BFFB10CB24CC55FFE77B8AF4A304F4441E9EA0897186E7719A85CBA1

Function 6D0049E0 Relevance: 28.3, APIs: 2, Strings: 14, Instructions: 278COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32(?,?,00000105,00000000,00000000,00000000,00000000,00000000), ref: 6D004A94
__fread_nolock.LIBCMT ref: 6D004BC7

Strings

CWA-DATA.CWA, xrefs: 6D004B85
VOLUME LABEL FOR: #%u %s, xrefs: 6D004A63
- fail, xrefs: 6D004A9E
A, xrefs: 6D004AAB
- MISMATCH: Disk serial, xrefs: 6D004CF8
- CWA FILE = %u%s, xrefs: 6D004CAB
- MISMATCH: Data file, xrefs: 6D004D19
- MISMATCH: Volume, xrefs: 6D004CCD
X, xrefs: 6D004ABA
- VOLUME NAME: %s = %u (last-7: %u), xrefs: 6D004C4D
D, xrefs: 6D004BDA
(none), xrefs: 6D004CA1, 6D004CA9
M, xrefs: 6D004BD4
- DISK SERIAL: [0x%04x=%d 0x%04x=%d] %u // FSIO-SERIAL: [0x%04x=%d 0x%04x=%d] %u, xrefs: 6D004C8A

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: InformationVolume__fread_nolock
String ID: (none)$- CWA FILE = %u%s$- DISK SERIAL: [0x%04x=%d 0x%04x=%d] %u // FSIO-SERIAL: [0x%04x=%d 0x%04x=%d] %u$- MISMATCH: Data file$- MISMATCH: Disk serial$- MISMATCH: Volume$- VOLUME NAME: %s = %u (last-7: %u)$- fail$A$CWA-DATA.CWA$D$M$VOLUME LABEL FOR: #%u %s$X
API String ID: 3086070685-3505455261
Opcode ID: 8aa9a72c0a6e538f9cfaba1eb12dfb0ebfa8178f883bdab1ff8d79f57bd5a765
Instruction ID: 37f5f483801c9c377498fe96210444d83d7f898edc6758a4e38588ed1c59f9e4
Opcode Fuzzy Hash: 8aa9a72c0a6e538f9cfaba1eb12dfb0ebfa8178f883bdab1ff8d79f57bd5a765
Instruction Fuzzy Hash: BC917F70D042193FFB24CA648C99FFE77E59F95305F0041A9E548A71C2D6B5EA448BA8

Function 6D0207EF Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6D020833

Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020B47
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020B59
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020B6B
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020B7D
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020B8F
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020BA1
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020BB3
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020BC5
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020BD7
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020BE9
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020BFB
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020C0D
Part of subcall function 6D020B2A: _free.LIBCMT ref: 6D020C1F

_free.LIBCMT ref: 6D020828

Part of subcall function 6D01B556: HeapFree.KERNEL32(00000000,00000000,?,6D020CBF,6D009950,00000000,6D009950,00000000,?,6D020CE6,6D009950,00000007,6D009950,?,6D020987,6D009950), ref: 6D01B56C
Part of subcall function 6D01B556: GetLastError.KERNEL32(6D009950,?,6D020CBF,6D009950,00000000,6D009950,00000000,?,6D020CE6,6D009950,00000007,6D009950,?,6D020987,6D009950,6D009950), ref: 6D01B57E

_free.LIBCMT ref: 6D02084A
_free.LIBCMT ref: 6D02085F
_free.LIBCMT ref: 6D02086A
_free.LIBCMT ref: 6D02088C
_free.LIBCMT ref: 6D02089F
_free.LIBCMT ref: 6D0208AD
_free.LIBCMT ref: 6D0208B8
_free.LIBCMT ref: 6D0208F0
_free.LIBCMT ref: 6D0208F7
_free.LIBCMT ref: 6D020914
_free.LIBCMT ref: 6D02092C

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9b74c93956838852dd5cbe7f521d3bb4443e569943a76073a4eef92fc28bc5a9
Instruction ID: 7b854771d33f651c13a2ad50a7a4d72ff8a8bc3034513c2115505c0dc7dfa117
Opcode Fuzzy Hash: 9b74c93956838852dd5cbe7f521d3bb4443e569943a76073a4eef92fc28bc5a9
Instruction Fuzzy Hash: 2E314D3160D3069FFB209B7AEC54B6BB3E8EF01355F114429E599D7260DB71E980CB64

Function 6D00A150 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 76synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,d:\newcastle\projects\openmovement\software\om\omapi\src\omapi-download.c,000000F8,OmBeginDownloadingReference,?), ref: 6D00A184
WaitForSingleObject.KERNEL32(?,000003E8), ref: 6D00A1E6

Strings

WAIT_TIMEOUT, xrefs: 6D00A19C
&om.downloadMutex, xrefs: 6D00A15F, 6D00A1C4, 6D00A1F0
LOCK: #%d %.0s:%d %s() mutex_lock(%s) complete, xrefs: 6D00A1FB
WAIT_FAILED, xrefs: 6D00A1A8
LOCK: #%d %.0s:%d %s() mutex_lock(%s) 0x%8x=%s @%d, xrefs: 6D00A1CF
<unknown>, xrefs: 6D00A190
LOCK: #%d %.0s:%d %s() mutex_lock(%s) called, xrefs: 6D00A16F
WAIT_ABANDONED, xrefs: 6D00A1B6, 6D00A1C2

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ObjectSingleWait
String ID: &om.downloadMutex$<unknown>$LOCK: #%d %.0s:%d %s() mutex_lock(%s) 0x%8x=%s @%d$LOCK: #%d %.0s:%d %s() mutex_lock(%s) called$LOCK: #%d %.0s:%d %s() mutex_lock(%s) complete$WAIT_ABANDONED$WAIT_FAILED$WAIT_TIMEOUT
API String ID: 24740636-3534622342
Opcode ID: 5c4cd8982e3783aa70622a48c9488fc27fb0f9a48c847e300db903e4c5ad614f
Instruction ID: 1759c7d1c1168e848f88cdad5812cd8a78fcba5ca96d14947b04827a23ddfcbd
Opcode Fuzzy Hash: 5c4cd8982e3783aa70622a48c9488fc27fb0f9a48c847e300db903e4c5ad614f
Instruction Fuzzy Hash: 74117C31A45109BBFF114E55CC44FEF7A6DEF86364F244165FA0C9B1A1E6328E2097B2

Function 6D00C1E0 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 119COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,FORMAT WC,?,00000100,COMMIT,00003A98,?,0000000A), ref: 6D00C316

Strings

commit, xrefs: 6D00C2BC
FORMAT WC, xrefs: 6D00C2EF, 6D00C314
d:\newcastle\projects\openmovement\software\om\omapi\src\omapi-download.c, xrefs: 6D00C25F, 6D00C289
FORMAT QC, xrefs: 6D00C2DE
CLEAR DATA, xrefs: 6D00C2CD
&om.downloadMutex, xrefs: 6D00C264, 6D00C279
COMMIT, xrefs: 6D00C303
OmQueryDownload, xrefs: 6D00C255, 6D00C27F

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: CLEAR DATA$FORMAT QC$FORMAT WC$commit$&om.downloadMutex$COMMIT$OmQueryDownload$d:\newcastle\projects\openmovement\software\om\omapi\src\omapi-download.c
API String ID: 1098371912-1599585143
Opcode ID: b6aa10443bbb8dc724735c7b24551109ef056036072975f18839a3ee84861c4e
Instruction ID: 834b18b30032497e520fb46721a834c7610a38df4a0a7702785ee0696f2522be
Opcode Fuzzy Hash: b6aa10443bbb8dc724735c7b24551109ef056036072975f18839a3ee84861c4e
Instruction Fuzzy Hash: D6311D31B08109A7F7148AA99850BBD73B4DFCB314F15426EF91DAB6C0EB709D8187E5

Function 6D009E50 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 108COMMON

Download Yara Rule

Strings

d:\newcastle\projects\openmovement\software\om\omapi\src\omapi-download.c, xrefs: 6D009EB6, 6D009EEB
&om.downloadMutex, xrefs: 6D009EBB, 6D009ED0
OmWaitForDownload() started., xrefs: 6D009E58
OmWaitForDownload() checking status..., xrefs: 6D009F40
OmQueryDownload, xrefs: 6D009EAC, 6D009EE1
OmWaitForDownload() waiting for download thread to terminate..., xrefs: 6D009F23

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID:
String ID: &om.downloadMutex$OmQueryDownload$OmWaitForDownload() checking status...$OmWaitForDownload() started.$OmWaitForDownload() waiting for download thread to terminate...$d:\newcastle\projects\openmovement\software\om\omapi\src\omapi-download.c
API String ID: 0-3166028405
Opcode ID: cd4c5ce70c73c0d012c4528cc01d195947c45d87cd8d9a75f595c1333fc9b442
Instruction ID: a9951c937110cbaf1cbbd64be609069262d96e7d4b2357f8def73371197931d3
Opcode Fuzzy Hash: cd4c5ce70c73c0d012c4528cc01d195947c45d87cd8d9a75f595c1333fc9b442
Instruction Fuzzy Hash: B131D835A05205BBF7108F65E840F7A77F89F85714F194159E92C9B290E731EE41C7E1

Function 6D00BF20 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 76timeCOMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,HIBERNATE,?,00000100,HIBERNATE=,000007D0,?,00000002), ref: 6D00BF6D
OmDateTimeFromString.LIBOMAPI(?), ref: 6D00BF88
OmCommand.LIBOMAPI(?,STOP,?,00000100,STOP=,000007D0,?,00000002), ref: 6D00BFB9
OmDateTimeFromString.LIBOMAPI(?), ref: 6D00BFD4

Strings

STOP, xrefs: 6D00BFB1
STOP=, xrefs: 6D00BFA0
HIBERNATE, xrefs: 6D00BF65
HIBERNATE=, xrefs: 6D00BF4C

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: CommandDateFromStringTime
String ID: HIBERNATE$STOP$HIBERNATE=$STOP=
API String ID: 1572727159-347550760
Opcode ID: d979722e196a0971150d5b508c3ca037cda17cb2b42db2e2369726b05cc05135
Instruction ID: 6f62a0f235c3ffda5323fc9ef16ebc24164481ea66209d441c36fbd13d1510d0
Opcode Fuzzy Hash: d979722e196a0971150d5b508c3ca037cda17cb2b42db2e2369726b05cc05135
Instruction Fuzzy Hash: 33215071E0421ABBFB108E669C41BF973A89F59714F1041A5FE48E7581EBB1EE808FD1

Function 6D01915D Relevance: 13.8, APIs: 9, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D018E13: CreateFileW.KERNEL32(00000000,00000000,?,6D019206,?,?,00000000,?,6D019206,00000000,0000000C), ref: 6D018E30

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D00B191), ref: 6D019271
__dosmaperr.LIBCMT ref: 6D019278
GetFileType.KERNEL32(00000000), ref: 6D019284
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D00B191), ref: 6D01928E
__dosmaperr.LIBCMT ref: 6D019297
CloseHandle.KERNEL32(00000000), ref: 6D0192B7
CloseHandle.KERNEL32(?), ref: 6D019401
GetLastError.KERNEL32 ref: 6D019433
__dosmaperr.LIBCMT ref: 6D01943A

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 0163b62ea12d1aab97bba0a9ecffcba9dc8cb2c6545eb9467c48debeec49daa6
Instruction ID: 554b450ba63b0840b48203222dc28f8878e4afa9ddb0ddfe7e24cac5cdd7cc92
Opcode Fuzzy Hash: 0163b62ea12d1aab97bba0a9ecffcba9dc8cb2c6545eb9467c48debeec49daa6
Instruction Fuzzy Hash: 0EA12332E1C1558FEF19DFB8DC95BAE3BF1AB0B324F150159E8219B291DB308916CB91

Function 6D022FC6 Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,6D02329F,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 6D023072
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,6D02329F,00000000,00000000,?,00000001,?,?,?,?), ref: 6D0230F5
__alloca_probe_16.LIBCMT ref: 6D02312D
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,6D02329F,?,6D02329F,00000000,00000000,?,00000001,?,?,?,?), ref: 6D023188
__alloca_probe_16.LIBCMT ref: 6D0231D7
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,6D02329F,00000000,00000000,?,00000001,?,?,?,?), ref: 6D02319F

Part of subcall function 6D01B961: HeapAlloc.KERNEL32(00000000,00000000,6D009950,?,6D01D394,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 6D01B993

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,6D02329F,00000000,00000000,?,00000001,?,?,?,?), ref: 6D02321B
__freea.LIBCMT ref: 6D023246
__freea.LIBCMT ref: 6D023252

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
String ID:
API String ID: 3256262068-0
Opcode ID: 403596a1420583d4bc5c7d129d8a297c85779d3df267c9783f1627fca5506601
Instruction ID: 7a9824cbefc42587193e834e4de0035a66470e188bc1d9b67e05784a1669e3f6
Opcode Fuzzy Hash: 403596a1420583d4bc5c7d129d8a297c85779d3df267c9783f1627fca5506601
Instruction Fuzzy Hash: DB91F171E062179AFF158EA4CC91BEE7BF5AF0E710F14452EEA10E7180D725D849CB60

Function 6D00B140 Relevance: 13.7, APIs: 9, Instructions: 198timeCOMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 6D00B1D6
OmReaderDataBlockSeek.LIBOMAPI(00000000,00000000), ref: 6D00B2D7
OmReaderNextBlock.LIBOMAPI(00000000,00000000,00000000), ref: 6D00B2DD
OmReaderTimestamp.LIBOMAPI(00000000,00000000,00000000), ref: 6D00B2F9
OmReaderDataBlockSeek.LIBOMAPI(00000000,?), ref: 6D00B33C
OmReaderNextBlock.LIBOMAPI(00000000,00000000,?), ref: 6D00B342
OmReaderDataBlockSeek.LIBOMAPI(00000000,00000000), ref: 6D00B35A
OmReaderTimestamp.LIBOMAPI(00000000,-00000001,00000000), ref: 6D00B370
OmReaderDataBlockSeek.LIBOMAPI(00000000,00000000), ref: 6D00B381

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Reader$Block$DataSeek$NextTimestamp$__fread_nolock
String ID:
API String ID: 480906324-0
Opcode ID: b5554cc93367395d2ba77993e7a18ac122de2a5e5c58376511d167d5ac8d4732
Instruction ID: 635ac16c866900c39ce699600b786b35307ec8c4d383397623aa839132bacba0
Opcode Fuzzy Hash: b5554cc93367395d2ba77993e7a18ac122de2a5e5c58376511d167d5ac8d4732
Instruction Fuzzy Hash: 915135F29082156BFB108E689CC17BA7BD8EF01304F1841B9EE9D9F287E7B4814487B0

Function 6D00A780 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 62synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,6D00E18D), ref: 6D00A813

Strings

OmPortRelease, xrefs: 6D00A7AB, 6D00A7EE, 6D00A81E
d:\newcastle\projects\openmovement\software\om\omapi\src\omapi-internal.c, xrefs: 6D00A7B5, 6D00A7F8, 6D00A82F
UNLOCK: #%d %.0s:%d %s() mutex_unlock(%s) failed, xrefs: 6D00A834, 6D00A83D
UNLOCK: #%d %.0s:%d %s() mutex_unlock(%s) complete, xrefs: 6D00A82A
&om.portMutex, xrefs: 6D00A7BA, 6D00A7E9, 6D00A819
UNLOCK: #%d %.0s:%d %s() mutex_unlock(%s) called, xrefs: 6D00A7FE

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: MutexRelease
String ID: &om.portMutex$OmPortRelease$UNLOCK: #%d %.0s:%d %s() mutex_unlock(%s) called$UNLOCK: #%d %.0s:%d %s() mutex_unlock(%s) complete$UNLOCK: #%d %.0s:%d %s() mutex_unlock(%s) failed$d:\newcastle\projects\openmovement\software\om\omapi\src\omapi-internal.c
API String ID: 1638419-1776799954
Opcode ID: 76eee3323ecf4f4c4a1d25e45c0d928321244e59b3e9f4079d44646425a155ce
Instruction ID: 49b7e409f5f198074c7c2757b58e0a7d83377a35fac3b05fb067d430f32510df
Opcode Fuzzy Hash: 76eee3323ecf4f4c4a1d25e45c0d928321244e59b3e9f4079d44646425a155ce
Instruction Fuzzy Hash: 2111E571B06A027BF6116A289C14F3B3AB89FC1618F254221F61CDB6D7D760DC0186F1

Function 6D020EEE Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,7FFFFFFF,6D00B193,?,?,?,6D02113F,00000001,00000001,6A000001), ref: 6D020F48
__alloca_probe_16.LIBCMT ref: 6D020F80
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,6D02113F,00000001,00000001,6A000001,6D00B191,?,?), ref: 6D020FCE
__alloca_probe_16.LIBCMT ref: 6D021065
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,6D00B191,6A000001,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6D0210C8
__freea.LIBCMT ref: 6D0210D5

Part of subcall function 6D01B961: HeapAlloc.KERNEL32(00000000,00000000,6D009950,?,6D01D394,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 6D01B993

__freea.LIBCMT ref: 6D0210DE
__freea.LIBCMT ref: 6D021103

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: 9fc5edba4efd1c5bae0a0b58da8f86e4d2f3a4bb23c37e79dfc29143e920b82c
Instruction ID: 6bc7815f71299d7b1e57536824fd1da6e318663a3ba8f9a79714ca6c6eb08872
Opcode Fuzzy Hash: 9fc5edba4efd1c5bae0a0b58da8f86e4d2f3a4bb23c37e79dfc29143e920b82c
Instruction Fuzzy Hash: 3B511F72606247ABFB258EA6CC80FBF77AAEB45750F114629FD04D7180DBB2DC808661

Function 6D019E36 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,6D01A5AB,6D0204E4,00000000,00000000,00000000,00000000,00000000), ref: 6D019E78
__fassign.LIBCMT ref: 6D019EF3
__fassign.LIBCMT ref: 6D019F0E
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 6D019F34
WriteFile.KERNEL32(?,00000000,00000000,6D01A5AB,00000000,?,?,?,?,?,?,?,?,?,6D01A5AB,6D0204E4), ref: 6D019F53
WriteFile.KERNEL32(?,6D0204E4,00000001,6D01A5AB,00000000,?,?,?,?,?,?,?,?,?,6D01A5AB,6D0204E4), ref: 6D019F8C

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4fe319c7b05c7c16306edd11707d5952bb3a0cf9cf9ec3fef166d109fda9ca3e
Instruction ID: 629e4ed9cd9c3486799507e11ada53f94eca824d65993d763e8fd3eb7f1add7c
Opcode Fuzzy Hash: 4fe319c7b05c7c16306edd11707d5952bb3a0cf9cf9ec3fef166d109fda9ca3e
Instruction Fuzzy Hash: 4B519F75A04249AFEB10CFE9D841BEEBBF8BF09310F14415AE565E7281E7709941CB61

Function 6D00FCD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6D00FCFB
___except_validate_context_record.LIBVCRUNTIME ref: 6D00FD03
_ValidateLocalCookies.LIBCMT ref: 6D00FD91
__IsNonwritableInCurrentImage.LIBCMT ref: 6D00FDBC
_ValidateLocalCookies.LIBCMT ref: 6D00FE11

Strings

csm, xrefs: 6D00FDA6

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 8e75d6d0c8e00e66cf80f65cb7d82a33bf4d807ab8483c532fa9dc607c45f26f
Instruction ID: 2f3fdd93ffe34e7b76f2a22ea191a95e36c92e62dbbf52c3e2d1e88699fee796
Opcode Fuzzy Hash: 8e75d6d0c8e00e66cf80f65cb7d82a33bf4d807ab8483c532fa9dc607c45f26f
Instruction Fuzzy Hash: F941B534E08209ABEF00DF68CC44BAEBFFAAF45318F118156E9149B291D771DA11CBD5

Function 6D020CCD Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D020C91: _free.LIBCMT ref: 6D020CBA

_free.LIBCMT ref: 6D020D1B

Part of subcall function 6D01B556: HeapFree.KERNEL32(00000000,00000000,?,6D020CBF,6D009950,00000000,6D009950,00000000,?,6D020CE6,6D009950,00000007,6D009950,?,6D020987,6D009950), ref: 6D01B56C
Part of subcall function 6D01B556: GetLastError.KERNEL32(6D009950,?,6D020CBF,6D009950,00000000,6D009950,00000000,?,6D020CE6,6D009950,00000007,6D009950,?,6D020987,6D009950,6D009950), ref: 6D01B57E

_free.LIBCMT ref: 6D020D26
_free.LIBCMT ref: 6D020D31
_free.LIBCMT ref: 6D020D85
_free.LIBCMT ref: 6D020D90
_free.LIBCMT ref: 6D020D9B
_free.LIBCMT ref: 6D020DA6

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3f82e07238ead881142fa9c3aefd4cdb53c88ea02e52f086d5cfb788392a73d9
Instruction ID: 4d69ecb361484d9e50d2c023520c7c598f906dd84cdafbeb589db7bff2db291b
Opcode Fuzzy Hash: 3f82e07238ead881142fa9c3aefd4cdb53c88ea02e52f086d5cfb788392a73d9
Instruction Fuzzy Hash: B81193B194DB08BAF630ABB1CC56FDB779C9F01704F420814BBD967290DBB4B5049754

Function 6D0101A1 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6D0100AA,6D00ED30,6D00E946,?,6D00EB63,?,00000001,?,?,00000001,?,6D02F458,0000000C,6D00EC57), ref: 6D0101AF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D0101BD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D0101D6
SetLastError.KERNEL32(00000000,6D00EB63,?,00000001,?,?,00000001,?,6D02F458,0000000C,6D00EC57,?,00000001,?), ref: 6D010228

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4cbb5893fe33c2f580c8cb4787377b78f8357b3f1c124d77bcefe0aca4739a4c
Instruction ID: 233420c8764ee98994128d2eb03514bd7a9b638c5f044c8b60f1eda8142551e8
Opcode Fuzzy Hash: 4cbb5893fe33c2f580c8cb4787377b78f8357b3f1c124d77bcefe0aca4739a4c
Instruction Fuzzy Hash: 7401473220D7139EBB2517F6ACC4B6F26B4EB0A3BA7320229F760531D4EF6548114551

Function 6D017E70 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6D017E21,00000000,?,6D017DC1,00000000,6D02F7D8,0000000C,6D017F09,00000000,00000002), ref: 6D017E90
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D017EA3
FreeLibrary.KERNEL32(00000000,?,?,?,6D017E21,00000000,?,6D017DC1,00000000,6D02F7D8,0000000C,6D017F09,00000000,00000002), ref: 6D017EC6

Strings

CorExitProcess, xrefs: 6D017E9B
mscoree.dll, xrefs: 6D017E89

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1185a7d6cf3b81c3bb545b4ce5c9777fd493406b4eed6db3c8603187f2a66aed
Instruction ID: c9a746f6a2a84906b171a56e4c123666f7d1acf74ad3c663edc3371b2a48951f
Opcode Fuzzy Hash: 1185a7d6cf3b81c3bb545b4ce5c9777fd493406b4eed6db3c8603187f2a66aed
Instruction Fuzzy Hash: C5F04F34D05119BBEF019F94CC0ABAE7FF8EF89311F1000A8F805A3290DB308D44CA91

Function 6D0149A8 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a5a4d21b5ea7b1fc3c592967e81c6cd4396b17a67472348f98b83531f0e1bb
Instruction ID: 7e72933d8dd6edf29be931687b5f148cebfdfd950e7ed6305c67067a74f3ea4d
Opcode Fuzzy Hash: e0a5a4d21b5ea7b1fc3c592967e81c6cd4396b17a67472348f98b83531f0e1bb
Instruction Fuzzy Hash: 9271BE75E08257ABEB11CFD4CC84BBEBBB5EF49328F214269E524572A0D770C945C7A0

Function 6D0186FC Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6D01876E
_free.LIBCMT ref: 6D01878E

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc6aa8195af976983d1b55f5b1ed0f3339111568da46439f49d8a4b4e43a10b6
Instruction ID: 4b9c0be1382104e238e4c672ea8033c7fb3375e9676a329d02f42a51ab800160
Opcode Fuzzy Hash: fc6aa8195af976983d1b55f5b1ed0f3339111568da46439f49d8a4b4e43a10b6
Instruction Fuzzy Hash: F241C336A04200AFEB14CFB8CD84B5DB7F6EF89714B164668E615EB341E731EA01DB40

Function 6D020DB1 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(6D00B191,00000000,6A000001,6D00B193,00000000,00000000,6D00B193,?,7FFFFFFF,6D00B191,00000001,6D00B193,6A000001,00000001,6D00B193,6D00B193), ref: 6D020DFE
__alloca_probe_16.LIBCMT ref: 6D020E36
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6D020E87
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6D020E99
__freea.LIBCMT ref: 6D020EA2

Part of subcall function 6D01B961: HeapAlloc.KERNEL32(00000000,00000000,6D009950,?,6D01D394,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 6D01B993

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 6b1766ce8e90936c9a3ada8891f6e195e5d6898f5d47a44a2f1e582688afea19
Instruction ID: 4b60a77b9f0ccacdf6fd472c12bcfc317cf6fb699e52585214eca79b6524e3b7
Opcode Fuzzy Hash: 6b1766ce8e90936c9a3ada8891f6e195e5d6898f5d47a44a2f1e582688afea19
Instruction Fuzzy Hash: 4B31FE32A0520AABEF148F66CC90FBE3BA9EB44360F014168FD14DB250E735C890CB90

Function 6D020C28 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6D020C40

Part of subcall function 6D01B556: HeapFree.KERNEL32(00000000,00000000,?,6D020CBF,6D009950,00000000,6D009950,00000000,?,6D020CE6,6D009950,00000007,6D009950,?,6D020987,6D009950), ref: 6D01B56C
Part of subcall function 6D01B556: GetLastError.KERNEL32(6D009950,?,6D020CBF,6D009950,00000000,6D009950,00000000,?,6D020CE6,6D009950,00000007,6D009950,?,6D020987,6D009950,6D009950), ref: 6D01B57E

_free.LIBCMT ref: 6D020C52
_free.LIBCMT ref: 6D020C64
_free.LIBCMT ref: 6D020C76
_free.LIBCMT ref: 6D020C88

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0c2be40064ce0cf99f808a88a292fdd1f99333c9d5b5dd1d870a56aa1d8884a4
Instruction ID: edbaf15b1581d5e4bfdaf607d1c8345ea46450b11ca6d08a98f7844f926a2b42
Opcode Fuzzy Hash: 0c2be40064ce0cf99f808a88a292fdd1f99333c9d5b5dd1d870a56aa1d8884a4
Instruction Fuzzy Hash: 50F04FB540D3465BEB30DB99E9C5F2B73E9AB063113620805F118D7740C730F9804AA9

Function 6D01894E Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D01896C

Part of subcall function 6D01B556: HeapFree.KERNEL32(00000000,00000000,?,6D020CBF,6D009950,00000000,6D009950,00000000,?,6D020CE6,6D009950,00000007,6D009950,?,6D020987,6D009950), ref: 6D01B56C
Part of subcall function 6D01B556: GetLastError.KERNEL32(6D009950,?,6D020CBF,6D009950,00000000,6D009950,00000000,?,6D020CE6,6D009950,00000007,6D009950,?,6D020987,6D009950,6D009950), ref: 6D01B57E

_free.LIBCMT ref: 6D01897E
_free.LIBCMT ref: 6D018991
_free.LIBCMT ref: 6D0189A2
_free.LIBCMT ref: 6D0189B3

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3cbd4d9786637752ceca40ff340b9fdf7c679cc74e6dbad3d355a552affebb37
Instruction ID: 7dc050887b1db5eec2a4821fcba886c90f463cd13a1ab3af002135ed87c4b951
Opcode Fuzzy Hash: 3cbd4d9786637752ceca40ff340b9fdf7c679cc74e6dbad3d355a552affebb37
Instruction Fuzzy Hash: E3F0B77980C6639B9F315F6AAC807583BB4E71B7253074506F520973A0C77507528FDA

Function 6D00C990 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 188COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,?,?,00000100,RATE=,000007D0,?,0000000A), ref: 6D00CB31

Strings

RATE=, xrefs: 6D00CB19
RATE %u, xrefs: 6D00CAFD
RATE %u,%u, xrefs: 6D00CAEC

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: RATE %u$RATE %u,%u$RATE=
API String ID: 1098371912-922130091
Opcode ID: 7097fbec40903604919b83214ffe4d9bce7302d01a427687b8d8ea0c83c12912
Instruction ID: 02d92101335a89480a166435c26e3f0dbe4881091331ad5d84fe43ecadf44255
Opcode Fuzzy Hash: 7097fbec40903604919b83214ffe4d9bce7302d01a427687b8d8ea0c83c12912
Instruction Fuzzy Hash: D4512732E4810973FB14C97CCC407FE72A4EB87718F1442BAE91AD72D0DA658E8446B9

Function 6D01ED4E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 6D01ED9D
_free.LIBCMT ref: 6D01EEBA

Part of subcall function 6D01525A: IsProcessorFeaturePresent.KERNEL32(00000017,6D01522C,00000000,6D009950,?,?,?,6D009950,?,?,6D015239,00000000,00000000,00000000,00000000,00000000), ref: 6D01525C
Part of subcall function 6D01525A: GetCurrentProcess.KERNEL32(C0000417,6D009950), ref: 6D01527E
Part of subcall function 6D01525A: TerminateProcess.KERNEL32(00000000), ref: 6D015285

Strings

*?, xrefs: 6D01ED91
., xrefs: 6D01F071

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 7a2036c7dd5503ee6673448372b997ec4fdf1431a7a2d2b25c6861e2232aafca
Instruction ID: 198db03956e3ed0ebc78933ce2cb74f79bbee1e80420fd68caec07dad81524ae
Opcode Fuzzy Hash: 7a2036c7dd5503ee6673448372b997ec4fdf1431a7a2d2b25c6861e2232aafca
Instruction Fuzzy Hash: CE515D76E0821AAFEB14CFE8CC80AADBBF5FF49314F258169D954E7740E7719A018B50

Function 6D017F14 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe,00000104), ref: 6D017F54
_free.LIBCMT ref: 6D01801F
_free.LIBCMT ref: 6D018029

Strings

C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe, xrefs: 6D017F4B, 6D017F52, 6D017F81, 6D017FB9

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe
API String ID: 2506810119-748945681
Opcode ID: 6d2366273f8427eda2dae86711a95223bc41d8f48fdf278a2742063ddb7f28f8
Instruction ID: 372fef33412cf8c7ffc8bd199629af122224e69422337f2c770d6532f48487b1
Opcode Fuzzy Hash: 6d2366273f8427eda2dae86711a95223bc41d8f48fdf278a2742063ddb7f28f8
Instruction Fuzzy Hash: AB313075E08259EFEB22CBD9DC84B9EBBF8EF86354B11405AE90497200D7708B408B91

Function 6D0099D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

OmGetDevicePath.LIBOMAPI(?,?), ref: 6D009A10
OmReaderOpen.LIBOMAPI(?), ref: 6D009A58
OmReaderDataRange.LIBOMAPI(00000000,?,?,?,?,?), ref: 6D009A8F

Strings

CWA-DATA.CWA, xrefs: 6D009A2D

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Reader$DataDeviceOpenPathRange
String ID: CWA-DATA.CWA
API String ID: 3733521012-341621345
Opcode ID: 5084f89a8b257095fdaae72a9be3dbe628c3c9cd24afa465b86088cdb13c34b6
Instruction ID: fdfcd9fb94c064e8eeffd815f65347e40a421634a3753e61032db5dc56668fdb
Opcode Fuzzy Hash: 5084f89a8b257095fdaae72a9be3dbe628c3c9cd24afa465b86088cdb13c34b6
Instruction Fuzzy Hash: DD31A275A08119AFEB11CF58DC40BDAB7F4EF4A304F1440A9E94897201E7729A41CFD1

Function 6D00D6A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,TIME,?,00000100,$TIME=,000007D0,?,00000002), ref: 6D00D6E9

Strings

TIME, xrefs: 6D00D6D9
$TIME=, xrefs: 6D00D6C5

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: TIME$$TIME=
API String ID: 1098371912-3115832756
Opcode ID: 878b42cb9f980ea9edb41597cedb7701129e8adaec6ad88cd626cf85759021e1
Instruction ID: ce3f8d66943c16777a7a55e9833a60947b19f66af7b609c9073b786cea634358
Opcode Fuzzy Hash: 878b42cb9f980ea9edb41597cedb7701129e8adaec6ad88cd626cf85759021e1
Instruction Fuzzy Hash: 2A118631E4411CA7FB10DF249C41BFD73A8DF59314F5142AAED49EB680EBB05A448BD1

Function 6D00C770 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49timeCOMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,LASTCHANGED,?,00000100,LASTCHANGED=,000007D0,?,00000002), ref: 6D00C7B9
OmDateTimeFromString.LIBOMAPI(?), ref: 6D00C7E8

Strings

LASTCHANGED=, xrefs: 6D00C795
LASTCHANGED, xrefs: 6D00C7A9

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: CommandDateFromStringTime
String ID: LASTCHANGED$LASTCHANGED=
API String ID: 1572727159-3681739171
Opcode ID: 997e47e9b1b88e3f52f282039d840dc3013b46da0dc194bee2f85b2be068deba
Instruction ID: eaf7731a9a001e2f86a99466e1db27be569827b04af394151c74b56b5d7023f1
Opcode Fuzzy Hash: 997e47e9b1b88e3f52f282039d840dc3013b46da0dc194bee2f85b2be068deba
Instruction Fuzzy Hash: 9201B931E4411D67FB10CB249C81BFD73A89F19314F414299A948E7180EB7099848FD1

Function 6D01BF69 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6D01BFF4
__alldvrm.LIBCMT ref: 6D01C1F5
__alldvrm.LIBCMT ref: 6D01C217

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 0874cdba27bdbc3456da5b1db72648c5459b124b3ef85f4c435538710fc9093b
Instruction ID: 5838a87feaa5790515308bfa0b2c5285007463a7229116f464c5f6fd560589df
Opcode Fuzzy Hash: 0874cdba27bdbc3456da5b1db72648c5459b124b3ef85f4c435538710fc9093b
Instruction Fuzzy Hash: 1AA1217294C3869FF7128EA8CC917AEFBE5EF46354F184179E9859B281C338C941C798

Function 6D003160 Relevance: 6.2, APIs: 4, Instructions: 202COMMON

Download Yara Rule

APIs

GetVolumePathNamesForVolumeNameW.KERNEL32(0000005C,00000000,00000106,00000105,6D02CD18,00000000,73BCE995,0000005C,00000000), ref: 6D00327E
GetLastError.KERNEL32 ref: 6D003291
GetVolumePathNamesForVolumeNameW.KERNEL32(?,00000000,00000106,00000105), ref: 6D0032D0
__fassign.LIBCMT ref: 6D003324

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Volume$NameNamesPath$ErrorLast__fassign
String ID:
API String ID: 1348221759-0
Opcode ID: ed5baf70840466d885b73fd9b3de489d42470ae6ce1fc0aa892d0d3f52bdd3b6
Instruction ID: 855bd16987ff96ede099320e3be6ae79a0affe58d4dac1b44e9c9b7659dcff58
Opcode Fuzzy Hash: ed5baf70840466d885b73fd9b3de489d42470ae6ce1fc0aa892d0d3f52bdd3b6
Instruction Fuzzy Hash: 5561F6B1D04204ABFB14CF68DC85BAEB7B5EF49304F14812DE902A7291EB75A944CB91

Function 6D015C62 Relevance: 6.2, APIs: 4, Instructions: 172pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(00000000,00000000,00000000,00000000), ref: 6D015C87

Part of subcall function 6D015FFA: __dosmaperr.LIBCMT ref: 6D01603D

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D015B90), ref: 6D015DB2
__dosmaperr.LIBCMT ref: 6D015DB9
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 6D015DF6

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: __dosmaperr$ErrorFileLastNamedPeekPipeType
String ID:
API String ID: 3955570002-0
Opcode ID: 6851c45b58e88c1f089de04660ee80e7f7407ffac1fbd545b6cc73c6c70a886d
Instruction ID: 426b994110eedd12ad051849ae431ddaddb35062898f39431892c596cc45419a
Opcode Fuzzy Hash: 6851c45b58e88c1f089de04660ee80e7f7407ffac1fbd545b6cc73c6c70a886d
Instruction Fuzzy Hash: 3D518A76D08609AFEB14CFE4CC49BBEB7F9FF49314B148929E566DB290E73098418B50

Function 6D020423 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6D020552

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fcfa41b6afce55a7fc1301e8c4abdee8aa17481de78ade4deed0539d8d7e5d1b
Instruction ID: c372a9b40e98d3e0ef84e0093e41a107e047440676683256f12e5642e023fa42
Opcode Fuzzy Hash: fcfa41b6afce55a7fc1301e8c4abdee8aa17481de78ade4deed0539d8d7e5d1b
Instruction Fuzzy Hash: 84411B71E0E3216BFB115BFA8C507AF3AE8FF47334F524215F61897290EB74854146A1

Function 6D0176C8 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3646f348b9c619346c2bf73034b7024156fc2f529361f2943913368412e2daf5
Instruction ID: f244104924e86b5e57de89da2c7e766d4477f35e3e003959f89dc63b71db18f4
Opcode Fuzzy Hash: 3646f348b9c619346c2bf73034b7024156fc2f529361f2943913368412e2daf5
Instruction Fuzzy Hash: 1B412B75E48304EFF7159FB8CC40BAA7BF8EBC9714F21862AE241DB280E7B195018780

Function 6D015E1A Relevance: 6.1, APIs: 4, Instructions: 65timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(00000000,?,?,?,00000000,00000000,000000FF,?,?,00000000), ref: 6D015E48
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 6D015E5C
GetLastError.KERNEL32 ref: 6D015EA4
__dosmaperr.LIBCMT ref: 6D015EAB

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Time$System$ErrorFileLastLocalSpecific__dosmaperr
String ID:
API String ID: 593088924-0
Opcode ID: 9e205418b60b33eaa33a462d6d351f46faeb375a545dbc1d3e052c55c2a5e61a
Instruction ID: 8b1d5de485ea72080a4bcfec5f3bf52e0eb0ad1cab6395826ada8fa3b45f848d
Opcode Fuzzy Hash: 9e205418b60b33eaa33a462d6d351f46faeb375a545dbc1d3e052c55c2a5e61a
Instruction Fuzzy Hash: EE21F976D08109ABEB04DAE4CD48BEE77FCBF09321F504266E615DB180DB34DA458BA1

Function 6D010459 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 6D010473

Part of subcall function 6D0103C0: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 6D0103EF
Part of subcall function 6D0103C0: ___AdjustPointer.LIBCMT ref: 6D01040A

_UnwindNestedFrames.LIBCMT ref: 6D010488
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 6D010499
CallCatchBlock.LIBVCRUNTIME ref: 6D0104C1

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: eb23b95905831b5fffec0f6dfd6375fbc78d73342de290a76073ff75c816097a
Instruction ID: eb2d60eed38110f3ea77ea8faa3a9633492a520276c53d28c2e776959a94d3eb
Opcode Fuzzy Hash: eb23b95905831b5fffec0f6dfd6375fbc78d73342de290a76073ff75c816097a
Instruction Fuzzy Hash: 2601DB72108149BBEF115E96DC40EEB7B6DEF89758F054418FA5866120C732E8719BA1

Function 6D01D491 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,?,?,6D01D438,?,?,6D009950,?,?,6D01D533,00000000,AreFileApisANSI), ref: 6D01D4C3
GetLastError.KERNEL32(?,00000000,00000800,?,?,?,?,6D01D438,?,?,6D009950,?,?,6D01D533,00000000,AreFileApisANSI), ref: 6D01D4CF
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00000000,00000800,?,?,?,?,6D01D438,?,?,6D009950), ref: 6D01D4DD

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d01486af3d140afb4074108e45afb4dea346ba95033cfe294c3124c42a9be5b0
Instruction ID: 82ca5e7e5b8ea33fa0bf5c33cd0c0b725ea54fff43d145aaee0d74dc554f6025
Opcode Fuzzy Hash: d01486af3d140afb4074108e45afb4dea346ba95033cfe294c3124c42a9be5b0
Instruction Fuzzy Hash: FC01D43665A233ABEB214BBC8C49B5B77B8BFC67657614620FD05D7240D724E800C6F0

Function 6D00C810 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,RATE,?,00000100,RATE=,000007D0,?,0000000A), ref: 6D00C875

Strings

RATE=, xrefs: 6D00C846
RATE, xrefs: 6D00C85F

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: RATE$RATE=
API String ID: 1098371912-3280130573
Opcode ID: 85b2f5db3c0df8668d0d7b728321a0fbd493c86de0708c39a509894b7339615a
Instruction ID: 83ae2ad6eeb51bf85d0d791c727d853086ae3d8557b4ab518f23c9f1efc9f534
Opcode Fuzzy Hash: 85b2f5db3c0df8668d0d7b728321a0fbd493c86de0708c39a509894b7339615a
Instruction Fuzzy Hash: A841B671F052196BFB10CB69DC90BEDB3E5DF49360F1142A5E94DE7284EB709E808BA0

Function 6D00C630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,?,?,00000100,?,000007D0,?,00000002), ref: 6D00C714

Strings

ANNOTATE%02d=, xrefs: 6D00C68F
ANNOTATE%02d=, xrefs: 6D00C678

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: ANNOTATE%02d=$ANNOTATE%02d=
API String ID: 1098371912-3061302589
Opcode ID: d48e4c639ae6966879cb8d146f08dbee6113729ac49f16b48726e00602b7448c
Instruction ID: b30809c0188b6c48d6edc972d35b2f832d5f9f830928bb4e31b564539aa3aed9
Opcode Fuzzy Hash: d48e4c639ae6966879cb8d146f08dbee6113729ac49f16b48726e00602b7448c
Instruction Fuzzy Hash: E131D731E44219ABFB24CE64DD80BEEB3F8EF49314F5042ADE949E7180DB715A45CBA0

Function 6D00C4D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,?,?,00000100,?,000007D0,?,00000002,?,ANNOTATE%02d=,00000000,?,ANNOTATE%02d,00000000), ref: 6D00C575

Strings

ANNOTATE%02d=, xrefs: 6D00C545
ANNOTATE%02d, xrefs: 6D00C52E

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: ANNOTATE%02d$ANNOTATE%02d=
API String ID: 1098371912-1841606361
Opcode ID: 007f310c1eb193c1325adc26bf1dc69e570e3c2eca17420c0bec188d5250514f
Instruction ID: 5db7f0387c3c5133f0375f5eb1fd259b2c9f1993ed24f565a98441bd6fb065d6
Opcode Fuzzy Hash: 007f310c1eb193c1325adc26bf1dc69e570e3c2eca17420c0bec188d5250514f
Instruction Fuzzy Hash: 2031B571E00218ABFB20CE65DC84BEDB7F8EF89315F5041AAD90DE7291DB309A448B90

Function 6D00D180 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,SAMPLE 1,?,00000100,$BATT=,000007D0,?,0000000A), ref: 6D00D1D3

Strings

SAMPLE 1, xrefs: 6D00D1BD
$BATT=, xrefs: 6D00D1A4

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: SAMPLE 1$$BATT=
API String ID: 1098371912-3527989080
Opcode ID: bf68575cebe3775af4c17662a2546cd90cbd2ac48ce8365db827cdc37acbe26c
Instruction ID: a81d8268521286905b2a39d048d8ce73987228bc2b37a0ae5bcca5e6427df50d
Opcode Fuzzy Hash: bf68575cebe3775af4c17662a2546cd90cbd2ac48ce8365db827cdc37acbe26c
Instruction Fuzzy Hash: 5D310B32E4822CA6FF2086659D517FDB2A4DF56350F1142B6ED08F75C0EA25CE908BE1

Function 6D00D5B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,SAMPLE 5,?,00000100,$ACCEL=,000007D0,?,0000000A), ref: 6D00D614

Strings

SAMPLE 5, xrefs: 6D00D5FE
$ACCEL=, xrefs: 6D00D5E5

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: SAMPLE 5$$ACCEL=
API String ID: 1098371912-1166773783
Opcode ID: 8f4dd47bfe226a859d9823a91e988bc934d5f9d72066f9596d46a1a067f88977
Instruction ID: d3ee070197df1eac122b651a0091754faa39d8de582f222b41f0874c74579ef6
Opcode Fuzzy Hash: 8f4dd47bfe226a859d9823a91e988bc934d5f9d72066f9596d46a1a067f88977
Instruction Fuzzy Hash: 7C21CF71E04209ABFB11CF65DC41BE9B3F4AF5A314F0102E9E90CA7190EB719AA0CF91

Function 6D00D750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,?,?,00000100,$TIME=,000007D0,?,00000002,?,TIME %04u-%02u-%02u %02u:%02u:%02u,?,?,?,?,?,73BCE995), ref: 6D00D7DA

Strings

TIME %04u-%02u-%02u %02u:%02u:%02u, xrefs: 6D00D7A9
$TIME=, xrefs: 6D00D7C2

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: TIME %04u-%02u-%02u %02u:%02u:%02u$$TIME=
API String ID: 1098371912-604382393
Opcode ID: 7ac687c544e2f70ff3fa34d103424fb60953c87ed80e29c902d61ca9d4b87b7b
Instruction ID: 1816c842fa04ae11dd21936e9908a1d688167d6a4e62d1f2172a46823d368f31
Opcode Fuzzy Hash: 7ac687c544e2f70ff3fa34d103424fb60953c87ed80e29c902d61ca9d4b87b7b
Instruction Fuzzy Hash: 4D1188B2E1010C7BE758C668CC42FFE73AC9B1C300F40026AF91DE7581EA74DA459B91

Function 6D00CC70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,MAXSAMPLES,?,00000100,MAXSAMPLES=,000007D0,?,0000000A), ref: 6D00CCC7

Strings

MAXSAMPLES=, xrefs: 6D00CC95
MAXSAMPLES, xrefs: 6D00CCA9

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: MAXSAMPLES$MAXSAMPLES=
API String ID: 1098371912-1163244196
Opcode ID: 60a4d1d87b9efa0e3b7c059b29b44a10adeae5de1e0e32da9046c39a13242903
Instruction ID: eae64831a62a54ec633395812f83bedc82225a2dcafc9fa23871337a98377e67
Opcode Fuzzy Hash: 60a4d1d87b9efa0e3b7c059b29b44a10adeae5de1e0e32da9046c39a13242903
Instruction Fuzzy Hash: 27118231E4421CA7FB10DB649C41BFDB3B89F59314F1142DAED49EB280EB706A908BD1

Function 6D00D970 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,?,?,00000100,LOCK=,000007D0,?,0000000A,?,UNLOCK %d,?), ref: 6D00D9D5

Strings

UNLOCK %d, xrefs: 6D00D996
LOCK=, xrefs: 6D00D9BD

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: UNLOCK %d$LOCK=
API String ID: 1098371912-2081717695
Opcode ID: 6839f8e2e9a1788d6662b45c5ec0c62307cb358cb431aca8038b21869f70b0c2
Instruction ID: d7a96fc0fc4146cade979f86b3035f1adecc1a1abcc2bd6873d1cbf209e92de6
Opcode Fuzzy Hash: 6839f8e2e9a1788d6662b45c5ec0c62307cb358cb431aca8038b21869f70b0c2
Instruction Fuzzy Hash: 04118F71E4810CAAFB50DB64CC41BFD73B89F1A314F1142D9F94DEB190EB71AA948BA1

Function 6D00D810 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,lock,?,00000100,LOCK=,000007D0,?,0000000A), ref: 6D00D867

Strings

lock, xrefs: 6D00D849
LOCK=, xrefs: 6D00D835

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: lock$LOCK=
API String ID: 1098371912-2458490141
Opcode ID: 33ef95e584aae676935d5691bea527a83c75781187cec847029cf7ebc5259cfa
Instruction ID: ea77031e7db9471d47093afeb5ffe0692bcae9768da64f9ec1387a407a083081
Opcode Fuzzy Hash: 33ef95e584aae676935d5691bea527a83c75781187cec847029cf7ebc5259cfa
Instruction Fuzzy Hash: C3110831E4421DA7FB109B248C41BFD73B8DF59318F054299EE49EB281EB70AA948FD1

Function 6D00D500 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,?,?,00000100,LED=,000007D0,?,0000000A,?,LED %d,?), ref: 6D00D563

Strings

LED=, xrefs: 6D00D54B
LED %d, xrefs: 6D00D51C

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: LED %d$LED=
API String ID: 1098371912-1559619084
Opcode ID: f85f6f4255cdde8a97eec4c431095e59468e4d05b9d42097d0008e2639114cba
Instruction ID: 9e3fc01b5fa9f1d9c451f57d83bd602882e4f46fc38ea6aef4fddc3ddc87b52d
Opcode Fuzzy Hash: f85f6f4255cdde8a97eec4c431095e59468e4d05b9d42097d0008e2639114cba
Instruction Fuzzy Hash: 0F113071E4420CAAFB10DB64CD41BFDB3B89F5D304F1182A5ED0DE6190EB71AA948BA1

Function 6D00CD30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,?,?,00000100,MAXSAMPLES=,000007D0,?,0000000A,?,MAXSAMPLES %u,?), ref: 6D00CD93

Strings

MAXSAMPLES %u, xrefs: 6D00CD4C
MAXSAMPLES=, xrefs: 6D00CD7B

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: MAXSAMPLES %u$MAXSAMPLES=
API String ID: 1098371912-1988451946
Opcode ID: 90c7ff23c18d6be54ea8325a0292c588a253a27e3fd7b19181702a8ac910f4c4
Instruction ID: 0360abf2c9f5c832d7dee14547322320af1be31fd01d85aaaa701454353ff6d7
Opcode Fuzzy Hash: 90c7ff23c18d6be54ea8325a0292c588a253a27e3fd7b19181702a8ac910f4c4
Instruction Fuzzy Hash: 86118231E4420DAAFB10CF75CD40BED73B89F09304F018296BA0DE6190EB70AA948B95

Function 6D00C420 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,?,?,00000100,SESSION=,000007D0,?,0000000A,?,SESSION %u,?), ref: 6D00C483

Strings

SESSION=, xrefs: 6D00C46B
SESSION %u, xrefs: 6D00C43C

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: SESSION %u$SESSION=
API String ID: 1098371912-3541579760
Opcode ID: dbbc6a3d6bb10247104f5982fc63b4758c78b5d1cd1237dd5ef7cc67126b814e
Instruction ID: d708b1bdf31e440b645be1e1470388155ce8922c7648747ae12448511243be41
Opcode Fuzzy Hash: dbbc6a3d6bb10247104f5982fc63b4758c78b5d1cd1237dd5ef7cc67126b814e
Instruction Fuzzy Hash: 35118E31E4420CAAFB10CF74CD80BFD73B89F1D304F018299B90DEA191EB71AA948B95

Function 6D00D460 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

OmCommand.LIBOMAPI(?,STATUS 2,?,00000100,BATTHEALTH=,000007D0,?,0000000A), ref: 6D00D4B3

Strings

BATTHEALTH=, xrefs: 6D00D484
STATUS 2, xrefs: 6D00D49D

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: Command
String ID: STATUS 2$BATTHEALTH=
API String ID: 1098371912-2118528183
Opcode ID: 61a678066b82f8169f08fee12ce8a1f26159991e5d13f737430e17ec764c009b
Instruction ID: c6037b405aad8a98c1653c2b1c5fd2d798e4998121d2ff6b95186218e5979f37
Opcode Fuzzy Hash: 61a678066b82f8169f08fee12ce8a1f26159991e5d13f737430e17ec764c009b
Instruction Fuzzy Hash: AA017170E4420CA7FB10CB619C41BFDB3B89F1A304F4142D9AE4CA6181EB706A908F91

Function 6D01E7DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D01671C: EnterCriticalSection.KERNEL32(0000001C,?,6D016850,00000001,6D02F6F0,0000001C,6D0191AD,?,6D00B191,00000000,00000000,00000000,6D02F880,00000010,6D019158,?), ref: 6D016737

FlushFileBuffers.KERNEL32(00000000,6D02FA60,0000000C,6D01E89B,6D0310E0,6D0310E0,?,6D0310E0,?,000003E8), ref: 6D01E828
GetLastError.KERNEL32 ref: 6D01E839

Strings

&om.downloadMutex, xrefs: 6D01E820

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: &om.downloadMutex
API String ID: 4109680722-665916619
Opcode ID: be4c15c8f0453143cd7eee2cc6abe60f231d520a0736774f49052ed8f28b4f49
Instruction ID: 5e37e7a2651f8e317f8df5a6e6d179e3d494430b7792f71dabd996a3b457af31
Opcode Fuzzy Hash: be4c15c8f0453143cd7eee2cc6abe60f231d520a0736774f49052ed8f28b4f49
Instruction Fuzzy Hash: 0F01DF71E182019FEB00DFF8CC44B4D7BB9AF4A724B16420AE525DB2E1DB7499418B80

Function 6D00E696 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D00E6A2

Part of subcall function 6D00E619: std::exception::exception.LIBCONCRT ref: 6D00E626

__CxxThrowException@8.LIBVCRUNTIME ref: 6D00E6B0

Part of subcall function 6D00FE27: RaiseException.KERNEL32(?,?,?,6D00F090,?,76E82FA0,?,?,?,?,?,?,6D00F090,?,6D02F494), ref: 6D00FE87

Strings

Unknown exception, xrefs: 6D00E6BD

Memory Dump Source

Source File: 00000010.00000002.1723737782.000000006D001000.00000020.00000001.01000000.00000017.sdmp, Offset: 6D000000, based on PE: true

Associated: 00000010.00000002.1723685597.000000006D000000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1723955939.000000006D027000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724049058.000000006D031000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.1724107549.000000006D033000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d000000_OmGui.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: Unknown exception
API String ID: 1586462112-410509341
Opcode ID: d206657f72c48defb3938d578c053874bd9739087d38c2c95929cbada278c72c
Instruction ID: 05fdfcda8bcc81fae1f1e5979fd36ef71fa87fb2ac18f0f39d1f323ce4d30b7e
Opcode Fuzzy Hash: d206657f72c48defb3938d578c053874bd9739087d38c2c95929cbada278c72c
Instruction Fuzzy Hash: 33D0A738E0410877FB00DAA4D820B5C7B7C6F00288B9080A4AA44D7051F770E60587C0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AX3-GUI-45.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Open Movement\OM GUI\OmApiNet.dll (copy)

C:\Program Files (x86)\Open Movement\OM GUI\OmGui.exe (copy)

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\64x64 converter.ico (copy)

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA Convertor.exe (copy)

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA Convertor.gif (copy)

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA Convertor.plugin (copy)

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\OMPA convertor.html (copy)

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\bootstrap-responsive.css (copy)

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\bootstrap-responsive.min.css (copy)

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\bootstrap.css (copy)

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\bootstrap.min.css (copy)

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\is-93OIK.tmp

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\is-BVQ2P.tmp

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\is-GA9GG.tmp

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\is-JSF5T.tmp

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\is-QCCS6.tmp

C:\Program Files (x86)\Open Movement\OM GUI\Plugins\Convert_CWA\css\page.css (copy)

Windows Analysis Report
AX3-GUI-45.exe

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre