Edit tour

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.6479.21607.exe

Overview

General Information

Sample name:	SecuriteInfo.com.FileRepMalware.6479.21607.exe
Analysis ID:	1546265
MD5:	5e96050ed8827efeb9c90d59ce708f10
SHA1:	83dca0d791cfaeca7fe8ad68fed370c37ef48ce1
SHA256:	0a9157f45b50d30bc4ba535bf2e5ee8a447870edaf887ba7e7fe011e4081d075
Tags:	exe
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to infect the boot sector

Machine Learning detection for dropped file

PE file has a writeable .text section

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.FileRepMalware.6479.21607.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe" MD5: 5E96050ED8827EFEB9C90D59CE708F10)

dqwhj_errwd.exe (PID: 7344 cmdline: "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc MD5: 75A7CC387D1E24DE8BA1275E81A840D1)

dqwhj_errwd.exe (PID: 7428 cmdline: "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun MD5: 75A7CC387D1E24DE8BA1275E81A840D1)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T17:22:17.022414+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49747	TCP
2024-10-31T17:22:56.685751+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49764	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T17:22:02.053802+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	159.75.141.43	80	TCP
2024-10-31T17:22:06.396934+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	163.171.133.72	80	TCP
2024-10-31T17:22:19.130275+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49748	159.75.141.43	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Avira: detection malicious, Label: HEUR/AGEN.1303415

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

ReversingLabs: Detection: 53%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe

ReversingLabs: Detection: 50%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Joe Sandbox ML: detected

Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 180.188.25.9:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 43.154.254.89:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 60.221.17.65:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 60.221.17.65:443 -> 192.168.2.4:49761 version: TLS 1.2

Source:	Binary string: \Bin\lander.pdbX G source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr
Source:	Binary string: \Bin\lander.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr
Source:	Binary string: \Bin\iconTips.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr
Source:	Binary string: \Bin\iconAnimate.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr
Source:	Binary string: \Bin\lander.pdbX L source: dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: Joe Sandbox View

IP Address: 163.171.133.72 163.171.133.72

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 163.171.133.72:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 159.75.141.43:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 159.75.141.43:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49747
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49764

Source: global traffic	HTTP traffic detected: GET /httpsEnable.gif?t=1730391733433 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: my.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /TCaptcha.js HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/tcaptcha-frame.5e0f125a.js HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /template/drag_ele.html HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/dy-jy3.js HTTP/1.1Accept: /Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/dy-ele.16bf5dd7.js HTTP/1.1Accept: /Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dy-jy3.js HTTP/1.1Accept: /Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gameapp.37.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1.css?t=1730391723 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/js/client/game1.js?t=1730391723 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2017/06/19141848xsCpC.jpg HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img2.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/sq/lib/sq.core.js?t=20140304 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.login.js?t=20230803101600 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /controller/client.php?action=register&game_id=417&tpl_type=game2 HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gameapp.37.comConnection: Keep-AliveCookie: PHPSESSID=r8n5i200li7ekleljhb17avtb1; sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/rem_on.png HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/kv-ico.png HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1.css?t=1730391727 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/js/client/game1.js?t=1730391727 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2017/06/19141848xsCpC.jpg HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img2.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/sq/lib/sq.core.js?t=20140304 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.login.js?t=20230803101600 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/reg.jpg HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/dot.png HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /www2015/images/common/third-logo-24.png HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.tab.js HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.statis.js HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.clientclass2.js?t=1730391727 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /controller/istat.controller.php?platform=37wan&item=u3tfl5ftfl&game_id=417&sid=&position=1&ext_1=4&ext_2=wd_37cs&ext_3=921614&ext_4=&ext_5=gy&ext_6=&login_account=&browser_type=&user_ip=&refer=wd_37cs&uid=921614&page=4&t=1730391732770 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: a.clickdata.37wan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /www2015/images/reglog/200x42.png?v=1 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /www/css/images/common/dialog2/bg-dialog-avatar.png?v=1 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /proxy_yk.html HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: regapi.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /www/css/images/common/ico.png HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/ HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cm.he2d.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/sq/lib/sq.core.js HTTP/1.1Accept: /Referer: http://regapi.37.com/proxy_yk.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /sys/?u=uK4jZ7lpa5IBAAAALNcr&fdata= HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: cookiem.37.comCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/btn-log-short.jpg HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/btn-reg.jpg HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Code function: 1_2_0047DFE0 _memset,InternetCrackUrlW,InternetOpenW,InternetConnectW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpOpenRequestW,HttpSendRequestW,HttpQueryInfoW,HttpQueryInfoW,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CreateFileW,InternetReadFile,WriteFile,CloseHandle,

1_2_0047DFE0

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 31 Oct 2024 16:22:03 GMTContent-Type: text/html;charset=UTF-8Connection: closeSet-Cookie: PHPSESSID=r8n5i200li7ekleljhb17avtb1; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheSet-Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; path=/; domain=37.comSet-Cookie: client_type=3; path=/; domain=37.comContent-Encoding: gzipserver-timing: inner; dur=79Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b5 5a 7b 73 d3 56 16 ff bb cc f4 3b a8 62 5b 92 82 2c c9 76 e2 b7 3b 34 94 60 86 d0 10 28 29 9e ce 30 57 0f db 8a f5 42 92 ed 38 29 33 30 b3 b4 dd 6e 69 e9 ce f6 c5 32 db c7 2e 1d 66 bb 6d 77 a7 33 6d 77 4b db 0f 43 9c c0 5f fb 15 f6 9c ab 87 25 5b 81 50 40 26 96 74 ef 3d e7 fc ce b9 e7 71 ef c5 d5 67 14 4b f6 86 b6 ca 74 3c 43 af ef ab e2 8d d1 89 d9 ae b1 1b 1d 16 1b 54 a2 d4 f7 31 70 55 0d d5 23 8c dc 21 8e ab 7a 35 f6 95 33 47 b9 22 cb f0 41 a7 a7 79 ba 5a 1f fd f2 cd ce 57 df 56 79 ff 2d 46 66 12 43 ad b1 2d c7 32 3d d5 54 58 46 a6 0f c0 a6 43 4c 10 14 b1 d1 Data Ascii: Z{sV;b[,v;4`()0WB8)30ni2.fmw3mwKC_%[P@&t=qgKt<CT1pU#!z53G"AyZWVy-FfC-2=TXFCL
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/pngContent-Length: 912Connection: keep-aliveAge: 2505797Cache-Control: max-age=2592000Content-Encoding: gzipEtag: "59438b1e-764"Expires: Fri, 01 Nov 2024 16:18:50 GMTLast-Modified: Fri, 16 Jun 2017 07:39:10 GMTVary: Accept-EncodingX-Bdcdn-Cache-Status: TCP_HITX-Request-Id: 0a19ff7cb6bc940fd8c4beaba853c0a9X-Request-Ip: 173.254.250.77X-Response-Cache: edge_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:07 GMTvia: pic03.hnxxcmData Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 53 5d 6c 14 55 14 3e cd 36 c5 40 9a 10 9f 40 1e bc cc 82 d1 c4 dd d9 d9 76 4b 77 e8 42 ba 3b bb ed 46 a6 94 ed 46 ab 2f 74 76 e6 b6 3b 29 f3 d3 99 db ee 6e 83 51 8b 62 c0 3f 4c 48 fc a1 a6 12 45 22 08 44 8d 08 56 d0 28 3e 90 2c a0 46 08 3f 35 d1 04 21 e1 85 07 7e da 20 e1 7a 67 e9 96 c4 b8 c6 27 9f f8 92 99 7b cf cd f7 9d 7b ce b9 e7 6c e9 ee ea 68 9c ff d0 7c 00 68 4c 77 4a 19 b6 2e 61 df 82 07 7c ec 7f 78 aa e1 36 5b 16 93 64 2f e9 b1 fa 49 41 71 30 b4 6b 56 0e a3 b4 a1 0c e0 0c 56 b4 d2 d0 71 dc 06 e0 f3 eb d9 5e d2 2b af 11 55 cb 08 2a 1e 27 58 34 6c f0 d0 b6 ba 68 2b ea 20 26 28 87 07 74 33 c6 5d 9d fc 86 43 ba 16 e3 9e 8a c8 21 d9 4e e0 bc de 39 ea e0 9e d1 ae ac 3a 3a a8 46 35 6e f5 2a d4 56 14 99 03 03 13 05 15 8d 0d a6 2b 16 63 5c c5 af c8 f6 de 31 cf a1 0a 85 0c c6 b8 bb 41 f5 ca dd 28 61 39 18 45 82 91 80 1a 12 9a d1 8a 68 50 88 08 cd ad c2 e3 28 1c 12 9a f8 50 13 2f 34 05 84 b0 18 8a 8a 42 04 cd 82 63 b7 39 5a bf 98 91 52 b3 77 31 2b c6 e5 09 b1 45 9e 2f 14 0a c1 42 53 d0 72 06 78 21 1a 8d f2 a1 30 1f 0e 07 18 23 e0 96 4c a2 14 03 a6 eb af 7a 90 b0 ab 3a ba 4d 74 cb 44 9e ad e4 ac 61 12 e3 b8 6a 0a 86 3d e7 d6 74 67 cb c4 0a c6 17 15 9b 17 82 21 2f a5 2a 51 96 ff 9d 6a 18 73 6c 97 64 f0 bd 78 ff 91 ed 66 4b 36 e6 33 d8 b5 86 1d 95 3d 5c bf df 13 db 62 c2 c1 0a b1 9c ac 65 6d a8 56 b1 3b 6f 11 cb cd 5b 36 4a 24 d0 a3 b2 a2 ea a6 67 3f 56 11 c8 b2 98 36 5d a2 98 2a 4e 4b 31 8e 9d 04 75 5d 13 c3 52 24 d2 1e 4f 49 2b 84 e6 84 20 24 9b db 59 f1 5b e3 d1 96 96 16 a1 35 1c 4e 09 55 ad 64 a9 c3 06 36 49 55 ab dd d3 26 6b 6a bd 5e b8 ab c6 8e 3e 82 b5 94 63 19 a8 92 b3 a8 d7 8e 25 5e d3 df ac 56 ab 1d 4b a2 a6 96 67 c1 f0 7f 7b e9 ea 11 6b 1f 6f 3b d7 b7 cc 98 eb 7c 6c b2 76 77 58 5f 4f 1e ed d9 c8 c6 05 ba d7 64 93 6c 36 28 c3 cf 40 7f 01 7a 06 e8 49 a0 a7 80 1e 87 4b 9f 01 fd 0e e8 31 b8 f2 29 ec db 04 74 12 e8 d7 40 0f 02 3d 0c 74 3f d0 cf e1 f7 71 a0 7b 80 ee 05 ba 0f e8 07 40 3f 82 3b bb e0 d6 04 9c 7b 15 e8 fb 40 77 c2 af 5b e1 80 09 cf ad 05 ba 03 ee bc Data Ascii: S]lU>6@@vKwB;FF/tv;)nQb?LHE"DV(>,F?5!~ zg'{{lh\|hLwJ.a\|x6[d/IAq0kVVq^+U'X4lh+ &(t3]C!N9::F5nV+c\1A(a9EhP(P/4Bc9ZRw1+E/BSrx!0#Lz:MtDaj
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/pngContent-Length: 1078Connection: keep-aliveAge: 2443286Cache-Control: max-age=2592000Content-Encoding: gzipExpires: Sat, 02 Nov 2024 09:40:41 GMTLast-Modified: Fri, 16 Jun 2017 07:39:10 GMTVary: Accept-EncodingX-Bdcdn-Cache-Status: TCP_HITX-Request-Id: 76736ea00734abf7da8cab947d6bad4cX-Request-Ip: 173.254.250.77X-Response-Cache: edge_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:07 GMTvia: pic03.hnxxcmData Raw: 1f 8b 08 00 00 00 00 00 00 03 eb 0c f0 73 e7 e5 92 e2 62 60 60 e0 f5 f4 70 09 02 d2 7c 20 cc c1 0c 24 35 a6 dd 7d 0c a4 24 4b 5c 23 4a 82 f3 d3 4a ca 13 8b 52 19 1c 53 f2 93 52 15 3c 73 13 d3 53 83 52 13 53 2a 0b 4f a6 da 30 30 30 2b 67 86 44 94 44 f8 fa 58 25 e7 e7 ea 25 82 d4 e8 55 e4 16 30 80 80 8d 7d 45 41 62 72 76 6a 89 42 52 6a 7a 66 9e ad d2 fb dd fb 95 14 32 53 6c 95 c2 4d 7d 0d 7c 0b 9c 53 33 32 3d aa 8a 52 83 ab fc 42 92 ab b2 93 2d 53 94 ec ed 14 6c 2a ac 80 06 e4 a6 96 24 2a 54 e4 e6 e4 15 5b 55 d8 2a 81 cd b5 02 b2 41 c2 fa 4a 0a 60 25 25 d9 b6 4a 10 47 45 f8 06 28 38 e7 17 a5 2a 98 ea 99 ea 26 1b 18 9a 28 98 5b ea 19 9a 1a 9a 58 18 ea 28 18 19 18 1a eb 1b 18 eb 1b 1a eb 1a 1a 59 19 58 5a 19 9a 2a 40 81 12 d0 b6 a2 94 34 ab 20 17 37 a8 5d 40 9e ad 52 46 49 49 81 95 be 7e 79 79 b9 5e b9 b1 5e 7e 51 ba be a1 a5 a5 a5 be 81 91 be 91 91 2e 50 85 6e 71 65 5e 49 62 85 6e 5e b1 32 cc 04 97 d4 e2 e4 a2 cc 82 92 cc fc 3c 05 10 3f 31 29 bf b4 c4 56 49 09 e6 85 dc 02 b8 b1 79 c5 d0 60 02 06 98 7e 45 62 81 be a1 9e 01 c8 4b 30 85 be be f8 95 e6 e6 c2 55 17 97 04 a5 22 dc 8b 55 75 71 48 65 41 aa 7e 50 6a 71 7e 69 51 32 30 e2 d2 94 41 9a 0b ac 9c 8b 52 13 4b f2 8b 42 f2 f3 73 60 a1 18 90 91 5f 92 5f 9c 91 5f a0 e0 ec ac a0 e1 9b 98 9c 99 07 e2 6b 82 35 f8 fa 5a 79 e6 15 97 24 e6 25 a7 7a ba d8 2a 01 45 f4 32 33 53 ac 8c 4d dc 5c 8c 5c cc 8d 2d 4c 8c 2d 0c 0d 5d 4d 2c 1d 9d dd 9c 8d 5d 4d 5d cc cd 8c 0c cd 0c 8d 61 7a 5d f2 93 4b 73 53 f3 4a 60 7a 53 10 7a 4d 70 ea 05 a5 05 88 ee d4 a2 cc b2 d4 14 b7 a2 fc 5c 05 b0 9f ad 32 71 bb c5 10 a7 79 50 bd 29 b8 dd 62 84 53 af 3e d0 31 fa 68 31 0d 13 02 26 1f 10 13 9e 6e 81 1c 78 ca 4f cd 03 26 f7 22 60 ba 6e 60 31 f6 05 66 17 86 00 9f 10 57 60 de f8 ff ff ff c1 89 6e 47 a7 7a 1c 9e ec 7e 64 8a c7 da 46 bb ed 9d 4e 5b da 1d 97 54 59 77 a7 18 4c c9 31 69 4f d4 9f 5b 6c 51 19 aa 59 1d ae 55 1a a4 91 ec ac 90 e3 a5 22 23 c0 22 c5 cf 22 c1 c7 22 c6 cb 22 2b c0 22 cd cf 22 c9 c7 22 27 c8 2a ce cb 12 64 22 19 64 2a 19 60 2c 29 c9 cb 2c ce c3 2c c5 c7 22 01 52 c3 1a 60 24 e1 a5 27 26 c5 cb ec a2 21 ec ac 21 2c c1 c3 22 ce c3 Data Ascii: sb``p\| $5}$K\#JJRSR<sSRSO000+gDDX%%U0}EAbrvjBRjzf2SlM}\|S32=RB-Sl$T[UAJ`%%JGE(8&([X(YXZ@4 7]@RFII~yy^^~Q.Pnqe^Ibn^2<?1)VIy`~Eb
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 31 Oct 2024 16:22:07 GMTContent-Type: text/html;charset=UTF-8Connection: closeExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheContent-Encoding: gzipserver-timing: inner; dur=141Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b5 1a fb 73 13 d5 fa 67 99 f1 7f 58 97 ab b4 c2 76 1f 49 9b 77 1c 2c 52 c2 50 2c 05 a9 64 9c 61 f6 95 64 9b 7d b1 bb 49 9a 56 66 ca 8c 95 5e a4 52 bc 8a ca 70 e7 aa 57 b8 8c 0a 78 af 77 04 05 e5 8f a1 9b 94 9f ee bf 70 bf 73 f6 91 dd 24 ad 45 ca a6 cd ee 9e f3 bd cf f7 3a a7 cd bf 22 19 a2 d3 36 65 a2 e6 68 6a 71 4f 1e dd 08 95 d7 ab 05 72 b1 46 a2 01 99 97 8a 7b 08 b8 f2 9a ec f0 84 58 e3 2d 5b 76 0a e4 3b a7 0e 53 69 92 a0 fd 49 47 71 54 b9 e8 fe 7e b7 fb fd bd 3c ed bd 45 d0 74 5e 93 0b 64 c5 32 74 47 d6 25 92 10 f1 03 90 a9 f1 3a 30 0a c9 a8 8a 5e 27 2c 59 2d 90 b6 d3 56 65 bb 26 cb 0e 49 d4 2c b9 52 20 69 5a d1 aa ec 58 22 d5 e2 75 78 1a 13 0d 8d 9e 5f 14 cf d1 a2 6d d3 a2 aa 00 3d ba 0a 7c d8 31 18 78 c3 29 b0 a9 04 93 c8 b0 29 2e 15 d2 df 93 a7 3d 85 f2 82 21 b5 7d 9e 92 d2 24 44 95 b7 ed 02 89 c4 e2 15 5d b6 90 0c bc a3 34 65 78 a8 12 4e 4d b1 24 b0 06 86 0f 71 14 a9 40 c2 2c 55 31 2c 8d 0c 28 04 03 21 01 d2 e3 12 62 9a 01 a4 49 55 14 cb 76 08 93 b2 a8 86 6d f5 c1 61 58 95 17 64 95 00 72 1e dd 86 2d 5b c8 90 64 b1 fb e9 ed ce ea 7d f7 c1 ba 7b e5 fe ff 1e 5d cf d3 18 b2 98 57 74 b3 e1 10 68 41 0b a4 23 2f 80 e9 02 21 43 5c 7f 29 e2 63 11 e1 c3 41 ba 98 b7 4d 5e 0f e6 6c 87 77 1a 36 59 cc d3 68 b4 4f 29 da dc 4a 4b 44 d2 51 4c 02 34 44 77 b2 98 a4 38 66 e3 c1 77 9d cf 7e 74 ef 7c fe 64 f9 02 7c 77 ee ad 75 56 af 6d 2e af 6c 3c f8 c8 5d fd a4 fb eb e3 ee c3 0f 3a ab eb db 90 45 46 33 5b 68 4d a2 f3 18 a6 cf 68 26 c0 b7 0c b4 7c 9b 77 7f ef fe 76 d7 bd f7 61 f7 ab 0b 5b 19 2d 84 0e 0d d7 1b e9 19 ae 37 16 d1 32 1c dc 5d c3 81 96 9e e1 26 b6 31 5c f7 af bf 74 ee 5e 82 91 ee 0f b7 76 6a 3b ee 19 8c 07 b0 4f 2f ae b9 df ae fd 59 eb 71 c3 cc c7 0d b5 1f b7 fb 06 e4 3c 0b 6e 3c f8 b6 f3 c3 d7 9b bf ff cd 5d b9 d9 bd fe 81 a7 cb e6 bd fb 1b 8f ff de b9 7c 61 e3 c1 f2 e6 c5 ff 6e 43 d0 16 c9 b8 60 62 4d 16 eb 04 fe a6 0c dd 53 1a bf 09 c6 82 17 a7 be c8 79 de 4f 61 35 c7 31 b3 34 ad b5 21 8b e1 fc 85 a2 ed 2c 5f b5 64 59 83 f4 35 86 d2 6f 68 94 70 98 24 1c de aa a2 a4 7b 56 80 dc 5c 27 8b 9d d5 ab ee fd ff 3c fd 62 65 f3 de 43 f7 97 9f dd f5 cb 9d 0f ae 3c 59 be e4 e5 85 ce 4f b7 dd 0f 2f 77 6e ac b9 97 be 76 d7 ae 6c de bd eb 5e b9 f4 f4 fa 7a f7 5f 17 3a 9f 3e ee de b9 f6 64 f9 a3 3c cd 17 07 75 0d e4 dc 1b 0a 21 38 3a 01 bf 14 58 13 c4 40 69 bd 40 22 bd f8 2d 30 7d 0d 51 1e e6 4d 33 50 13 e5 55 cb 50 55 d9 f2 13 f5 98 59 33 df 40 40 67 c1 68 49 36 f5 9a 63 aa 67 b1 13 a1 41 ee 35 a0 25 5b 85 96 74 36 91 12 ed d7 1a 00 94 e1 d8 09 36 39 20 97 6a 54 29 bb 66 58 ce 30 a1 a2 99 1d b3 a5 70 26 a7 70 95 89 8e 90 04 2e 37 05 52 52 6c 53 e5 db 59 dd d0 d1 f2 e1 d5 73 57 7e de 78 78 cd 4b b6 dd 2f 1f b
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/jpegContent-Length: 41066Connection: keep-aliveAge: 1215620Cache-Control: max-age=2592000Content-Encoding: gzipEtag: "59438b1e-a44a"Expires: Sat, 16 Nov 2024 14:41:48 GMTLast-Modified: Fri, 16 Jun 2017 07:39:10 GMTVary: Accept-EncodingX-Bdcdn-Cache-Status: TCP_HITX-Request-Id: 7f0f1a632160649a6c61a0c50335d249X-Request-Ip: 173.254.250.77X-Response-Cache: edge_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:08 GMTvia: pic03.hnxxcmData Raw: 1f 8b 08 00 00 00 00 00 00 03 b4 b9 75 5c 9b 4f b7 2f 1a dc 9d 00 c5 5d 82 06 77 77 8a 13 bc 14 2f 01 82 7b 29 d2 a2 29 ee 45 0a c5 2d 58 09 5a a0 05 82 d3 e2 50 a0 a5 68 71 2b 14 8a 1e fa 3b ef bb f7 b9 f7 ec b3 ef f9 e7 ce 27 79 3e 33 6b 96 7c d7 ac 59 33 eb 49 ee 17 ee 57 01 34 6a 41 50 67 00 40 4b 0b 04 c0 05 fc 67 bb df 07 90 a9 fa 3b b8 05 03 d0 00 98 0f 63 d9 07 d2 2a 46 a0 8b 9f 9f 97 b4 a0 a0 87 af 80 9d a3 a7 bd 93 80 83 27 4c 30 c8 ce 4b 10 2c 20 24 08 90 55 08 f2 b2 73 70 73 f2 63 b6 77 7a 06 f5 90 63 3d ea ec 61 65 86 3a ca b1 9a 89 e9 0a e9 7a a9 38 b9 40 35 43 7c 9c 8c 43 f4 4c 1c 42 dc 1c a4 1c 59 15 e4 99 65 83 a4 83 60 5e 30 27 3f 3b e6 20 98 bb 87 af 74 90 1c eb 3f ca a5 1f fa 7f c9 82 ac cc ff b0 f8 b9 c9 b1 2a fd 9d 60 36 d7 35 60 56 f1 f4 71 62 16 13 10 e3 77 10 02 8b 32 4b 48 09 80 c5 c0 a2 92 60 3e 66 61 21 b0 88 a0 90 88 20 58 84 1f 2c 2c 2d 24 25 0d 16 63 fe 57 63 7d b0 e6 e3 e8 2c 6d a4 aa fe 2f 5b 0f 23 39 d6 7f 39 15 18 18 28 10 28 22 e0 e9 f3 4c 10 2c 25 25 25 28 24 2c 28 2c cc ff c0 c1 ef 1b ec e1 67 17 c4 ef e1 cb f6 6f 0d aa 4e be 0e 3e 50 2f 3f a8 a7 07 f3 df b1 9d bd a7 bf 9f 1c 2b eb bf 5d 80 79 e9 ea fe 87 e2 ff 72 b5 60 b0 bf 7e fd c3 ed eb 67 e4 f4 9f 30 fe 4b 6e 5f 93 60 2f 27 41 23 27 5f 4f 7f 1f 07 a7 07 76 b6 ff c5 d4 7f 2f fa 97 f1 01 8d b4 be 0f f4 21 28 76 ee aa 9e 0e fe 30 27 0f 3f 2d 55 39 d6 87 19 01 47 a8 a3 b4 04 58 4c 58 4a 48 58 5d 44 48 45 4c 4d 04 0c 56 06 0b a9 28 89 aa 08 4b 8a 4a 29 81 95 85 24 fe ad e3 bf 92 95 14 03 ab a9 0a ab 2a 89 4a 09 4b 81 c1 6a 12 4a e2 ea 42 92 42 4a a2 c2 c2 6a 6a 6a 2a ca 2a ff 96 d5 f2 f0 f5 b3 f3 70 70 fa b7 2c f4 3f 65 a5 fe 5b 59 69 15 1f 27 3b 3f 4f 1f 13 4f 4f f7 7f ef 00 03 17 4f 3f 4f 5f 17 4f 2f 66 15 95 bf 11 17 63 e6 36 83 7a 38 7a 06 fa f2 fc 0d d1 bf d0 3a f9 40 03 9c 1c d5 7d 3c 61 cc ff ac b1 34 f4 bf c0 e0 24 09 16 15 76 b0 07 f3 0b 89 49 8a f0 8b da 49 48 f1 4b da 09 d9 f3 4b 39 3b 08 39 48 09 09 d9 8b 3b 08 b1 fe 4b de f1 bf f0 ff ff 73 ed 04 1f 00 09 fe bf 36 cd bf 49 0f 3b f1 6f Data Ascii: u\O/]ww/{))E-XZPhq+;'y>3k\|Y3IW4jAPg@Kg;cF'L0K, $Uspscwzc=ae:z8@5C\|CLBYe`^0'?; t?`65`Vqbw2KH`>fa! X,,-$%cWc},m/[#99(("L,%%%($,(,goN>P/?+]yr`~
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/jpegContent-Length: 18275Connection: keep-aliveAccess-Control-Allow-Headers: X-Requested-WithAccess-Control-Allow-Methods: GET,POST,OPTIONSAccess-Control-Allow-Origin: Age: 1645057Cache-Control: max-age=2592000Content-Encoding: gzipEtag: "59476cc8-490e"Expires: Mon, 11 Nov 2024 15:24:32 GMTLast-Modified: Mon, 19 Jun 2017 06:18:48 GMTVary: Accept-EncodingX-Bdcdn-Cache-Status: TCP_HITX-Request-Id: 61816d58b5ba3fd3d61a03f678e512b3X-Request-Ip: 173.254.250.77X-Response-Cache: edge_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:09 GMTvia: pic01.hnxxcmData Raw: 1f 8b 08 00 00 00 00 00 00 03 8c ba 05 50 5d cf d2 2f ba 71 77 77 77 db 1b 77 77 77 49 70 77 dd b8 05 77 0d ee ee 6e c1 09 6e 1b 0b 10 9c e0 c1 25 10 3c e4 26 ff 73 ce f7 dd fb de 57 f7 bd a9 9a aa d5 d3 32 bf 9e ee 5e 33 6b 6a fd 5e fd bd 0b 20 94 f1 b1 b3 06 00 14 14 98 01 88 80 ff 6e bf cf 01 58 d2 9e 16 0e be 00 28 00 ec 1f 5a f8 cf d0 2e 8c b7 2d 18 ec 2a c8 c1 e1 ec c1 6e 66 e9 62 6e c5 6e e1 e2 c4 e1 63 e6 ca 01 62 07 72 00 84 c5 7c 5c cd 2c 1c ac c0 94 e6 56 36 76 ce 22 d4 57 3d 03 d4 94 76 96 22 d4 7a 3c 2a 40 15 57 29 2b 5b 3b 79 3f 77 2b 2d 3f 55 6d 0b 3f 07 0b 01 4b 6a 31 51 4a 61 1f 41 1f 27 57 27 2b b0 19 a5 8f 93 a3 b3 87 a0 8f 08 f5 3f c6 05 ff 3c ff 1d e6 a0 a6 fc 47 04 ec 20 42 2d f1 97 41 a9 af a2 4e 29 e5 e2 6e 45 c9 c3 ce cb 66 01 e4 e5 a3 e4 13 60 07 f1 f0 f1 71 f3 b1 52 72 02 41 3c 1c 40 2e 0e 2e 20 1b 27 97 20 37 50 90 9b 93 f2 df 8d fa cf 6c ee 96 d6 82 9a d2 b2 ff 9e eb 0f 25 42 fd 6f a7 bc bd bd d9 bd b9 d8 5d dc 6d 38 40 02 02 02 1c 40 4e 0e 4e 4e b6 3f 12 6c 1e be ce 60 33 1f 36 67 0f 9a ff 58 90 b6 f2 b0 70 b7 73 05 db b9 38 53 fe a5 cd cc 5d 3c c1 22 d4 d4 ff 71 c1 c9 55 45 e5 bf 0c ff 8f ab e5 e4 f4 d7 af 7f a4 3d c0 9a 56 ff 0d e3 7f 94 f6 d0 f6 75 b5 e2 d0 b4 f2 70 f1 74 b7 b0 fa 23 4e f3 bf 4d f5 7f 57 fd 2b f8 07 8d a0 9a bb dd 9f a0 98 39 4a bb 58 78 3a 59 39 83 15 a4 45 a8 ff 70 d8 2d ed 2c 05 f9 40 3c 9c 02 40 4e 59 2e a0 14 8f 0c 17 08 24 09 02 4a 49 70 4b 71 f2 73 0b 48 80 24 81 7c ff b1 f1 3f e9 f2 4a c9 f0 80 f8 f9 80 3c 9c 5c b2 20 90 0c 9f 84 2c 27 a7 0c 1f 2f b7 14 0f b7 80 8c 14 2f d7 7f 74 15 9c 3d c0 66 ce 16 56 ff d1 b5 fb 2f 5d 5e d9 ff ab ae a0 94 bb 95 19 Data Ascii: P]/qwwwwwwIpwwnn%<&sW2^3kj^ nX(Z.-nfbnncbr\|\,V6v"W=v"z<*@W)+[;y?w+-?Um?Kj1QJaA'W'+?<G B-AN)nEf`qRrA<@.. ' 7Pl%Bo]m8@@NNN?l`36gXps8S]<"qUE=Vupt#NMW+9JXx:Y9Ep-,@<@NY.$JIpKqsH$\|?J<\ ,'//t=fV/]^
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/jpegContent-Length: 2329Connection: keep-aliveAge: 8377Cache-Control: max-age=2592000Content-Encoding: gzipExpires: Sat, 30 Nov 2024 14:02:58 GMTLast-Modified: Fri, 16 Jun 2017 07:39:10 GMTVary: Accept-EncodingVia: cache64.tzmp,pic03.hnxxcmX-Bdcdn-Cache-Status: TCP_MISS,TCP_HITX-Request-Id: e0a8cd40c56b2049ae1c40b560a3bf3bX-Request-Ip: 173.254.250.77X-Response-Cache: parent_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:35 GMTData Raw: 1f 8b 08 00 00 00 00 00 00 03 8c 54 07 54 53 69 16 7e a9 b4 a8 44 8a 48 18 89 41 01 67 0c c9 4b 21 05 01 21 21 88 a8 20 20 45 54 36 0d 89 48 02 49 20 09 03 16 50 50 10 46 40 2c d8 06 c5 86 88 6b 41 ec 8c 0a 82 e0 5a 40 44 14 75 90 32 82 8a 42 44 10 27 64 5e 38 a2 b3 7b 5c 77 ef 39 ef 9d 77 ef fd ee fd bf ef ff ff fb f4 8f f4 ed 80 8d 8f 5a 12 0d 00 7e 7e 3f 02 c6 c0 57 d3 bf 06 b0 dc 44 61 ac 06 80 01 48 c8 9f 03 85 da 11 aa 18 a5 32 9e 4d 22 49 15 2e 7c 91 4c 20 76 11 ca e2 48 6a 7e 3c 09 74 21 93 80 39 9e ea 78 be 30 56 ac c4 0b c4 2b 25 52 77 c2 db 4b 55 04 bc 44 e4 4e 08 a3 2f 24 2f 8c e7 88 63 24 f3 92 e5 e2 e0 e4 45 21 c2 e4 58 21 4b 44 f0 f4 c0 cf 51 b3 d5 71 f1 71 62 25 1f af 8e 5b 2d 55 b0 d5 ee 84 b1 e6 6c e8 db 10 26 11 f0 63 10 65 ac 3b c1 cb 90 c0 87 2f 0c c4 73 64 72 31 9e ee 42 27 0a c9 20 0d cf 60 b9 80 74 90 c6 04 67 e3 29 64 90 4a 22 53 49 20 95 08 52 d8 64 16 1b a4 e3 3f 1b 01 5a 4d 2e 8a 66 07 71 79 9f d7 82 3c 77 c2 67 51 2a 95 ca 45 45 75 91 c9 57 92 40 16 8b 45 22 53 48 14 0a 11 42 10 15 1a a9 92 af 26 4a 15 0e e3 1d b8 62 85 50 2e 89 57 4a 64 52 bc c1 e7 0b 64 89 4a 77 02 61 5c 42 5c fc c2 85 5f 1a 7f 73 b7 e2 e2 0c ba c6 d0 0a 65 90 f8 2b 8d 6f a2 15 21 9a 78 31 29 48 ac 90 25 ca 85 62 08 ee f0 b7 a5 be 5f 6a 00 42 6c d8 01 72 09 74 28 fc d5 5c 99 30 31 4e 2c 55 fa 71 dd 09 50 c6 45 24 11 b1 19 20 9d c2 22 53 78 54 32 87 ee 43 05 41 6f 90 cc f1 a2 71 28 4c 1a cb 0b f4 26 33 c6 7b 7c ab 96 49 a3 80 2c 1a 8b 41 63 51 98 20 e8 c3 f0 72 e5 91 99 64 2f 1a 85 e2 e3 e3 c3 f1 e6 8c d7 fa 49 15 4a be 54 28 1e af 95 7c ad 75 fd 6e 2d 9b 23 17 f3 95 32 79 88 4c b6 7a fc 06 04 c6 c8 94 32 45 8c 2c 1e cf e1 18 4e 9c 8e 77 0e 93 48 45 32 95 62 96 e1 88 3e b3 15 cb 25 49 62 11 4f 2e 8b c3 8f ed 31 5b f2 0d 0e 62 26 48 a3 08 05 20 91 4c 67 52 89 34 3e 83 45 64 f2 c9 02 22 2b 5a 48 16 b2 c8 64 81 ab 90 4c f8 5c 2f fa 86 fe ff b9 77 24 88 10 e9 3f 2e cd 78 08 ba 89 86 cf 2f 23 00 39 5f 86 48 2c 85 26 47 0e 8d 88 be 0f 98 38 26 1b 10 fd 06 8d 22 4c ff 04 d8 00 a0 91 48 24 0a 89 46 a1 d0 Data Ascii: TTSi~DHAgK!!! ET6HI PPF@,kAZ@Du2BD'd^8{\w9wZ~~?WDaH2M"I.\|L vHj~<t!9x0V+%RwKUDN/$/c$E!X!KDQqqb%[-Ul&ce;/sdr1B' `tg)dJ"SI Rd?ZM.fqy<wgQ*EEuW@E"SHB&JbP.WJdRdJwa\B\_s
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/jpegContent-Length: 8042Connection: keep-aliveAge: 8400Cache-Control: max-age=2592000Content-Encoding: gzipEtag: "59438b1e-2113"Expires: Sat, 30 Nov 2024 14:02:58 GMTLast-Modified: Fri, 16 Jun 2017 07:39:10 GMTVary: Accept-EncodingVia: cache07.jhmp03,pic03.hnxxcmX-Bdcdn-Cache-Status: TCP_MISS,TCP_HITX-Request-Id: eb3a40d660ffd02b0ab7368ee441e826X-Request-Ip: 173.254.250.77X-Response-Cache: parent_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:58 GMTData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 76 05 54 5c cd b2 ee 10 9c 20 c1 12 24 c0 04 02 04 67 06 d7 21 d8 00 41 82 3b 04 19 24 30 0c 0c 4e 90 04 77 0b 12 20 c1 dd 9d 04 87 e0 16 34 38 04 0f ee 3e c0 23 ff 3d ff 39 f7 bd 75 de b9 b7 d6 da 7b 75 77 d5 57 fd 7d dd 55 7b ed bb a9 bb 25 00 85 8c 9b b5 05 00 20 2f cf 0a c0 01 fc cb ee 76 00 c4 d2 ce 66 36 ee 00 34 00 c6 fd 5c f4 7e 69 09 dd d5 ca c9 c9 5e 98 8b cb ce 91 d3 c4 1c 61 0a e3 34 43 c0 b9 dc 4c ec b9 40 9c dc 5c 00 51 88 9b bd 89 99 0d cc 09 68 0a b3 b4 b6 13 a3 df 6f 68 a1 07 5a 9b 8b d1 6b f3 29 71 2b d9 4b c1 ac ac e5 3c 90 30 75 0f 65 0d 33 0f 1b 33 21 73 7a 88 38 50 d4 4d d8 0d 6e 0f 87 39 99 00 dd e0 b6 76 8e c2 6e 62 f4 7f 25 17 be 1f ff 59 e6 a2 07 fe 15 e2 64 23 46 ff f2 8f 03 a8 a3 f4 1a 28 85 40 c2 80 7c 9c 7c 1c 66 dc 20 5e a0 80 10 27 88 0f c4 2b 08 62 07 82 b9 41 3c 5c dc 3c 5c 20 1e 0e 10 58 98 5b 48 18 c4 07 fc 87 d1 df ef 86 34 b7 10 56 93 96 fd c7 5e f7 33 31 fa 7f 88 72 75 75 e5 74 e5 e1 44 20 2d b9 40 42 42 42 5c dc 60 2e 30 98 e3 3e 82 c3 d1 dd ce c9 c4 8d c3 ce 91 e1 ef 0c d2 30 47 33 a4 b5 bd 93 35 c2 0e f8 67 6e 62 8a 70 76 12 a3 a7 ff 5b 02 dc 5e 49 e9 9f 89 ff ed 69 c1 e1 7f 74 fd 15 ed e8 a4 06 fb 17 8d 7f 1b ed a8 e1 6e 0f e3 52 83 39 22 9c 91 66 b0 fb 70 86 ff b6 d5 7f 86 fe 09 bc 67 23 ac 82 b4 be bf 14 13 5b 69 84 99 33 1c 66 e7 24 2f 2d 46 7f ef e1 34 b7 36 17 16 00 f1 81 85 b8 c1 b2 3c dc 52 7c 32 3c 20 90 24 88 5b ea 25 af 14 58 90 57 e8 25 48 92 5b e0 ef 1c ff 0e 2b c8 0b 06 09 f1 0a f1 f0 0a 81 05 41 20 19 81 97 fc b2 dc 82 dc 2f 79 c1 60 19 19 19 29 49 a9 bf b1 f2 76 8e 4e 26 76 66 b0 bf b1 d6 ff c2 82 ff 23 56 58 0a 09 33 71 42 20 35 10 08 db bf 2b e0 b5 15 c2 09 e1 68 85 b0 07 4a 49 fd b9 71 3e e0 0b 6d 6b 3b 73 84 ab 23 cb 9f 2b fa 07 5b 18 d2 da 05 66 2e 8b 44 c0 81 7f 9d b1 b0 f5 bf e1 00 13 04 f1 82 cd 4c 41 1c dc 7c 82 3c 1c bc 26 02 42 1c 82 26 dc a6 1c 42 16 66 dc 66 42 dc dc a6 fc 66 dc f4 ff c0 9b ff 1b fd ff e3 d9 71 dd 13 Data Ascii: vT\ $g!A;$0Nw 48>#=9u{uwW}U{% /vf64\~i^a4CL@\QhohZk)q+K<0ue33!sz8PMn9vnb%Yd#F(@\|\|f ^'+bA<\<\ X[H4V^31ruutD -@BBB\`.0>0G35gnbpv[^IitnR9"fpg#[i3

Source: global traffic	HTTP traffic detected: GET /httpsEnable.gif?t=1730391733433 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: my.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /TCaptcha.js HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/tcaptcha-frame.5e0f125a.js HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /template/drag_ele.html HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/dy-jy3.js HTTP/1.1Accept: /Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/dy-ele.16bf5dd7.js HTTP/1.1Accept: /Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dy-jy3.js HTTP/1.1Accept: /Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=417&ext_1=2&ext_2=wd_37cs&ext_3=921614&ext_4=2D9765A5A2ED4CE2ADBD5F7D47905931&ext_5=dc76deab4f96ab09d9dcaf79af94e8d7&ext_6=2&browser_type=3000 HTTP/1.1User-Agent: HTTPDownloaderHost: a.clickdata.37wan.com
Source: global traffic	HTTP traffic detected: GET /controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gameapp.37.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1.css?t=1730391723 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/js/client/game1.js?t=1730391723 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2017/06/19141848xsCpC.jpg HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img2.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /yx/jzcq/wd_37cs/921614/app.ini HTTP/1.1User-Agent: HTTPDownloaderHost: d.wanyouxi7.com
Source: global traffic	HTTP traffic detected: GET /js/sq/lib/sq.core.js?t=20140304 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.login.js?t=20230803101600 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /controller/client.php?action=register&game_id=417&tpl_type=game2 HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gameapp.37.comConnection: Keep-AliveCookie: PHPSESSID=r8n5i200li7ekleljhb17avtb1; sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/rem_on.png HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/kv-ico.png HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1.css?t=1730391727 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/js/client/game1.js?t=1730391727 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2017/06/19141848xsCpC.jpg HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img2.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/sq/lib/sq.core.js?t=20140304 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.login.js?t=20230803101600 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/reg.jpg HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/dot.png HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /www2015/images/common/third-logo-24.png HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.tab.js HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.statis.js HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.clientclass2.js?t=1730391727 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /controller/istat.controller.php?platform=37wan&item=u3tfl5ftfl&game_id=417&sid=&position=1&ext_1=4&ext_2=wd_37cs&ext_3=921614&ext_4=&ext_5=gy&ext_6=&login_account=&browser_type=&user_ip=&refer=wd_37cs&uid=921614&page=4&t=1730391732770 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: a.clickdata.37wan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /www2015/images/reglog/200x42.png?v=1 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /www/css/images/common/dialog2/bg-dialog-avatar.png?v=1 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146 HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /proxy_yk.html HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: regapi.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /www/css/images/common/ico.png HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1/ HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cm.he2d.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/sq/lib/sq.core.js HTTP/1.1Accept: /Referer: http://regapi.37.com/proxy_yk.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /sys/?u=uK4jZ7lpa5IBAAAALNcr&fdata= HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: cookiem.37.comCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic	HTTP traffic detected: GET /controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=417&ext_1=4&ext_2=wd_37cs&ext_3=921614&ext_4=2D9765A5A2ED4CE2ADBD5F7D47905931&ext_5=dc76deab4f96ab09d9dcaf79af94e8d7&ext_6=2&browser_type=3000 HTTP/1.1User-Agent: HTTPDownloaderHost: a.clickdata.37wan.com
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/btn-log-short.jpg HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jzcq/css/client/game1/btn-reg.jpg HTTP/1.1Accept: /Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: a.clickdata.37wan.com
Source: global traffic	DNS traffic detected: DNS query: gameapp.37.com
Source: global traffic	DNS traffic detected: DNS query: img1.37wanimg.com
Source: global traffic	DNS traffic detected: DNS query: img2.37wanimg.com
Source: global traffic	DNS traffic detected: DNS query: ptres.37.com
Source: global traffic	DNS traffic detected: DNS query: d.wanyouxi7.com
Source: global traffic	DNS traffic detected: DNS query: regapi.37.com
Source: global traffic	DNS traffic detected: DNS query: my.37.com
Source: global traffic	DNS traffic detected: DNS query: turing.captcha.qcloud.com
Source: global traffic	DNS traffic detected: DNS query: cm.he2d.com
Source: global traffic	DNS traffic detected: DNS query: cookiem.37.com
Source: global traffic	DNS traffic detected: DNS query: turing.captcha.gtimg.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 16:22:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveServer: nginx/1.4.7X-Via: 1.1 dianxun233:2 (Cdn Cache Server V2.0), 1.1 dj136:6 (Cdn Cache Server V2.0), 1.1 PS-CDG-01orF60:16 (Cdn Cache Server V2.0)x-ws-request-id: 6723aeae_PSfgblPAR2dz77_28077-3410Data Raw: 61 38 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 34 2e 37 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a8<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.4.7</center></body></html>0

Source: dqwhj_errwd.exe, 00000002.00000003.2102065360.000000000B1A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://a.clickdata.37wan.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://a.clickdata.37wan.com/0
Source: dqwhj_errwd.exe, 00000001.00000002.1722527337.000000000081E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://a.clickdata.37wan.com/ces
Source: dqwhj_errwd.exe, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a.clickdata.37wan.com/controller/istat.controller.php?platform=37wan&item=u3tfl5ftfl&game_id=
Source: dqwhj_errwd.exe	String found in binary or memory: http://api.clogin.m2.6wtx.com/?act=c&account=%s&server_id=%s&platform=37wan&RandomTime=%s
Source: dqwhj_errwd.exe	String found in binary or memory: http://api.clogin.m2.6wtx.com/?act=m&ope=k&platform=37wan&server_id=%s&account=%s&timestamp=%s
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://api.clogin.m2.6wtx.com/?act=m&ope=k&platform=37wan&server_id=%s&account=%s&timestamp=%sCurAcc
Source: dqwhj_errwd.exe	String found in binary or memory: http://api.clogin.m2.6wtx.com/?act=m&ope=r&platform=37wan
Source: dqwhj_errwd.exe, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://api.clogin.m2.6wtx.com?act=p&platform=37wan
Source: dqwhj_errwd.exe	String found in binary or memory: http://bbs.37.com/list-3829-1.html
Source: dqwhj_errwd.exe, 00000002.00000003.2102406429.000000000B108000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B108000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1882032734.000000000B10A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cm.he2d.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2953530382.000000000B228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cm.he2d.com/1/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cm.he2d.com/1/&
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cm.he2d.com/1/(
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cm.he2d.com/1/comde
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cm.he2d.com/1/dd
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cookiem.37.com/
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cookiem.37.com/sys/?u=uK4jZ7lpa5IBAAAALNcr&fdata=
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cookiem.37.com/sys/?u=uK4jZ7lpa5IBAAAALNcr&fdata=e
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: dqwhj_errwd.exe	String found in binary or memory: http://d.wanyouxi7.com/37/jzcq/official/37jzcq.exe
Source: dqwhj_errwd.exe	String found in binary or memory: http://d.wanyouxi7.com/37/jzcq/official/app.ini
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1691381928.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1668064574.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1723271232.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1669149936.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1668683718.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692162572.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692348251.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692330335.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1724369946.0000000002390000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1889253533.000000000E550000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1889292431.000000000E550000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp, lander.ini.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/app.ini
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/app.inic
Source: dqwhj_errwd.exe, 00000002.00000002.2938942824.0000000002570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/app.inio
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/app.inir
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1691381928.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1668064574.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1723271232.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1669149936.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1668683718.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692162572.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692348251.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692330335.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1724369946.0000000002390000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1889253533.000000000E550000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1889292431.000000000E550000.00000004.00000800.00020000.00000000.sdmp, lander.ini.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/dqwhj_errw.exe
Source: dqwhj_errwd.exe, 00000002.00000002.2938942824.0000000002570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/dqwhj_errw.exeW
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/.ZJC/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/a
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/al
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/c
Source: client[1].htm.2.dr	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#0
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#;
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#B
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#E
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000954000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#L
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000954000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#O
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#U
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#i
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#l
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#s
Source: dqwhj_errwd.exe, 00000002.00000003.1882032734.000000000B0E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2(
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2-IX
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFD3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game21
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game22
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game23
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game23000
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game25n
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2;
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2?t
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2A
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2B
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2E
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2F)
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2H
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2K
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2MN8C
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2R
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2UN
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2X
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2_
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2ame1/dot.png
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2awRB2
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2d
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2dlogin=1&refer
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2eC:
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2eI
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2ef))
Source: dqwhj_errwd.exe, 00000002.00000003.1896698789.000000000B58A000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869813849.000000000B588000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869677910.000000000B586000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2939218925.0000000002683000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896549007.000000000B585000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1870146236.000000000B58D000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869638235.000000000B585000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869890267.000000000B589000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869569951.000000000B583000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896778847.000000000B58C000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896491573.000000000B582000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896808247.000000000B58D000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896728000.000000000B58B000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896667533.000000000B589000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1870076464.000000000B58B000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896606881.000000000B587000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869464913.000000000B580000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1870109855.000000000B58C000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869534061.000000000B582000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869980076.000000000B58A000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896636744.000000000B588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2http://gameapp
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2i
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2l
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2mO
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2p
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2s
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2t
Source: dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2v
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr	String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=921614
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=921614-bu
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=9216149
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=921614P
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=921614U
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=921614p
Source: dqwhj_errwd.exe	String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1
Source: dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&ui
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1http://d.wanyouxi
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gameapp.37.com/rZ
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr	String found in binary or memory: http://huodong.37.com/data/pop/app_yx_jzcqTips.xml
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37w
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/L
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000959000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D69000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000959000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=17303917237
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D6B000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723C:
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723com/
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723f
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723w
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391727
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391727G
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DBF4000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpg
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpg#
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpg...
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpgMicrosoft
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpgc
Source: dqwhj_errwd.exe, 00000002.00000002.2968733704.000000000DC4A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102279160.000000000DC48000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102316505.000000000DC5E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DC2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpggame2&refer=wd_37cs&uid=921614
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpgi
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpgine-height:18px;padding-top:4px
Source: dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DBF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpgs
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-reg.jpg
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-reg.jpg8
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-reg.jpgC
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-reg.jpgS
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-reg.jpgc
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/dot.png
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/dot.png6
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/dot.pngF
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/dot.pngj
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/dot.pngster&game_id=417&tpl_type=game2#
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.png
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.png391723
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.pngK
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.pngX
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/log.jpg
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/log.jpgE
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/log.jpgT
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/log.jpgyG
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/reg.jpg
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/reg.jpg8
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/reg.jpgster&game_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/rem.png
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/rem.pngC
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/rem.pngg
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/rem.pngg3
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/rem.pnggS
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/rem.pngl
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/rem_on.png
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/rem_on.png.
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/rem_on.png723235&
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/rem_on.png;
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D3E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391723
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=17303917230
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=17303917233
Source: dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391723C:
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391723LMEM
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391723QQC:
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391727
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=17303917270
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391727D
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391727U
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391727e
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391727me_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391727t
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391727w
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/6D
Source: dqwhj_errwd.exe, 00000002.00000002.2962649939.000000000BC80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dial
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-avatar-8.png)
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765657394.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B090000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr, client[1].htm.2.dr	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-avatar-8.png);
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-avatar.png
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765657394.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B090000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr, client[1].htm.2.dr	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-avatar.png)
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-avatar.png?v=1
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-avatar.png?v=1F
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-avatar.png?v=1ame2
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-avatar.png?v=1o
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-avatar.png?v=1t
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-close-8.png)
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765657394.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B090000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2962649939.000000000BC80000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr, client[1].htm.2.dr	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-close-8.png);
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-close.png
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765657394.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B090000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2962649939.000000000BC80000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr, client[1].htm.2.dr	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-close.png)
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/ico.png
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/ico.png$
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/ico.png.
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/ico.pngM
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/ico.pngz
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765657394.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B090000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr, client[1].htm.2.dr	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/loading-48x48.gif)
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www/css/images/common/loading-48x48.gif.i
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/common/third-logo-24.png
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/common/third-logo-24.png#
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/common/third-logo-24.png1a
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/common/third-logo-24.pngi
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/reglog/200x42.png?v=1
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/reglog/200x42.png?v=1F
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/reglog/200x42.png?v=1W
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/reglog/200x42.png?v=1me_id=417&tpl_type=game2xyiframe
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/reglog/260x42.png?v=1
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/reglog/260x42.png?v=1#
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/reglog/260x42.png?v=1L
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/reglog/260x42.png?v=1M
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img1.37wanimg.com/www2015/images/reglog/260x42.png?v=1y
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img2.37wanimg.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img2.37wanimg.com/$
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img2.37wanimg.com/2017/06/19141848xsCpC.jpg
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img2.37wanimg.com/2017/06/19141848xsCpC.jpg4
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img2.37wanimg.com/2017/06/19141848xsCpC.jpgPjrB
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img2.37wanimg.com/2017/06/19141848xsCpC.jpgregister&game_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000003.1765657394.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img2.37wanimg.com/2017/06/19141848xsCpC.jpgt
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img2.37wanimg.com/2017/06/19141848xsCpC.jpgvkTC
Source: dqwhj_errwd.exe	String found in binary or memory: http://jzcq.37.com/
Source: dqwhj_errwd.exe	String found in binary or memory: http://kf.37.com/
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://kf.37.com/http://jzcq.37.com/http://bbs.37.com/list-3829-1.htmlwd_returnlogin=1Software
Source: dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765657394.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765851841.0000000003562000.00000004.00000020.00020000.00000000.sdmp, client[1].htm.2.dr	String found in binary or memory: http://my.37.com/forgetpwd/
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://my.37.com/forgetpwd/AP8B
Source: dqwhj_errwd.exe, 00000002.00000003.1870252571.000000000B590000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://my.37.com/proxy.html
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr	String found in binary or memory: http://my.37.com/user_agreement.html
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://my.37.com/user_agreement.htmlnt.php?action=register&game_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2960871026.000000000B710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.a
Source: dqwhj_errwd.exe, 00000002.00000002.2941164285.0000000003570000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.co
Source: dqwhj_errwd.exe, 00000002.00000002.2941164285.0000000003570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.co:stR
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsbe.c/x7
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, uninst.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, uninst.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: dqwhj_errwd.exe	String found in binary or memory: http://pay.37.com/select.php?gamename=jzcq&gameserver=%s&username=%s
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://pay.37.com/select.php?gamename=jzcq&gameserver=%s&username=%s/uninstallsucc/setupsuccRunCount
Source: dqwhj_errwd.exe	String found in binary or memory: http://pt.clickdata.37wan.com/ps.gif?id=38&la=%s&gid=%s&sid=%s&e1=%s&e2=%s&e3=%d&e4=%s&e5=%s&e6=%s&e
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/XZ
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2953530382.000000000B1FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js(
Source: dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js?t=20140304
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js?t=201403040k
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js?t=20140304Bj
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js?t=20140304L
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js?t=20140304egister&game_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js?t=20140304jkxC
Source: dqwhj_errwd.exe, 00000002.00000003.1806212560.0000000003FD4000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2436574299.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2945508827.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js?t=20140304p
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js?t=20140304xkjC
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.js?t=20140304y
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.jsOR
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.jsa.js...15/images/reglog/200x42.png?v=1...2;
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.jsha-frame.5e0f125a.jsme_id=417&tpl_type=game2EM
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.jshp?action=register&game_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000003.1882032734.000000000B092000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/lib/sq.core.jso
Source: dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.clientclass2.js?t=1730391723
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.clientclass2.js?t=1730391723Kg
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.clientclass2.js?t=1730391723Nk
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.clientclass2.js?t=1730391723l2
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.clientclass2.js?t=1730391723lF
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.clientclass2.js?t=1730391723qg
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.clientclass2.js?t=1730391727
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.clientclass2.js?t=1730391727id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D6B000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102406429.000000000B086000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D39000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D69000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000090D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr, client[1].htm.2.dr	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=
Source: dqwhj_errwd.exe, 00000002.00000002.2943953244.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146
Source: dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=1730391733146&_=173039173314607
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=1730391733146&_=17303917331462
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146ame2
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146c
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146e9);background-imag
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146m#
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=202308031016001
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600B
Source: dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600P
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600R
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600S
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600T
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600me_id=417&tpl_type=game26
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600t
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600v
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.statis.js
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.statis.jsep
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.statis.jsrp
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.statis.jstion=register&game_id=417&tpl_type=game2ogin=1
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2943953244.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.js
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.js=
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.js?action=register&game_id=417&tpl_type=game2L
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.jsO
Source: dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.jshttp://ptres.37.com/js/sq/widget/sq.statis.js
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.jsi
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.jss
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/TQ.C
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/a
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/a4
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/ae
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1868502766.000000000B5D1000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1868388353.000000000B5D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1866641939.000000000B5C3000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1898865420.000000000B5CE000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1868228791.000000000B5CE000.00000004.00000800.00020000.00000000.sdmp, sq.login[1].js.2.dr	String found in binary or memory: http://regapi.37.com/proxy_yk.html
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CF3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B1A3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102065360.000000000B1A1000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1882740614.000000000B1A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.html#
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.html-ta
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.html/
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.html9
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.htmlC:
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.htmlM
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.htmlQ
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.htmlame
Source: dqwhj_errwd.exe, 00000002.00000002.2958030492.000000000B4E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.htmlhttp://ptres.37.com/js/sq/lib/sq.core.jsh
Source: dqwhj_errwd.exe, 00000002.00000002.2972690301.000000000E3BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.htmlhttp://regapi.37.com/proxy_yk.htmlt
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://regapi.37.com/proxy_yk.htmlient.php?action=register&game_id=417&tpl_type=game2pe=game2
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DBF4000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2436574299.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2945508827.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2968608108.000000000DBF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://turing.captcha.qcloud.com/
Source: dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DBF4000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2968608108.000000000DBF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://turing.captcha.qcloud.com/l
Source: dqwhj_errwd.exe, 00000002.00000003.2101296947.000000000DC6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://turing.captcha.qcloud.comC:
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725207147.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr	String found in binary or memory: http://www.37.com
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102346615.000000000B19A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B090000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/-s
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq//;-webkit-tapr
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/Te
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/bQ
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/kQ
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/mp
Source: dqwhj_errwd.exe, 00000002.00000003.2102346615.000000000B19A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/ne;-webkit-tapr
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/o
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/ror
Source: dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765851841.0000000003562000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D44000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr, client[1].htm.2.dr	String found in binary or memory: http://www.37.com/jzcq/xinwen/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/20180428-2101/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/20180428-2101//
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/20200904-3964/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/20201119-3965/
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/20201119-3965//btn-reg.jpg;
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/20201119-3965/9WRC
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/20201119-3965/mlPW5C
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/20201119-3965/mlzW
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/G
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/N
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/xinwen/~
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/jzcq/z
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/notice/2021/0112/78827.html
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/notice/2021/0112/78827.html&
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.37.com/notice/2021/0112/78827.html)
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725207147.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr	String found in binary or memory: http://www.37.com17512031204RTL
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725207147.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr	String found in binary or memory: http://www.37.com;
Source: dqwhj_errwd.exe, 00000002.00000002.2948731273.0000000007A3D000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2948731273.0000000007A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: dqwhj_errwd.exe, 00000002.00000002.2961100661.000000000BB43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ca.turing.captcha.qcloud.com
Source: dqwhj_errwd.exe, 00000002.00000002.2967544283.000000000DABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ca.turing.captcha.qcloud.comhttps://turing.captcha.qcloud.com
Source: dqwhj_errwd.exe, 00000002.00000002.2972517657.000000000E3A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudcache.tencentcs.com/qcloud/main/scripts/release/common/vendors/jquery-3.2.1.min.js3
Source: dqwhj_errwd.exe, 00000002.00000002.2959133004.000000000B560000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudcache.tencentcs.com/qcloud/main/scripts/release/common/vendors/jquery-3.2.1.min.jsNatK
Source: dqwhj_errwd.exe, 00000002.00000002.2967324498.000000000DA96000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2958484214.000000000B52F000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2041786911.000000000DA96000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2012767637.000000000DA96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudcache.tencentcs.com/qcloud/main/scripts/release/common/vendors/jquery-3.2.1.min.jsf
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: dqwhj_errwd.exe, 00000002.00000002.2972238558.000000000E377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://global.turing.captcha.gtimg.com
Source: dqwhj_errwd.exe, 00000002.00000002.2961100661.000000000BB43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://global.turing.captcha.gtimg.comhttps://turing.captcha.gtimg.com/1Y
Source: dqwhj_errwd.exe, 00000002.00000002.2971897316.000000000E369000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://global.turing.captcha.gtimg.comhttps://turing.captcha.gtimg.comtarget
Source: dqwhj_errwd.exe, 00000002.00000002.2967544283.000000000DABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://global.turing.captcha.gtimg.comtencent-captcha__middle-fontsizetencent-captcha-dy__status-no
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comt
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.37.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.37.com/2
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, sq.login[1].js.2.dr	String found in binary or memory: https://my.37.com/api/login.php
Source: dqwhj_errwd.exe, 00000002.00000002.2939218925.000000000269B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://my.37.com/api/login.phpERROR_TYPE_FRAMEJS_CODE_ERROR
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, sq.login[1].js.2.dr	String found in binary or memory: https://my.37.com/api/register.php
Source: dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://my.37.com/httpsEnable.gif?t=
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.37.com/httpsEnable.gif?t=1730391733433
Source: dqwhj_errwd.exe, 00000002.00000003.2436833597.000000000B25C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://my.37.com/httpsEnable.gif?t=17303917334331
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.37.com/httpsEnable.gif?t=1730391733433:hidden;width:1px;padding:1px;display:inline;zoom:1
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.37.com/httpsEnable.gif?t=1730391733433_
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.37.com/httpsEnable.gif?t=1730391733433m
Source: dqwhj_errwd.exe, 00000002.00000003.2012644987.000000000DA8C000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2958811416.000000000B553000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2012767637.000000000DA8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rce.tencentrio.com
Source: dqwhj_errwd.exe, 00000002.00000002.2967324498.000000000DA8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rce.tencentrio.comA
Source: dqwhj_errwd.exe, 00000002.00000003.2041786911.000000000DA8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rce.tencentrio.comNatK8$0
Source: dqwhj_errwd.exe, 00000002.00000002.2961497409.000000000BB6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rce.tencentrio.comt
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, sq.login[1].js.2.dr	String found in binary or memory: https://regapi.37.com/api/p_register_phone.php
Source: dqwhj_errwd.exe, 00000002.00000002.2939218925.0000000002683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://regapi.37.com/api/p_register_phone.php//regapi.37.com/code_check.php?callback=?
Source: dqwhj_errwd.exe, 00000002.00000002.2957391207.000000000B4C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://regapi.refreshImgthirdLogBtninputStatusclientTypeNamescheckCodeUrlisRenderenterGame//gameapp
Source: dqwhj_errwd.exe, 00000002.00000002.2966096684.000000000DA2A000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2039534223.000000000DA29000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2013697091.000000000DA22000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2013775670.000000000DA25000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2039339268.000000000DA25000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2013850453.000000000DA27000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2013932735.000000000DA29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sv.aq.qq.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2972238558.000000000E377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CF3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B1A3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102065360.000000000B1A1000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1882740614.000000000B1A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2967544283.000000000DABE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1
Source: dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DC2E000.00000004.00000020.00020000.00000000.sdmp, drag_ele[1].htm.2.dr	String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-ele.16bf5dd7.js
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-ele.16bf5dd7.js8
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.js
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.js/template/drag_ele.html...ata=...6ww/c
Source: dqwhj_errwd.exe, 00000002.00000002.2967857693.000000000DAC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.js0W
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.js3
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.js7
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.jsag_ele.htmlag_ele.html...tpl_type=game2N
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.js
Source: dqwhj_errwd.exe, 00000002.00000003.1930021748.000000000DAA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.js//ptres.37.com/js/sq/widget/sq.login.js
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.jsX
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.jsme_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.jsme_id=417&tpl_type=game2:inline;zoom:1
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.jsz
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B1A3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102065360.000000000B1A1000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1882740614.000000000B1A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/104
Source: dqwhj_errwd.exe, 00000002.00000003.1979973185.000000000E3A9000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1930358141.000000000E3A9000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2972517657.000000000E3A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/1https://global.turing.captcha.gtimg.comhttps://ca.turing.captcha.q
Source: dqwhj_errwd.exe, 00000002.00000002.2959994308.000000000B5C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.gtimg.com/public/res/tcaptcha-icons-merge.34d219bf.png)
Source: dqwhj_errwd.exe, 00000002.00000002.2968608108.000000000DBF6000.00000004.00000020.00020000.00000000.sdmp, drag_ele[1].htm.2.dr	String found in binary or memory: https://turing.captcha.qcloud.com
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com///turing.captcha.qcloud.com/template/drag_ele.html...
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/FW
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2953530382.000000000B1FF000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2958484214.000000000B53D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/TCaptcha.js
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/TCaptcha.js-
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/TCaptcha.jsj
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/TCaptcha.jsn
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js&
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js)
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js3
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js7/gC
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js;/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsC:
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsO
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsbf5dd7.jsml
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsefineProperty
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsg/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsrag_ele.htmler&game_id=417&tpl_type=game2Fs
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsrag_ele.htmll=
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jst
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/tcapicon.eot
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/tcapicon.eot7
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102316505.000000000DC5E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934946845.00000000006BD000.00000004.00000010.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DC2E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B090000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html#
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html##
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html#D8FFFFFF
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html#c
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html#s
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html...
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html/6
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html172727IE5
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html2
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmlC
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmlS
Source: dqwhj_errwd.exe, 00000002.00000002.2934946845.00000000006BD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmlW
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmler&game_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2938942824.0000000002575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmler&game_id=417&tpl_type=game2er=wd_37cs&uid=
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmler&game_id=417&tpl_type=game2pe=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2967857693.000000000DAC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmlhttps://turing.captcha.qcloud.com/template/d
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmll
Source: dqwhj_errwd.exe, 00000002.00000002.2971897316.000000000E369000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.comNatKH$8
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.comTCaptcha.js.js?t=1730391733146&_=1730391733146..2c
Source: dqwhj_errwd.exe, 00000002.00000003.1978756747.000000000E369000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2971897316.000000000E369000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.comhttps://turing.captcha.qcloud.com
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.comtemplate/drag_ele.htmler&game_id=417&tpl_type=game2Z
Source: dqwhj_errwd.exe, 00000002.00000002.2961100661.000000000BB43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://turing.captcha.qcloud.comx

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: unknown	HTTPS traffic detected: 180.188.25.9:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 43.154.254.89:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 60.221.17.65:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 60.221.17.65:443 -> 192.168.2.4:49761 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405042

System Summary

PE file has a writeable .text section

Source: FindProcDLL.dll.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Code function: 1_2_00483070: DeviceIoControl,_memset,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,CloseHandle,

1_2_00483070

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040323C

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Code function: 0_2_00404853	0_2_00404853
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Code function: 0_2_00406131	0_2_00406131
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00462F20	1_2_00462F20
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A41C2	1_2_004A41C2
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00482250	1_2_00482250
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004643F0	1_2_004643F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004AA415	1_2_004AA415
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00486560	1_2_00486560
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0048A7F0	1_2_0048A7F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00464870	1_2_00464870
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0046CA50	1_2_0046CA50
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A0A6F	1_2_004A0A6F
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00492B70	1_2_00492B70
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A8CAF	1_2_004A8CAF
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A4EAA	1_2_004A4EAA
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A0F44	1_2_004A0F44
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00499117	1_2_00499117
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A91F3	1_2_004A91F3
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0046F370	1_2_0046F370
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A1318	1_2_004A1318
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00455570	1_2_00455570
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00481510	1_2_00481510
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0049D71E	1_2_0049D71E
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A1724	1_2_004A1724
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A9737	1_2_004A9737
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0046D9F0	1_2_0046D9F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00479A60	1_2_00479A60
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A1B44	1_2_004A1B44
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0047FD00	1_2_0047FD00
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00455F40	1_2_00455F40
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00479A60	2_2_00479A60
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A41C2	2_2_004A41C2
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00482250	2_2_00482250
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004643F0	2_2_004643F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004AA415	2_2_004AA415
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00486560	2_2_00486560
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0048A7F0	2_2_0048A7F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00464870	2_2_00464870
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0046CA50	2_2_0046CA50
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A0A6F	2_2_004A0A6F
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00492B70	2_2_00492B70
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A8CAF	2_2_004A8CAF
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A4EAA	2_2_004A4EAA
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A0F44	2_2_004A0F44
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00462F20	2_2_00462F20
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00499117	2_2_00499117
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A91F3	2_2_004A91F3
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0046F370	2_2_0046F370
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A1318	2_2_004A1318
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00455570	2_2_00455570
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00481510	2_2_00481510
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0049D71E	2_2_0049D71E
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A1724	2_2_004A1724
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A9737	2_2_004A9737
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0046D9F0	2_2_0046D9F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A1B44	2_2_004A1B44
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0047FD00	2_2_0047FD00
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00455F40	2_2_00455F40

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: String function: 0049AA11 appears 32 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: String function: 00490890 appears 38 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: String function: 00481000 appears 36 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: String function: 00457360 appears 99 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: String function: 00495E80 appears 120 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: String function: 00498B0A appears 60 times

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.evad.winEXE@5/48@12/9

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0046C9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,		1_2_0046C9B0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0046C9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,		2_2_0046C9B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404356

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Code function: 1_2_00480F30 RegOpenKeyExW,CreateToolhelp32Snapshot,_memset,Process32FirstW,Process32NextW,CloseHandle,

1_2_00480F30

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Code function: 1_2_0045E050 LoadResource,LockResource,SizeofResource,

1_2_0045E050

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

File created: C:\Users\user\AppData\Roaming\mk-jzcq

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

File created: C:\Users\user\AppData\Local\Temp\nsv2F3B.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Command line argument: 37Lander		1_2_004697C0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Command line argument: 37Lander		2_2_004697C0

Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Process created: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Process created: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Process created: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Process created: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: windowscodecsext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dxtrans.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: ddrawex.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: ddraw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dxtmsft.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Section loaded: xmllite.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: .lnk.0.dr	LNK file: ..\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
Source: .lnk0.0.dr	LNK file: ..\..\..\..\..\..\mk-jzcq\dqwhj_errwd.exe
Source: .lnk.0.dr	LNK file: ..\..\..\..\..\..\mk-jzcq\uninst.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

File written: C:\Users\user\AppData\Roaming\mk-jzcq\lander.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe

Static file information: File size 1647950 > 1048576

Source:	Binary string: \Bin\lander.pdbX G source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr
Source:	Binary string: \Bin\lander.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr
Source:	Binary string: \Bin\iconTips.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr
Source:	Binary string: \Bin\iconAnimate.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr
Source:	Binary string: \Bin\lander.pdbX L source: dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00496616 push ecx; ret	1_2_00496629
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_00495EC5 push ecx; ret	1_2_00495ED8
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004925D3 push dword ptr [ecx-75h]; iretd	2_2_004925DF
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00496616 push ecx; ret	2_2_00496629
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_00495EC5 push ecx; ret	2_2_00495ED8
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0BC044D6 push esi; ret	2_2_0BC044D8
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0BC095EE push 6803580Bh; iretd	2_2_0BC095F5
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0BC08CB0 push 6803580Bh; iretd	2_2_0BC08CB5
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0BC09217 push 6803580Bh; iretd	2_2_0BC0921C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0E558A65 push 6803580Bh; retf 0002h	2_2_0E558A6A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0E5546D4 push edx; iretd	2_2_0E5546DA
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0E5546E6 push edx; iretd	2_2_0E5546EC
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0E5520BE push 00000078h; iretd	2_2_0E5520C4
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0E55474B push ecx; iretd	2_2_0E55474C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0E554773 push ecx; iretd	2_2_0E554774
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0E554734 push ecx; iretd	2_2_0E55473A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0E5547DB push ecx; iretd	2_2_0E5547E1
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0E5547F2 push ecx; iretd	2_2_0E5547F3
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0E5547BA push ecx; iretd	2_2_0E5547C0

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: DeviceIoControl,_memset,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_00483070
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_004834E0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_00483509
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: DeviceIoControl,_memset,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	2_2_00483070
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	2_2_004834E0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	2_2_00483509

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	File created: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	File created: C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	File created: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	File created: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\FindProcDLL.dll	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: DeviceIoControl,_memset,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_00483070
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_004834E0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	1_2_00483509
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: DeviceIoControl,_memset,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	2_2_00483070
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	2_2_004834E0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	2_2_00483509

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37 \	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37 \ \ .lnk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37 \ \ .lnk	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004799A0 IsIconic,ShowWindow,ShowWindow,ShowWindow,SetWindowPos,SetForegroundWindow,		1_2_004799A0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004799A0 IsIconic,ShowWindow,ShowWindow,ShowWindow,SetWindowPos,SetForegroundWindow,		2_2_004799A0

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: 3F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: 2730000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: 28D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: 28D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: B1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: B3C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: B440000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: B4A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: B500000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: B5A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: BB80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: BBE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: BC20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: BC40000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: BBA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: BE60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: BE80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: 4670000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: A9C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: A9E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: B2C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: DBC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: D8A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: D920000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: D960000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: D9C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: DA40000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E330000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E3D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E410000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E430000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: D8E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: D900000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: DA00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: DFE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E000000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E020000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E060000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E080000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E0A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E1A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E1C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E1E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E200000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E240000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E260000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E280000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E2A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E2C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E590000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E5F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E6B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E710000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E730000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E750000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E770000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E790000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E7B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E810000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E830000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Memory allocated: E850000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: _malloc,GetAdaptersInfo,_malloc,GetAdaptersInfo,		1_2_0047F940
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: _malloc,GetAdaptersInfo,_malloc,GetAdaptersInfo,		2_2_0047F940

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Window / User API: foregroundWindowGot 1719

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\FindProcDLL.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-41083

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_1-40078
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_1-39822

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-40615

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

API coverage: 9.7 %

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0046CA50 GetLocalTime followed by cmp: cmp ax, cx and CTI: jnc 0046CE0Fh		1_2_0046CA50
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0046CA50 GetLocalTime followed by cmp: cmp ax, cx and CTI: jnc 0046CE0Fh		2_2_0046CA50

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Code function: 1_2_00490B2A VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

1_2_00490B2A

Source: dqwhj_errwd.exe, 00000001.00000002.1722527337.000000000084E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@`
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWQH
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: dqwhj_errwd.exe, 00000001.00000002.1722527337.000000000087D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnH&
Source: dqwhj_errwd.exe, 00000001.00000002.1722527337.000000000087D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	API call chain: ExitProcess graph end node	graph_0-3426
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	API call chain: ExitProcess graph end node	graph_1-40079
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	API call chain: ExitProcess graph end node	graph_2-44924

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Code function: 1_2_0049089B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_0049089B

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Code function: 1_2_00490B2A VirtualProtect ?,-00000001,00000104,?

1_2_00490B2A

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Code function: 1_2_004AA16A CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_004AA16A

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0049662A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0049662A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0049089B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0049089B
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0048F4C0 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0048F4C0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_0049160D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0049160D
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 1_2_004A5EA9 SetUnhandledExceptionFilter,	1_2_004A5EA9
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0049662A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0049662A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0049089B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0049089B
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0048F4C0 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0048F4C0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_0049160D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0049160D
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: 2_2_004A5EA9 SetUnhandledExceptionFilter,	2_2_004A5EA9

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: nsv2F3C.tmp.0.dr	Binary or memory string: @Program ManagerProgmanSHELLDLL_DefViewSysListView32WorkerWGetNativeSystemInfokernel32.dllSeDebugPrivilege
Source: nsv2F3C.tmp.0.dr	Binary or memory string: @]>'"><&</PRE><PRE>--><!--><!DOCTYPE]]><![CDATA[rbProgram ManagerProgmanSHELLDLL_DefViewSysListView32WorkerWGetNativeSystemInfokernel32.dllSeDebugPrivilege

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	1_2_004A0325
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: GetLocaleInfoA,	1_2_004A640C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	1_2_004A043C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	1_2_004A04D4
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	1_2_004A0548
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	1_2_004A071A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_004A07DB
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_004A0842
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	1_2_004A087E
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	1_2_00496B75
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	1_2_0049F47D
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: GetLocaleInfoA,	1_2_0049750F
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	1_2_0049F60B
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	1_2_0049FC79
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	1_2_004A7DE0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,	1_2_004A7E14
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	1_2_0049FED1
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_004A7F53
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_004A0325
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: GetLocaleInfoA,	2_2_004A640C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	2_2_004A043C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	2_2_004A04D4
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	2_2_004A0548
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	2_2_004A071A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_004A07DB
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_004A0842
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	2_2_004A087E
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	2_2_00496B75
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	2_2_0049F47D
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: GetLocaleInfoA,	2_2_0049750F
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	2_2_0049F60B
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	2_2_0049FC79
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	2_2_004A7DE0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,	2_2_004A7E14
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	2_2_0049FED1
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_004A7F53

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Code function: 1_2_004A6237 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_004A6237

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Code function: 1_2_00499CF9 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

1_2_00499CF9

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe

Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B88

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	4 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Bootkit	2 Process Injection	2 Obfuscated Files or Information	Security Account Manager	35 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bootkit	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.FileRepMalware.6479.21607.exe	50%	ReversingLabs	Win32.PUA.YouXun
SecuriteInfo.com.FileRepMalware.6479.21607.exe	100%	Avira	ADWARE/Wews87.jccce

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	100%	Avira	HEUR/AGEN.1303415
C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\FindProcDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe	54%	ReversingLabs	Win32.PUA.YouXun
C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe	7%	ReversingLabs

Source	Detection	Scanner	Label
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
d.wanyouxi7.com.wscdns.com	163.171.133.72	true	false	unknown
regapi.37.com	180.188.25.9	true	false	unknown
1z8kxno0.sched.sma-dk.tdnsstic1.cn	60.221.17.65	true	false	unknown
ins-taraok4w.ias.tencent-cloud.net	43.154.254.89	true	false	unknown
gameapp.37.com	180.188.25.9	true	false	unknown
a.clickdata.37wan.com	159.75.141.43	true	false	unknown
my.37.com	180.188.25.9	true	false	unknown
p2019.q1qfc323.com	139.9.125.189	true	false	unknown
sx-img-all.volcgtm.com	111.6.1.212	true	false	unknown
img2.37wanimg.com	unknown	unknown	false	unknown
img1.37wanimg.com	unknown	unknown	false	unknown
turing.captcha.qcloud.com	unknown	unknown	false	unknown
turing.captcha.gtimg.com	unknown	unknown	false	unknown
cookiem.37.com	unknown	unknown	false	unknown
d.wanyouxi7.com	unknown	unknown	false	unknown
cm.he2d.com	unknown	unknown	false	unknown
ptres.37.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
http://a.clickdata.37wan.com/controller/istat.controller.php?platform=37wan&item=u3tfl5ftfl&game_id=417&sid=&position=1&ext_1=4&ext_2=wd_37cs&ext_3=921614&ext_4=&ext_5=gy&ext_6=&login_account=&browser_type=&user_ip=&refer=wd_37cs&uid=921614&page=4&t=1730391732770	false	unknown
http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391727	false	unknown
http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723	false	unknown
http://img1.37wanimg.com/www2015/images/reglog/200x42.png?v=1	false	unknown
http://img1.37wanimg.com/jzcq/css/client/game1/rem_on.png	false	unknown
https://turing.captcha.qcloud.com/TCaptcha.js	false	unknown
http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-avatar.png?v=1	false	unknown
http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2	false	unknown
https://turing.captcha.qcloud.com/template/drag_ele.html	false	unknown
http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1	false	unknown
http://img1.37wanimg.com/www2015/images/common/third-logo-24.png	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600me_id=417&tpl_type=game26	dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/dy-jy3.js7/gC	dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/	dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/template/drag_ele.htmler&game_id=417&tpl_type=game2er=wd_37cs&uid=	dqwhj_errwd.exe, 00000002.00000002.2938942824.0000000002575000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391727G	dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000959000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://gameapp.37.com/al	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/app.ini	SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1691381928.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1668064574.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1723271232.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1669149936.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1668683718.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692162572.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692348251.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692330335.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1724369946.0000000002390000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1889253533.000000000E550000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1889292431.000000000E550000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp, lander.ini.0.dr, nsv2F3C.tmp.0.dr	false		unknown
http://www.37.com/jzcq/xinwen/G	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1	dqwhj_errwd.exe	false		unknown
http://www.37.com/jzcq/Te	dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/www/css/images/common/6D	dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.37.com/jzcq/xinwen/20201119-3965/mlzW	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/www/css/images/common/ico.png$	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.gtimg.com/1/dy-jy3.jsag_ele.htmlag_ele.html...tpl_type=game2N	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/template/drag_ele.html#s	dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://turing.captcha.qcloud.comC:	dqwhj_errwd.exe, 00000002.00000003.2101296947.000000000DC6B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.37.com/jzcq/xinwen/20201119-3965//btn-reg.jpg;	dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/www/css/images/common/ico.png.	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://d.wanyouxi7.com/37/jzcq/official/app.ini	dqwhj_errwd.exe	false		unknown
http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391723QQC:	dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.37.com/notice/2021/0112/78827.html	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=1730391733146&_=17303917331462	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/template/drag_ele.html#c	dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.gtimg.com/1/dy-jy3.js/template/drag_ele.html...ata=...6ww/c	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ptres.37.com/js/sq/widget/sq.tab.js=	dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723w	dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.pngX	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://my.37.com/user_agreement.html	dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr	false		unknown
http://ptres.37.com/js/sq/lib/sq.core.js?t=20140304Bj	dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/www/css/images/common/ico.pngM	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2http://gameapp	dqwhj_errwd.exe, 00000002.00000003.1896698789.000000000B58A000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869813849.000000000B588000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869677910.000000000B586000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2939218925.0000000002683000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896549007.000000000B585000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1870146236.000000000B58D000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869638235.000000000B585000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869890267.000000000B589000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869569951.000000000B583000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896778847.000000000B58C000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896491573.000000000B582000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896808247.000000000B58D000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896728000.000000000B58B000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896667533.000000000B589000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1870076464.000000000B58B000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896606881.000000000B587000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869464913.000000000B580000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1870109855.000000000B58C000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869534061.000000000B582000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869980076.000000000B58A000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896636744.000000000B588000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/www2015/images/reglog/260x42.png?v=1	dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://regapi.37.com/proxy_yk.htmlient.php?action=register&game_id=417&tpl_type=game2pe=game2	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://my.37.com/forgetpwd/AP8B	dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.symauth.com/cps0(	SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	false	URL Reputation: safe	unknown
https://turing.captcha.qcloud.com/template/drag_ele.html#D8FFFFFF	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ptres.37.com/js/sq/widget/sq.statis.jstion=register&game_id=417&tpl_type=game2ogin=1	dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://my.37.com/api/register.php	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, sq.login[1].js.2.dr	false		unknown
http://nsis.sf.net/NSIS_Error	SecuriteInfo.com.FileRepMalware.6479.21607.exe, uninst.exe.0.dr	false	URL Reputation: safe	unknown
http://cm.he2d.com/1/comde	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.symauth.com/rpa00	SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	false	URL Reputation: safe	unknown
https://turing.captcha.qcloud.com/dy-jy3.jsC:	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://regapi.37.com/api/p_register_phone.php//regapi.37.com/code_check.php?callback=?	dqwhj_errwd.exe, 00000002.00000002.2939218925.0000000002683000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146ame2	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://cm.he2d.com/	dqwhj_errwd.exe, 00000002.00000003.2102406429.000000000B108000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B108000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1882032734.000000000B10A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ptres.37.com/XZ	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.pngK	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/template/drag_ele.htmlhttps://turing.captcha.qcloud.com/template/d	dqwhj_errwd.exe, 00000002.00000002.2967857693.000000000DAC3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2UN	dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.png391723	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://my.37.com/api/login.phpERROR_TYPE_FRAMEJS_CODE_ERROR	dqwhj_errwd.exe, 00000002.00000002.2939218925.000000000269B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/TCaptcha.jsn	dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.37.com/jzcq/xinwen/	dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765851841.0000000003562000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D44000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr, client[1].htm.2.dr	false		unknown
https://cloudcache.tencentcs.com/qcloud/main/scripts/release/common/vendors/jquery-3.2.1.min.js3	dqwhj_errwd.exe, 00000002.00000002.2972517657.000000000E3A9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://regapi.37.com/proxy_yk.htmlame	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/www/css/images/common/ico.pngz	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/css/client/game1/dot.png6	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/css/client/game1/rem.pnggS	dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/www2015/images/reglog/260x42.png?v=1M	dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/TCaptcha.jsj	dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://rce.tencentrio.com	dqwhj_errwd.exe, 00000002.00000003.2012644987.000000000DA8C000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2958811416.000000000B553000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2012767637.000000000DA8E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/www2015/images/reglog/260x42.png?v=1L	dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cloudcache.tencentcs.com/qcloud/main/scripts/release/common/vendors/jquery-3.2.1.min.jsf	dqwhj_errwd.exe, 00000002.00000002.2967324498.000000000DA96000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2958484214.000000000B52F000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2041786911.000000000DA96000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2012767637.000000000DA96000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://img2.37wanimg.com/2017/06/19141848xsCpC.jpgt	dqwhj_errwd.exe, 00000002.00000003.1765657394.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391723C:	dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D3E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/www2015/images/reglog/260x42.png?v=1#	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/www/css/images/common/dialog2/bg-dialog-close.png)	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765657394.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B090000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2962649939.000000000BC80000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr, client[1].htm.2.dr	false		unknown
http://a.clickdata.37wan.com/	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://regapi.37.com/proxy_yk.htmlC:	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img2.37wanimg.com/2017/06/19141848xsCpC.jpgvkTC	dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/dy-jy3.jsg/	dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/js/client/game1.js?t=1730391723LMEM	dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.comx	dqwhj_errwd.exe, 00000002.00000002.2961100661.000000000BB43000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ptres.37.com/js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146c	dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/css/client/game1/dot.pngj	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/TCaptcha.js-	dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.37.com/jzcq/z	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/dqwhj_errw.exeW	dqwhj_errwd.exe, 00000002.00000002.2938942824.0000000002570000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://my.37.com/httpsEnable.gif?t=	dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.37.com/jzcq/ror	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com///turing.captcha.qcloud.com/template/drag_ele.html...	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://kf.37.com/http://jzcq.37.com/http://bbs.37.com/list-3829-1.htmlwd_returnlogin=1Software	SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	false		unknown
http://www.37.com/jzcq/o	dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.founder.com.cn/cn	dqwhj_errwd.exe, 00000002.00000002.2948731273.0000000007A3D000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2948731273.0000000007A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.37.com/jzcq//;-webkit-tapr	dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://img1.37wanimg.com/jzcq/css/client/game1/dot.pngF	dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=	dqwhj_errwd.exe, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr	false		unknown
https://global.turing.captcha.gtimg.comhttps://turing.captcha.gtimg.com/1Y	dqwhj_errwd.exe, 00000002.00000002.2961100661.000000000BB43000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://turing.captcha.qcloud.com/template/drag_ele.html##	dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
139.9.125.189	p2019.q1qfc323.com	China	55990	HWCSNETHuaweiCloudServicedatacenterCN	false
193.112.116.230	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
60.221.17.65	1z8kxno0.sched.sma-dk.tdnsstic1.cn	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
183.204.211.166	unknown	China	24445	CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN	false
111.6.1.212	sx-img-all.volcgtm.com	China	24445	CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN	false
163.171.133.72	d.wanyouxi7.com.wscdns.com	European Union	54994	QUANTILNETWORKSUS	false
159.75.141.43	a.clickdata.37wan.com	China	1257	TELE2EU	false
180.188.25.9	regapi.37.com	China	136190	CHINATELECOM-ZHEJIANG-JINHUA-IDCJINHUAZHEJIANGProvince	false
43.154.254.89	ins-taraok4w.ias.tencent-cloud.net	Japan	4249	LILLY-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546265
Start date and time:	2024-10-31 17:21:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.FileRepMalware.6479.21607.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@5/48@12/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 335 Number of non-executed functions: 224
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SecuriteInfo.com.FileRepMalware.6479.21607.exe

Simulations

Behavior and APIs

Time	Type	Description
12:22:09	API Interceptor	4x Sleep call for process: dqwhj_errwd.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
139.9.125.189	SecuriteInfo.com.Win32.Adware-gen.4366.267.exe	Get hash	malicious	Unknown	Browse	cookiem.37.com/sys/?u=FA.vZqgCZIUBAAAAgdkv&fdata=
	SecuriteInfo.com.FileRepMalware.28303.12839.exe	Get hash	malicious	Unknown	Browse	cookiem.37.com/sys/?u=lJLVZpsedD4BAAAAS5Uj&fdata=
	SecuriteInfo.com.Win32.Malware-gen.31849.9616.exe	Get hash	malicious	Unknown	Browse	pt.clickdata.37wan.com/ps.gif?id=31&la=&gid=810&sid=400832&cf=http%3A%2F%2Fc.02kdid.com%2Fs%2F1%2F3205%2F114084.html%3Fp%3D1%26un%3D3205%26l%3D114084%26uid%3D910338%26a%3D52290%26pd%3D1%26g%3D810%26gs%3D357147%26s%3D40%26t%3D1%26v%3DU1Nl6BrOHhNiDQA6-BM.%26c%3D14416%26cg%3D19384%26b%3D0%26n%3D0%26sz%3D-1&rf=http://c.02kdid.com/w/sys_cs.html?c=14415&refer=feitian_wd&uid=910338&version=3000&installtime=20240306&runcount=1&curtime=20240306082705&showlogintype=3&pagetype=1&thirdlogin=1&regtimes=1&b=IE7&ext=script::https%3A%2F%2Fturing.captcha.qcloud.com%2FTCaptcha.js&e2=3&e3=3205&e4=cs_cswl_new&e5=910338&e6=&e7=&t=0.7494238551936825
193.112.116.230	SecuriteInfo.com.Win32.Adware-gen.4366.267.exe	Get hash	malicious	Unknown	Browse	cm.he2d.com/1/
193.112.116.230	SecuriteInfo.com.Win32.Malware-gen.31849.9616.exe	Get hash	malicious	Unknown	Browse	cookiem.37.com/sys/?u=0xroZex.ujIBAAAA5DYu&fdata=
163.171.133.72	http://worker-royal-cake-d668.20030725gg.workers.dev/	Get hash	malicious	Unknown	Browse
	http://worker-winter-voice-2d98.mlzfuyun.workers.dev/	Get hash	malicious	Unknown	Browse
	http://ygworker.shivermin-7b4.workers.dev/	Get hash	malicious	Unknown	Browse
	http://helloone.boilcetea.workers.dev/	Get hash	malicious	Unknown	Browse
	http://1165888888.com/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ins-taraok4w.ias.tencent-cloud.net	SecuriteInfo.com.Win32.Adware-gen.4366.267.exe	Get hash	malicious	Unknown	Browse	43.154.254.185
	SecuriteInfo.com.FileRepMalware.28303.12839.exe	Get hash	malicious	Unknown	Browse	43.154.254.185
	SecuriteInfo.com.Trojan.Inject4.54824.15312.17403.exe	Get hash	malicious	Unknown	Browse	43.154.254.185
	SecuriteInfo.com.Trojan.PWS.Siggen2.60328.11377.32540.exe	Get hash	malicious	Unknown	Browse	43.154.254.185
	SecuriteInfo.com.Unwanted-Program.0056626f1.515.26855.exe	Get hash	malicious	Unknown	Browse	43.154.254.89
	SecuriteInfo.com.Win32.Malware-gen.31849.9616.exe	Get hash	malicious	Unknown	Browse	43.154.254.89
	SecuriteInfo.com.Riskware.Wews87.704.12580.exe	Get hash	malicious	Unknown	Browse	43.154.254.185
	SecuriteInfo.com.Trojan.DownLoader46.44011.13581.29916.exe	Get hash	malicious	Unknown	Browse	43.154.254.89
d.wanyouxi7.com.wscdns.com	SecuriteInfo.com.Win32.Adware-gen.4366.267.exe	Get hash	malicious	Unknown	Browse	163.171.128.148
	SecuriteInfo.com.FileRepMalware.28303.12839.exe	Get hash	malicious	Unknown	Browse	163.171.132.42
	SecuriteInfo.com.Trojan.DownLoader40.40259.3271.29415.exe	Get hash	malicious	Unknown	Browse	157.185.170.144
	SecuriteInfo.com.Trojan.Inject4.54824.15312.17403.exe	Get hash	malicious	Unknown	Browse	138.113.159.20
	SecuriteInfo.com.Trojan.PWS.Siggen2.60328.11377.32540.exe	Get hash	malicious	Unknown	Browse	157.185.177.205
	SecuriteInfo.com.Unwanted-Program.0056626f1.515.26855.exe	Get hash	malicious	Unknown	Browse	157.185.145.100
	SecuriteInfo.com.Win32.Malware-gen.31849.9616.exe	Get hash	malicious	Unknown	Browse	157.185.177.205
	SecuriteInfo.com.Variant.Tedy.266362.6338.31808.exe	Get hash	malicious	Unknown	Browse	157.185.177.205
	SecuriteInfo.com.Riskware.Wews87.704.12580.exe	Get hash	malicious	Unknown	Browse	138.113.159.20
	SecuriteInfo.com.Trojan.DownLoader46.44011.13581.29916.exe	Get hash	malicious	Unknown	Browse	157.185.177.205
regapi.37.com	SecuriteInfo.com.Win32.Adware-gen.4366.267.exe	Get hash	malicious	Unknown	Browse	180.188.25.9
regapi.37.com	SecuriteInfo.com.FileRepMalware.28303.12839.exe	Get hash	malicious	Unknown	Browse	180.188.25.9
1z8kxno0.sched.sma-dk.tdnsstic1.cn	SecuriteInfo.com.Win32.Adware-gen.4366.267.exe	Get hash	malicious	Unknown	Browse	123.138.255.99
	SecuriteInfo.com.FileRepMalware.28303.12839.exe	Get hash	malicious	Unknown	Browse	153.0.228.201
	SecuriteInfo.com.Trojan.Inject4.54824.15312.17403.exe	Get hash	malicious	Unknown	Browse	101.72.233.169
	https://n1h8wf.cn/IP:	Get hash	malicious	Unknown	Browse	116.153.46.40
	https://221d.cn/IP:	Get hash	malicious	Unknown	Browse	113.201.158.139
	SecuriteInfo.com.Trojan.PWS.Siggen2.60328.11377.32540.exe	Get hash	malicious	Unknown	Browse	36.249.65.247
	https://www.yunfuchu.cn/IP:	Get hash	malicious	Unknown	Browse	119.167.147.251
	https://www.tvrur.cn/IP:	Get hash	malicious	Unknown	Browse	123.234.2.61
	SecuriteInfo.com.Unwanted-Program.0056626f1.515.26855.exe	Get hash	malicious	Unknown	Browse	42.177.83.214
	SecuriteInfo.com.Win32.Malware-gen.31849.9616.exe	Get hash	malicious	Unknown	Browse	211.93.212.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	LJSS65p4Kz.elf	Get hash	malicious	Unknown	Browse	123.7.250.20
	W6Z9uSRsKQ.elf	Get hash	malicious	Unknown	Browse	157.10.154.186
	wZU2edEGL3.elf	Get hash	malicious	Unknown	Browse	175.44.144.193
	SuNMTBkfPo.elf	Get hash	malicious	Unknown	Browse	219.155.84.78
	8v2IShmMos.elf	Get hash	malicious	Unknown	Browse	120.10.137.130
	B6eg13TpEH.elf	Get hash	malicious	Unknown	Browse	110.242.6.182
	vHnFyxemFf.elf	Get hash	malicious	Unknown	Browse	121.26.32.110
	v6pwbOEUpl.elf	Get hash	malicious	Unknown	Browse	116.95.152.186
	belks.arm.elf	Get hash	malicious	Mirai	Browse	112.230.29.38
	belks.arm7.elf	Get hash	malicious	Mirai	Browse	42.227.192.109
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	LJSS65p4Kz.elf	Get hash	malicious	Unknown	Browse	129.28.4.86
	W6Z9uSRsKQ.elf	Get hash	malicious	Unknown	Browse	115.159.65.226
	belks.mpsl.elf	Get hash	malicious	Mirai	Browse	62.234.100.154
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	62.234.36.107
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	139.199.180.83
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	119.29.18.160
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	129.211.60.156
	splppc.elf	Get hash	malicious	Unknown	Browse	115.159.172.85
	sh4.elf	Get hash	malicious	Unknown	Browse	175.24.179.191
	splarm7.elf	Get hash	malicious	Unknown	Browse	139.155.99.43
HWCSNETHuaweiCloudServicedatacenterCN	na.elf	Get hash	malicious	Mirai	Browse	117.78.79.98
	nabmips.elf	Get hash	malicious	Unknown	Browse	121.36.193.221
	nklarm5.elf	Get hash	malicious	Unknown	Browse	117.79.59.250
	botnet.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	121.38.33.222
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	139.9.94.123
	SecuriteInfo.com.FileRepMalware.25324.30248.exe	Get hash	malicious	Unknown	Browse	124.70.63.17
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	124.70.41.104
	yakuza.sparc.elf	Get hash	malicious	Unknown	Browse	121.36.145.83
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	121.37.166.122
	armv7l.elf	Get hash	malicious	Unknown	Browse	139.9.27.96
CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN	arm5.elf	Get hash	malicious	Unknown	Browse	117.160.92.69
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	120.219.169.205
	nabarm5.elf	Get hash	malicious	Unknown	Browse	183.205.164.42
	nabsh4.elf	Get hash	malicious	Unknown	Browse	39.148.57.187
	nabmpsl.elf	Get hash	malicious	Unknown	Browse	39.162.10.186
	m68k.elf	Get hash	malicious	Unknown	Browse	117.160.75.243
	arm7.elf	Get hash	malicious	Unknown	Browse	39.150.61.211
	jklm68k.elf	Get hash	malicious	Unknown	Browse	111.5.43.141
	arm7.elf	Get hash	malicious	Mirai	Browse	111.7.211.99
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	120.213.200.28

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	WGo3ga1AL9.exe	Get hash	malicious	Stealc, Vidar	Browse	180.188.25.9 60.221.17.65 43.154.254.89
	FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.pif.exe	Get hash	malicious	FormBook, GuLoader	Browse	180.188.25.9 60.221.17.65 43.154.254.89
	FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.pif.exe	Get hash	malicious	FormBook, GuLoader	Browse	180.188.25.9 60.221.17.65 43.154.254.89
	PO-000172483 (2).exe	Get hash	malicious	FormBook, GuLoader	Browse	180.188.25.9 60.221.17.65 43.154.254.89
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse	180.188.25.9 60.221.17.65 43.154.254.89
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	180.188.25.9 60.221.17.65 43.154.254.89
	#U2749Factura_#U2749_#U2462#U2465#U2460#U2463#U2463#U2460#U2462#U2461.hta	Get hash	malicious	Unknown	Browse	180.188.25.9 60.221.17.65 43.154.254.89
	#U2749Factura_#U2749_#U2466#U2461#U2466#U2462#U2467#U2465#U2465#U2465.hta	Get hash	malicious	Unknown	Browse	180.188.25.9 60.221.17.65 43.154.254.89
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	180.188.25.9 60.221.17.65 43.154.254.89
	Contrato.exe	Get hash	malicious	DarkCloud	Browse	180.188.25.9 60.221.17.65 43.154.254.89

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\System.dll	Uninstall.exe	Get hash	malicious	Unknown	Browse
	WhiteDefenderSetup64_20201118.exe	Get hash	malicious	GuLoader	Browse
	WhiteDefenderSetup64_20201118.exe	Get hash	malicious	GuLoader	Browse
	563299efce875400a8d9b44b96597c8e-sample (1).zip	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.20128.24359.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Adware-gen.4366.267.exe	Get hash	malicious	Unknown	Browse
	bomgar-scc-w0yc30wie5hdhfjjhy58wyh1jzdzhxyz5yxjj7c40jc90 (1).exe	Get hash	malicious	Unknown	Browse
	bomgar-scc-w0yc30wie5hdhfjjhy58wyh1jzdzhxyz5yxjj7c40jc90 (1).exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.27948.29630.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\FindProcDLL.dll	SecuriteInfo.com.Win32.Adware-gen.4366.267.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.28303.12839.exe	Get hash	malicious	Unknown	Browse
	tGnix5uKlr.exe	Get hash	malicious	Unknown	Browse
	tGnix5uKlr.exe	Get hash	malicious	Unknown	Browse
	temp.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.DownLoader40.40259.3271.29415.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.31849.9616.exe	Get hash	malicious	Unknown	Browse
	Dlabel_PC.exe	Get hash	malicious	Unknown	Browse
	Dlabel_PC.exe	Get hash	malicious	Unknown	Browse
	ooP6zOr5H9.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E6F1PLIB\turing.captcha.qcloud[1].xml

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Reputation:	high, very likely benign file
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\19141848xsCpC[1].jpg

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], progressive, precision 8, 326x176, components 3
Category:	dropped
Size (bytes):	18702
Entropy (8bit):	7.958662494277084
Encrypted:	false
SSDEEP:	384:qzPysrL8uknGKu8uVgoAQ/d+tk0T2kDx1yn0C8I/8vysG57:qzPLrfkn88WgSkkApD2n/6Vu
MD5:	154EE9269893481124F0E5A362ABF9C8
SHA1:	558C0D77162A56AD472BBD26DF7F9FEFE69A9E16
SHA-256:	3D232C0E5A649F37E50831DF95D8510EE1DEDE77D22FD6C1C6CF11C1D741C7C4
SHA-512:	39F64B831A26B63FA1B8564D4449FBADA373B31E697985A04D1CC774D8F1B8FAC9C84070A4C529A4B090BA7A256422E52514472B6B1EA0A0663BAB290057ADF1
Malicious:	false
Reputation:	low
Preview:	......Exif..II*.................Ducky.......<.....whttp://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c067 79.157747, 2015/03/30-23:40:42 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:7152902F30C5E311B10CA4C2849A1B07" xmpMM:DocumentID="xmp.did:6CE51870523F11E7AF22E764C549EC63" xmpMM:InstanceID="xmp.iid:6CE5186F523F11E7AF22E764C549EC63" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:caec76d0-55c9-a646-ba24-1b309185d5f0" stRef:documentID="xmp.did:7152902F30C5E311B10CA4C2849A1B07"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...&Adobe.d...........................I.........................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\btn-reg[1].jpg

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 188x79, components 3
Category:	modified
Size (bytes):	8467
Entropy (8bit):	7.912871515053087
Encrypted:	false
SSDEEP:	192:InzrttGhj5cSrYivHKyewHD+ep96g85rLBjBXG9:MzrrHSrYiSyewj+CR85nBjBW
MD5:	C6CFCCC4BBD6E6E4698327BEB27E2CA2
SHA1:	69247A225882819AC70969B8F5089FB6A4BE12E8
SHA-256:	FC0C371EDFC08F2DF7DE9547F83D9E549259F7B12D3537DDA90B9D859BA4D855
SHA-512:	04F413366EBD33A8D1BF7668486A7ABC4435B32A0BCFC87525DB042A0B5A6DA277E8234DDE06EAF39AF9A3063371CCFB72758B1D3D3588327282AC3F5E83DADE
Malicious:	false
Reputation:	low
Preview:	......Exif..II*.................Ducky.......<.....whttp://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:7152902F30C5E311B10CA4C2849A1B07" xmpMM:DocumentID="xmp.did:84219493492811E7A6F080A422EEECBC" xmpMM:InstanceID="xmp.iid:84219492492811E7A6F080A422EEECBC" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:e8142cb1-0583-4a79-8a0b-9fc0c900b6c0" stRef:documentID="xmp.did:7152902F30C5E311B10CA4C2849A1B07"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.....................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\drag_ele[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (58960)
Category:	dropped
Size (bytes):	60039
Entropy (8bit):	6.024095692334277
Encrypted:	false
SSDEEP:	768:v+9WOsk6X6WKDLKUc+cDD91Oo8F/OiuYXq0mBcCYdBaunU3WbjIsrInU3g0mBcBK:/KTxcioT064suUmPIrUQ0M8dC
MD5:	D2E93BD29D9DCAE01CA3A4B5C06E3568
SHA1:	C58702605B442A679AAC7104C43F231F1696548E
SHA-256:	C7062A7999C14BD725DDDB3A7DBFE686AF0234B5CED118C2D5F5B163CD6C69D7
SHA-512:	2C563DF4783EA02690195240FBF13943358738107840526D9F7ECAFC259D9FA240EE3E2BC76C4239176922D1DBAA3E2FF57F8F216DA10C5621375DA2DE41F2C2
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html><html lang="mul"><head><meta charset="UTF-8"><meta name="renderer" content="webkit"><title>...</title><script type="text/javascript">window.Set="undefined"!=typeof Set?Set:function(){};var apiDomain=window.name;window.TCaptchaApiDomain=apiDomain\|\|"https://turing.captcha.qcloud.com"</script> [if lte IE 7]>. <style>. .tcaptcha-embed-contrl{. margin-left: 5px !important;. }. .tcaptcha-embed .verify-btn{. margin-left: 5px !important;. }. .tc-action--normal, .tc-action--aged{. display: inline !important;. zoom:1 !important;. }. </style>. <![endif]--> [if lte IE 8]>. <style>. .tc-cover{. filter:progid:DXImageTransform.Microsoft.gradient(startColorstr=#D8FFFFFF,endColorstr=#D8FFFFFF);. }. </style>. <![endif]--> [if lte IE 9]>. <style>. .tc-title{. display: block !important;. }. body .body-wrap .tc-title-wrap .tc-title .tc-instruction-icon{. display: inline;. vertical-align: center !imp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dy-jy3[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	5.289253356817004
Encrypted:	false
SSDEEP:	1536:BjExXUqrnxDjoXEZxkMV4SYSt0zvDD6ip3h8cApwEjOPrBeU6QLir:BYh8eip3huuf6Iir
MD5:	14D1C24151B7000F94C2C2FAE0ED7472
SHA1:	F42F17CA33BC21A675D690A0779BC3A0CD0632DC
SHA-256:	F04029C2558F3B9F0B374B0F0E0CF64D9E296ACA474BDC85D130645CCDE554B0
SHA-512:	0B8A84D8463BDFD925870AD7DBA9D7EC59898E4F1B00703DB5667961650847ED933C70534B624ED164C3167088F418FCEAD3194552FD473628B3603DC3A60653
Malicious:	false
Reputation:	low
Preview:	!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n\|\|E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]\|\|t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e\|\|"function"==typeof e?n[o.call(e)]\|\|"object":typeof e}var f="3.5.1",

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\game1[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	5701
Entropy (8bit):	4.0880289126742495
Encrypted:	false
SSDEEP:	96:jMvVfCwyKoEfxArUB+iM+gB+tJb7UGwP3k/dUXIxVdUXKyV2z:AvVqwTZCrUBqSJb7UBfoyXUVyX1u
MD5:	EC0A6479D04CCEF2B6F18BA28622815D
SHA1:	9368BD641CD92252161D1B954A8E4306F28279A5
SHA-256:	FAAB552AE3CE16B383FCE64E010445137A500C86D9425C68D6F5DD6373A282D5
SHA-512:	16757AF85AB986D0202BC5C64A6CB78D0C66DBC9C8C60409DA97F92EE1E4AB1F654A821F168994D329048D43052BA6BA51335207B7C3CCAE0215AE303D924F3B
Malicious:	false
Preview:	/.. client game.js.. * @author hanzh.. * @date 2014-04-17.. */..(function( $, SQ, undefined ){.... var clientC = new SQ.ClientClass({.. gameId: DefaultGameId,.. data: DefaultDataMeta,.. gameName: DefaultGameName,.. pageSize: 500,.. logEvent: {.. suc: function() {.. SQ.ClientClass.skipToServer({});.. },.. fai: function( res ) {.. alert( res.msg );.. }.. },.. regEvent: {.. suc: function( options ) {.. if ( options.server_id ) {.. SQ.ClientClass.enterGame( options.sid, options.login_account );.. } else {.. SQ.ClientClass.skipToServer();.. }.. },.. fai: function( msg ) {.. alert( msg );.. }.. },.. regType: "Ad".. });.. var game = {.. init: function() {.. this.login();.. this

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\istat.controller[1].php

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.000978092779002
Encrypted:	false
SSDEEP:	3:YGKhaBEija:YGKhaBJe
MD5:	DBB6F23686ECB4F3874719CEE71C11F7
SHA1:	F4877108CCF884416E47137E694D0277631FB25A
SHA-256:	A4E0BE6E7905A298130A048AE83B3D979425244387D27B6427F4B46F979BE2DF
SHA-512:	A700553F5D840930A321B4A4FF1FBC299F8756CD135B1D43621063F1324A2F9307BBC046C0D9B22DA6A90F069A23C37AE6DBBFDEFA789C0EFA90DBE9AB218194
Malicious:	false
Preview:	{"code":1,"msg":"send data success!"}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\proxy_yk[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.007332925929006
Encrypted:	false
SSDEEP:	6:qTFQW3t9YkxMUzqLAqJmW/1zUTV6mNVMDAqJmBoHJzIb4K1DD3GYeeovZKOMch0z:qTWgHzlqJmWGjVMcqJmCysvQy0OMCL8B
MD5:	EDCF8984B709ED0752587A7A07C94D49
SHA1:	6993C2B606073E17F9F810C9A76659D52BC13BE9
SHA-256:	ECACFE1DE7A84DC7D67633E33BA9DA356710FDFA27BEEDDBA6861697E5CCF2E9
SHA-512:	93C6608BE4C7C4A4DCBFCD0754AFAA04DF400C756EC3F139D8D82446225367C32E4162FFDD4DA209BD8045A5D5B8B622879C7E77912934287373859AA1794EDB
Malicious:	false
Preview:	<!doctype html>..<html>..<head>..<meta charset="utf-8">..<title>37-proxy</title>..<script type="text/javascript" src="//ptres.37.com/js/sq/lib/sq.core.js"></script>..<script type="text/javascript"> ...document.domain = '37.com';...window.parent.ykproxyDisabledSc();..</script>..</head>..<body>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sq.core[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (32816)
Category:	dropped
Size (bytes):	102584
Entropy (8bit):	5.409252654369815
Encrypted:	false
SSDEEP:	1536:Xp4okW2d5x7YojMgWa63jGBRXiczV+2OjfgwRENbUFRS0ohGTRaDHZY5bB864fkr:z/0BO9KINKXOZKUtCux
MD5:	F583E8B1F035F0D7F4FF01BC155D261B
SHA1:	FC5589D91B064FE95706B7A16E841EA847F5E8FC
SHA-256:	EA4580A816AD527E6CD5DC30AB5C69E2882F5790143B133D61D12B4A726FA27D
SHA-512:	B561ED2D1A87B66B64299D569B080E27CF343AA4DA5495FD62F5B615B97E87EDB2D9FF779F712F1C1A5E356CE6A4B814A24D95DF27573F2A549B34E35A430A8D
Malicious:	false
Preview:	!function(a,b){function c(a){var b=ob[a]={};return $.each(a.split(bb),function(a,c){b[c]=!0}),b}function d(a,c,d){if(d===b&&1===a.nodeType){var e="data-"+c.replace(qb,"-$1").toLowerCase();if(d=a.getAttribute(e),"string"==typeof d){try{d="true"===d?!0:"false"===d?!1:"null"===d?null:+d+""===d?+d:pb.test(d)?$.parseJSON(d):d}catch(f){}$.data(a,c,d)}else d=b}return d}function e(a){var b;for(b in a)if(("data"!==b\|\|!$.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function f(){return!1}function g(){return!0}function h(a){return!a\|\|!a.parentNode\|\|11===a.parentNode.nodeType}function i(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}function j(a,b,c){if(b=b\|\|0,$.isFunction(b))return $.grep(a,function(a,d){var e=!!b.call(a,d,a);return e===c});if(b.nodeType)return $.grep(a,function(a){return a===b===c});if("string"==typeof b){var d=$.grep(a,function(a){return 1===a.nodeType});if(Kb.test(b))return $.filter(b,d,!c);b=$.filter(b,d)}return $.grep(a,function(a){return $.inArray(a,b)>=0===c})}fun

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\third-logo-24[1].png

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	PNG image data, 24 x 104, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.645281958330552
Encrypted:	false
SSDEEP:	48:gtcGGGGGGGGGGWw5DltSDKwqvU/+lWh5ULrDv:qcGGGGGGGGGx44KH5l25urDv
MD5:	A1EF4405C7942E6B466A7C569D5BA411
SHA1:	776980E31CAC1B79D394BC3531AED7C73C6B36C8
SHA-256:	320F68140664F8CB91E164D87D816E646954DAFB94C99512922F70019D4400D8
SHA-512:	84F72D08B62C99AF0C54CBDE9917DE96CF624A99B08755EE079D9F7989A737724D44427F561585AD12EC0708B3E7C7C185C7F313FF3A1C5AB9450C75ADCC485C
Malicious:	false
Preview:	.PNG........IHDR.......h............PLTE.........3...<(...3...<(...3...<(...3...<(...3...<(...3...<(...3...<(...3...<(...3...<(...3...<(.....................!.!"."/./3..5..5.59..:..:.:=..?..C.CD..F..H.HI.IM..O..R.RT.TU..`..`.`a..e..j..n..o..q.qr.rv..v.vw..\|................................................................................................................................................<(.>*.>+.?+....A..B/.C0.D0.G5.I6.K8.N<.P>.TB.VE.XF.ZI.[K.\K.^M.`P.bR.cS.dT.gW....k\.l].n_.n`.rc....xj.xk.yk.zl.{m....\|o..q.v.w....y.{.}.~.......................................................................................................................................................................................N:..... tRNS..((()))fffggg..................Qi......IDATH..S.[TA......%.....]....b.b.....EE...E...Vl....,....&v....}z~x3s..w....Jk0..Z.+..9.lA.....2....y_s....f;.3.<N....<......V......p.l. ...HE'..Q.Z..i.=.7]k..N.s!.......qaQ}.P!d.X..$

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\dy-jy3[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	89391
Entropy (8bit):	5.288898697062284
Encrypted:	false
SSDEEP:	1536:BjExXUqrnxDjoXEZxkMV4SYSt0zvDD6ip3h8cApwEjOPrBeU6QLiTFbc0QlQvakF:BYh8eip3huuf6IidlrvakdtQ47GK1
MD5:	626436A6C87A002EB7E8A99C6F5F96B6
SHA1:	67D9732C33DC7689A98E63AF2A97B0912F290762
SHA-256:	2A5FC3AD9F9E68E6DE662DE3E43661E1E8E447DF0929EFC64C0F067BE2D9C455
SHA-512:	36DAC1D5EA743F78E2FA1A503CE5D4448497717589529D1946EDDE1E474968D116BB21CEA723CE8CF3CBB7D6B195D347588A0AA00473B5F41808DDA1EE50369C
Malicious:	false
Preview:	!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n\|\|E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]\|\|t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e\|\|"function"==typeof e?n[o.call(e)]\|\|"object":typeof e}var f="3.5.1",

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\httpsEnable[1].gif

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	2.9889835948335506
Encrypted:	false
SSDEEP:	3:CUkxl7/lHh/:slf/
MD5:	B4491705564909DA7F9EAF749DBBFBB1
SHA1:	279315D507855C6A4351E1E2C2F39DD9CD2FCCD8
SHA-256:	4E0705327480AD2323CB03D9C450FFCAE4A98BF3A5382FA0C7882145ED620E49
SHA-512:	B8D82D64EC656C63570B82215564929ADAD167E61643FD72283B94F3E448EF8AB0AD42202F3537A0DA89960BBDC69498608FC6EC89502C6C338B6226C8BF5E14
Malicious:	false
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\ico[1].png

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	PNG image data, 19 x 1489, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5411
Entropy (8bit):	7.961326419552633
Encrypted:	false
SSDEEP:	96:jT+mbb4s7Q0GWIjN0dOExxgi7DOUuvbuEjJOhiw+vcFNkiqQ:mvs7Q0GNQOWQuwYwwmiqQ
MD5:	38031B70C833E8DA4A1F67EFB1B03479
SHA1:	166A6CB0AF09D997DBF16F5043625FAED37A00AB
SHA-256:	7D5A66526F63959D5960515CFEDD9181F147C3C8CCFE8DDEA2E3274947851020
SHA-512:	F2C40F5A53779133CAB42F06F02A031955D6DC7D1C23C9C27492476FCD3AD00EA60010B7BF5054F8E8144868502357BDD02EFF30F30617AB4689FDE37AA770EF
Malicious:	false
Preview:	.PNG........IHDR.............K.V.....PLTE....f.z..?k........uuu......K.................o......>.S.....<..U3......C............@....G$x.......SSS........k..............rrr..0.........Z.2..4.h.d.........G+.....8........R.....w....Y....ZG.NM.iF..T..U.....I..mo......l..k.H_........ds(&0......o.................n.....5 ..e..3.....@...l.2;......BC.\..-..n.....io.....8./.s\.p.........e.y..............41x#.......y-.Mn.9.........bG.s..............]...N.z.......X.5..{\|~h...pm..P.....AW...zY.c.D..............H./....u...r.h.4[.DU.K....o..qJ.J...Y.....{..........q...[.rU.f..J.`(.....`\.........'........b.5.w............<<I..7........z......O.....`...\OP_.Z..jc....................[...nCA.......R?...klg...lor.....O......f. ...........5.........z.P.E.29....tRNS.@..f....IDATx...XSW...s..r.j..@iR.$(..a.d..a..1......E@...Q@.........u.{.:V..Ng./....<.9...EQ..6....x.y.s./9w......r............T.....8..S...1.....s..a.....#2....q:zzq]..J....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\kv-ico[1].png

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	PNG image data, 27 x 11, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1892
Entropy (8bit):	4.96692868387669
Encrypted:	false
SSDEEP:	24:041h4SHWwjx82lY2T3UVG/ovyJ3VmhWPU/DEGda/YeFdXypK+FZ:7KS2Nn2wQQ6J3YhCU/4KO5dXyc+3
MD5:	D5B3BFFCE8F7C343F8ACA8AEDF4D9C84
SHA1:	D209DE53E6318B11FA5E75BAFBC8424F53BA2805
SHA-256:	C9B98D54D43A20A7184EB18E27678579593D115FE38D2907E320C0D7652F86CB
SHA-512:	604847CD5AE8572E5D9C93451567A6126FF39B1D206A0E202B04BCF4F56F8FB00AC905DCFA40B971FEEE5DDF6F9DAA391504A91411A49965229A2E0490E8148F
Malicious:	false
Preview:	.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<...#iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:2D55ABFD714C11E4A0148B96661822F1" xmpMM:DocumentID="xmp.did:2D55ABFE714C11E4A0148B96661822F1"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2D55ABFB714C11E4A0148B96661822F1" stRef:documentID="xmp.did:2D55ABFC714C11E4A0148B96661822F1"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..S\|....PLTE.........................................................................................n..O........b

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\rem_on[1].png

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	PNG image data, 14 x 14, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1979
Entropy (8bit):	5.632862379734798
Encrypted:	false
SSDEEP:	24:E1h4SHWwjx82lY2T3UVs5DayJ3VHpGXaRn6Nh49YdIwgd3VN:KKS2Nn2wCthJ3zEI6SYdIwgVVN
MD5:	43095E7E7FA46635E48BC31EA3E3FADB
SHA1:	A255AD8FAE45FC667CB7F31C1A283E95ACE91911
SHA-256:	9958ADF0C26AA55E5E27B659170237AD048BC30A0E2EA06BFC3D2037F18D865D
SHA-512:	59CDDC9AE63A80D5D81F5131872D835178801E4C0E6534B6CE7ACFC425A8D8429AF627070530C86F939210EF00A73969E8D78C9A5910C27DB412CF1198BAD4ED
Malicious:	false
Preview:	.PNG........IHDR.............(.......tEXtSoftware.Adobe ImageReadyq.e<...#iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:34FD2D73843811E49ACFC3E5D7621613" xmpMM:DocumentID="xmp.did:34FD2D74843811E49ACFC3E5D7621613"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:34FD2D71843811E49ACFC3E5D7621613" stRef:documentID="xmp.did:34FD2D72843811E49ACFC3E5D7621613"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..3M....PLTE........F.H.G.H..>..B..A.z;.d0.l4.a/.s8yU){W*uR(cC lJ$...........................R4.R5.P3...............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sq.core[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (32816)
Category:	dropped
Size (bytes):	102584
Entropy (8bit):	5.409252654369815
Encrypted:	false
SSDEEP:	1536:Xp4okW2d5x7YojMgWa63jGBRXiczV+2OjfgwRENbUFRS0ohGTRaDHZY5bB864fkr:z/0BO9KINKXOZKUtCux
MD5:	F583E8B1F035F0D7F4FF01BC155D261B
SHA1:	FC5589D91B064FE95706B7A16E841EA847F5E8FC
SHA-256:	EA4580A816AD527E6CD5DC30AB5C69E2882F5790143B133D61D12B4A726FA27D
SHA-512:	B561ED2D1A87B66B64299D569B080E27CF343AA4DA5495FD62F5B615B97E87EDB2D9FF779F712F1C1A5E356CE6A4B814A24D95DF27573F2A549B34E35A430A8D
Malicious:	false
Preview:	!function(a,b){function c(a){var b=ob[a]={};return $.each(a.split(bb),function(a,c){b[c]=!0}),b}function d(a,c,d){if(d===b&&1===a.nodeType){var e="data-"+c.replace(qb,"-$1").toLowerCase();if(d=a.getAttribute(e),"string"==typeof d){try{d="true"===d?!0:"false"===d?!1:"null"===d?null:+d+""===d?+d:pb.test(d)?$.parseJSON(d):d}catch(f){}$.data(a,c,d)}else d=b}return d}function e(a){var b;for(b in a)if(("data"!==b\|\|!$.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function f(){return!1}function g(){return!0}function h(a){return!a\|\|!a.parentNode\|\|11===a.parentNode.nodeType}function i(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}function j(a,b,c){if(b=b\|\|0,$.isFunction(b))return $.grep(a,function(a,d){var e=!!b.call(a,d,a);return e===c});if(b.nodeType)return $.grep(a,function(a){return a===b===c});if("string"==typeof b){var d=$.grep(a,function(a){return 1===a.nodeType});if(Kb.test(b))return $.filter(b,d,!c);b=$.filter(b,d)}return $.grep(a,function(a){return $.inArray(a,b)>=0===c})}fun

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sq.login[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (32032)
Category:	dropped
Size (bytes):	39151
Entropy (8bit):	5.812960198989842
Encrypted:	false
SSDEEP:	768:hzckgnVRP74OGm/eGk0mt7yAVlKmzcbtWKOWylKfMijmq+SX/zYfhnx:+7wGsVll8QijWUYfhnx
MD5:	EAC17958F1B690A482D6E18FB304F7A5
SHA1:	7B5E55F39616C93E6AA31F8570910756599BFB53
SHA-256:	EFF9AAF3E22046AF3A389A0B9FCF81811791CD893CC5729ACDDE885A39C33EA5
SHA-512:	B98FF0AAC34F93A5085BBF90A41796014D50898B3C89C50542AA72BAD54CF9096E34B9669975AF34E405416AB607F24F5A6BFB2F52E77432E1F1519704A7DD46
Malicious:	false
Preview:	!function($,SQ,undefined){window.bHTTPSEnabled=0,window.jumpLoginPage=0,window.thirdReload=0;var ie=!!window.ActiveXObject,ie6=ie&&!window.XMLHttpRequest,ie8=ie&&!!document.documentMode,ie7=ie&&!ie6&&!ie8,dtdHttpsFail=$.Deferred();if(SQ&&(!SQ.Login\|\|!SQ.Login.version)){var jumpDomains=["bbs.37.com","kf.37.com","chat.online.kf.37.com","chatkf.37.com","admin2013.37wan.com"];$(document).ready(function(){$.inArray(location.hostname,jumpDomains)>-1?(window.jumpLoginPage=!0,window.thirdReload=!0):window.document.domain="37.com",window.httpsStatis=function(a){var b="//pt.clickdata.37wan.com/ps.gif?id=21&la={la}&ck={ck}&cf={cf}&rf={rf}&ext={e}".replace("{ck}",SQ.cookie("tg_uv")).replace("{cf}",encodeURIComponent(location.hostname+location.pathname)).replace("{rf}",encodeURIComponent(document.referrer)).replace("{e}",a),c=new Image,d=SQ.cookie("passport_37wan_com"),e="";d&&d.indexOf("\|")>0&&(e=d.split("\|")[1]),c.src=b.replace("{la}",e)+"&t="+Math.random()};var a=new Image,b=0,c=navigator.userAg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sq.statis[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	C source, Unicode text, UTF-8 text, with very long lines (6290), with no line terminators
Category:	dropped
Size (bytes):	6378
Entropy (8bit):	5.412603652688562
Encrypted:	false
SSDEEP:	96:t69ApENysO3T0gDbNfRd7QCC7cnD29ZaF+F8UIquf3w7MomKyD8iKyO:twApENysk3DbtZCiF+uUpT7vXoJKh
MD5:	4CBB9B6D17984B8E56D6E2ADA30B29B9
SHA1:	F894C6641B9DF2DE5B7B9CAFC5704E72859ED370
SHA-256:	746B3B3AB8A597E6D6B753EBD409F496C19422BFA75D6B3CF42F4B74E8DC6C91
SHA-512:	EB9FBFDCDF72DCB0195002B55C92B0861AEB095ED27FC976E4F4DC10812A5B36E07490DF0F31FCA80ECF34D58E8D04CEEBBE7CAA6F5617DBE6DB66D94135C57F
Malicious:	false
Preview:	!function(a,b,c){var d,e={version:"1.2.2",Track:{},Trigger:{url:"//a.clickdata.37wan.com/controller/istat.controller.php",defaults:{platform:"37wan",item:"",game_id:"",sid:"",position:"",ext_1:"",ext_2:"",ext_3:"",ext_4:"",ext_5:"",ext_6:"",login_account:"",browser_type:"",user_ip:""}},convertMap:{baidu_pinpai:"baidu_ppzq"},getDocReferrer:function(a){var b="",c=a\|\|document.referrer;return c&&(b=c.split("://")[1].split("/"),b=a?b[0]+"/"+b[1]:b[0]),b},convertPathToDomain:function(a){var b="",c=/^www.37.com\/([0-9a-z]+)$/;return a=this.getDocReferrer(a),c.test(a)&&(b=a.split("/")[1]+".37.com"),b},addDom:function(b,c,d){c=c\|\|"script",this.d&&d&&document.body.removeChild(this.d),b&&(this.d=document.createElement(c),"script"===c?this.d.type="text/javascript":this.d.style.display="none",this.d.src=b+(b.indexOf("?")>-1?"&t=":"?t=")+a.now(),document.body.appendChild(this.d))},referCookie:"37wanrefer",setReferer:function(a,c,d){var e,f,g,h,i,j,k,l,m,n,o,p=document.referrer,q=/^(https?:)?\/\/(?:w

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\200x42[1].png

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	PNG image data, 200 x 42, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	539
Entropy (8bit):	6.713480533409795
Encrypted:	false
SSDEEP:	12:6v/7SPUSOzP9WuVq1j+9W0iELHERPYlh1uCotI8LWk8hjayyXSH:jP+P9PV++9RRwRP21Foa8v8hjXyCH
MD5:	6610F6F2B5B04E1E01AF2E6EBDA21785
SHA1:	8ADC3DECC98DD6F95D72E97691DE98A432BA7C99
SHA-256:	69D8110F714431E7F8CBEBFA41401EF77A4050A774CA4C74F427F7FCEA9A4E4F
SHA-512:	93C542D1C9064C2C5A225D3F3EE36707B9D4FE7ECAB59FE37C882093C8B873BD8CDCC9141A45C9C2733A816369BD66CB639A211D048C04B1860D212014DD68A2
Malicious:	false
Preview:	.PNG........IHDR...............%....PLTE.....................................................R..............R............................................................................................................................................ .."..$..$..&..(....,.....0..1..3..5..6..8..9..;..<..=..>..?..@..R..R.......B.....tRNS.@..f....IDAT....1..Q.F.W..d..K.....k.".....$.....sh..a....8...m...5l.vn....`....(.......F.iFh..C`...!0....P...C`E.C`....!0....P..C`...b...!..0a....d..........c.>...q...;7.w..d.1b..'....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\TCaptcha[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	ASCII text, with very long lines (55614), with no line terminators
Category:	dropped
Size (bytes):	55614
Entropy (8bit):	5.630230511118253
Encrypted:	false
SSDEEP:	1536:SSGmK4NS5H9fmbfO41tyoBebvYUoRKYev+JTsL01vvlgeetT:jfO4zyoBZvIDAU
MD5:	0261EBCCFA4B49F9DBED9077F0E0AB86
SHA1:	94F0115E88232393EC4C12ADD16194F8B2ED2D93
SHA-256:	148C8B6BCAB09B992F39EC722ECD9F6B51CE5F78EA68A6DFF2B920537024742F
SHA-512:	86BC12C0B4FEDD5CC63A3B2D08745294F95A4245871BE91AC6912A34B97BB1AD4303E4D4A1DBDBEC9F46C9B99DC17E9FF8AE3B9DED476D7321A1C5343E17BA17
Malicious:	false
Preview:	!function(e){var t={};function n(r){if(t[r])return t[r].exports;var o=t[r]={i:r,l:!1,exports:{__esModule: undefined}};return e[r].call(o.exports,o,o.exports,n),o.l=!0,o.exports}n.m=e,n.c=t,n.d=function(e,t,r){n.o(e,t)\|\|Object.defineProperty(e,t,{enumerable:!0,get:r})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var r=Object.create(null);if(n.r(r),Object.defineProperty(r,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var o in e)n.d(r,o,function(t){return e[t]}.bind(null,o));return r},n.n=function(e){var t=e&&e.__esModule?function(){return e["default"]}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=58)}([,function(e,t,n){"use strict";var r=this&&this.__values\|\|functi

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\btn-log-short[1].jpg

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 68x19, components 3
Category:	dropped
Size (bytes):	2767
Entropy (8bit):	7.539982446595691
Encrypted:	false
SSDEEP:	48:GKS2vnLCzPKNwK2SJ3epkF1MQctYHaVPLxLdwv0rOIoAvpshD/qpne3cs16L0ISj:lSeWzSz2Tp61MHt9VlCsaXACSIGQvj
MD5:	46DE8356286BCC50A11B535E54059565
SHA1:	FBD9C0DFDC8E2F7B9A4B27F6AD57F7339DD4233E
SHA-256:	9A8F7A12222BE0AAC329F9ADE18E6D3DEE8D8E283BA5DFD14772A017423A14AD
SHA-512:	4FA6FAB40F44D1F3BBEA9E4E5B069C0C09C68D32B8180E38709B52CFEDD29859962D47571A2F91214F718B08C353F7110543480CB66C07FC0F4120A640A074F5
Malicious:	false
Preview:	......Exif..II*.................Ducky.......<.....whttp://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:7152902F30C5E311B10CA4C2849A1B07" xmpMM:DocumentID="xmp.did:84219497492811E7A6F080A422EEECBC" xmpMM:InstanceID="xmp.iid:84219496492811E7A6F080A422EEECBC" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:e8142cb1-0583-4a79-8a0b-9fc0c900b6c0" stRef:documentID="xmp.did:7152902F30C5E311B10CA4C2849A1B07"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.....................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\client[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3988), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	9522
Entropy (8bit):	5.677509332691027
Encrypted:	false
SSDEEP:	192:aohqihBEhAIPvM9o+srnrqLPdyk4rHJL5uunvRvuQv1wy:zIcC+snrq7dyk4rHJL5dRvuQvr
MD5:	7A3DF01259399545E904BC6A0F3F08FD
SHA1:	CBFD62E3F30ECE68CD93FDCE4C9F0442E0170B0A
SHA-256:	28E067862A2B4EF9E7E1C867EEE3BEFAE326C98D1F5F738EF985F0051141CA09
SHA-512:	4E8ADB419C2C96BC74BB342E784C31A278A6A59121E70399ADBAF74A364D201E6FA542E28BD9D98729E984E072FB6FB768646D53A6E6DE9116FAEFC860B282B0
Malicious:	false
Preview:	<!doctype html>.<html lang="zh">.<head>. <meta charset="UTF-8" />. <title>..</title>. <meta name="frontend" content="hanzh" />. <link rel="stylesheet" href="//img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391727" />. .</head>.<body>. <div class="container relative reg third">.. <div id="reg-form" class="reg-form relative">. <p class="p-first p-r-usr">. <label for="reg-username">.....</label><input type="text" id="reg-username" name="reg-username" class="reg-username"/><span class="status"></span>. </p>. <p class="reg-tip usr-tip">4-20.............</p>. <p class="p-r-pwd">. <label for="reg-password">.....</label><input type="password" id="reg-password" name="reg-password" class="reg-password"/><span class="status"></span>. </p>. <p class="reg-tip pwd-tip">6-20..............</p>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\dot[1].png

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	PNG image data, 9 x 9, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	979
Entropy (8bit):	5.952687662393366
Encrypted:	false
SSDEEP:	24:o1h4SHWwjx82lY2T3UVZEKCa68yJ3V4PYZGtX:mKS2Nn2w3EKwJ3+mW
MD5:	3FCD676E54C06A300213BA34D50AC484
SHA1:	7FB582FD6863242036A17BD42D8795287DA88C18
SHA-256:	05F2C45CBCC819972730BE15A9A3002FBE47716C229D5C32AD9A293B546271BB
SHA-512:	34A94EA9F4A779E18F5BB3C3078CAB789B625E34B32BC16BF72826B799AD6C34447CA5EC1CEE6DD220D6B6F1C62247A61E646BEE159707E8C96DE374092878BE
Malicious:	false
Preview:	.PNG........IHDR..............O."....tEXtSoftware.Adobe ImageReadyq.e<...#iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:054A843D491511E7A6F080A422EEECBC" xmpMM:DocumentID="xmp.did:054A843E491511E7A6F080A422EEECBC"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:054A843B491511E7A6F080A422EEECBC" stRef:documentID="xmp.did:054A843C491511E7A6F080A422EEECBC"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.q.....PLTE.!....h.7....tRNS...0J...&IDATx.b`........a10.......Ff..C..%.....b.).......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\game1[1].css

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	assembler source, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	10927
Entropy (8bit):	5.173123412943941
Encrypted:	false
SSDEEP:	192:6jlTdzFgjsSyO9s/Jl+xgkIEolEQGS13yvxN1nBagHoOXu3odNEIY65t0SKfwBli:mqBTLKGlr6Zg2VHGv6eYua
MD5:	21817FC512C692BBE167E8317AA07551
SHA1:	9A4427724C54800326B3170533A76D41AB2FB7BD
SHA-256:	84782E7A3EB13AA398AA3D6C2A9B48F9FDE592FAC1BE5F692DC6EE5CF6619E25
SHA-512:	3F111FE137AB9110EE1864ABE583DC92B5D69ABBE42D393630C0A7BEB5CD5110CC21ECC863658A9D35AC19E68572962B1EBBF65BEAD1B20F877BBB4DD6A363F4
Malicious:	false
Preview:	@charset "utf-8";..html, body, div, span, iframe,h1, h2, p, blockquote, pre,abbr, em, img, samp,small, strong, sub,b, i,dl, dt, dd, ul, li,.fieldset, form, label, legend,table, caption, tbody, tfoot, thead, tr, th, td,article, aside, canvas, details, figcaption, .figure, footer, header,hgroup, menu, nav, section, summary {margin:0;padding:0;border:0;outline:0;}.a, input, button {padding:0;margin:0;outline:0;border:none;}.body {font-size:12px;font-family:"....";}.ul {list-style:none;}.a {text-decoration:none;}.a:hover {text-decoration:underline;}.table {border-collapse:collapse;border-spacing:0;}.input,select,img {vertical-align:middle;}..clearfix {zoom:1;}..clearfix:after {clear:both;display:block;content:"";}.../* function */..relative {position:relative;}..left {float:left;_display:inline;}..right {float:right;_display:inline;}..placeholder {color:#6f5850 !important;}..hide {display:none;}..checkbox, .check {display:inline-block;width:14px;height:14px;vertical-align:middle;po

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\reg[1].jpg

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 604x333, components 3
Category:	dropped
Size (bytes):	42058
Entropy (8bit):	7.9665165280754024
Encrypted:	false
SSDEEP:	768:MzCaFAVqC/kr6chqJ6LeP2aJ8+2wv52Djsv4XfC13jK0ILpYDs7SZyv:MzCwAP/krjwPPV8+Zv52Djy4Xq3eLpY6
MD5:	69DD301697DAA0F3B49F991417A73DE8
SHA1:	C46049ECCBCBCCDC7FD15A84BF9D4DDADC6CE9BB
SHA-256:	2085BF50EEC3FEA2F52875EACB46394DB4232590DB0D23EB855C2F6E9A3CB0AD
SHA-512:	55A78A1663EB8F8E9D496130E29CC3E58EB4D0D5606131E5C5EFB824765493587AEE0134D44F4CC4253738B96CD4C221C7C3ADCA07BC9A596F2752E65129B784
Malicious:	false
Preview:	......Exif..II*.................Ducky.......<.....whttp://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:7152902F30C5E311B10CA4C2849A1B07" xmpMM:DocumentID="xmp.did:851ED2DA492911E7A6F080A422EEECBC" xmpMM:InstanceID="xmp.iid:851ED2D9492911E7A6F080A422EEECBC" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:e8142cb1-0583-4a79-8a0b-9fc0c900b6c0" stRef:documentID="xmp.did:7152902F30C5E311B10CA4C2849A1B07"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.....................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\sq.dialog2015[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (5668), with no line terminators
Category:	dropped
Size (bytes):	5772
Entropy (8bit):	5.183518620621301
Encrypted:	false
SSDEEP:	96:tqoHflzANjqPiqDX0jher0wKR8JT4cUzINLj1Z/1PGoldUcr4Wn4M2K4fiG+bFcB:tqcRA5UVrg7yTNLzdbl7rZ4qG+BcZ3
MD5:	DB9C1B4AB18019B1CBC2599C0EC6E849
SHA1:	C3ECB8079FCF0E650620EA0E8F7367D6058CEF75
SHA-256:	6E124A26AA28CC971BAAD1D8CB433F477C85476667C7BE33CAD8C1D4338B51F8
SHA-512:	EB4318620E30F7CBC25569C2CCF3A3AEE3DA9C8820BBF4CFEB3DE2366126DDBD11CF6F2D97D35FD4C0ABADB2F204401903E5C62AF57C3D525230D6D10FD2928E
Malicious:	false
Preview:	!function(a,b,c){var d=new c.Class(c.Widget);d.include({init:function(b){this.setting={title:null,buttons:null,mask:!0,type:"html",content:"",width:600,height:"auto",appendTo:document.body,autoShow:!0,drag:!0,classStyle:""},a.extend(this.setting,b),this.render(),this.events(),this.setting.autoShow&&this.show(),this.drag()},events:function(){a(window).resize(this.proxy(this.position)),this.el.on("click.sq.dialog",".sq-dialog-btn[href^=javascript]",this.proxy(this._buttonsHandler)).on("click.sq.dialog",".sq-dialog-close",this.proxy(this.hide))},_buttonsHandler:function(b){b.preventDefault();var c=a(b.target),d=c.attr("data-name"),e=this.setting.buttons[d];e&&("function"==typeof e&&e(b,this,d),e.fn&&"function"==typeof e.fn&&e.fn(b,this,d))},render:function(){if(!this.el){var b='<div style="display:none;"></div>';this.el=a(b),this.el.appendTo(a(this.setting.appendTo)),this.el.attr("data-kid",this.id)}var d='<div class="sq-dialog-masking" style="height:{$docHeight}px;"></div>',e='<div class

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\tcaptcha-frame.5e0f125a[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	176102
Entropy (8bit):	5.694240580710699
Encrypted:	false
SSDEEP:	3072:a+IQ2Iqz45yxcYMs2Dozqh1KISgSf24ITaES1S3glptRXsa6TaifCX:a+I7MOzqh1KIlyYLy8MtRXT9
MD5:	DF930D4526A65DFCAD8E6610DD98419A
SHA1:	754CD5168FB6BD9E0C94D044DCFEC7732C9245DB
SHA-256:	E69D801C4149D3D8C326AABB3BC8FEC4D2498E696A14ABB195B789978B55FC39
SHA-512:	A39AE7CF70661F8057996C5FB5CEC6AA33C27428BD3F8C789A9CA6FD2E30E21D318C5878B4D85D2694C00B829A81A30AD92E6CA5F4356F7BF061DC97B9372855
Malicious:	false
Preview:	!function(e){var t={};function a(i){if(t[i])return t[i].exports;var r=t[i]={i:i,l:!1,exports:{__esModule: undefined}};return e[i].call(r.exports,r,r.exports,a),r.l=!0,r.exports}a.m=e,a.c=t,a.d=function(e,t,i){a.o(e,t)\|\|Object.defineProperty(e,t,{enumerable:!0,get:i})},a.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},a.t=function(e,t){if(1&t&&(e=a(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var i=Object.create(null);if(a.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var r in e)a.d(i,r,function(t){return e[t]}.bind(null,r));return i},a.n=function(e){var t=e&&e.__esModule?function(){return e["default"]}:function(){return e};return a.d(t,"a",t),t},a.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},a.p="",a(a.s=112)}([function(e,t,a){"use strict";var i=this&&this.__importDefault\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\bg-dialog-avatar[1].png

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	PNG image data, 22 x 23, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1426
Entropy (8bit):	6.974751088348583
Encrypted:	false
SSDEEP:	24:5W1h4SHWwjx82lY2T3UVWlabyJ3VhPLqeGgjKn1oxb8PJ7bgYXOR:6KS2Nn2w0J3rDqefCA8PNXeR
MD5:	525BF6D1A23470F9FA4FB5FDD2287895
SHA1:	B5C809C4E2E44BB147D679518446CBEF07A7FF5C
SHA-256:	BEF589C6570A00499E5FCF23FC8124887ABA7F824F6AA46B96DFE54ECD06FDD9
SHA-512:	3BDC7291B09699F451FADF8D73BD1A1633D1C9E6558716C085052BD1F79A9D41FD22A90C172F8F5D0DAE4FF1D852EBB666D0D604D5C7D0F10CF66BD4B5490937
Malicious:	false
Preview:	.PNG........IHDR...................tEXtSoftware.Adobe ImageReadyq.e<...#iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:1502882C722711E4A5759AECD45DA7EC" xmpMM:DocumentID="xmp.did:1502882D722711E4A5759AECD45DA7EC"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1ED1C7EB721211E4A5759AECD45DA7EC" stRef:documentID="xmp.did:1ED1C7EC721211E4A5759AECD45DA7EC"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>[.L>....IDATx..MK.Q..g.u..GDtaDQ?.\D..j...r...0.h.T.PA.......!.@......ZE.$-?........s.A.r.3.{...X.Q.[ .Dp..^.\?I.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\client[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3988), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	9238
Entropy (8bit):	5.596067178144633
Encrypted:	false
SSDEEP:	192:jJhUh1e+jOM9o+sRjNnrq7Pdyk4rHJL5uunvRvuQv1wy:WbbC+QpnrqLdyk4rHJL5dRvuQvr
MD5:	57C6C372E98F0513189C7A1846F7E1B2
SHA1:	9F5C161FA61FD5BC4A51A7E9D0BF42FD7280CEEE
SHA-256:	22B5E239E2724C028280E4805A633BD2C12B5FC855BD5D72B38C7D4D04255EBA
SHA-512:	D8E47274BA5F4D1C7FB975C5DDDDD4573EFC380BD8D0A2EA264E4EA08D7FA49B44F895F46D3DCE08A938A8E99E6E1F98AA271197E4BD8283293C9987F41A6E81
Malicious:	false
Preview:	<!doctype html>.<html lang="zh">.<head>. <meta charset="UTF-8" />. <title>..</title>. <meta name="frontend" content="hanzh" />. <link rel="stylesheet" href="//img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723" />. .</head>.<body>. <div class="container relative log third">.. <div class="log-form relative">. <p class="p-l-usr">. <label for="log-username">...</label>. <input type="text" name="log-username" id="log-username" class="log-username"/><span class="status"></span>. </p>. <p class="p-l-pwd">. <label for="log-password">...</label>. <input type="password" name="log-password" id="log-password" class="log-password"/><span class="status"></span>. </p>. <p class="log-form-footer">. <span id="checkbox" class="checkbox checked"></span>. <span id="checkbox-a" class="checkbox-label" href="#">...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\dy-ele.16bf5dd7[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	170363
Entropy (8bit):	5.60350393649432
Encrypted:	false
SSDEEP:	3072:puIK8Vrv2XxcYMs2Dozqh1KISgSf4x3JP1nQBI:puIzyzqh1KIlyA3f
MD5:	C66DC8B719955848DD1BC2D0D3B1707D
SHA1:	EB9936EE51FB177B6293F80A6E7E31227F3BC2CC
SHA-256:	F8DF59D4EB6B190D089649887877A5F5FCCB2D94B908B5AE717B9CF16D4D262E
SHA-512:	6C67474C198C200F74433ED72EABD2C83FAA5158577B2A45EAD04CEB3AD8D9703462276419F36D96DB9C8FA221C349F25C58B0A67464819BB79877239D79FF01
Malicious:	false
Preview:	!function(t){var e={};function r(n){if(e[n])return e[n].exports;var i=e[n]={i:n,l:!1,exports:{__esModule: undefined}};return t[n].call(i.exports,i,i.exports,r),i.l=!0,i.exports}r.m=t,r.c=e,r.d=function(t,e,n){r.o(t,e)\|\|Object.defineProperty(t,e,{enumerable:!0,get:n})},r.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},r.t=function(t,e){if(1&e&&(t=r(t)),8&e)return t;if(4&e&&"object"==typeof t&&t&&t.__esModule)return t;var n=Object.create(null);if(r.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:t}),2&e&&"string"!=typeof t)for(var i in t)r.d(n,i,function(e){return t[e]}.bind(null,i));return n},r.n=function(t){var e=t&&t.__esModule?function(){return t["default"]}:function(){return t};return r.d(e,"a",e),e},r.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)},r.p="",r(r.s=114)}([function(t,e,r){"use strict";var n=this&&this.__importDefault\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\game1[1].css

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	assembler source, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	10927
Entropy (8bit):	5.173123412943941
Encrypted:	false
SSDEEP:	192:6jlTdzFgjsSyO9s/Jl+xgkIEolEQGS13yvxN1nBagHoOXu3odNEIY65t0SKfwBli:mqBTLKGlr6Zg2VHGv6eYua
MD5:	21817FC512C692BBE167E8317AA07551
SHA1:	9A4427724C54800326B3170533A76D41AB2FB7BD
SHA-256:	84782E7A3EB13AA398AA3D6C2A9B48F9FDE592FAC1BE5F692DC6EE5CF6619E25
SHA-512:	3F111FE137AB9110EE1864ABE583DC92B5D69ABBE42D393630C0A7BEB5CD5110CC21ECC863658A9D35AC19E68572962B1EBBF65BEAD1B20F877BBB4DD6A363F4
Malicious:	false
Preview:	@charset "utf-8";..html, body, div, span, iframe,h1, h2, p, blockquote, pre,abbr, em, img, samp,small, strong, sub,b, i,dl, dt, dd, ul, li,.fieldset, form, label, legend,table, caption, tbody, tfoot, thead, tr, th, td,article, aside, canvas, details, figcaption, .figure, footer, header,hgroup, menu, nav, section, summary {margin:0;padding:0;border:0;outline:0;}.a, input, button {padding:0;margin:0;outline:0;border:none;}.body {font-size:12px;font-family:"....";}.ul {list-style:none;}.a {text-decoration:none;}.a:hover {text-decoration:underline;}.table {border-collapse:collapse;border-spacing:0;}.input,select,img {vertical-align:middle;}..clearfix {zoom:1;}..clearfix:after {clear:both;display:block;content:"";}.../* function */..relative {position:relative;}..left {float:left;_display:inline;}..right {float:right;_display:inline;}..placeholder {color:#6f5850 !important;}..hide {display:none;}..checkbox, .check {display:inline-block;width:14px;height:14px;vertical-align:middle;po

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\game1[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	5701
Entropy (8bit):	4.0880289126742495
Encrypted:	false
SSDEEP:	96:jMvVfCwyKoEfxArUB+iM+gB+tJb7UGwP3k/dUXIxVdUXKyV2z:AvVqwTZCrUBqSJb7UBfoyXUVyX1u
MD5:	EC0A6479D04CCEF2B6F18BA28622815D
SHA1:	9368BD641CD92252161D1B954A8E4306F28279A5
SHA-256:	FAAB552AE3CE16B383FCE64E010445137A500C86D9425C68D6F5DD6373A282D5
SHA-512:	16757AF85AB986D0202BC5C64A6CB78D0C66DBC9C8C60409DA97F92EE1E4AB1F654A821F168994D329048D43052BA6BA51335207B7C3CCAE0215AE303D924F3B
Malicious:	false
Preview:	/.. client game.js.. * @author hanzh.. * @date 2014-04-17.. */..(function( $, SQ, undefined ){.... var clientC = new SQ.ClientClass({.. gameId: DefaultGameId,.. data: DefaultDataMeta,.. gameName: DefaultGameName,.. pageSize: 500,.. logEvent: {.. suc: function() {.. SQ.ClientClass.skipToServer({});.. },.. fai: function( res ) {.. alert( res.msg );.. }.. },.. regEvent: {.. suc: function( options ) {.. if ( options.server_id ) {.. SQ.ClientClass.enterGame( options.sid, options.login_account );.. } else {.. SQ.ClientClass.skipToServer();.. }.. },.. fai: function( msg ) {.. alert( msg );.. }.. },.. regType: "Ad".. });.. var game = {.. init: function() {.. this.login();.. this

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\istat.controller[1].php

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.000978092779002
Encrypted:	false
SSDEEP:	3:YGKhaBEija:YGKhaBJe
MD5:	DBB6F23686ECB4F3874719CEE71C11F7
SHA1:	F4877108CCF884416E47137E694D0277631FB25A
SHA-256:	A4E0BE6E7905A298130A048AE83B3D979425244387D27B6427F4B46F979BE2DF
SHA-512:	A700553F5D840930A321B4A4FF1FBC299F8756CD135B1D43621063F1324A2F9307BBC046C0D9B22DA6A90F069A23C37AE6DBBFDEFA789C0EFA90DBE9AB218194
Malicious:	false
Preview:	{"code":1,"msg":"send data success!"}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\istat.controller[2].php

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.000978092779002
Encrypted:	false
SSDEEP:	3:YGKhaBEija:YGKhaBJe
MD5:	DBB6F23686ECB4F3874719CEE71C11F7
SHA1:	F4877108CCF884416E47137E694D0277631FB25A
SHA-256:	A4E0BE6E7905A298130A048AE83B3D979425244387D27B6427F4B46F979BE2DF
SHA-512:	A700553F5D840930A321B4A4FF1FBC299F8756CD135B1D43621063F1324A2F9307BBC046C0D9B22DA6A90F069A23C37AE6DBBFDEFA789C0EFA90DBE9AB218194
Malicious:	false
Preview:	{"code":1,"msg":"send data success!"}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sq.clientclass2[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	Unicode text, UTF-8 text, with very long lines (32043)
Category:	dropped
Size (bytes):	45019
Entropy (8bit):	5.656626861720512
Encrypted:	false
SSDEEP:	768:qs0E+iZ0SHQunWJJIhAldZxEMPx43oimbqOU:T+iZlLnQRxpim2
MD5:	91CBB263C58F5ECA9903BE986075CF5D
SHA1:	A6B541459DBA284FC2686CD7E898F95FED3F1D27
SHA-256:	F92E7836E2C383B21E5C268E57D521F14CD96BA30692351A172FCAE19F09F8AD
SHA-512:	A3750E2BDD28CE64DCCE0B3DDAFDBD4EA6044AA60C0246726D621A7CAA094708823FAB8F521C46EE740A2E7E3BDFE2BD4CBE0EB6B98FD13D688BFD573BE85565
Malicious:	false
Preview:	var hosts="37.com";!function($){function WebSuperCall(a,b){var c=null;try{c=$.parseJSON(b)}catch(d){c=null}CC["pcDef"+a]&&CC["pcDef"+a].fn.apply(CC["pcDef"+a].def,[a,c])}function DoSuperCall(a,b){try{var c={1:function(){return{name:"getcookie"}}};b=b\|\|c[a](),window.external.DoSuperCall(a,stringify(b))}catch(d){}}function stringify(a,b){var c,d,e,f,g,h=/["\\\x00-\x1f\x7f-\x9f]/g;switch(typeof a){case"string":return h.test(a)?'"'+a.replace(h,function(a){var b=m[a];return b?b:(b=a.charCodeAt(),"\\u00"+Math.floor(b/16).toString(16)+(b%16).toString(16))})+'"':'"'+a+'"';case"number":return isFinite(a)?String(a):"null";case"boolean":case"null":return String(a);case"object":if(!a)return"null";if("function"==typeof a.toJSON)return stringify(a.toJSON());if(c=[],"number"==typeof a.length&&!a.propertyIsEnumerable("length")){for(f=a.length,d=0;f>d;d+=1)c.push(stringify(a[d],b)\|\|"null");return"["+c.join(",")+"]"}if(b)for(f=b.length,d=0;f>d;d+=1)e=b[d],"string"==typeof e&&(g=stringify(a[e],b),g&&c.pu

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sq.tab[1].js

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	ASCII text, with very long lines (1679), with no line terminators
Category:	dropped
Size (bytes):	1679
Entropy (8bit):	4.852874286736375
Encrypted:	false
SSDEEP:	48:N7E5oWKa11hrRBMfxx/aT+W1u+DLYIAu6qVl:tvWKa5rsbaiKfqu6qT
MD5:	6307CFFF3A79C1DEBDFBB74E362D2BD9
SHA1:	2F16C517CD6EC52C2A6A978EBBFF8861412C006E
SHA-256:	BF8CF01A18233CF567E7638E3115C7145AC0B09698A2EC85980E23826366D784
SHA-512:	224D3BB8BBEB34D03B077D31133A98080DCDA90BB2963D981FBD49A0CC156C2C6E668927403C8C4E54D012FCA0011093259A082CDBC0E36AD5DE23339C61BFAF
Malicious:	false
Preview:	!function(a,b,c){var d=new c.Class(c.Widget);d.include({init:function(b){this.options={el:"body",tabs:"li",panels:"div",eventType:"click",index:0,auto:!1,interval:5e3,animate:{show:"show",hide:"hide"},currentClass:"focus"},a.extend(this.options,b\|\|{}),this.el=a(this.options.el),this.tabs=a(this.options.tabs,this.el),this.panels=a(this.options.panels,this.el),this.el.attr("data-kid",this.id),this.change(this.options.index),this._events(),this.options.auto&&this.auto()},change:function(a){var b=this.options.currentClass;this.tabs.filter("."+b).removeClass(b),this.tabs.eq(a).addClass(b),this.panels.hide().eq(a)[this.options.animate.show](),this.currentIndex=a,this.trigger("change",a,this)},_events:function(){this.tabs.bind(this.options.eventType,this.proxy(this._eventHandler)),this.options.auto&&(this.tabs.bind("mouseenter",this.proxy(this.stop)),this.tabs.bind("mouseleave",this.proxy(this.auto)),this.panels.bind("mouseenter",this.proxy(this.stop)),this.panels.bind("mouseleave",this.proxy

C:\Users\user\AppData\Local\Temp\ActiveStat.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.000978092779002
Encrypted:	false
SSDEEP:	3:YGKhaBEija:YGKhaBJe
MD5:	DBB6F23686ECB4F3874719CEE71C11F7
SHA1:	F4877108CCF884416E47137E694D0277631FB25A
SHA-256:	A4E0BE6E7905A298130A048AE83B3D979425244387D27B6427F4B46F979BE2DF
SHA-512:	A700553F5D840930A321B4A4FF1FBC299F8756CD135B1D43621063F1324A2F9307BBC046C0D9B22DA6A90F069A23C37AE6DBBFDEFA789C0EFA90DBE9AB218194
Malicious:	false
Preview:	{"code":1,"msg":"send data success!"}.

C:\Users\user\AppData\Local\Temp\InstallStat.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
File Type:	JSON data
Category:	modified
Size (bytes):	38
Entropy (8bit):	4.000978092779002
Encrypted:	false
SSDEEP:	3:YGKhaBEija:YGKhaBJe
MD5:	DBB6F23686ECB4F3874719CEE71C11F7
SHA1:	F4877108CCF884416E47137E694D0277631FB25A
SHA-256:	A4E0BE6E7905A298130A048AE83B3D979425244387D27B6427F4B46F979BE2DF
SHA-512:	A700553F5D840930A321B4A4FF1FBC299F8756CD135B1D43621063F1324A2F9307BBC046C0D9B22DA6A90F069A23C37AE6DBBFDEFA789C0EFA90DBE9AB218194
Malicious:	false
Preview:	{"code":1,"msg":"send data success!"}.

C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\FindProcDLL.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	4.070406328694606
Encrypted:	false
SSDEEP:	48:SJp9bgAa4QYAOpO+k5SR4aV0GV/XamAKDNh7Mt:Ab+4Tptk5SR4gxV/XamBN
MD5:	8614C450637267AFACAD1645E23BA24A
SHA1:	E7B7B09B5BBC13E910AA36316D9CC5FC5D4DCDC2
SHA-256:	0FA04F06A6DE18D316832086891E9C23AE606D7784D5D5676385839B21CA2758
SHA-512:	AF46CD679097584FF9A1D894A729B6397F4B3AF17DFF3E6F07BEF257BC7E48FFA341D82DAF298616CD5DF1450FC5AB7435CACB70F27302B6DB193F01A9F8391B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.Adware-gen.4366.267.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.28303.12839.exe, Detection: malicious, Browse Filename: tGnix5uKlr.exe, Detection: malicious, Browse Filename: tGnix5uKlr.exe, Detection: malicious, Browse Filename: temp.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.DownLoader40.40259.3271.29415.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.31849.9616.exe, Detection: malicious, Browse Filename: Dlabel_PC.exe, Detection: malicious, Browse Filename: Dlabel_PC.exe, Detection: malicious, Browse Filename: ooP6zOr5H9.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9/.]XA.]XA.]XA..DO.\XA.]X@.VXA..P..XXA.k~J._XA..xE.\XA.Rich]XA.........................PE..L...s..E...........!......................... ...............................0..........................................K...t...<............................ ..P.......................................................4............................text............................... ....reloc..h.... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.568877095847681
Encrypted:	false
SSDEEP:	192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
MD5:	C17103AE9072A06DA581DEC998343FC1
SHA1:	B72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
SHA-256:	DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
SHA-512:	D32A71AAEF18E993F28096D536E41C4D016850721B31171513CE28BBD805A54FD290B7C3E9D935F72E676A1ACFB4F0DCC89D95040A0DD29F2B6975855C18986F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Uninstall.exe, Detection: malicious, Browse Filename: WhiteDefenderSetup64_20201118.exe, Detection: malicious, Browse Filename: WhiteDefenderSetup64_20201118.exe, Detection: malicious, Browse Filename: 563299efce875400a8d9b44b96597c8e-sample (1).zip, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.20128.24359.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Adware-gen.4366.267.exe, Detection: malicious, Browse Filename: bomgar-scc-w0yc30wie5hdhfjjhy58wyh1jzdzhxyz5yxjj7c40jc90 (1).exe, Detection: malicious, Browse Filename: bomgar-scc-w0yc30wie5hdhfjjhy58wyh1jzdzhxyz5yxjj7c40jc90 (1).exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.27948.29630.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L......K...........!................0).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text...1........................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv2F3C.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
File Type:	data
Category:	dropped
Size (bytes):	2505432
Entropy (8bit):	7.488939231093537
Encrypted:	false
SSDEEP:	49152:LIezeDJzIPUscXs/VMLAOYlsK/QwT173VJEHwGcseLb:Uew1IPUsLNkAMgQS1kQJH
MD5:	44DD20DF19FA729BDBDFE32846C02843
SHA1:	635B83BC1288DF64E4911F5B533E52BE39AC4FE3
SHA-256:	829AB837156737FC1A9A25E7C4D0E9B282DC17AF5A171F434E99210ED7983E37
SHA-512:	C5A91131D15762A8437E38C25D65C928FEAF423A1CF99DD918B64D227C5523D0605A6504FA0A7582C7909CA18B6637F40F6263E10FD8AFF742A94EE5FC0D050E
Malicious:	false
Preview:	........,...............<...............r...................................q...........................J.......9...r.......................................................................................................................................................................e...i............%..................@...............................................f.......A...F...J...............................................h.......K...P...[...............................................j.......\...a...b.......................................................................................................................o.......................................................................O.......................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37 \ \ .lnk

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 31 15:21:55 2024, mtime=Thu Oct 31 15:21:55 2024, atime=Thu Oct 31 15:21:55 2024, length=201311, window=hide
Category:	dropped
Size (bytes):	953
Entropy (8bit):	4.90375726156885
Encrypted:	false
SSDEEP:	24:8mP7Y3t+8+RCueRZWQMsRgCAQmk0WerkI/Bm:8mPc3t+kuSMs2hl3L
MD5:	5B3DAD245E4E4E757FBFC3C12B85F1D1
SHA1:	D266DDD8CE3638B6090BE89095BFE9C7B16294A3
SHA-256:	E97ED87D272EB87982F5948A38470AFE00AA94B710E20EF8EF087C8BE26D6C7D
SHA-512:	A0B8EBC45ED667FE00257686A016AC2D40AF2CD57E7D83C69B7F368496D6B92AB13C1A965F40FF673FCD22B6F631D4A0E2349E400E750CD8CE4A49459FD23137
Malicious:	false
Preview:	L..................F.... .......+.......+.......+.._.........................:..DG..Yr?.D..U..k0.&...&......vk.v........+.......+......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^_Y.............................%..A.p.p.D.a.t.a...B.V.1....._Y....Roaming.@......CW.^_Y.............................D(.R.o.a.m.i.n.g.....V.1....._Y....mk-jzcq.@......_Y.._Y............................7F..m.k.-.j.z.c.q.....`.2._..._Y.. .uninst.exe..F......_Y.._Y................................u.n.i.n.s.t...e.x.e.......`...............-......._............(z......C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe..$.....\.....\.....\.....\.....\.....\.m.k.-.j.z.c.q.\.u.n.i.n.s.t...e.x.e.&.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.m.k.-.j.z.c.q.`.......X.......632922...........hT..CrF.f4... .U.T..b...,.......hT..CrF.f4... .U.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37 \ \ .lnk

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jun 12 05:29:58 2018, mtime=Thu Oct 31 15:21:57 2024, atime=Tue Jun 12 05:29:58 2018, length=1488880, window=hide
Category:	dropped
Size (bytes):	980
Entropy (8bit):	4.96200230340549
Encrypted:	false
SSDEEP:	24:8mGe33t+8+RCueRZWs7JUARmCkSi3erkIQ/EBm:8mGi3t+kuUNfiua/m
MD5:	4FDB3365AB4D00A81358AEF564F9E709
SHA1:	086737BFCFC4D8A996B1A5F56E0004C656A2F78F
SHA-256:	95C11ECBD821C496D0C960D29E0A5A40302CE4766B9E8247A8ECFFD43352EDD1
SHA-512:	A0C0C45CD50CF5EDBBAC962276E05422784B8988348A36E38E5F00DE488A2602D8908AFD0367F932D23B38412C0359B11BD57852722D072D0F81E926A0AC2F89
Malicious:	false
Preview:	L..................F.... ....w......Bts..+...w...............................:..DG..Yr?.D..U..k0.&...&......vk.v........+.......+......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^_Y.............................%..A.p.p.D.a.t.a...B.V.1....._Y....Roaming.@......CW.^_Y.............................D(.R.o.a.m.i.n.g.....V.1....._Y....mk-jzcq.@......_Y.._Y............................7F..m.k.-.j.z.c.q.....l.2.....L.3 .DQWHJ_~1.EXE..P.......L.3_Y................................d.q.w.h.j._.e.r.r.w.d...e.x.e.......e...............-.......d............(z......C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe..).....\.....\.....\.....\.....\.....\.m.k.-.j.z.c.q.\.d.q.w.h.j._.e.r.r.w.d...e.x.e.&.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.m.k.-.j.z.c.q.`.......X.......632922...........hT..CrF.f4... .~T..b...,.......hT..CrF.f4... .~T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1488880
Entropy (8bit):	7.657764797840652
Encrypted:	false
SSDEEP:	24576:0crRiaOaDNnjJMEIPP8scrDs/VMLAM+wikai0kmSyTuKZqWRPQM6B6RTRL73VC:BDJzIPUscXs/VMLAOYlsK/QwT173VC
MD5:	75A7CC387D1E24DE8BA1275E81A840D1
SHA1:	8A21D186EFB66BE5DB46925518E0B70861BF6DAB
SHA-256:	D5C4461055DFDD7D755400207BEBACDFE0CC880F7B6C742409E07AFD24515BFC
SHA-512:	550DE9D37A27FA93D0869B1FF02A55BFBC49B20871B59B85513B03D4664A1C34350764AADA6A23A13F56E7F6E4EB5A4DC6D06FDE761713EDD1C9CBBBCB5DE158
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 54%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............D...D...D..\D...D.._D...D..ND...D..ID...D..ND...D..D...D.h.D...D.h.D...D...D...D..@D...D..^D...D..[D...DRich...D........................PE..L...j..Z............................v^............@.................................Ch....@.................................x...................................XM..................................(...@...............@............................text............................... ..`.rdata..............................@..@.data...<y... ...4..................@....rsrc................@..............@..@.reloc...m.......n...2..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\mk-jzcq\lander.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
File Type:	Microsoft Windows Autorun file
Category:	dropped
Size (bytes):	439
Entropy (8bit):	5.489316452907451
Encrypted:	false
SSDEEP:	12:3c0nMDWmIKCR8LRtU4d3RtUi84rtr2swFc34gg:MyKokRtl3Rtt8eocY
MD5:	3DA26A80566734A9A3AD46EABAC58466
SHA1:	89DBA78344DEC37EFCCA9EE4C5B711100938179D
SHA-256:	C43D6942FC321C6E68728E569821CDF40359E32EFDB9E8A6E2DB76B55A9813C2
SHA-512:	051AB50EB8B4B0E504F149C61E3AF534C8B866401C56FA294FBBB53393D0C72E8CD8785E9C39657ECC8C7682D546E3F3FD7C9C8C96A375E565E9C00CB4E7BEB8
Malicious:	false
Preview:	[Common]..Refer=wd_37cs..UID=921614..AutoRun=0..RunAfterSetup=1..TopMost=0..ShowDeskTop=0..TaskbarShortCut=0..DesktopShortCut=1..IsSilent=1..VersionCheck=http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/app.ini..VersionDownLoad=http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/dqwhj_errw.exe..IconAnimate=0..IconTips=0..RunCount=1..ActiveCount=1..[Install]..GUID=2D9765A5A2ED4CE2ADBD5F7D47905931..InstallTime=2024-10-31 12:21:58..InstallType=0..

C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	201311
Entropy (8bit):	7.784848738856364
Encrypted:	false
SSDEEP:	3072:BQIURTXJw9XG7MY4VwfavMfAIKiUzKEMIwIyFU2kaf5OQW70HTGrBMhSYfAalScH:BseWrnf3IteEryTkaf5OFQzGr2h9ScH
MD5:	80B05828A4C0D54E3A3CA2A4CD61492A
SHA1:	F27DF18439239725862D94450D284A4E41E5384B
SHA-256:	9B381DCB55D28FCB668B6F9E4209A7B67C332C5179517FB6BA78FD3F701B8BDC
SHA-512:	B64E6DCE7732D57C62236412CC0F4D08BCCAEF472134A4B905A3CBBB0C0A7B8B49A58BC1660DF1B329621B653C333003840E30293077002C48F931B0333542C3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 7%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......@..pV...........................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...pV...@...X...v..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\ .lnk

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jun 12 05:29:58 2018, mtime=Thu Oct 31 15:21:55 2024, atime=Tue Jun 12 05:29:58 2018, length=1488880, window=hide
Category:	dropped
Size (bytes):	982
Entropy (8bit):	4.972398158123632
Encrypted:	false
SSDEEP:	24:8mG43t+8+RCueRZWs7JUARmCmkSi3erkIQ/EBm:8mG43t+kuUNuiua/m
MD5:	9EC7945AAB356C9F29E96F3D1EE1BB02
SHA1:	4C7B798D0076BFB5ACD8A519506C94B7422CC2D2
SHA-256:	EB572B0249F8B97496F206AA043B7268B1EA011AA37C338CEF72EB98622DF277
SHA-512:	FC4B695C3326C9C528967C3F74A4495258B4999A976C03878967F719ECE33C02866F3F8586AF249622CDC0AD53C1BDAFF640CD4D0A20AE288EF4576407700EF6
Malicious:	false
Preview:	L..................F.... ....w......>...+...w...............................:..DG..Yr?.D..U..k0.&...&......vk.v........+.......+......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^_Y.............................%..A.p.p.D.a.t.a...B.V.1....._Y....Roaming.@......CW.^_Y.............................D(.R.o.a.m.i.n.g.....V.1....._Y....mk-jzcq.@......_Y.._Y............................7F..m.k.-.j.z.c.q.....l.2.....L.3 .DQWHJ_~1.EXE..P.......L.3_Y................................d.q.w.h.j._.e.r.r.w.d...e.x.e.......e...............-.......d............(z......C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe..*.....\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.m.k.-.j.z.c.q.\.d.q.w.h.j._.e.r.r.w.d...e.x.e.&.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.m.k.-.j.z.c.q.`.......X.......632922...........hT..CrF.f4... .~T..b...,.......hT..CrF.f4... .~T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.99319093031833
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.FileRepMalware.6479.21607.exe
File size:	1'647'950 bytes
MD5:	5e96050ed8827efeb9c90d59ce708f10
SHA1:	83dca0d791cfaeca7fe8ad68fed370c37ef48ce1
SHA256:	0a9157f45b50d30bc4ba535bf2e5ee8a447870edaf887ba7e7fe011e4081d075
SHA512:	7fe2d4986f2331eb2d780f3326bba9dfeff8f773094bf1eb08c4ac601bc0579c9649c1f0646bde1043202d2261914f649ea7fa8fa2c8ee5ac370a880071fdb37
SSDEEP:	24576:G1cfyJ8m1Z79b6BMxWcrJfO/RIweCJK3VmmsPEq9lDBff3hVYpPGf69tC:wrz1Z7YBkWcpO/RTrD9lNffxVY2m8
TLSH:	7D7533142661C833C93102F11C8FF65AA67B9F3966070B5BAF372F9E10B58EEEA11754
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon


Icon Hash:	78fcd8f2e2e6cc61

Static PE Info

General

Entrypoint:	0x40323c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007FBB78EDEA8Eh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007FBB78EDE741h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007FBB78EDE72Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007FBB78EDBE8Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FBB78EDE222h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FBB78EDBEE5h
cmp cl, 00000020h
jne 00007FBB78EDBE88h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FBB78EDBE7Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0x5670	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a5a	0x5c00	0bc2ffd32265a08d72b795b18265828d	False	0.6604534646739131	data	6.417698236857409	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	f179218a059068529bdb4637ef5fa28e	False	0.4453125	data	5.181627099249737	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	975304d6dd6c4a4f076b15511e2bbbc0	False	0.55859375	data	4.70902740305165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x34000	0x5670	0x5800	0d02276ce7affa384deb8852a6326b3e	False	0.6237571022727273	data	5.9681991286770675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x34280	0x666	Device independent bitmap graphic, 96 x 16 x 8, image size 1538, resolution 2868 x 2868 px/m, 15 important colors	English	United States	0.18192918192918192
RT_ICON	0x348e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m	English	United States	0.7093764761454889
RT_DIALOG	0x38b10	0xa0	data	English	United States	0.6
RT_DIALOG	0x38bb0	0x104	data	English	United States	0.5346153846153846
RT_DIALOG	0x38cb8	0x1ec	data	English	United States	0.3861788617886179
RT_DIALOG	0x38ea8	0xe4	data	English	United States	0.6359649122807017
RT_DIALOG	0x38f90	0xda	data	English	United States	0.6376146788990825
RT_GROUP_ICON	0x39070	0x14	data	English	United States	1.1
RT_VERSION	0x39088	0x22c	data	Chinese	China	0.5413669064748201
RT_MANIFEST	0x392b8	0x3b3	XML 1.0 document, ASCII text, with very long lines (947), with no line terminators	English	United States	0.5195353748680043

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T17:22:02.053802+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	159.75.141.43	80	TCP
2024-10-31T17:22:06.396934+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	163.171.133.72	80	TCP
2024-10-31T17:22:17.022414+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49747	TCP
2024-10-31T17:22:19.130275+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49748	159.75.141.43	80	TCP
2024-10-31T17:22:56.685751+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49764	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 17:21:59.942130089 CET	49730	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:21:59.947676897 CET	80	49730	159.75.141.43	192.168.2.4
Oct 31, 2024 17:21:59.947753906 CET	49730	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:21:59.948915005 CET	49730	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:21:59.953793049 CET	80	49730	159.75.141.43	192.168.2.4
Oct 31, 2024 17:22:02.053667068 CET	80	49730	159.75.141.43	192.168.2.4
Oct 31, 2024 17:22:02.053802013 CET	49730	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:22:02.159784079 CET	49730	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:22:02.982819080 CET	49731	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:02.988318920 CET	80	49731	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:02.988387108 CET	49731	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:02.988563061 CET	49731	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:02.993535995 CET	80	49731	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:04.120419979 CET	80	49731	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:04.120464087 CET	80	49731	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:04.120475054 CET	80	49731	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:04.120485067 CET	80	49731	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:04.120495081 CET	49731	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:04.120522022 CET	49731	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:04.120654106 CET	80	49731	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:04.120665073 CET	80	49731	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:04.120701075 CET	49731	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:04.358808994 CET	80	49731	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:04.362196922 CET	49731	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:04.409423113 CET	49731	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:04.414979935 CET	80	49731	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:04.848289967 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:04.848587990 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:04.853434086 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:04.853513956 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:04.853683949 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:04.853686094 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:04.853735924 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:04.854091883 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:04.858625889 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:04.858849049 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:04.859580994 CET	49736	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:04.864453077 CET	80	49736	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:04.864516973 CET	49736	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:04.864654064 CET	49736	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:04.869432926 CET	80	49736	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:05.333849907 CET	49738	80	192.168.2.4	163.171.133.72
Oct 31, 2024 17:22:05.340032101 CET	80	49738	163.171.133.72	192.168.2.4
Oct 31, 2024 17:22:05.340127945 CET	49738	80	192.168.2.4	163.171.133.72
Oct 31, 2024 17:22:05.340327978 CET	49738	80	192.168.2.4	163.171.133.72
Oct 31, 2024 17:22:05.345571041 CET	80	49738	163.171.133.72	192.168.2.4
Oct 31, 2024 17:22:05.367022038 CET	49739	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:05.367281914 CET	49740	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:05.371891022 CET	80	49739	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:05.371953964 CET	49739	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:05.372124910 CET	80	49740	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:05.372174025 CET	49740	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:05.372267008 CET	49739	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:05.372406960 CET	49740	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:05.377315998 CET	80	49739	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:05.377691031 CET	80	49740	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:06.300555944 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.300586939 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.300601959 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.300614119 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.300640106 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:06.300656080 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:06.301129103 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.301181078 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:06.301259995 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.301271915 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.301282883 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.301294088 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.301331043 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:06.301599026 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.301635027 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:06.301647902 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:06.328347921 CET	49741	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:06.333240032 CET	80	49741	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:06.333307028 CET	49741	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:06.333461046 CET	49741	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:06.335933924 CET	49739	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:06.336019993 CET	49740	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:06.336319923 CET	49736	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:06.338489056 CET	80	49741	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:06.338711977 CET	80	49741	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:06.396864891 CET	80	49738	163.171.133.72	192.168.2.4
Oct 31, 2024 17:22:06.396934032 CET	49738	80	192.168.2.4	163.171.133.72
Oct 31, 2024 17:22:06.773926973 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:06.774164915 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:06.862957954 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:06.862984896 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:07.256825924 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:07.256961107 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:07.257041931 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:07.269928932 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:07.270136118 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:07.270263910 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:07.539261103 CET	80	49741	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:07.539294004 CET	80	49741	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:07.539304018 CET	80	49741	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:07.539319038 CET	80	49741	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:07.539402962 CET	49741	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:07.539427996 CET	80	49741	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:07.539431095 CET	49741	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:07.539469004 CET	49741	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:07.767502069 CET	80	49741	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:07.770109892 CET	49741	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:07.981969118 CET	49741	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:07.987663984 CET	80	49741	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:07.999295950 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.000047922 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.000916958 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:08.001468897 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:08.002487898 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.005876064 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.005889893 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.005945921 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.006649971 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:08.006701946 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:08.007240057 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:08.007293940 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:08.007781029 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.016073942 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.016455889 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:08.016638041 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:08.021408081 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.022458076 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:08.022779942 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:08.465065956 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.465082884 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.465097904 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.465123892 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.465164900 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.467547894 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.467597008 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.486951113 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.492023945 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.504734039 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.504784107 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.504851103 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.504888058 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.505928993 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.505979061 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.507271051 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.512454033 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.899939060 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.899987936 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.899992943 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.900002003 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.900027037 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.900053978 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.903776884 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.903827906 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.903954029 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.903995037 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.904736996 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.904778957 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.906675100 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.906733990 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.906809092 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.906848907 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.908061981 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.908216953 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.908242941 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.908253908 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.908272028 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.908293962 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.912390947 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.912446976 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.912503958 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.912527084 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.912543058 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.912575960 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.913750887 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.917287111 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.917319059 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.917330027 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:08.917335987 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.917357922 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:08.917376041 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.021286964 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.021308899 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.021321058 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.021365881 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.021367073 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.023082018 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.023159027 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.023169041 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.023284912 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.027642012 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.027746916 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.027992964 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.028012037 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.028260946 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.030699968 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.030723095 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.030734062 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.030752897 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.030792952 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.039048910 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.039072037 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.039081097 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.039165020 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.140727997 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.140737057 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.140748024 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.140866041 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.141628981 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.141683102 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.141755104 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.141755104 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.141793013 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.141978025 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.145821095 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.145840883 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.145977974 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.146023035 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.146095037 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.149633884 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.149646997 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.149676085 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.149745941 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.157834053 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.158016920 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.166678905 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.166686058 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.166698933 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.166750908 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.166757107 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.166762114 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.166779041 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.166799068 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.166834116 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.166862011 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.166868925 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.166966915 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.166975975 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.167191982 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.171745062 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.171751976 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.171763897 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.171863079 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.193205118 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.193231106 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.193239927 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.193245888 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.193315029 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.193345070 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.193413019 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.193424940 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.193454027 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.193487883 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.193727016 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.193746090 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.193751097 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.193933010 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.198318958 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.198324919 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.198331118 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.198369026 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.198374987 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.198399067 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.198519945 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.286135912 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.286164045 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.286176920 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.286220074 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.286226034 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.286228895 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.286463976 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.286633968 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.286645889 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.286653042 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.286674976 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.286752939 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.286758900 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.286787033 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.286798000 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.310404062 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.310410976 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.310422897 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.310493946 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.310591936 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.310597897 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.310667992 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.313183069 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.313237906 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:09.313268900 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.313288927 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:09.326761961 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.326783895 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.326796055 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.326947927 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.448611021 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.448621035 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.448633909 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.448755026 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.453134060 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.453140974 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.453146935 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.454139948 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.456083059 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.456089973 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.456100941 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.456186056 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.459161043 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.459167004 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.459178925 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.459183931 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.459306955 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.464263916 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.464271069 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.464282990 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.464508057 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.468643904 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.468729973 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.468780994 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.468857050 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.567845106 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.567858934 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.567889929 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.568067074 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.569683075 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.569689035 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.572017908 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.574187040 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.574244022 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.574249983 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.576026917 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.578282118 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.578298092 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.578305960 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.578310966 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.580003977 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.582516909 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.582523108 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.582535028 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.582540989 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.582613945 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.582614899 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.586553097 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.586605072 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.590871096 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.686994076 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.687140942 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.687148094 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.688030958 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.689538002 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.689543009 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.691997051 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.693319082 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.693341017 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.693352938 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.696012974 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.697241068 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.697247028 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.697259903 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.697388887 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.697395086 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.697419882 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.698059082 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.701749086 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.701817036 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.705832958 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.705838919 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.705849886 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.705867052 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.708015919 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.806284904 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.806440115 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.808108091 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.808567047 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.808590889 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.808595896 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.808659077 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.808660030 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.812485933 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.812491894 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.812504053 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.816015959 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.818742037 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.818782091 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.818794012 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.818852901 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.818857908 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.818908930 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.820041895 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:09.821649075 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.822004080 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:09.824011087 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.060045004 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060060024 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060070992 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060137033 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.060161114 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060208082 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.060684919 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060739994 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.060739994 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060753107 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060764074 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060775995 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060787916 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.060811043 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.060831070 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.060888052 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060899973 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060909986 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060920954 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.060920954 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.060952902 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.060965061 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.061443090 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.061491966 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.061788082 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.066709042 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.465122938 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.465148926 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.465255022 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.470191956 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.476140022 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.862617016 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.862634897 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.862662077 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.862687111 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.862720013 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.862720013 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.862731934 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.862744093 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.862761021 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.862782001 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.862869024 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.862936974 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.862981081 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.863342047 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.863370895 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.863418102 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.867801905 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.867815018 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.867825031 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.867867947 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.867885113 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.867916107 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.867957115 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.868237972 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.868400097 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.868453026 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.877245903 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.877310038 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.877321959 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.877387047 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.880600929 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.880613089 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.880623102 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.880683899 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.880712986 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:10.884819984 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:10.888036966 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.028379917 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.240837097 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.240899086 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.240911007 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.240935087 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.240952969 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.240966082 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.240966082 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.240972042 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.240983963 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.240991116 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.240995884 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.241015911 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.241020918 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.241029978 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.241041899 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.241058111 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.241079092 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.241178989 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.241221905 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.241225004 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.241267920 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.241271973 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.241286993 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.241323948 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.241997004 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242047071 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.242053986 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242067099 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242095947 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.242111921 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.242134094 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242146969 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242157936 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242163897 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242183924 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242186069 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.242196083 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242230892 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242242098 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242316961 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.242368937 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.242407084 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.242458105 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.244184017 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.246257067 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.246274948 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.246287107 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.246300936 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.246310949 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.246321917 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.246341944 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.246341944 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.246475935 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.246493101 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.246521950 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.246532917 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.246840954 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.246881962 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.246922016 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.246958971 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.247354031 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.247365952 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.247395039 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.247406960 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.247441053 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.247452021 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.247510910 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.247575998 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.247587919 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.247622967 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.247633934 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.247994900 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.248034954 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.248059034 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.248084068 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.248164892 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.248176098 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.248202085 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.248215914 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.248373985 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.248388052 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.248409986 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.248424053 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.248541117 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.248580933 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.248632908 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.248668909 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:11.248994112 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:11.249037981 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.254604101 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.254755974 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.254764080 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.254774094 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.254875898 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.256216049 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.256236076 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.256256104 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.256403923 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.258717060 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.258735895 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.258754969 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.258775949 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.258863926 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.263115883 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.263154030 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.263171911 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.263176918 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.263295889 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.267786980 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.267807007 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.267827034 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.267851114 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.267851114 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.268001080 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.380302906 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:13.380508900 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.498632908 CET	49748	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:22:13.504136086 CET	80	49748	159.75.141.43	192.168.2.4
Oct 31, 2024 17:22:13.504614115 CET	49748	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:22:13.504615068 CET	49748	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:22:13.510711908 CET	80	49748	159.75.141.43	192.168.2.4
Oct 31, 2024 17:22:13.878204107 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:13.878588915 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:13.879044056 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:13.883232117 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:13.883681059 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:13.884304047 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:14.051333904 CET	49749	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:14.058218002 CET	80	49749	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:14.060060978 CET	49749	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:14.063551903 CET	49749	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:14.071095943 CET	80	49749	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:14.283483982 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.283556938 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:14.376039982 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:14.376063108 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:14.376077890 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:14.376142979 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:14.376199007 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:14.377218008 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:14.377285004 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:14.548599005 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:14.555258036 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.555814028 CET	80	49748	159.75.141.43	192.168.2.4
Oct 31, 2024 17:22:14.555860996 CET	49748	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:22:14.733047009 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.733064890 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.733105898 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:14.733135939 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:14.914917946 CET	49750	443	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:14.914949894 CET	443	49750	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:14.915035963 CET	49750	443	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:14.941617012 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:14.941665888 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:14.941740036 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:14.945940971 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:14.945955038 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:14.945962906 CET	49750	443	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:14.945977926 CET	443	49750	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:14.950808048 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.950834036 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.950850010 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.950870037 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:14.950903893 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:14.950956106 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:14.955730915 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.955746889 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.955760956 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.955827951 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:14.960499048 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:14.960555077 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:15.359641075 CET	49753	80	192.168.2.4	139.9.125.189
Oct 31, 2024 17:22:15.364674091 CET	80	49753	139.9.125.189	192.168.2.4
Oct 31, 2024 17:22:15.364739895 CET	49753	80	192.168.2.4	139.9.125.189
Oct 31, 2024 17:22:15.364939928 CET	49753	80	192.168.2.4	139.9.125.189
Oct 31, 2024 17:22:15.369856119 CET	80	49753	139.9.125.189	192.168.2.4
Oct 31, 2024 17:22:16.530667067 CET	80	49753	139.9.125.189	192.168.2.4
Oct 31, 2024 17:22:16.530879974 CET	49753	80	192.168.2.4	139.9.125.189
Oct 31, 2024 17:22:16.545677900 CET	443	49750	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:16.545790911 CET	49750	443	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:16.559185028 CET	80	49749	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:16.559875011 CET	49749	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:16.565685987 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:16.571980000 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.601135015 CET	49750	443	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:16.601150990 CET	443	49750	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:16.601594925 CET	443	49750	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:16.603501081 CET	49750	443	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:16.608032942 CET	49750	443	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:16.655333042 CET	443	49750	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:16.783121109 CET	80	49749	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:16.783222914 CET	49749	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:16.793994904 CET	49749	80	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:16.799427986 CET	80	49749	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:16.850240946 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:16.850316048 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:16.856029034 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:16.856040001 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:16.856264114 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:16.860104084 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:16.860538960 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:16.903335094 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:16.937899113 CET	49756	80	192.168.2.4	193.112.116.230
Oct 31, 2024 17:22:16.943037033 CET	80	49756	193.112.116.230	192.168.2.4
Oct 31, 2024 17:22:16.943264008 CET	49756	80	192.168.2.4	193.112.116.230
Oct 31, 2024 17:22:16.943264008 CET	49756	80	192.168.2.4	193.112.116.230
Oct 31, 2024 17:22:16.948225021 CET	80	49756	193.112.116.230	192.168.2.4
Oct 31, 2024 17:22:16.970139027 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.970216036 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:16.970304966 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.970314026 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.970444918 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:16.973896980 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.973939896 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.973948002 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.973973989 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:16.974117041 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:16.978001118 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.978009939 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.978017092 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.978080988 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:16.981337070 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.981345892 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.981360912 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.981419086 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:16.985304117 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.985342979 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.985351086 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:16.985368013 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:16.985404968 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.050395966 CET	443	49750	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:17.050466061 CET	49750	443	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:17.050491095 CET	443	49750	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:17.050570011 CET	443	49750	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:17.050638914 CET	49750	443	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:17.051269054 CET	49750	443	192.168.2.4	180.188.25.9
Oct 31, 2024 17:22:17.051280975 CET	443	49750	180.188.25.9	192.168.2.4
Oct 31, 2024 17:22:17.088998079 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.089093924 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.089107990 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.089121103 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.089123011 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.089133978 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.089152098 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.089152098 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.089171886 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.093034983 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.093080997 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.093095064 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.093142986 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.093178034 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.097170115 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.097182989 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.097196102 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.097239017 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.097269058 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.100963116 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.100980043 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.100994110 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.101027012 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.101057053 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.106024027 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.106036901 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.106055975 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.106067896 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.106091022 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.106118917 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.170114994 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.170135975 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.170236111 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.170262098 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.170277119 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.170341969 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.170350075 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.170397997 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.170974016 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.171073914 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.208420992 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.208440065 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.208451986 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.208478928 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.208499908 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.208544970 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.212605953 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.212615967 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.212630987 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.212666988 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.212713957 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.216773033 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.216785908 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.216835976 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.216896057 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.216941118 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.219934940 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.219945908 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.219955921 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.219978094 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.220001936 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.226083040 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.226094961 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.226152897 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.226166010 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.226171970 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.226200104 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.226217031 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.226221085 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.226257086 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.226638079 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.227160931 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.327866077 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.327884912 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.327908993 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.327925920 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.327927113 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.327938080 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.327960014 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.327986002 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.331307888 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.331368923 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.331379890 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.331391096 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.331432104 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.335267067 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.335316896 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.335330963 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.335336924 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.335355043 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.335366964 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.338840961 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.338865042 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.338876009 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.338913918 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.338941097 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.345314026 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.345331907 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.345344067 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.345355988 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.345374107 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.345385075 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.345395088 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.345410109 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.345423937 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.345827103 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.345922947 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.346184969 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.347692013 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.347835064 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.347912073 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.347935915 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.348104000 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.348170996 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.348226070 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.348233938 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.348447084 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.348494053 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.348583937 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.349108934 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.349184036 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.609920025 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.609951019 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.609961987 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610032082 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.610081911 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610094070 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610105991 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610115051 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610131025 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610132933 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.610143900 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610162020 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.610173941 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.610217094 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610228062 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610238075 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610255957 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610270023 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610279083 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.610280037 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610291004 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610292912 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.610305071 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610316038 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610322952 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.610368013 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.610548019 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610558987 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610568047 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610609055 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.610690117 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.610740900 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.610759974 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.610775948 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.610789061 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.610796928 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.610850096 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.610856056 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.610919952 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610968113 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.610980034 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.610990047 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.611010075 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.611021042 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.611027002 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.611057043 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.611352921 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.611363888 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.611375093 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.611386061 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.611396074 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.611397982 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.611414909 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.611423016 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.611427069 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:22:17.611448050 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.611469984 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:22:17.611502886 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.611536980 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.611572981 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.611572981 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.611582041 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.612195015 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.612229109 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.612257004 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.612263918 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.612277031 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.612293005 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.612369061 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.664103985 CET	49751	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:17.664120913 CET	443	49751	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:17.967518091 CET	80	49756	193.112.116.230	192.168.2.4
Oct 31, 2024 17:22:17.970016956 CET	49756	80	192.168.2.4	193.112.116.230
Oct 31, 2024 17:22:18.279846907 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:18.279879093 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:18.279951096 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:18.280622959 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:18.280638933 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:18.778271914 CET	49748	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:22:18.784229040 CET	80	49748	159.75.141.43	192.168.2.4
Oct 31, 2024 17:22:19.130207062 CET	80	49748	159.75.141.43	192.168.2.4
Oct 31, 2024 17:22:19.130275011 CET	49748	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:22:19.805211067 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:19.805288076 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:19.819825888 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:19.819843054 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:19.820065022 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:19.820144892 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:19.820614100 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:19.863322020 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.292824984 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.294069052 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.336652040 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.336661100 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.336700916 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.336745024 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.336764097 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.336780071 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.336815119 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.453898907 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.453916073 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.453986883 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.454001904 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.454185009 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.740772963 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.740786076 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.740818977 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.740852118 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.740866899 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.740884066 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.740910053 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.741190910 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.741208076 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.741245031 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.741250038 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.741286039 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.742404938 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.804621935 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.804646015 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.804697037 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.804713011 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.804723978 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.804755926 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.921904087 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.921924114 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.922000885 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:20.922013998 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:20.924041986 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.038327932 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.038347006 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.038423061 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.038433075 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.044044971 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.155158997 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.155175924 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.155236959 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.155252934 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.157866001 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.163655043 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.163667917 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.163733006 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.163738966 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.163780928 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.273119926 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.273138046 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.273299932 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.273308992 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.273355007 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.389010906 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.389061928 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.389091969 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.389101028 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.389144897 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.389162064 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.391729116 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:21.391768932 CET	443	49757	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:21.391825914 CET	49757	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:22.131735086 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:22.131794930 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:22.131865025 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:22.132134914 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:22.132153034 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.116743088 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.116859913 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.117660999 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.117666006 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.117927074 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.117930889 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.432290077 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.432343960 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.432351112 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.432365894 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.432384968 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.432393074 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.432431936 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.432435989 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.432446957 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.432476997 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.437850952 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:23.437906981 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:23.438141108 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:23.438421965 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:23.438438892 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:23.617343903 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.617440939 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.617470980 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.617558002 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.617589951 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.617605925 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.617613077 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.617623091 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.617649078 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.618240118 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.618314028 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.618508101 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.618551016 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.618576050 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.618598938 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.618604898 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.618614912 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.620040894 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.736757994 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.736877918 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.736958027 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.737008095 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.737304926 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.737360954 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.857400894 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.857489109 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.857501030 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.857521057 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.857561111 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.858494997 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.858531952 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.858531952 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.858537912 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.858649015 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.858692884 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.858697891 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.858736992 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.976434946 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.976473093 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.976495981 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.976502895 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.976520061 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.976531029 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:23.976546049 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.976577044 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.977416039 CET	49760	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:23.977431059 CET	443	49760	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:25.519643068 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:25.519788980 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:25.535495043 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:25.535506964 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:25.536276102 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:25.536336899 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:25.536855936 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:25.579334974 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:25.928112030 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:25.928199053 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.363622904 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.363651991 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.363699913 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.363751888 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.363771915 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.363806963 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.363821983 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.364500046 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.364543915 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.364676952 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.364685059 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.364759922 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.637821913 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.637845039 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.637860060 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.637907982 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.637923002 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.637949944 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.637973070 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.638349056 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.638365030 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.638427019 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.638432980 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.638461113 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.638470888 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.638489008 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.638524055 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.640058994 CET	49761	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.640072107 CET	443	49761	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.689471006 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.689538956 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:26.689637899 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.690385103 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:26.690418005 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:28.366250038 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:28.370204926 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:28.432502985 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:28.432538986 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:28.432728052 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:28.432743073 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:28.787143946 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:28.787714005 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:28.901324034 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:28.901333094 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:28.901374102 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:28.901442051 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:28.901489973 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:28.901525021 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:28.901546955 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.017493010 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.017508984 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.017589092 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.017618895 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.017678022 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.131776094 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.131794930 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.132091999 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.132123947 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.132183075 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.250006914 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.250027895 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.250281096 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.250304937 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.250356913 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.362433910 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.362452984 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.362673044 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.362699032 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.362754107 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.477844000 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.477864027 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.477952003 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.477987051 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.478014946 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.478034973 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.592730045 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.592747927 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.592843056 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.592864990 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.592922926 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.708168030 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.708182096 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.708240986 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.708272934 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.708306074 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.708328009 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.711954117 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.711977005 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.712083101 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.712097883 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.712155104 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.826594114 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.826608896 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.826798916 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.826816082 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.826867104 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.827102900 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.827172041 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.827241898 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.827302933 CET	443	49762	60.221.17.65	192.168.2.4
Oct 31, 2024 17:22:29.827358007 CET	49762	443	192.168.2.4	60.221.17.65
Oct 31, 2024 17:22:29.876586914 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:29.876621008 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:29.876688004 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:29.876944065 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:29.876960039 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:30.993942022 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:30.994018078 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:30.994445086 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:30.994456053 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:30.994659901 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:30.994667053 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.615708113 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.615750074 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.615818977 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.615820885 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.615820885 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.615834951 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.615860939 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.615873098 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.787744045 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.787800074 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.787858009 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.787878036 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.787899017 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.787918091 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.788422108 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.788479090 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.788583994 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.788635969 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.789433956 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.789489031 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.902817965 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.902899027 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.903376102 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.903429031 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:31.903979063 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:31.904028893 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.020121098 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.020184040 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.020698071 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.020745993 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.020787954 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.020817041 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.020839930 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.020854950 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.020868063 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.020895004 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.136385918 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.136487007 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.136626005 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.136676073 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.137522936 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.137571096 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.138057947 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.138108015 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.253848076 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.253931999 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.254251957 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.254297972 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.254306078 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.254317045 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.254369974 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.255625963 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.255662918 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.255662918 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.255671978 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.255686998 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.255773067 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:32.255842924 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.255842924 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.255842924 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.256648064 CET	49763	443	192.168.2.4	43.154.254.89
Oct 31, 2024 17:22:32.256666899 CET	443	49763	43.154.254.89	192.168.2.4
Oct 31, 2024 17:22:35.636288881 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:35.642726898 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:36.106542110 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:36.106565952 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:36.106576920 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:36.106645107 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:36.106671095 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:57.784804106 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:57.790394068 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:58.835599899 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:58.835617065 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:58.835628986 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:58.835663080 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:58.835690022 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:58.837403059 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:58.837414980 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:58.837425947 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:58.837445021 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:58.837467909 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:58.840748072 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:58.840797901 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:58.840807915 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:22:58.840809107 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:58.840837002 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:22:58.840850115 CET	49734	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:23:06.503827095 CET	80	49738	163.171.133.72	192.168.2.4
Oct 31, 2024 17:23:06.503938913 CET	49738	80	192.168.2.4	163.171.133.72
Oct 31, 2024 17:23:14.490334988 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:23:14.490448952 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:23:16.145612955 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:23:16.145785093 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:23:16.557991028 CET	80	49753	139.9.125.189	192.168.2.4
Oct 31, 2024 17:23:16.558105946 CET	49753	80	192.168.2.4	139.9.125.189
Oct 31, 2024 17:23:18.236114025 CET	80	49756	193.112.116.230	192.168.2.4
Oct 31, 2024 17:23:18.236166954 CET	49756	80	192.168.2.4	193.112.116.230
Oct 31, 2024 17:23:20.246367931 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:23:20.246443033 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:23:22.245445013 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:23:22.245505095 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:23:34.356021881 CET	80	49748	159.75.141.43	192.168.2.4
Oct 31, 2024 17:23:34.356098890 CET	49748	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:23:52.938729048 CET	49756	80	192.168.2.4	193.112.116.230
Oct 31, 2024 17:23:52.938786983 CET	49753	80	192.168.2.4	139.9.125.189
Oct 31, 2024 17:23:52.938920975 CET	49748	80	192.168.2.4	159.75.141.43
Oct 31, 2024 17:23:52.938944101 CET	49738	80	192.168.2.4	163.171.133.72
Oct 31, 2024 17:23:52.939003944 CET	49743	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:23:52.939049959 CET	49744	80	192.168.2.4	183.204.211.166
Oct 31, 2024 17:23:52.939101934 CET	49742	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:23:52.939174891 CET	49735	80	192.168.2.4	111.6.1.212
Oct 31, 2024 17:23:52.943671942 CET	80	49756	193.112.116.230	192.168.2.4
Oct 31, 2024 17:23:52.943697929 CET	80	49753	139.9.125.189	192.168.2.4
Oct 31, 2024 17:23:52.943708897 CET	80	49748	159.75.141.43	192.168.2.4
Oct 31, 2024 17:23:52.943749905 CET	80	49738	163.171.133.72	192.168.2.4
Oct 31, 2024 17:23:52.943896055 CET	80	49743	183.204.211.166	192.168.2.4
Oct 31, 2024 17:23:52.943906069 CET	80	49744	183.204.211.166	192.168.2.4
Oct 31, 2024 17:23:52.943945885 CET	80	49742	111.6.1.212	192.168.2.4
Oct 31, 2024 17:23:52.943957090 CET	80	49735	111.6.1.212	192.168.2.4
Oct 31, 2024 17:24:04.884006023 CET	80	49734	111.6.1.212	192.168.2.4
Oct 31, 2024 17:24:04.884088993 CET	49734	80	192.168.2.4	111.6.1.212

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 17:21:59.540941954 CET	65271	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:21:59.933784008 CET	53	65271	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:02.968332052 CET	52228	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:02.977432966 CET	53	52228	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:04.143969059 CET	56700	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:04.289496899 CET	65449	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:04.463746071 CET	61640	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:04.563483000 CET	52120	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:04.842061043 CET	53	56700	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:04.858546019 CET	53	65449	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:05.332793951 CET	53	52120	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:05.365748882 CET	53	61640	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:13.878201008 CET	54709	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:14.005032063 CET	53	54709	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:14.275862932 CET	54294	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:14.441118002 CET	53	54294	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:14.927025080 CET	53437	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:14.934621096 CET	53	53437	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:15.020117044 CET	62095	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:15.358445883 CET	53	62095	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:16.538991928 CET	58265	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:16.936907053 CET	53	58265	1.1.1.1	192.168.2.4
Oct 31, 2024 17:22:17.755665064 CET	53312	53	192.168.2.4	1.1.1.1
Oct 31, 2024 17:22:18.208426952 CET	53	53312	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 17:21:59.540941954 CET	192.168.2.4	1.1.1.1	0xa614	Standard query (0)	a.clickdata.37wan.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:02.968332052 CET	192.168.2.4	1.1.1.1	0xf516	Standard query (0)	gameapp.37.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.143969059 CET	192.168.2.4	1.1.1.1	0x1f72	Standard query (0)	img1.37wanimg.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.289496899 CET	192.168.2.4	1.1.1.1	0x1318	Standard query (0)	img2.37wanimg.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.463746071 CET	192.168.2.4	1.1.1.1	0xd3d5	Standard query (0)	ptres.37.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.563483000 CET	192.168.2.4	1.1.1.1	0xb5b0	Standard query (0)	d.wanyouxi7.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:13.878201008 CET	192.168.2.4	1.1.1.1	0x942b	Standard query (0)	regapi.37.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:14.275862932 CET	192.168.2.4	1.1.1.1	0x5d31	Standard query (0)	my.37.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:14.927025080 CET	192.168.2.4	1.1.1.1	0x243f	Standard query (0)	turing.captcha.qcloud.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:15.020117044 CET	192.168.2.4	1.1.1.1	0x7c45	Standard query (0)	cm.he2d.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:16.538991928 CET	192.168.2.4	1.1.1.1	0x2e56	Standard query (0)	cookiem.37.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:17.755665064 CET	192.168.2.4	1.1.1.1	0xba25	Standard query (0)	turing.captcha.gtimg.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 17:21:59.933784008 CET	1.1.1.1	192.168.2.4	0xa614	No error (0)	a.clickdata.37wan.com		159.75.141.43	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:21:59.933784008 CET	1.1.1.1	192.168.2.4	0xa614	No error (0)	a.clickdata.37wan.com		106.55.79.146	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:02.977432966 CET	1.1.1.1	192.168.2.4	0xf516	No error (0)	gameapp.37.com		180.188.25.9	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	img1.37wanimg.com	img1.37wanimg.com.volcgslb.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	img1.37wanimg.com.volcgslb.com	sx-img-all.volcgtm.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	sx-img-all.volcgtm.com		111.6.1.212	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	sx-img-all.volcgtm.com		111.48.138.87	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	sx-img-all.volcgtm.com		111.174.12.90	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	sx-img-all.volcgtm.com		113.219.195.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	sx-img-all.volcgtm.com		116.162.28.180	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	sx-img-all.volcgtm.com		116.162.51.228	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	sx-img-all.volcgtm.com		119.36.124.218	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	sx-img-all.volcgtm.com		183.204.211.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	sx-img-all.volcgtm.com		183.204.211.215	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.842061043 CET	1.1.1.1	192.168.2.4	0x1f72	No error (0)	sx-img-all.volcgtm.com		61.184.9.172	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	img2.37wanimg.com	img2.37wanimg.com.volcgslb.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	img2.37wanimg.com.volcgslb.com	sx-img-all.volcgtm.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	sx-img-all.volcgtm.com		111.6.1.212	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	sx-img-all.volcgtm.com		111.48.138.87	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	sx-img-all.volcgtm.com		111.174.12.90	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	sx-img-all.volcgtm.com		113.219.195.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	sx-img-all.volcgtm.com		116.162.28.180	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	sx-img-all.volcgtm.com		116.162.51.228	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	sx-img-all.volcgtm.com		119.36.124.218	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	sx-img-all.volcgtm.com		183.204.211.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	sx-img-all.volcgtm.com		183.204.211.215	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:04.858546019 CET	1.1.1.1	192.168.2.4	0x1318	No error (0)	sx-img-all.volcgtm.com		61.184.9.172	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.332793951 CET	1.1.1.1	192.168.2.4	0xb5b0	No error (0)	d.wanyouxi7.com	d.wanyouxi7.com.wscdns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:05.332793951 CET	1.1.1.1	192.168.2.4	0xb5b0	No error (0)	d.wanyouxi7.com.wscdns.com		163.171.133.72	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.332793951 CET	1.1.1.1	192.168.2.4	0xb5b0	No error (0)	d.wanyouxi7.com.wscdns.com		163.171.128.148	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.332793951 CET	1.1.1.1	192.168.2.4	0xb5b0	No error (0)	d.wanyouxi7.com.wscdns.com		163.171.132.119	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.332793951 CET	1.1.1.1	192.168.2.4	0xb5b0	No error (0)	d.wanyouxi7.com.wscdns.com		138.113.27.66	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	ptres.37.com	ptres.37.com.volcgslb.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	ptres.37.com.volcgslb.com	sx-img-all.volcgtm.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	sx-img-all.volcgtm.com		183.204.211.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	sx-img-all.volcgtm.com		183.204.211.215	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	sx-img-all.volcgtm.com		61.184.9.172	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	sx-img-all.volcgtm.com		111.6.1.212	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	sx-img-all.volcgtm.com		111.48.138.87	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	sx-img-all.volcgtm.com		111.174.12.90	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	sx-img-all.volcgtm.com		113.219.195.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	sx-img-all.volcgtm.com		116.162.28.180	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	sx-img-all.volcgtm.com		116.162.51.228	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:05.365748882 CET	1.1.1.1	192.168.2.4	0xd3d5	No error (0)	sx-img-all.volcgtm.com		119.36.124.218	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:14.005032063 CET	1.1.1.1	192.168.2.4	0x942b	No error (0)	regapi.37.com		180.188.25.9	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:14.441118002 CET	1.1.1.1	192.168.2.4	0x5d31	No error (0)	my.37.com		180.188.25.9	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:14.934621096 CET	1.1.1.1	192.168.2.4	0x243f	No error (0)	turing.captcha.qcloud.com	ins-taraok4w.ias.tencent-cloud.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:14.934621096 CET	1.1.1.1	192.168.2.4	0x243f	No error (0)	ins-taraok4w.ias.tencent-cloud.net		43.154.254.89	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:14.934621096 CET	1.1.1.1	192.168.2.4	0x243f	No error (0)	ins-taraok4w.ias.tencent-cloud.net		43.154.254.185	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:15.358445883 CET	1.1.1.1	192.168.2.4	0x7c45	No error (0)	cm.he2d.com	p2019.q1qfc323.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:15.358445883 CET	1.1.1.1	192.168.2.4	0x7c45	No error (0)	p2019.q1qfc323.com		139.9.125.189	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:15.358445883 CET	1.1.1.1	192.168.2.4	0x7c45	No error (0)	p2019.q1qfc323.com		193.112.116.230	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:16.936907053 CET	1.1.1.1	192.168.2.4	0x2e56	No error (0)	cookiem.37.com	p.huluwa8.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:16.936907053 CET	1.1.1.1	192.168.2.4	0x2e56	No error (0)	p.huluwa8.com	p2019.q1qfc323.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:16.936907053 CET	1.1.1.1	192.168.2.4	0x2e56	No error (0)	p2019.q1qfc323.com		193.112.116.230	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:16.936907053 CET	1.1.1.1	192.168.2.4	0x2e56	No error (0)	p2019.q1qfc323.com		139.9.125.189	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	turing.captcha.gtimg.com	turing.captcha.gtimg.com.cdn.dnsv1.com.cn		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	turing.captcha.gtimg.com.cdn.dnsv1.com.cn	1z8kxno0.sched.sma-dk.tdnsstic1.cn		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		60.221.17.65	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		60.221.17.244	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		36.248.54.59	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		122.189.171.106	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		42.177.83.225	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		14.205.93.60	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		221.204.15.89	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		36.248.43.254	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		221.204.15.88	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		116.177.242.69	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		221.204.15.87	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		42.177.83.115	A (IP address)	IN (0x0001)	false
Oct 31, 2024 17:22:18.208426952 CET	1.1.1.1	192.168.2.4	0xba25	No error (0)	1z8kxno0.sched.sma-dk.tdnsstic1.cn		36.250.243.20	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gameapp.37.com

my.37.com

turing.captcha.qcloud.com

turing.captcha.gtimg.com

img1.37wanimg.com

img2.37wanimg.com

ptres.37.com

a.clickdata.37wan.com

regapi.37.com

cm.he2d.com

cookiem.37.com

https:

d.wanyouxi7.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	159.75.141.43	80	7344	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:21:59.948915005 CET	288	OUT	GET /controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=417&ext_1=2&ext_2=wd_37cs&ext_3=921614&ext_4=2D9765A5A2ED4CE2ADBD5F7D47905931&ext_5=dc76deab4f96ab09d9dcaf79af94e8d7&ext_6=2&browser_type=3000 HTTP/1.1 User-Agent: HTTPDownloader Host: a.clickdata.37wan.com
Oct 31, 2024 17:22:02.053667068 CET	377	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 16:22:01 GMT Content-Type: text/plain;charset=utf-8; Transfer-Encoding: chunked Connection: keep-alive Server: openresty Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, OPTIONS Data Raw: 32 36 0d 0a 7b 22 63 6f 64 65 22 3a 31 2c 22 6d 73 67 22 3a 22 73 65 6e 64 20 64 61 74 61 20 73 75 63 63 65 73 73 21 22 7d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 26{"code":1,"msg":"send data success!"}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	180.188.25.9	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:02.988563061 CET	613	OUT	GET /controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: gameapp.37.com Connection: Keep-Alive
Oct 31, 2024 17:22:04.120419979 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 31 Oct 2024 16:22:03 GMT Content-Type: text/html;charset=UTF-8 Connection: close Set-Cookie: PHPSESSID=r8n5i200li7ekleljhb17avtb1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; path=/; domain=37.com Set-Cookie: client_type=3; path=/; domain=37.com Content-Encoding: gzip server-timing: inner; dur=79 Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b5 5a 7b 73 d3 56 16 ff bb cc f4 3b a8 62 5b 92 82 2c c9 76 e2 b7 3b 34 94 60 86 d0 10 28 29 9e ce 30 57 0f db 8a f5 42 92 ed 38 29 33 30 b3 b4 dd 6e 69 e9 ce f6 c5 32 db c7 2e 1d 66 bb 6d 77 a7 33 6d 77 4b db 0f 43 9c c0 5f fb 15 f6 9c ab 87 25 5b 81 50 40 26 96 74 ef 3d e7 fc ce b9 e7 71 ef c5 d5 67 14 4b f6 86 b6 ca 74 3c 43 af ef ab e2 8d d1 89 d9 ae b1 1b 1d 16 1b 54 a2 d4 f7 31 70 55 0d d5 23 8c dc 21 8e ab 7a 35 f6 95 33 47 b9 22 cb f0 41 a7 a7 79 ba 5a 1f fd f2 cd ce 57 df 56 79 ff 2d 46 66 12 43 ad b1 2d c7 32 3d d5 54 58 46 a6 0f c0 a6 43 4c 10 14 b1 d1 Data Ascii: Z{sV;b[,v;4`()0WB8)30ni2.fmw3mwKC_%[P@&t=qgKt<CT1pU#!z53G"AyZWVy-FfC-2=TXFCL
Oct 31, 2024 17:22:04.120464087 CET	208	IN	Data Raw: 35 b3 cb 38 aa 5e 63 5d 6f a8 ab 6e 47 55 3d 96 e9 38 6a ab c6 f2 bc 66 b4 c5 4c ae 30 20 26 3c 65 64 cb e0 d7 36 e4 0b bc ec ba bc ac 6b c0 8f 6f 83 1c 31 03 0d 2f 78 35 b1 90 13 72 25 b1 90 cd 45 fc f7 55 79 5f a1 aa 64 29 c3 40 a6 a2 f5 19 59 Data Ascii: 58^c]onGU=8jfL0 &<ed6ko1/x5r%EUy_d)@Y'[cLA*[mh'i`#"a}X;is:s~:F'3sUMG?^n_tLf=Y`hdKMszx
Oct 31, 2024 17:22:04.120475054 CET	1236	IN	Data Raw: fb 7e 8a da 03 b4 58 bc 9f 8e 99 50 d4 86 f1 03 0b 8d 3b fa f6 8d 9d cf 2e ef 59 d1 88 30 a6 ec b8 2d 54 76 dc 12 53 36 6a 7c 3c ca 86 f3 0f 5f 96 a7 a6 ce 2e 95 82 98 e4 8e 2a 77 25 6b 3d c2 13 36 30 f4 41 55 d2 a5 a7 33 e1 c8 14 1b 8e 9a 2e 0c Data Ascii: ~XP;.Y0-TvS6j\|<_.*w%k=60AU3.l7=vLB6F#x%H]xpw/PL2CM>pC8Vy }KL84gCH@l;!X:A"{e0i!y0n^,<ydB4/K<
Oct 31, 2024 17:22:04.120485067 CET	156	IN	Data Raw: c1 e8 ca cd 88 52 6b 31 33 cc 33 21 05 13 67 ea 33 f6 c7 2b 1a 01 c7 da fe ec 87 d1 ed f7 12 03 30 5d 52 d2 05 d7 c5 a0 ac d2 bd 58 3d e3 5e e0 7c 9a cd 70 39 5f 26 92 6b e9 3d 4f ad 78 96 5d 86 f2 66 af 57 74 b5 e5 95 e7 e8 e3 86 bf c6 2f 8b 82 Data Ascii: Rk133!g3+0]RX=^\|p9_&k=Ox]fWt/ Vl(.7SgqlS?/@/Y{Nn\1HGT.Apsdu3CL6mF
Oct 31, 2024 17:22:04.120654106 CET	1236	IN	Data Raw: b9 59 60 5f 01 66 ed 8e 57 ce e6 e0 39 5d 99 42 a8 0a c2 a9 48 44 ee b6 1d ab 67 2a 65 cf 21 26 94 2a 07 9c 80 e9 39 fa 4c 90 b2 a6 1d 06 ea 27 3d 7b d3 0c d2 56 c1 6f 2c c3 b0 4c de 07 97 e5 a5 76 12 67 c6 36 db b3 8c 69 c1 06 da 56 89 57 39 3f Data Ascii: Y`_fW9]BHDge!&9L'={Vo,Lvg6iVW9?Q(+Rqs&pn~sPbstZC\|0O`6Mabwz<Ee4<X2LcIiye#Y4*J0$,''D11G/\mC-2\f XP[:
Oct 31, 2024 17:22:04.120665073 CET	188	IN	Data Raw: af 2a 01 0e 22 e9 aa 32 91 44 e5 9e e3 c2 ab e2 1f 7c dd 8f 30 29 3d cc c1 55 de df 6e b3 95 c4 a6 fc 77 33 2c fe 36 83 9d cd 10 db 56 4d 65 26 dc a1 cf 26 c7 25 77 f7 6b 6e 92 49 86 ac 91 f5 99 e4 79 00 5e 90 d3 cb d1 e9 db 7d 8f 5a 7c be 59 41 Data Ascii: *"2D\|0)=Unw3,6VMe&&%wknIy^}Z\|YA?:`O3O#G`1nOU-3ix`euz+i.&Z.43=9U5L$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	111.6.1.212	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:04.853686094 CET	576	OUT	GET /jzcq/css/client/game1.css?t=1730391723 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:06.300555944 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: text/css Transfer-Encoding: chunked Connection: keep-alive Age: 0 Cache-Control: max-age=2592000 Content-Encoding: gzip Expires: Sat, 30 Nov 2024 16:22:05 GMT Last-Modified: Mon, 27 Dec 2021 04:19:53 GMT Vary: Accept-Encoding Via: cache15.sxmp,pic03.hnxxcm X-Bdcdn-Cache-Status: TCP_MISS,TCP_MISS X-Request-Id: 618680c3d18f8e0d122847d13c706959 X-Request-Ip: 173.254.250.77 X-Response-Cache: miss X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:05 GMT Data Raw: 62 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 5a 5f 72 a4 bc 11 7f f7 29 14 bb 52 95 6f 6b 98 81 61 98 7f 7e c9 4d b6 04 68 66 88 19 60 41 e3 b1 d7 e5 c7 1c 20 cf b9 43 72 80 54 72 9b 54 e5 bb 45 ba 5b 42 08 10 b3 5e af b7 bc 16 20 b5 7e fd bf 5b f0 e7 e4 c4 eb 46 48 76 7f 91 07 6f 7b ff 78 77 77 92 e7 7c c6 e2 32 7d 9d b1 34 7b 9e b1 a6 e2 c5 8c 65 87 9a 9f c5 ec 14 cc d8 69 39 63 15 4c c9 cb e4 e9 db a5 94 02 2e 6b 31 e3 71 5c cf 98 38 c3 dc f3 11 96 f1 73 35 6b ce 3c 07 6a 8d ac cb 02 ef 5d e2 59 0c cf 67 29 dc 4c 25 fc a6 33 76 81 71 9e cd ee 0e 99 c8 53 c0 32 63 87 b2 06 2a 39 8f 05 3e 12 47 51 a4 33 c9 e3 1c 36 4a 78 25 b3 12 f0 48 85 50 1e ca 12 56 c8 93 e0 40 4a d6 38 84 df 74 c6 6b 99 25 b8 82 37 59 4a 0b 8b 67 de c0 8e 42 f2 2c 87 c1 21 3b 1a 62 b0 f7 f1 02 2c 30 a4 26 80 08 92 83 bf a7 63 5d 5e 80 d5 b3 28 2e 33 56 70 94 86 48 d4 9a e6 72 3e f3 fa 95 bd c1 ff c7 ac d8 fb 8f 15 4f d3 ac 38 c2 28 2e 6b 58 0e 83 f2 22 f3 ac 10 30 7a bf e3 c0 78 51 5d 00 6d 7c 91 b2 2c d8 5b b7 c0 d0 e8 16 [TRUNCATED] Data Ascii: b9aZ_r)Roka~Mhf`A CrTrTE[B^ ~[FHvo{xww\|2}4{ei9cL.k1q\8s5k<j]Yg)L%3vqS2c9>GQ36Jx%HPV@J8tk%7YJgB,!;b,0&c]^(.3VpHr>O8(.kX"0zxQ]m\|,[hEYXCYH}^YV\rghp&R5GN\|&%evA{`2bN7`oc?gi#9}/>A":<=YSuO0D!;\"v\|U61mrq r-x25.qyYh*kO`%0ON"ySnS^T$E;8veWc:<X<o(ZT
Oct 31, 2024 17:22:06.300586939 CET	1236	IN	Data Raw: 82 13 64 42 24 d2 16 9b 87 46 fc 11 52 5f cb c2 41 2d 96 85 d7 dc 14 7a eb 16 cc 67 bb ea 85 11 8b 7d ad 6b 39 2c d1 1d b4 20 96 5b 18 93 a8 ec 1b 64 d5 4a 2a 09 e0 13 b5 2d 83 0e 6c 23 6a 90 a1 07 d0 e6 7f a9 7a 80 b5 2a 0f 91 88 62 6e e0 b7 4e Data Ascii: dB$FR_A-zg}k9, [dJ-l#jzbnNb !wQ\-2vEEPW\}KanRQ 68Xx2n358+'U$\<;ik7x1d:2H(j3(>;vWIwT\qb,
Oct 31, 2024 17:22:06.300601959 CET	424	IN	Data Raw: f4 b7 3b cf 79 92 00 1b 18 b4 f5 2d ef 24 5f cd 6d 93 d0 a0 9f 5c a5 eb 7e f3 4b 76 62 d1 e2 03 22 dc ac 4e b7 41 18 84 14 69 72 e8 2d f2 57 cc 11 a2 31 a9 e1 03 07 57 6e 56 23 c3 6a b8 c3 e1 98 d7 0e 3f 42 55 bb 13 52 da 9f f7 11 58 ce 31 ec ea Data Ascii: ;y-$_m\~Kvb"NAir-W1WnV#j?BURX1tobqD:lkiApTbC$UtROA1H3CQu5MXxi-u572+L#p"uZ3?k69l,9^w=NBC}>;O3)[/-M
Oct 31, 2024 17:22:06.300614119 CET	642	IN	Data Raw: 80 bf fd c3 c3 5e 43 a5 8c 60 a0 b3 81 8a 2d 9b 18 42 54 47 b4 bd e8 fa 10 f8 fe ce df 8d cc ec c1 d2 9d 0a 72 11 02 e9 3d 70 48 7c 8d a6 de 1d 76 79 f8 c2 b2 73 83 5e 60 25 d5 38 ad 22 a0 ea 41 05 69 7d 28 6e 91 53 a7 e9 7a 3b bb 33 a6 e0 34 76 Data Ascii: ^C`-BTGr=pH\|vys^`%8"Ai}(nSz;34v NY[5k;OL=7v;(y<p;6hCnbpg4'd](O\>Ru\}e'N_APF@M(5Y'PFX8Q&ByrHr;mu
Oct 31, 2024 17:22:06.301129103 CET	642	IN	Data Raw: 80 bf fd c3 c3 5e 43 a5 8c 60 a0 b3 81 8a 2d 9b 18 42 54 47 b4 bd e8 fa 10 f8 fe ce df 8d cc ec c1 d2 9d 0a 72 11 02 e9 3d 70 48 7c 8d a6 de 1d 76 79 f8 c2 b2 73 83 5e 60 25 d5 38 ad 22 a0 ea 41 05 69 7d 28 6e 91 53 a7 e9 7a 3b bb 33 a6 e0 34 76 Data Ascii: ^C`-BTGr=pH\|vys^`%8"Ai}(nSz;34v NY[5k;OL=7v;(y<p;6hCnbpg4'd](O\>Ru\}e'N_APF@M(5Y'PFX8Q&ByrHr;mu
Oct 31, 2024 17:22:06.774164915 CET	570	OUT	GET /jzcq/css/client/game1/kv-ico.png HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:07.256825924 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/png Content-Length: 912 Connection: keep-alive Age: 2505797 Cache-Control: max-age=2592000 Content-Encoding: gzip Etag: "59438b1e-764" Expires: Fri, 01 Nov 2024 16:18:50 GMT Last-Modified: Fri, 16 Jun 2017 07:39:10 GMT Vary: Accept-Encoding X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 0a19ff7cb6bc940fd8c4beaba853c0a9 X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:07 GMT via: pic03.hnxxcm Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 53 5d 6c 14 55 14 3e cd 36 c5 40 9a 10 9f 40 1e bc cc 82 d1 c4 dd d9 d9 76 4b 77 e8 42 ba 3b bb ed 46 a6 94 ed 46 ab 2f 74 76 e6 b6 3b 29 f3 d3 99 db ee 6e 83 51 8b 62 c0 3f 4c 48 fc a1 a6 12 45 22 08 44 8d 08 56 d0 28 3e 90 2c a0 46 08 3f 35 d1 04 21 e1 85 07 7e da 20 e1 7a 67 e9 96 c4 b8 c6 27 9f f8 92 99 7b cf cd f7 9d 7b ce b9 e7 6c e9 ee ea 68 9c ff d0 7c 00 68 4c 77 4a 19 b6 2e 61 df 82 07 7c ec 7f 78 aa e1 36 5b 16 93 64 2f e9 b1 fa 49 41 71 30 b4 6b 56 0e a3 b4 a1 0c e0 0c 56 b4 d2 d0 71 dc 06 e0 f3 eb d9 5e d2 2b af 11 55 cb 08 2a 1e 27 58 34 6c f0 d0 b6 ba 68 2b ea 20 26 28 87 07 74 33 c6 5d 9d fc 86 43 ba 16 e3 9e 8a c8 21 d9 4e e0 bc de 39 ea e0 9e d1 ae ac 3a 3a a8 46 35 6e f5 2a d4 56 14 99 03 03 13 05 15 8d 0d a6 2b 16 63 5c c5 af c8 f6 de 31 cf a1 0a 85 0c c6 b8 bb 41 f5 ca dd 28 61 39 18 45 82 91 80 1a 12 9a d1 8a 68 50 88 08 cd ad c2 e3 28 1c 12 9a f8 50 13 2f 34 05 84 b0 18 8a 8a 42 04 cd 82 63 b7 39 5a bf 98 91 52 b3 77 31 2b c6 e5 09 b1 45 9e 2f [TRUNCATED] Data Ascii: S]lU>6@@vKwB;FF/tv;)nQb?LHE"DV(>,F?5!~ zg'{{lh\|hLwJ.a\|x6[d/IAq0kVVq^+U'X4lh+ &(t3]C!N9::F5nV+c\1A(a9EhP(P/4Bc9ZRw1+E/BSrx!0#Lz:MtDaj=tg!/QjsldxfK63=\bemV;o[6J$g?V6]NK1u]R$OI+ $Y[5NUd6IU&kj^>c%^VKg{ko;\|lvwX_Odl6(@zIK1)t@=t?q{@?;{@w[
Oct 31, 2024 17:22:07.256961107 CET	235	IN	Data Raw: 0d 3b 73 b0 31 0d 7f be 01 b7 de 84 99 2d 70 73 33 dc 78 11 ae bf 00 f5 f5 f5 3e 9f af ae ae ae 32 a7 f7 71 1f ff 2b 2e 3e d1 89 d8 c2 93 4c 57 8f 37 08 ff 1d f0 cc ae d6 69 26 dd 96 96 da b3 c5 f3 da 8f 17 1e 1c 43 0b 1b fa 52 2b 17 2d d7 9e fe Data Ascii: ;s1-ps3x>2q+.>LW7i&CR+-</#Oqd#vyDL^z\>S^ZyQybZd2u/>>T^lcb?MUSYW8{.P\|2x@f/tKv,d
Oct 31, 2024 17:22:08.002487898 CET	433	OUT	GET /jzcq/js/client/game1.js?t=1730391727 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:08.504734039 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: application/x-javascript Transfer-Encoding: chunked Connection: keep-alive Age: 0 Cache-Control: max-age=2592000 Content-Encoding: gzip Expires: Sat, 30 Nov 2024 16:22:08 GMT Last-Modified: Mon, 27 Dec 2021 04:19:54 GMT Vary: Accept-Encoding Via: cache61.jnmp,pic03.hnxxcm X-Bdcdn-Cache-Status: TCP_MISS,TCP_MISS X-Request-Id: 5eff243581f03df45d5ab1a3928aab81 X-Request-Ip: 173.254.250.77 X-Response-Cache: miss X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:08 GMT Data Raw: 35 63 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 18 cb 6e db 46 f0 6e c0 ff b0 66 8c 88 4e 24 52 4e 53 04 50 2c b7 86 6d d8 02 64 bb b1 e4 06 41 5b 08 2b 6a 25 ae 2d 91 02 b9 92 eb 38 02 7a 6b 2f 2d 5a a0 c7 7e 40 fb 05 3d e6 6b 9a e4 33 3a b3 7c 88 8f 25 2d 07 08 d0 43 07 30 4c ce ce fb b5 43 99 8f d6 d7 c8 23 62 8d 39 73 04 21 23 3a 61 c6 a5 2f 71 5f d2 99 b0 5d 8f d8 d4 79 6d 07 98 01 15 8c 3c a9 6f 3f ad d5 9f d6 b6 9f 21 d2 5c 5f d3 87 33 c7 12 dc 75 74 b2 59 25 9d 17 55 32 73 06 6c c8 1d 36 20 5b b7 eb 6b 40 06 30 a7 5e a8 66 9f 34 89 c3 ae 81 d2 d8 0f 10 63 ea fb fa 6d 40 87 80 66 b4 06 0d 72 c0 86 74 36 16 47 f2 b5 ba 3c 07 3b 68 7c 7a 00 2f 27 4c d0 c4 39 f2 9f c2 5f 4a 02 22 12 34 53 3a 62 1d fe 1a 68 3e af d7 13 f8 b1 3b 3a 9c 83 51 0d 92 30 08 c1 9f 59 0d 12 bb ba 95 3d 46 48 7b 64 f8 57 7c da 75 3b cc 9b 33 4f bf 5d 6c 3d 4f 73 2c 12 5a 11 86 94 27 14 10 8f f9 44 a9 85 8e 99 27 e4 b9 31 f1 47 24 27 76 f9 9a d4 e0 b1 95 fc 22 ee 14 ff 17 a8 e6 43 12 53 18 be 74 ac c7 07 6a 5a 84 4c 40 e0 [TRUNCATED] Data Ascii: 5c9nFnfN$RNSP,mdA[+j%-8zk/-Z~@=k3:\|%-C0LC#b9s!#:a/q_]ym<o?!\_3utY%U2sl6 [k@0^f4cm@frt6G<;h\|z/'L9_J"4S:bh>;:Q0Y=FH{dW\|u;3O]l=Os,Z'D'1G$'v"CStjZL@y>/{e3c>[Q]JiJJu%{3Z$;\y4r_( OT$E6/2#:&Z..63g$lud=&fSSp] 4>(9+.cA~#Hd65CP-SLmE\p_"/r+bD`g"9po9:+kC/xY6=gG'-o\oE4\`\|!Jl6RdEz
Oct 31, 2024 17:22:08.504851103 CET	824	IN	Data Raw: c9 0a e5 83 62 94 bc 8b 3b 22 82 42 64 44 62 69 ff a1 88 14 7a 85 70 47 44 0a a3 99 ba 9b d3 43 2f 90 96 bb 35 ef 9a c7 08 72 94 a0 19 24 1c 26 49 d3 f2 f3 04 21 9c 29 48 50 da fe 08 ca c1 82 90 69 2d 84 fb 8e 17 84 15 46 0c c2 c7 8f 19 84 8f 1b Data Ascii: b;"BdDbizpGDC/5r$&I!)HPi-F5e!?r$6FO%ST@2TPY'p55bqX#8OH6gS,$TR)aM4\|s9 8letPa,a$:$i:2
Oct 31, 2024 17:22:08.505928993 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 31, 2024 17:22:08.507271051 CET	426	OUT	GET /jzcq/css/client/game1/dot.png HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:08.906675100 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/png Content-Length: 979 Connection: keep-alive Accept-Ranges: bytes Age: 1215620 Cache-Control: max-age=2592000 Etag: "59438b1e-3d3" Expires: Sat, 16 Nov 2024 14:41:48 GMT Last-Modified: Fri, 16 Jun 2017 07:39:10 GMT X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 3dab8645dd4cffbb84f2409aa27492e0 X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:08 GMT via: pic03.hnxxcm Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 09 00 00 00 09 08 03 00 00 00 d7 4f f6 22 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 03 23 69 54 58 74 58 4d 4c 3a 63 6f 6d 2e 61 64 6f 62 65 2e 78 6d 70 00 00 00 00 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78 3a 78 6d 70 6d 65 74 61 20 78 6d 6c 6e 73 3a 78 3d 22 61 64 6f 62 65 3a 6e 73 3a 6d 65 74 61 2f 22 20 78 3a 78 6d 70 74 6b 3d 22 41 64 6f 62 65 20 58 4d 50 20 43 6f 72 65 20 35 2e 35 2d 63 30 31 34 20 37 39 2e 31 35 31 34 38 31 2c 20 32 30 31 33 2f 30 33 2f 31 33 2d 31 32 3a 30 39 3a 31 35 20 20 20 20 20 20 20 20 22 3e 20 3c 72 64 66 3a 52 44 46 20 78 6d 6c 6e 73 3a 72 64 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 30 32 2f 32 32 2d 72 64 66 2d 73 79 6e 74 61 78 2d 6e 73 23 22 3e 20 3c 72 64 66 3a 44 65 73 [TRUNCATED] Data Ascii: PNGIHDRO"tEXtSoftwareAdobe ImageReadyqe<#iTXtXML:com.adobe.xmp<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:054A843D491511E7A6F080A422EEECBC" xmpMM:DocumentID="xmp.did:054A843E491511E7A6F080A422EEECBC"> <xmpMM:DerivedFrom stRef
Oct 31, 2024 17:22:08.906809092 CET	277	IN	Data Raw: 3a 69 6e 73 74 61 6e 63 65 49 44 3d 22 78 6d 70 2e 69 69 64 3a 30 35 34 41 38 34 33 42 34 39 31 35 31 31 45 37 41 36 46 30 38 30 41 34 32 32 45 45 45 43 42 43 22 20 73 74 52 65 66 3a 64 6f 63 75 6d 65 6e 74 49 44 3d 22 78 6d 70 2e 64 69 64 3a 30 Data Ascii: :instanceID="xmp.iid:054A843B491511E7A6F080A422EEECBC" stRef:documentID="xmp.did:054A843C491511E7A6F080A422EEECBC"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>qPLTE!h7tRNS0J&IDATxb`a10
Oct 31, 2024 17:22:08.908061981 CET	436	OUT	GET /www2015/images/common/third-logo-24.png HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:09.313183069 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/png Content-Length: 1604 Connection: keep-alive Accept-Ranges: bytes Age: 1657176 Cache-Control: max-age=2592000 Etag: "57b106f5-644" Expires: Mon, 11 Nov 2024 12:02:33 GMT Last-Modified: Mon, 15 Aug 2016 00:04:05 GMT X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 34c720ddf4350ad6ab91717a0e9fe29f X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:09 GMT via: pic03.hnxxcm Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 18 00 00 00 68 08 03 00 00 00 dc 8b c0 0b 00 00 02 c7 50 4c 54 45 00 00 00 ff ff ff 0a a8 0a 33 88 ff eb 3c 28 0a a8 0a 33 88 ff eb 3c 28 0a a8 0a 33 88 ff eb 3c 28 0a a8 0a 33 88 ff eb 3c 28 0a a8 0a 33 88 ff eb 3c 28 0a a8 0a 33 88 ff eb 3c 28 0a a8 0a 33 88 ff eb 3c 28 0a a8 0a 33 88 ff eb 3c 28 0a a8 0a 33 88 ff eb 3c 28 0a a8 0a 33 88 ff eb 3c 28 0a a8 0a 0b a8 0b 0c a9 0c 0d a9 0d 0f aa 0f 12 ab 12 16 ac 16 21 b0 21 22 b1 22 2f b5 2f 33 88 ff 35 89 ff 35 b7 35 39 8c ff 3a 8c ff 3a b9 3a 3d 8e ff 3f 8f ff 43 bc 43 44 92 ff 46 93 ff 48 be 48 49 bf 49 4d 97 ff 4f 98 ff 52 c2 52 54 c2 54 55 9c ff 60 a2 ff 60 c6 60 61 a3 ff 65 a5 ff 6a a8 ff 6e ab ff 6f ab ff 71 cd 71 72 cd 72 76 af ff 76 ce 76 77 b0 ff 7c b2 ff 80 d2 80 82 d3 82 83 d3 83 85 b8 ff 87 d4 87 88 d5 88 89 ba ff 89 d5 89 8c d6 8c 91 d8 91 9d c6 ff a3 c9 ff a4 df a4 a6 cb ff a9 cd ff ab e1 ab ad cf ff ae e2 ae b4 e4 b4 bb d7 ff bb e7 bb bd d9 ff bf e8 bf c1 db ff c2 dc ff c2 ea c2 [TRUNCATED] Data Ascii: PNGIHDRhPLTE3<(3<(3<(3<(3<(3<(3<(3<(3<(3<(!!""//35559:::=?CCDFHHIIMORRTTU```aejnoqqrrvvvw\|<(>*>+?+A.B/C0D0G5I6K8N<P>TBVEXFZI[K\K^M`PbRcSdTgWk\l]n_n`rcxjxkykzl{m\|oqvwy{}~
Oct 31, 2024 17:22:09.313237906 CET	903	IN	Data Raw: fd eb e9 fd ec ea fd ed eb fd f0 ee fd fe fd fd fe ff fe f0 ef fe f4 f2 fe f5 f4 fe f6 f5 fe f7 f7 fe f8 f7 fe ff fe ff fb fb ff fc fc ff fd fd ff ff ff 4e 3a 8a f3 00 00 00 20 74 52 4e 53 00 00 28 28 28 29 29 29 66 66 66 67 67 67 82 82 82 84 84 Data Ascii: N: tRNS((()))fffgggQiIDATHS[TA%]bbEEEVl,&v}z~x3swJk0Z+9lA2y_sf;3<N<Vp
Oct 31, 2024 17:22:13.878204107 CET	433	OUT	GET /www2015/images/reglog/200x42.png?v=1 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:14.283483982 CET	1073	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/png Content-Length: 539 Connection: keep-alive Accept-Ranges: bytes Age: 1764830 Cache-Control: max-age=2592000 Etag: "581aa718-21b" Expires: Sun, 10 Nov 2024 06:08:24 GMT Last-Modified: Thu, 03 Nov 2016 02:55:20 GMT X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: f6f9d218da060aeeb3680128cf74c965 X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:14 GMT via: pic03.hnxxcm Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 c8 00 00 00 2a 08 03 00 00 00 c1 0a e4 25 00 00 01 1d 50 4c 54 45 ff ff ff f5 80 00 f6 82 00 f6 83 00 f6 84 00 f6 86 0d f6 88 0c f6 88 10 f6 89 0e f7 84 00 f7 85 00 f7 86 00 f7 87 00 f8 88 00 f8 89 00 f8 8a 00 f8 8b 00 f8 a9 52 f9 8c 00 f9 8d 00 f9 8e 00 f9 8f 00 f9 aa 52 fa 90 00 fa 91 00 fa 92 00 fb 93 00 fb 94 00 fb 94 01 fb 95 00 fb 95 02 fb 96 00 fc 97 00 fc 98 00 fc 99 00 fc 9a 00 fd 9b 00 fd 9c 00 fd 9d 00 fd eb d7 fd ec d8 fe 9e 00 fe 9f 00 fe a0 00 fe a2 02 fe a5 0c fe a6 0e ff a2 04 ff a3 00 ff a4 02 ff a4 03 ff a4 04 ff a5 05 ff a5 06 ff a6 08 ff a6 09 ff a7 0b ff a7 0c ff a8 0e ff a8 10 ff a9 10 ff a9 11 ff aa 13 ff ab 15 ff ab 17 ff ac 19 ff ad 1b ff ad 1d ff ae 1f ff af 20 ff af 22 ff af 24 ff b0 24 ff b1 26 ff b1 28 ff b2 2a ff b3 2c ff b3 2e ff b4 30 ff b5 31 ff b5 33 ff b6 35 ff b7 36 ff b7 38 ff b8 39 ff b8 3b ff b9 3c ff b9 3d ff b9 3e ff ba 3f ff ba 40 ff c0 52 ff c1 52 ff f1 d8 ff f2 da b8 94 42 c9 00 00 00 01 74 52 4e 53 [TRUNCATED] Data Ascii: PNGIHDR%PLTERR "$$&(,.0135689;<=>?@RRBtRNS@fIDAT1QFWdKk"$sha8m5lvn`(FiFhC`!0PC`EC`!0PC`b!0adc>q;7wd1b'IENDB`
Oct 31, 2024 17:22:14.548599005 CET	426	OUT	GET /www/css/images/common/ico.png HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:14.950808048 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/png Content-Length: 5411 Connection: keep-alive Accept-Ranges: bytes Age: 2060499 Cache-Control: max-age=2592000 Etag: "55856c03-1523" Expires: Wed, 06 Nov 2024 20:00:35 GMT Last-Modified: Sat, 20 Jun 2015 13:34:59 GMT X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: f403fd4f2bfa9c3ee674c621c07ade82 X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:14 GMT via: pic03.hnxxcm Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 13 00 00 05 d1 08 03 00 00 00 4b 96 56 e6 00 00 02 fa 50 4c 54 45 00 00 00 ff 66 01 7a bc e6 96 bf 3f 6b d3 ed ff ff ff bc bc bc 75 75 75 ff 9b 1f eb f8 ff 4b 8a d2 cd cd cd c6 c6 c6 f1 f1 f1 fe fe fa cf da e0 ac 6f 09 f5 f5 f6 ff b8 3e e1 53 01 f8 f8 f8 f5 3c 04 fa 55 33 d1 d1 d2 fb fb fc 43 a7 0c fc b8 0c c2 c2 c3 92 92 91 f3 94 16 40 9d d9 f5 b9 47 24 78 d8 ea ea eb ff f4 ba 53 53 53 de de df b7 b8 b8 fd c6 02 6b 9d 00 fe a1 00 ff f7 9b ff fc f1 f1 f0 d5 72 72 72 ff ed 30 fe db 05 9c 19 12 fe fb d6 5a a5 32 fb cc 34 cc 68 0f 64 9b cf e5 e5 e5 f8 ff ff de 47 2b e8 f5 fc fc a7 38 fe f5 c7 d8 02 00 fd da 52 f9 a8 93 fe 99 77 ee fe fe e2 ab 59 d7 d7 d7 e9 5a 47 c5 4e 4d fc 69 46 bd 9e 54 fb c0 55 98 99 99 fe fd 49 fd e8 6d 6f a1 d8 fc d2 ce a7 91 6c e1 9e 1a 6b ae 48 5f de 2a e5 f2 fa ff fd e6 fc 64 73 28 26 30 fa e2 db fe fa f8 6f a3 02 fc f5 ee d5 b1 81 e2 f0 f6 d3 de e4 d9 e4 ea df 6e 01 13 0f 12 e0 35 20 fd 87 65 fe 83 33 fb ed e7 dd c9 9e [TRUNCATED] Data Ascii: PNGIHDRKVPLTEfz?kuuuKo>S<U3C@G$xSSSkrrr0Z24hdG+8RwYZGNMiFTUImolkH_ds(&0on5 e3@l2;BC\-nio8/s\pey41x#y-Mn9bGs]NzX5{\|~hpmPAWzYcDH/urh4[DUKoqJJY{q[rUfJ`(`\'b5w<<I7zO`\OP
Oct 31, 2024 17:22:14.950834036 CET	1236	IN	Data Raw: 5f 9c 5a ad e9 6a 63 f9 a6 1b eb f7 e5 d5 ff e0 d3 d9 f3 e8 ab 1d ea 9a 04 d1 bd ae f7 9a 5b e8 ff d7 6e 43 41 de e3 a0 e8 f5 f2 91 8c a4 8f 52 3f d6 f3 ff 6b 6c 67 e7 18 1b 6c 6f 72 c3 c8 fc 80 bc 4f ba 83 8a e0 ff ee 66 1d 20 e5 fd cd b7 a9 a3 Data Ascii: _Zjc[nCAR?klglorOf 5zPE29tRNS@fIDATxXSWsrj@iR$(ada1E@Q@u{:VNg/<9EQ6xys/9wr
Oct 31, 2024 17:22:35.636288881 CET	436	OUT	GET /jzcq/css/client/game1/btn-log-short.jpg HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:36.106542110 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/jpeg Content-Length: 2329 Connection: keep-alive Age: 8377 Cache-Control: max-age=2592000 Content-Encoding: gzip Expires: Sat, 30 Nov 2024 14:02:58 GMT Last-Modified: Fri, 16 Jun 2017 07:39:10 GMT Vary: Accept-Encoding Via: cache64.tzmp,pic03.hnxxcm X-Bdcdn-Cache-Status: TCP_MISS,TCP_HIT X-Request-Id: e0a8cd40c56b2049ae1c40b560a3bf3b X-Request-Ip: 173.254.250.77 X-Response-Cache: parent_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:35 GMT Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8c 54 07 54 53 69 16 7e a9 b4 a8 44 8a 48 18 89 41 01 67 0c c9 4b 21 05 01 21 21 88 a8 20 20 45 54 36 0d 89 48 02 49 20 09 03 16 50 50 10 46 40 2c d8 06 c5 86 88 6b 41 ec 8c 0a 82 e0 5a 40 44 14 75 90 32 82 8a 42 44 10 27 64 5e 38 a2 b3 7b 5c 77 ef 39 ef 9d 77 ef fd ee fd bf ef ff ff fb f4 8f f4 ed 80 8d 8f 5a 12 0d 00 7e 7e 3f 02 c6 c0 57 d3 bf 06 b0 dc 44 61 ac 06 80 01 48 c8 9f 03 85 da 11 aa 18 a5 32 9e 4d 22 49 15 2e 7c 91 4c 20 76 11 ca e2 48 6a 7e 3c 09 74 21 93 80 39 9e ea 78 be 30 56 ac c4 0b c4 2b 25 52 77 c2 db 4b 55 04 bc 44 e4 4e 08 a3 2f 24 2f 8c e7 88 63 24 f3 92 e5 e2 e0 e4 45 21 c2 e4 58 21 4b 44 f0 f4 c0 cf 51 b3 d5 71 f1 71 62 25 1f af 8e 5b 2d 55 b0 d5 ee 84 b1 e6 6c e8 db 10 26 11 f0 63 10 65 ac 3b c1 cb 90 c0 87 2f 0c c4 73 64 72 31 9e ee 42 27 0a c9 20 0d cf 60 b9 80 74 90 c6 04 67 e3 29 64 90 4a 22 53 49 20 95 08 52 d8 64 16 1b a4 e3 3f 1b 01 5a 4d 2e 8a 66 07 71 79 9f d7 82 3c 77 c2 67 51 2a 95 ca 45 45 75 91 c9 57 92 40 16 8b 45 22 53 48 14 0a [TRUNCATED] Data Ascii: TTSi~DHAgK!!! ET6HI PPF@,kAZ@Du2BD'd^8{\w9wZ~~?WDaH2M"I.\|L vHj~<t!9x0V+%RwKUDN/$/c$E!X!KDQqqb%[-Ul&ce;/sdr1B' `tg)dJ"SI Rd?ZM.fqy<wgQ*EEuW@E"SHB&JbP.WJdRdJwa\B\_se+o!x1)H%b_jBlrt(\01N,UqPE$ "SxT2CAoq(L&3{\|I,AcQ rd/IJT(\|un-#2yLz2E,NwHE2b>%IbO.1[b&H LgR4>Ed"+ZHdL\/w$?.x/#9_H,&G8&"LH$F
Oct 31, 2024 17:22:57.784804106 CET	430	OUT	GET /jzcq/css/client/game1/btn-reg.jpg HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:58.835599899 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/jpeg Content-Length: 8042 Connection: keep-alive Age: 8400 Cache-Control: max-age=2592000 Content-Encoding: gzip Etag: "59438b1e-2113" Expires: Sat, 30 Nov 2024 14:02:58 GMT Last-Modified: Fri, 16 Jun 2017 07:39:10 GMT Vary: Accept-Encoding Via: cache07.jhmp03,pic03.hnxxcm X-Bdcdn-Cache-Status: TCP_MISS,TCP_HIT X-Request-Id: eb3a40d660ffd02b0ab7368ee441e826 X-Request-Ip: 173.254.250.77 X-Response-Cache: parent_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:58 GMT Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 76 05 54 5c cd b2 ee 10 9c 20 c1 12 24 c0 04 02 04 67 06 d7 21 d8 00 41 82 3b 04 19 24 30 0c 0c 4e 90 04 77 0b 12 20 c1 dd 9d 04 87 e0 16 34 38 04 0f ee 3e c0 23 ff 3d ff 39 f7 bd 75 de b9 b7 d6 da 7b 75 77 d5 57 fd 7d dd 55 7b ed bb a9 bb 25 00 85 8c 9b b5 05 00 20 2f cf 0a c0 01 fc cb ee 76 00 c4 d2 ce 66 36 ee 00 34 00 c6 fd 5c f4 7e 69 09 dd d5 ca c9 c9 5e 98 8b cb ce 91 d3 c4 1c 61 0a e3 34 43 c0 b9 dc 4c ec b9 40 9c dc 5c 00 51 88 9b bd 89 99 0d cc 09 68 0a b3 b4 b6 13 a3 df 6f 68 a1 07 5a 9b 8b d1 6b f3 29 71 2b d9 4b c1 ac ac e5 3c 90 30 75 0f 65 0d 33 0f 1b 33 21 73 7a 88 38 50 d4 4d d8 0d 6e 0f 87 39 99 00 dd e0 b6 76 8e c2 6e 62 f4 7f 25 17 be 1f ff 59 e6 a2 07 fe 15 e2 64 23 46 ff f2 8f 03 a8 a3 f4 1a 28 85 40 c2 80 7c 9c 7c 1c 66 dc 20 5e a0 80 10 27 88 0f c4 2b 08 62 07 82 b9 41 3c 5c dc 3c 5c 20 1e 0e 10 58 98 5b 48 18 c4 07 fc 87 d1 df ef 86 34 b7 10 56 93 96 fd c7 5e f7 33 31 fa 7f 88 72 75 75 e5 74 e5 e1 44 20 2d b9 40 42 42 42 5c dc 60 2e 30 98 e3 [TRUNCATED] Data Ascii: vT\ $g!A;$0Nw 48>#=9u{uwW}U{% /vf64\~i^a4CL@\QhohZk)q+K<0ue33!sz8PMn9vnb%Yd#F(@\|\|f ^'+bA<\<\ X[H4V^31ruutD -@BBB\`.0>0G35gnbpv[^IitnR9"fpg#[i3f$/-F46<R\|2< $[%XW%H[+A /y`)IvN&vf#VX3qB 5+hJIq>mk;s#+[f.DLA\|<&B&BffBfq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49735	111.6.1.212	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:04.854091883 CET	574	OUT	GET /jzcq/js/client/game1.js?t=1730391723 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:06.301259995 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: application/x-javascript Transfer-Encoding: chunked Connection: keep-alive Age: 0 Cache-Control: max-age=2592000 Content-Encoding: gzip Expires: Sat, 30 Nov 2024 16:22:05 GMT Last-Modified: Mon, 27 Dec 2021 04:19:54 GMT Vary: Accept-Encoding Via: cache20.czmp,pic03.hnxxcm X-Bdcdn-Cache-Status: TCP_MISS,TCP_MISS X-Request-Id: 9c487b2ec58d02fa2a769f40fc754cd1 X-Request-Ip: 173.254.250.77 X-Response-Cache: miss X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:05 GMT Data Raw: 35 63 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 18 cb 6e db 46 f0 6e c0 ff b0 66 8c 88 4e 24 52 4e 53 04 50 2c b7 86 6d d8 02 64 bb b1 e4 06 41 5b 08 2b 6a 25 ae 2d 91 02 b9 92 eb 38 02 7a 6b 2f 2d 5a a0 c7 7e 40 fb 05 3d e6 6b 9a e4 33 3a b3 7c 88 8f 25 2d 07 08 d0 43 07 30 4c ce ce fb b5 43 99 8f d6 d7 c8 23 62 8d 39 73 04 21 23 3a 61 c6 a5 2f 71 5f d2 99 b0 5d 8f d8 d4 79 6d 07 98 01 15 8c 3c a9 6f 3f ad d5 9f d6 b6 9f 21 d2 5c 5f d3 87 33 c7 12 dc 75 74 b2 59 25 9d 17 55 32 73 06 6c c8 1d 36 20 5b b7 eb 6b 40 06 30 a7 5e a8 66 9f 34 89 c3 ae 81 d2 d8 0f 10 63 ea fb fa 6d 40 87 80 66 b4 06 0d 72 c0 86 74 36 16 47 f2 b5 ba 3c 07 3b 68 7c 7a 00 2f 27 4c d0 c4 39 f2 9f c2 5f 4a 02 22 12 34 53 3a 62 1d fe 1a 68 3e af d7 13 f8 b1 3b 3a 9c 83 51 0d 92 30 08 c1 9f 59 0d 12 bb ba 95 3d 46 48 7b 64 f8 57 7c da 75 3b cc 9b 33 4f bf 5d 6c 3d 4f 73 2c 12 5a 11 86 94 27 14 10 8f f9 44 a9 85 8e 99 27 e4 b9 31 f1 47 24 27 76 f9 9a d4 e0 b1 95 fc 22 ee 14 ff 17 a8 e6 43 12 53 18 be 74 ac c7 07 6a 5a 84 4c 40 e0 [TRUNCATED] Data Ascii: 5c9nFnfN$RNSP,mdA[+j%-8zk/-Z~@=k3:\|%-C0LC#b9s!#:a/q_]ym<o?!\_3utY%U2sl6 [k@0^f4cm@frt6G<;h\|z/'L9_J"4S:bh>;:Q0Y=FH{dW\|u;3O]l=Os,Z'D'1G$'v"CStjZL@y>/{e3c>[Q]JiJJu%{3Z$;\y4r_( OT$E6/2#:&Z..63g$lud=&fSSp] 4>(9+.cA~#Hd65CP-SLmE\p_"/r+bD`g"9po9:+kC/xY6=gG'-o\oE4\`\|!Jl6RdEz
Oct 31, 2024 17:22:06.301271915 CET	212	IN	Data Raw: c9 0a e5 83 62 94 bc 8b 3b 22 82 42 64 44 62 69 ff a1 88 14 7a 85 70 47 44 0a a3 99 ba 9b d3 43 2f 90 96 bb 35 ef 9a c7 08 72 94 a0 19 24 1c 26 49 d3 f2 f3 04 21 9c 29 48 50 da fe 08 ca c1 82 90 69 2d 84 fb 8e 17 84 15 46 0c c2 c7 8f 19 84 8f 1b Data Ascii: b;"BdDbizpGDC/5r$&I!)HPi-F5e!?r$6FO%ST@2TPY'p55bqX#8OH6gS,$TR)aM4\|s9 8letPa,a$
Oct 31, 2024 17:22:06.301282883 CET	612	IN	Data Raw: bb e8 1e f7 ba af be 3a 24 0f 1f 92 0d 89 69 b7 f6 3a bd bd fd fd b3 8b d3 ae da 14 84 84 32 6d 87 4f 46 c4 f7 ac 66 c5 34 e1 71 db f8 ec d9 35 75 e0 c9 b0 dc 89 79 7d 7d 6d 5a be 0f 27 f0 95 e0 9b 18 fa 9e cf 05 33 b9 e5 d6 34 f2 38 63 c7 63 18 Data Ascii: :$i:2mOFf4q5uy}}mZ'348ccfSgTMP4+s MN47hbraq&i )61vH}t_#HGfcgs9CaSs[sM~\|Go&Yt
Oct 31, 2024 17:22:06.301294088 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 31, 2024 17:22:06.301599026 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 31, 2024 17:22:06.773926973 CET	570	OUT	GET /jzcq/css/client/game1/rem_on.png HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:07.269928932 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/png Content-Length: 1078 Connection: keep-alive Age: 2443286 Cache-Control: max-age=2592000 Content-Encoding: gzip Expires: Sat, 02 Nov 2024 09:40:41 GMT Last-Modified: Fri, 16 Jun 2017 07:39:10 GMT Vary: Accept-Encoding X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 76736ea00734abf7da8cab947d6bad4c X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:07 GMT via: pic03.hnxxcm Data Raw: 1f 8b 08 00 00 00 00 00 00 03 eb 0c f0 73 e7 e5 92 e2 62 60 60 e0 f5 f4 70 09 02 d2 7c 20 cc c1 0c 24 35 a6 dd 7d 0c a4 24 4b 5c 23 4a 82 f3 d3 4a ca 13 8b 52 19 1c 53 f2 93 52 15 3c 73 13 d3 53 83 52 13 53 2a 0b 4f a6 da 30 30 30 2b 67 86 44 94 44 f8 fa 58 25 e7 e7 ea 25 82 d4 e8 55 e4 16 30 80 80 8d 7d 45 41 62 72 76 6a 89 42 52 6a 7a 66 9e ad d2 fb dd fb 95 14 32 53 6c 95 c2 4d 7d 0d 7c 0b 9c 53 33 32 3d aa 8a 52 83 ab fc 42 92 ab b2 93 2d 53 94 ec ed 14 6c 2a ac 80 06 e4 a6 96 24 2a 54 e4 e6 e4 15 5b 55 d8 2a 81 cd b5 02 b2 41 c2 fa 4a 0a 60 25 25 d9 b6 4a 10 47 45 f8 06 28 38 e7 17 a5 2a 98 ea 99 ea 26 1b 18 9a 28 98 5b ea 19 9a 1a 9a 58 18 ea 28 18 19 18 1a eb 1b 18 eb 1b 1a eb 1a 1a 59 19 58 5a 19 9a 2a 40 81 12 d0 b6 a2 94 34 ab 20 17 37 a8 5d 40 9e ad 52 46 49 49 81 95 be 7e 79 79 b9 5e b9 b1 5e 7e 51 ba be a1 a5 a5 a5 be 81 91 be 91 91 2e 50 85 6e 71 65 5e 49 62 85 6e 5e b1 32 cc 04 97 d4 e2 e4 a2 cc 82 92 cc fc 3c 05 10 3f 31 29 bf b4 c4 56 49 09 e6 85 dc 02 b8 b1 79 c5 d0 60 02 06 98 7e [TRUNCATED] Data Ascii: sb``p\| $5}$K\#JJRSR<sSRSO000+gDDX%%U0}EAbrvjBRjzf2SlM}\|S32=RB-Sl$T[UAJ`%%JGE(8&([X(YXZ@4 7]@RFII~yy^^~Q.Pnqe^Ibn^2<?1)VIy`~EbK0U"UuqHeA~Pjq~iQ20ARKBs`___k5Zy$%zE23SM\\-L-]M,]M]az]KsSJ`zSzMp\2qyP)bS>1h1&nxO&"`n`1fW`nGz~dFN[TYwL1iO[lQYU"#""""+"""'d"d*`,),,"R`$'&!!,"
Oct 31, 2024 17:22:07.270136118 CET	380	IN	Data Raw: 22 ca c9 64 24 c9 13 60 67 1a 68 6f e6 61 61 10 ea 68 11 64 6f e6 63 65 14 ec 60 ee 6b 6d ec 65 69 18 e2 68 e1 67 63 e2 6d 65 e4 6f 6b ea 63 6d ec 6b 63 22 ce c9 ac 29 c4 a1 23 c2 15 60 6b 1a e2 60 11 68 67 16 64 6f ee 69 61 e8 65 69 24 ce ce 24 Data Ascii: "d$`ghoaahdoce`kmeihgcmeokcmkc")#`k`hgdoiaei$$(($$(($(.F(;@$/?Z]BG<]C*n; 0p7[4={4-n;\4i2XgHrK_rw\|{nj}d.'=
Oct 31, 2024 17:22:07.999295950 CET	435	OUT	GET /jzcq/css/client/game1.css?t=1730391727 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:08.465065956 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: text/css Transfer-Encoding: chunked Connection: keep-alive Age: 0 Cache-Control: max-age=2592000 Content-Encoding: gzip Expires: Sat, 30 Nov 2024 16:22:08 GMT Last-Modified: Mon, 27 Dec 2021 04:19:53 GMT Vary: Accept-Encoding Via: cache15.sxmp,pic03.hnxxcm X-Bdcdn-Cache-Status: TCP_MISS,TCP_MISS X-Request-Id: 1db42260693e54ef4e083acbfe0c8dfc X-Request-Ip: 173.254.250.77 X-Response-Cache: miss X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:08 GMT Data Raw: 62 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 5a 5f 72 a4 bc 11 7f f7 29 14 bb 52 95 6f 6b 98 81 61 98 7f 7e c9 4d b6 04 68 66 88 19 60 41 e3 b1 d7 e5 c7 1c 20 cf b9 43 72 80 54 72 9b 54 e5 bb 45 ba 5b 42 08 10 b3 5e af b7 bc 16 20 b5 7e fd bf 5b f0 e7 e4 c4 eb 46 48 76 7f 91 07 6f 7b ff 78 77 77 92 e7 7c c6 e2 32 7d 9d b1 34 7b 9e b1 a6 e2 c5 8c 65 87 9a 9f c5 ec 14 cc d8 69 39 63 15 4c c9 cb e4 e9 db a5 94 02 2e 6b 31 e3 71 5c cf 98 38 c3 dc f3 11 96 f1 73 35 6b ce 3c 07 6a 8d ac cb 02 ef 5d e2 59 0c cf 67 29 dc 4c 25 fc a6 33 76 81 71 9e cd ee 0e 99 c8 53 c0 32 63 87 b2 06 2a 39 8f 05 3e 12 47 51 a4 33 c9 e3 1c 36 4a 78 25 b3 12 f0 48 85 50 1e ca 12 56 c8 93 e0 40 4a d6 38 84 df 74 c6 6b 99 25 b8 82 37 59 4a 0b 8b 67 de c0 8e 42 f2 2c 87 c1 21 3b 1a 62 b0 f7 f1 02 2c 30 a4 26 80 08 92 83 bf a7 63 5d 5e 80 d5 b3 28 2e 33 56 70 94 86 48 d4 9a e6 72 3e f3 fa 95 bd c1 ff c7 ac d8 fb 8f 15 4f d3 ac 38 c2 28 2e 6b 58 0e 83 f2 22 f3 ac 10 30 7a bf e3 c0 78 51 5d 00 6d 7c 91 b2 2c d8 5b b7 c0 d0 e8 16 [TRUNCATED] Data Ascii: b9aZ_r)Roka~Mhf`A CrTrTE[B^ ~[FHvo{xww\|2}4{ei9cL.k1q\8s5k<j]Yg)L%3vqS2c9>GQ36Jx%HPV@J8tk%7YJgB,!;b,0&c]^(.3VpHr>O8(.kX"0zxQ]m\|,[hEYXCYH}^YV\rghp&R5GN\|&%evA{`2bN7`oc?gi#9}/>A":<=YSuO0D!;\"v\|U61mrq r-x25.qyYh*kO`%0ON"ySnS^T$E;8veWc:<X<o(ZT
Oct 31, 2024 17:22:08.465082884 CET	1236	IN	Data Raw: 82 13 64 42 24 d2 16 9b 87 46 fc 11 52 5f cb c2 41 2d 96 85 d7 dc 14 7a eb 16 cc 67 bb ea 85 11 8b 7d ad 6b 39 2c d1 1d b4 20 96 5b 18 93 a8 ec 1b 64 d5 4a 2a 09 e0 13 b5 2d 83 0e 6c 23 6a 90 a1 07 d0 e6 7f a9 7a 80 b5 2a 0f 91 88 62 6e e0 b7 4e Data Ascii: dB$FR_A-zg}k9, [dJ-l#jzbnNb !wQ\-2vEEPW\}KanRQ 68Xx2n358+'U$\<;ik7x1d:2H(j3(>;vWIwT\qb,
Oct 31, 2024 17:22:08.465097904 CET	424	IN	Data Raw: f4 b7 3b cf 79 92 00 1b 18 b4 f5 2d ef 24 5f cd 6d 93 d0 a0 9f 5c a5 eb 7e f3 4b 76 62 d1 e2 03 22 dc ac 4e b7 41 18 84 14 69 72 e8 2d f2 57 cc 11 a2 31 a9 e1 03 07 57 6e 56 23 c3 6a b8 c3 e1 98 d7 0e 3f 42 55 bb 13 52 da 9f f7 11 58 ce 31 ec ea Data Ascii: ;y-$_m\~Kvb"NAir-W1WnV#j?BURX1tobqD:lkiApTbC$UtROA1H3CQu5MXxi-u572+L#p"uZ3?k69l,9^w=NBC}>;O3)[/-M
Oct 31, 2024 17:22:08.467547894 CET	642	IN	Data Raw: 80 bf fd c3 c3 5e 43 a5 8c 60 a0 b3 81 8a 2d 9b 18 42 54 47 b4 bd e8 fa 10 f8 fe ce df 8d cc ec c1 d2 9d 0a 72 11 02 e9 3d 70 48 7c 8d a6 de 1d 76 79 f8 c2 b2 73 83 5e 60 25 d5 38 ad 22 a0 ea 41 05 69 7d 28 6e 91 53 a7 e9 7a 3b bb 33 a6 e0 34 76 Data Ascii: ^C`-BTGr=pH\|vys^`%8"Ai}(nSz;34v NY[5k;OL=7v;(y<p;6hCnbpg4'd](O\>Ru\}e'N_APF@M(5Y'PFX8Q&ByrHr;mu
Oct 31, 2024 17:22:08.486951113 CET	426	OUT	GET /jzcq/css/client/game1/reg.jpg HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:08.899939060 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/jpeg Content-Length: 41066 Connection: keep-alive Age: 1215620 Cache-Control: max-age=2592000 Content-Encoding: gzip Etag: "59438b1e-a44a" Expires: Sat, 16 Nov 2024 14:41:48 GMT Last-Modified: Fri, 16 Jun 2017 07:39:10 GMT Vary: Accept-Encoding X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 7f0f1a632160649a6c61a0c50335d249 X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:08 GMT via: pic03.hnxxcm Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b4 b9 75 5c 9b 4f b7 2f 1a dc 9d 00 c5 5d 82 06 77 77 8a 13 bc 14 2f 01 82 7b 29 d2 a2 29 ee 45 0a c5 2d 58 09 5a a0 05 82 d3 e2 50 a0 a5 68 71 2b 14 8a 1e fa 3b ef bb f7 b9 f7 ec b3 ef f9 e7 ce 27 79 3e 33 6b 96 7c d7 ac 59 33 eb 49 ee 17 ee 57 01 34 6a 41 50 67 00 40 4b 0b 04 c0 05 fc 67 bb df 07 90 a9 fa 3b b8 05 03 d0 00 98 0f 63 d9 07 d2 2a 46 a0 8b 9f 9f 97 b4 a0 a0 87 af 80 9d a3 a7 bd 93 80 83 27 4c 30 c8 ce 4b 10 2c 20 24 08 90 55 08 f2 b2 73 70 73 f2 63 b6 77 7a 06 f5 90 63 3d ea ec 61 65 86 3a ca b1 9a 89 e9 0a e9 7a a9 38 b9 40 35 43 7c 9c 8c 43 f4 4c 1c 42 dc 1c a4 1c 59 15 e4 99 65 83 a4 83 60 5e 30 27 3f 3b e6 20 98 bb 87 af 74 90 1c eb 3f ca a5 1f fa 7f c9 82 ac cc ff b0 f8 b9 c9 b1 2a fd 9d 60 36 d7 35 60 56 f1 f4 71 62 16 13 10 e3 77 10 02 8b 32 4b 48 09 80 c5 c0 a2 92 60 3e 66 61 21 b0 88 a0 90 88 20 58 84 1f 2c 2c 2d 24 25 0d 16 63 fe 57 63 7d b0 e6 e3 e8 2c 6d a4 aa fe 2f 5b 0f 23 39 d6 7f 39 15 18 18 28 10 28 22 e0 e9 f3 4c 10 2c 25 25 25 28 24 2c [TRUNCATED] Data Ascii: u\O/]ww/{))E-XZPhq+;'y>3k\|Y3IW4jAPg@Kg;cF'L0K, $Uspscwzc=ae:z8@5C\|CLBYe`^0'?; t?`65`Vqbw2KH`>fa! X,,-$%cWc},m/[#99(("L,%%%($,(,goN>P/?+]yr`~g0Kn_`/'A#'_Ov/!(v0'?-U9GXLXJHX]DHELMV(KJ)$JKjJBBJjjj*pp,?e[Yi';?OOOO?O_O/fc6z8z:@}<a4$vIIHKK9;9H;Ks6I;o
Oct 31, 2024 17:22:08.899987936 CET	1236	IN	Data Raw: f7 3f 52 e0 61 f0 1f 49 e4 e4 f1 90 39 3e 0f 29 72 7f 08 20 fe c7 6d 80 e3 c7 87 54 44 bb 5f 02 44 01 b0 31 31 31 b1 30 b1 b1 b0 b0 f1 b0 1f be 04 b8 d8 d8 b8 04 84 f8 f8 04 f8 f8 84 a4 84 ff 34 52 42 62 12 52 12 62 42 0a 0a 4a 4a 0a 0a 7a 3a 3a Data Ascii: ?RaI9>)r mTD_D11104RBbRbBJJz:::zhh888DD44@2 _2\4]tk42:}?Z@'&:6>00$a`cc`<<}10X,`%Cl;VHJw8FeOF"T>/O8TD\|{TKS8
Oct 31, 2024 17:22:08.900002003 CET	424	IN	Data Raw: dc 20 9c 6f 23 18 99 70 7e db b5 b0 f3 5f e5 dc 03 42 c3 7b c3 9d c5 73 dd bf 46 80 6c d7 4a 6a 28 8b 6e cd 61 94 af af c6 ba 93 49 0c db 4c 3f b8 06 9d ae ee cc 15 ee 86 2a f0 37 d5 13 4b f8 29 d0 dd ee 5f 8e fb 7a a8 6f cc dc a6 ce fc 40 1b e6 Data Ascii: o#p~_B{sFlJj(naIL?*7K)_zo@pFCBnN!Ap[gtnXAq2vvVw45.2giJu]002RL;d?zsj2FLFh"EdoPa& [z
Oct 31, 2024 17:22:13.878588915 CET	451	OUT	GET /www/css/images/common/dialog2/bg-dialog-avatar.png?v=1 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img1.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:14.733047009 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/png Content-Length: 1426 Connection: keep-alive Accept-Ranges: bytes Age: 2282966 Cache-Control: max-age=2592000 Etag: "55856c03-592" Expires: Mon, 04 Nov 2024 06:12:48 GMT Last-Modified: Sat, 20 Jun 2015 13:34:59 GMT X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 64a81e0c104bb483f4fdc23d91c58594 X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:14 GMT via: pic03.hnxxcm Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 16 00 00 00 17 08 06 00 00 00 0f e8 bf 9e 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 03 23 69 54 58 74 58 4d 4c 3a 63 6f 6d 2e 61 64 6f 62 65 2e 78 6d 70 00 00 00 00 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78 3a 78 6d 70 6d 65 74 61 20 78 6d 6c 6e 73 3a 78 3d 22 61 64 6f 62 65 3a 6e 73 3a 6d 65 74 61 2f 22 20 78 3a 78 6d 70 74 6b 3d 22 41 64 6f 62 65 20 58 4d 50 20 43 6f 72 65 20 35 2e 35 2d 63 30 31 34 20 37 39 2e 31 35 31 34 38 31 2c 20 32 30 31 33 2f 30 33 2f 31 33 2d 31 32 3a 30 39 3a 31 35 20 20 20 20 20 20 20 20 22 3e 20 3c 72 64 66 3a 52 44 46 20 78 6d 6c 6e 73 3a 72 64 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 30 32 2f 32 32 2d 72 64 66 2d 73 79 6e 74 61 78 2d 6e 73 23 22 3e 20 3c 72 64 66 3a 44 65 73 [TRUNCATED] Data Ascii: PNGIHDRtEXtSoftwareAdobe ImageReadyqe<#iTXtXML:com.adobe.xmp<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:1502882C722711E4A5759AECD45DA7EC" xmpMM:DocumentID="xmp.did:1502882D722711E4A5759AECD45DA7EC"> <xmpMM:DerivedFrom stRe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49736	111.6.1.212	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:04.864654064 CET	563	OUT	GET /2017/06/19141848xsCpC.jpg HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img2.37wanimg.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49738	163.171.133.72	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:05.340327978 CET	99	OUT	GET /yx/jzcq/wd_37cs/921614/app.ini HTTP/1.1 User-Agent: HTTPDownloader Host: d.wanyouxi7.com
Oct 31, 2024 17:22:06.396864891 CET	541	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 16:22:06 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Server: nginx/1.4.7 X-Via: 1.1 dianxun233:2 (Cdn Cache Server V2.0), 1.1 dj136:6 (Cdn Cache Server V2.0), 1.1 PS-CDG-01orF60:16 (Cdn Cache Server V2.0) x-ws-request-id: 6723aeae_PSfgblPAR2dz77_28077-3410 Data Raw: 61 38 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 34 2e 37 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a8<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.4.7</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49739	183.204.211.166	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:05.372267008 CET	1160	OUT	GET /js/sq/lib/sq.core.js?t=20140304 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ptres.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49740	183.204.211.166	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:05.372406960 CET	1170	OUT	GET /js/sq/widget/sq.login.js?t=20230803101600 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ptres.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49741	180.188.25.9	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:06.333461046 CET	1344	OUT	GET /controller/client.php?action=register&game_id=417&tpl_type=game2 HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, / Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: gameapp.37.com Connection: Keep-Alive Cookie: PHPSESSID=r8n5i200li7ekleljhb17avtb1; sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Oct 31, 2024 17:22:07.539261103 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 31 Oct 2024 16:22:07 GMT Content-Type: text/html;charset=UTF-8 Connection: close Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Encoding: gzip server-timing: inner; dur=141 Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b5 1a fb 73 13 d5 fa 67 99 f1 7f 58 97 ab b4 c2 76 1f 49 9b 77 1c 2c 52 c2 50 2c 05 a9 64 9c 61 f6 95 64 9b 7d b1 bb 49 9a 56 66 ca 8c 95 5e a4 52 bc 8a ca 70 e7 aa 57 b8 8c 0a 78 af 77 04 05 e5 8f a1 9b 94 9f ee bf 70 bf 73 f6 91 dd 24 ad 45 ca a6 cd ee 9e f3 bd cf f7 3a a7 cd bf 22 19 a2 d3 36 65 a2 e6 68 6a 71 4f 1e dd 08 95 d7 ab 05 72 b1 46 a2 01 99 97 8a 7b 08 b8 f2 9a ec f0 84 58 e3 2d 5b 76 0a e4 3b a7 0e 53 69 92 a0 fd 49 47 71 54 b9 e8 fe 7e b7 fb fd bd 3c ed bd 45 d0 74 5e 93 0b 64 c5 32 74 47 d6 25 92 10 f1 03 90 a9 f1 3a 30 0a c9 a8 8a 5e 27 2c 59 2d 90 b6 d3 56 65 bb 26 cb 0e 49 d4 2c b9 52 20 69 5a d1 aa ec 58 22 d5 e2 75 78 1a 13 0d 8d 9e 5f 14 cf d1 a2 6d d3 a2 aa 00 3d ba 0a 7c d8 31 18 78 c3 29 b0 a9 04 93 c8 b0 29 2e 15 d2 df 93 a7 3d 85 f2 82 21 b5 7d 9e 92 d2 24 44 95 b7 ed 02 89 c4 e2 15 5d b6 90 0c bc a3 34 65 78 a8 12 4e 4d b1 24 b0 06 86 0f 71 14 a9 40 c2 2c 55 31 2c 8d 0c 28 04 03 21 01 d2 e3 12 62 9a 01 a4 49 55 14 cb 76 08 93 b2 a8 86 6d f5 [TRUNCATED] Data Ascii: sgXvIw,RP,dad}IVf^RpWxwps$E:"6ehjqOrF{X-[v;SiIGqT~<Et^d2tG%:0^',Y-Ve&I,R iZX"ux_m=\|1x)).=!}$D]4exNM$q@,U1,(!bIUvmaXdr-[d}{]WthA#/!C\)cAM^lw6YhO)JKDQL4Dw8fw~t\|d\|wuVm.l<]:EF3[hMh&\|wva[-72]&1\t^vj;O/Yq<n<]\|anC`bMSyOa514!,_dY5ohp${V\'<beC<YO/wnvl^z_:>d<u!8:X@i@"-0}QM3PUPUY3@@ghI6cgA5%[t669 jT)fX0p&p.7RRlSYsW~xxK/}?\|EK1ln`wx
Oct 31, 2024 17:22:07.539294004 CET	185	IN	Data Raw: 53 81 3c 77 2e 54 c2 97 c6 a8 1a 5e 89 c1 8f 14 02 c0 08 a6 61 2b 8e 62 e8 85 7d 4b a4 3c 4e 66 c9 44 8a 52 74 49 5e 40 70 8a 8e 00 cf ef 0b 16 e5 c4 09 cf 02 7f 42 a2 96 0c 55 dd f9 03 a9 02 a0 1d 49 e6 03 f7 a4 83 c6 60 e3 f1 d7 cf 21 a1 22 18 Data Ascii: S<w.T^a+b}K<NfDRtI^@pBUI`!"( \|"Zq4N=/ye'Y&\|%ACyh+CUijBm~S*aS4
Oct 31, 2024 17:22:07.539304018 CET	1236	IN	Data Raw: 33 41 b3 19 36 c9 a6 93 e9 05 7b d2 9c 1c 9b 37 21 03 f0 2a 50 41 09 ba 3f d6 b0 08 71 ab 6d 75 0d 51 4c e7 61 a4 42 16 63 70 7f 48 28 b8 9e 49 75 76 a8 e8 c3 ae 21 ea 6c e1 17 e8 c2 8e 81 be f0 ad 3f 1f f6 cb b5 a0 e8 2d 59 1f 14 2f b0 8b 2e b7 Data Ascii: 3A6{7!PA?qmuQLaBcpH(Iuv!l?-Y/.lJ3,\C"l9!^=bSK\bd^H$GepT:"o'"l^d6obA35?hz\b"5\
Oct 31, 2024 17:22:07.539319038 CET	208	IN	Data Raw: 00 09 3b 33 36 f2 b6 de 14 46 52 b8 06 bc aa 54 f5 ac 08 86 96 ad dc eb 8b 06 9a 1c c6 9c e0 77 e2 25 a1 84 e1 5f 3f fa e2 c3 a3 b6 e4 67 0f 9c b4 7b 95 61 87 61 13 50 21 7c 62 5b 96 00 8d b7 eb 40 79 48 80 41 97 ea a5 77 26 67 98 bc a8 38 6d 78 Data Ascii: ;36FRTw%_?g{aaP!\|b[@yHAw&g8mx(!f1 &CY6cM7,WrZR^d-2f.EX!;K_PWbbTG
Oct 31, 2024 17:22:07.539427996 CET	853	IN	Data Raw: e9 76 22 ee fe cf 9b 44 7c ea 54 32 bd 90 4c 8f 55 95 4a 34 75 8c a3 78 f3 a3 66 88 48 04 da 5b 0e 89 57 af 4f 32 c3 de a2 2f d2 89 31 74 a2 6d 53 b0 95 38 30 38 da 5a 0a 12 2c 42 f3 95 4e a0 65 8e 1a 1f 0f f4 b9 41 8c 05 14 29 3f a8 83 c2 96 11 Data Ascii: v"D\|T2LUJ4uxfH[WO2/1tmS808Z,BNeA)?'GXY}5iY6'fe\*i"6yF>l7UA;,O"HjNUduq~+{t4fNaj\|qQC:2z[I78LNlK YO}5.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49742	111.6.1.212	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:08.016073942 CET	422	OUT	GET /2017/06/19141848xsCpC.jpg HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: img2.37wanimg.com Connection: Keep-Alive
Oct 31, 2024 17:22:09.193205118 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: image/jpeg Content-Length: 18275 Connection: keep-alive Access-Control-Allow-Headers: X-Requested-With Access-Control-Allow-Methods: GET,POST,OPTIONS Access-Control-Allow-Origin: * Age: 1645057 Cache-Control: max-age=2592000 Content-Encoding: gzip Etag: "59476cc8-490e" Expires: Mon, 11 Nov 2024 15:24:32 GMT Last-Modified: Mon, 19 Jun 2017 06:18:48 GMT Vary: Accept-Encoding X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 61816d58b5ba3fd3d61a03f678e512b3 X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:09 GMT via: pic01.hnxxcm Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8c ba 05 50 5d cf d2 2f ba 71 77 77 77 db 1b 77 77 77 49 70 77 dd b8 05 77 0d ee ee 6e c1 09 6e 1b 0b 10 9c e0 c1 25 10 3c e4 26 ff 73 ce f7 dd fb de 57 f7 bd a9 9a aa d5 d3 32 bf 9e ee 5e 33 6b 6a fd 5e fd bd 0b 20 94 f1 b1 b3 06 00 14 14 98 01 88 80 ff 6e bf cf 01 58 d2 9e 16 0e be 00 28 00 ec 1f 5a f8 cf d0 2e 8c b7 2d 18 ec 2a c8 c1 e1 ec c1 6e 66 e9 62 6e c5 6e e1 e2 c4 e1 63 e6 ca 01 62 07 72 00 84 c5 7c 5c cd 2c 1c ac c0 94 e6 56 36 76 ce 22 d4 57 3d 03 d4 94 76 96 22 d4 7a 3c 2a 40 15 57 29 2b 5b 3b 79 3f 77 2b 2d 3f 55 6d 0b 3f 07 0b 01 4b 6a 31 51 4a 61 1f 41 1f 27 57 27 2b b0 19 a5 8f 93 a3 b3 87 a0 8f 08 f5 3f c6 05 ff 3c ff 1d e6 a0 a6 fc 47 04 ec 20 42 2d f1 97 41 a9 af a2 4e 29 e5 e2 6e 45 c9 c3 ce cb 66 01 e4 e5 a3 e4 13 60 07 f1 f0 f1 71 f3 b1 52 72 02 41 3c 1c 40 2e 0e 2e 20 1b 27 97 20 37 50 90 9b 93 f2 df 8d fa cf 6c ee 96 d6 82 9a d2 b2 ff 9e eb 0f 25 42 fd 6f a7 bc bd bd d9 bd b9 d8 5d dc 6d 38 40 02 02 02 1c 40 4e 0e 4e 4e b6 3f 12 6c 1e be ce 60 [TRUNCATED] Data Ascii: P]/qwwwwwwIpwwnn%<&sW2^3kj^ nX(Z.-nfbnncbr\|\,V6v"W=v"z<@W)+[;y?w+-?Um?Kj1QJaA'W'+?<G B-AN)nEf`qRrA<@.. ' 7Pl%Bo]m8@@NNN?l`36gXps8S]<"qUE=Vupt#NMW+9JXx:Y9Ep-,@<@NY.$JIpKqsH$\|?J<\ ,'//t=fV/]^
Oct 31, 2024 17:22:09.193231106 CET	212	IN	Data Raw: d8 c5 5d db c5 c5 f1 3f 19 a0 6e eb 02 76 f1 b0 75 71 a5 94 92 fa 27 e2 94 8c 7a 76 ce 96 2e de 1e 4c 7f 43 f4 6f b4 56 ee 76 5e 56 96 b2 ee 2e 4e 94 ff ac b1 a0 dd ff 80 c1 c2 cc ca 82 8f d7 12 c8 c6 c3 63 21 c0 66 c6 cb cd cb 66 6e c6 c9 cd 06 Data Ascii: ]?nvuq'zv.LCoVv^V.Nc!ffn2y,y\;?8I?J_EdrK?n,?)E(,<2G#* #"# #b0Q101
Oct 31, 2024 17:22:09.193239927 CET	1236	IN	Data Raw: d0 51 71 70 70 71 71 70 48 49 48 48 48 29 fe ab 41 21 20 20 a0 a1 a2 11 62 62 12 12 e3 61 e1 11 ff 37 e7 ff 67 fb 3d 04 c0 42 04 34 41 c9 c2 40 61 01 a0 b1 a0 60 b0 a0 7e 8f 00 36 ff e0 86 83 82 fa df de 30 30 00 28 68 58 38 78 04 28 00 0c 14 d4 Data Ascii: QqppqqpHIHHH)A! bba7g=B4A@a`~600(hX8x(@BB3Rp9%i !4HRU<(iN.EAoCaQ0)M%n8,ACoT L3JfuIa
Oct 31, 2024 17:22:09.193245888 CET	212	IN	Data Raw: bf a9 25 8c d3 ae 55 c0 32 d1 87 4a 49 a6 5a 67 96 66 14 0c 8e 39 28 96 47 c9 06 aa 60 1d db d4 8b b0 b3 de 16 ca 7d a4 70 6c 07 1e 2f 1e 9d 90 a9 b1 9d f8 a6 c6 f1 fa 65 78 56 7e 12 26 8d 2d 0e 19 1c c7 e2 d2 fd b1 31 df 6b e2 51 70 b9 73 24 f4 Data Ascii: %U2JIZgf9(G`}pl/exV~&-1kQps$zd{8LckR?+HLgSsw1p%/y{zPsDX}Jk:#2I.ics&<&{^DH=zf~S{#sF>
Oct 31, 2024 17:22:09.193315029 CET	1236	IN	Data Raw: 46 56 74 8a 66 6e 63 05 7b 75 04 ed de d1 e6 ea 64 98 b4 1e ad c1 9c c4 52 11 49 6a 05 71 2e 28 a8 1d 72 0f fa 72 b9 3a 75 48 a5 2e e0 fb e4 a4 f2 1e 28 7d 9d a3 cb bb 60 21 84 a7 2a 67 42 42 af d0 32 53 6e da e9 0e 7f ec 8c c9 a5 49 54 32 aa 41 Data Ascii: FVtfnc{udRIjq.(rr:uH.(}`!*gBB2SnIT2A Ps@`-Gy4qWW]k~"~#FCqyed\|JE%^nI.lPg~zjJ-nmALljm 2i3SOUOU=ZIZJcb
Oct 31, 2024 17:22:09.193413019 CET	1236	IN	Data Raw: e7 f8 d7 b2 df 80 bb 6f 14 8b 07 32 f2 7c d2 ac 79 24 f6 43 ab 93 ed 96 f0 29 1a fa ab f7 96 46 71 67 fb 71 1f cf fb c0 1e 2c e3 93 19 f4 7a a9 f8 cb d4 46 cb a9 99 a8 f1 e7 5d fb 3f f4 bf de a8 e3 6e 01 2c 8b c4 9e eb a8 12 dc f6 29 fb c5 61 d3 Data Ascii: o2\|y$C)Fqgq,zF]?n,)aowP1%(e4Wyeq0ogT5%S{98paJ\|i9UhxR)7orizG]vh4px!_W9iPY~[/~F#$#K %0/!y"#
Oct 31, 2024 17:22:09.193424940 CET	424	IN	Data Raw: 41 ed 66 c8 69 ae 38 f1 78 86 88 61 e9 0d b0 f9 52 a8 3a 48 31 eb 54 6a ac 94 71 7f dc 82 25 2b f4 de 55 04 50 ce f6 81 5e a5 a5 1a ce 52 ff 1c 8b 8e 10 b1 42 39 94 b1 61 f2 23 83 9c eb 3a 34 b3 e6 d6 08 d4 1b fa c4 7a 82 86 4a b9 1b 1a 8b 01 1a Data Ascii: Afi8xaR:H1Tjq%+UP^RB9a#:4zJ`4r<65Wi[16K?(0v B'C(y"aN220YmN{NyqTKecyCrFje]o*`nKF6gS
Oct 31, 2024 17:22:09.193727016 CET	1236	IN	Data Raw: 5f 67 df 69 57 65 39 89 98 49 e0 f7 8a 1e da 84 16 24 3e 0d 17 fc 2c fc d7 51 10 ea 8f 94 f7 6f 80 8c 52 90 fb 80 79 65 5e e3 6a f5 11 cb ca 3f fd 3b cb 3d b3 6f ec cf 53 df d8 e8 46 2d 88 b6 c0 dc 46 74 a3 71 65 56 55 62 49 99 58 b3 71 9f 1a e8 Data Ascii: _giWe9I$>,QoRye^j?;=oSF-FtqeVUbIXq:*FZ{,slmWI;nx?<]p~Aji[{e>isn&?`:cDX J5+/?C)o6p4\ kE7/%cU5oaKL
Oct 31, 2024 17:22:09.193746090 CET	212	IN	Data Raw: 58 4e 53 74 b8 17 5d a4 1c 8e 8b ce 12 d3 c6 b2 5d 17 5b e0 e1 86 c9 9f 96 40 ac f0 59 95 2b 85 1f 5e f5 0e f2 36 48 1a 93 a4 39 69 c8 05 ce 14 af 2a f9 7a a7 f3 5d fa 12 e5 88 a6 dd 28 3f 04 89 f3 3e 7d 53 d8 a4 b5 7d 77 35 c3 2e ac ab 15 99 fe Data Ascii: XNSt]][@Y+^6H9i*z](?>}S}w5.,)L&6ZE%TdYVTFu4U263}=F3j-<6J]lEeio\['
Oct 31, 2024 17:22:09.193751097 CET	1236	IN	Data Raw: 32 43 73 31 33 43 ef ba 14 6f 91 78 41 44 95 1a 38 0d e5 45 b8 ea 59 45 22 53 c3 f2 2e f4 39 34 29 b6 5a 5d 1c 94 1c 67 d1 6b e1 a3 99 4a 13 c9 7b b8 54 c4 af f7 fd a7 d0 1c 0c 82 e2 0c c0 b8 2e 27 2c 2d 5c 8b 78 66 de 49 9f ed 6b 09 fa 7b a1 1f Data Ascii: 2Cs13CoxAD8EYE"S.94)Z]gkJ{T.',-\xfIk{!r`~]_8ODik3b5xvcY joGzFo=9Wv\/."?tf<oTo.1+-Q%M$K:
Oct 31, 2024 17:22:09.198318958 CET	1236	IN	Data Raw: 97 bd c9 b2 c8 42 8e 4c 21 04 a4 20 b2 ab 07 24 ad bd f1 68 1b a1 24 56 bd 05 98 d4 57 65 f6 a2 bd c3 ca ad f4 99 92 f6 f3 c3 e9 68 40 15 92 c5 4b ab 56 fa dc 35 92 92 6e e7 b1 f7 05 7c ea 10 c7 ea e5 7e be ee 59 eb 30 19 1c 2a 2d 4a e6 e8 0f 1e Data Ascii: BL! $h$VWeh@KV5n\|~Y0*-JkJ=qp#x3)+e_%hXxKun$[N}}KE.q`p#!uL7}q:/;I/4W;=`G_c^hxw968W.g;^Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49743	183.204.211.166	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:08.016455889 CET	1019	OUT	GET /js/sq/lib/sq.core.js?t=20140304 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ptres.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Oct 31, 2024 17:22:09.166678905 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: application/x-javascript Content-Length: 102584 Connection: keep-alive Accept-Ranges: bytes Access-Control-Allow-Methods: GET Access-Control-Allow-Origin: * Age: 995898 Cache-Control: max-age=2592000 Etag: "5bc69a12-190b8" Expires: Tue, 19 Nov 2024 03:43:50 GMT Last-Modified: Wed, 17 Oct 2018 02:10:26 GMT X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 0fbadb202e36215eb6a157642791e58c X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:08 GMT via: pic03.zzcm06 Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 75 6e 63 74 69 6f 6e 20 63 28 61 29 7b 76 61 72 20 62 3d 6f 62 5b 61 5d 3d 7b 7d 3b 72 65 74 75 72 6e 20 24 2e 65 61 63 68 28 61 2e 73 70 6c 69 74 28 62 62 29 2c 66 75 6e 63 74 69 6f 6e 28 61 2c 63 29 7b 62 5b 63 5d 3d 21 30 7d 29 2c 62 7d 66 75 6e 63 74 69 6f 6e 20 64 28 61 2c 63 2c 64 29 7b 69 66 28 64 3d 3d 3d 62 26 26 31 3d 3d 3d 61 2e 6e 6f 64 65 54 79 70 65 29 7b 76 61 72 20 65 3d 22 64 61 74 61 2d 22 2b 63 2e 72 65 70 6c 61 63 65 28 71 62 2c 22 2d 24 31 22 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 69 66 28 64 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 65 29 2c 22 73 74 72 69 6e 67 22 3d 3d 74 79 70 65 6f 66 20 64 29 7b 74 72 79 7b 64 3d 22 74 72 75 65 22 3d 3d 3d 64 3f 21 30 3a 22 66 61 6c 73 65 22 3d 3d 3d 64 3f 21 31 3a 22 6e 75 6c 6c 22 3d 3d 3d 64 3f 6e 75 6c 6c 3a 2b 64 2b 22 22 3d 3d 3d 64 3f 2b 64 3a 70 62 2e 74 65 73 74 28 64 29 3f 24 2e 70 61 72 73 65 4a 53 4f 4e 28 64 29 3a 64 7d 63 61 74 63 68 28 66 29 7b 7d 24 2e 64 61 74 [TRUNCATED] Data Ascii: !function(a,b){function c(a){var b=ob[a]={};return $.each(a.split(bb),function(a,c){b[c]=!0}),b}function d(a,c,d){if(d===b&&1===a.nodeType){var e="data-"+c.replace(qb,"-$1").toLowerCase();if(d=a.getAttribute(e),"string"==typeof d){try{d="true"===d?!0:"false"===d?!1:"null"===d?null:+d+""===d?+d:pb.test(d)?$.parseJSON(d):d}catch(f){}$.data(a,c,d)}else d=b}return d}function e(a){var b;for(b in a)if(("data"!==b\|\|!$.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function f(){return!1}function g(){return!0}function h(a){return!a\|\|!a.parentNode\|\|11===a.parentNode.nodeType}function i(a,b){do a=a[b];while(a&&1!=
Oct 31, 2024 17:22:09.166686058 CET	1236	IN	Data Raw: 3d 61 2e 6e 6f 64 65 54 79 70 65 29 3b 72 65 74 75 72 6e 20 61 7d 66 75 6e 63 74 69 6f 6e 20 6a 28 61 2c 62 2c 63 29 7b 69 66 28 62 3d 62 7c 7c 30 2c 24 2e 69 73 46 75 6e 63 74 69 6f 6e 28 62 29 29 72 65 74 75 72 6e 20 24 2e 67 72 65 70 28 61 2c Data Ascii: =a.nodeType);return a}function j(a,b,c){if(b=b\|\|0,$.isFunction(b))return $.grep(a,function(a,d){var e=!!b.call(a,d,a);return e===c});if(b.nodeType)return $.grep(a,function(a){return a===b===c});if("string"==typeof b){var d=$.grep(a,function(a)
Oct 31, 2024 17:22:09.166698933 CET	424	IN	Data Raw: 3a 22 6f 70 74 69 6f 6e 22 3d 3d 3d 63 3f 62 2e 73 65 6c 65 63 74 65 64 3d 61 2e 64 65 66 61 75 6c 74 53 65 6c 65 63 74 65 64 3a 22 69 6e 70 75 74 22 3d 3d 3d 63 7c 7c 22 74 65 78 74 61 72 65 61 22 3d 3d 3d 63 3f 62 2e 64 65 66 61 75 6c 74 56 61 Data Ascii: :"option"===c?b.selected=a.defaultSelected:"input"===c\|\|"textarea"===c?b.defaultValue=a.defaultValue:"script"===c&&b.text!==a.text&&(b.text=a.text),b.removeAttribute($.expando))}function o(a){return"undefined"!=typeof a.getElementsByTagName?a.
Oct 31, 2024 17:22:09.166750908 CET	1236	IN	Data Raw: 75 72 6e 20 62 3b 66 6f 72 28 76 61 72 20 63 3d 62 2e 63 68 61 72 41 74 28 30 29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 2b 62 2e 73 6c 69 63 65 28 31 29 2c 64 3d 62 2c 65 3d 72 63 2e 6c 65 6e 67 74 68 3b 65 2d 2d 3b 29 69 66 28 62 3d 72 63 5b Data Ascii: urn b;for(var c=b.charAt(0).toUpperCase()+b.slice(1),d=b,e=rc.length;e--;)if(b=rc[e]+c,b in a)return b;return d}function r(a,b){return a=b\|\|a,"none"===$.css(a,"display")\|\|!$.contains(a.ownerDocument,a)}function s(a,b){for(var c,d,e=[],f=0,g=a.
Oct 31, 2024 17:22:09.166757107 CET	1236	IN	Data Raw: 29 2c 28 30 3e 64 7c 7c 6e 75 6c 6c 3d 3d 64 29 26 26 28 64 3d 61 2e 73 74 79 6c 65 5b 62 5d 29 2c 6c 63 2e 74 65 73 74 28 64 29 29 72 65 74 75 72 6e 20 64 3b 65 3d 66 26 26 28 24 2e 73 75 70 70 6f 72 74 2e 62 6f 78 53 69 7a 69 6e 67 52 65 6c 69 Data Ascii: ),(0>d\|\|null==d)&&(d=a.style[b]),lc.test(d))return d;e=f&&($.support.boxSizingReliable\|\|d===a.style[b]),d=parseFloat(d)\|\|0}return d+u(a,b,c\|\|(f?"border":"content"),e)+"px"}function w(a){if(nc[a])return nc[a];var b=$("<"+a+">").appendTo(P.body)
Oct 31, 2024 17:22:09.166762114 CET	1236	IN	Data Raw: 5b 68 5d 3f 68 3d 62 3a 28 63 2e 64 61 74 61 54 79 70 65 73 2e 75 6e 73 68 69 66 74 28 68 29 2c 68 3d 7a 28 61 2c 63 2c 64 2c 65 2c 68 2c 67 29 29 29 3b 72 65 74 75 72 6e 21 6c 26 26 68 7c 7c 67 5b 22 2a 22 5d 7c 7c 28 68 3d 7a 28 61 2c 63 2c 64 Data Ascii: [h]?h=b:(c.dataTypes.unshift(h),h=z(a,c,d,e,h,g)));return!l&&h\|\|g[""]\|\|(h=z(a,c,d,e,"",g)),h}function A(a,c){var d,e,f=$.ajaxSettings.flatOptions\|\|{};for(d in c)c[d]!==b&&((f[d]?a:e\|\|(e={}))[d]=c[d]);e&&$.extend(!0,a,e)}function B(a,c,d){var
Oct 31, 2024 17:22:09.166779041 CET	1236	IN	Data Raw: 29 7b 74 72 79 7b 72 65 74 75 72 6e 20 6e 65 77 20 61 2e 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50 22 29 7d 63 61 74 63 68 28 62 29 7b 7d 7d 66 75 6e 63 74 69 6f 6e 20 46 28 29 7b 72 65 74 75 Data Ascii: ){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}function F(){return setTimeout(function(){Vc=b},0),Vc=$.now()}function G(a,b){$.each(b,function(b,c){for(var d=(_c[b]\|\|[]).concat(_c["*"]),e=0,f=d.length;f>e;e++)if(d[e].call(a,b
Oct 31, 2024 17:22:09.166862011 CET	1236	IN	Data Raw: 65 2c 69 2e 6f 70 74 73 2e 63 6f 6d 70 6c 65 74 65 29 2e 66 61 69 6c 28 69 2e 6f 70 74 73 2e 66 61 69 6c 29 2e 61 6c 77 61 79 73 28 69 2e 6f 70 74 73 2e 61 6c 77 61 79 73 29 7d 66 75 6e 63 74 69 6f 6e 20 49 28 61 2c 62 29 7b 76 61 72 20 63 2c 64 Data Ascii: e,i.opts.complete).fail(i.opts.fail).always(i.opts.always)}function I(a,b){var c,d,e,f,g;for(c in a)if(d=$.camelCase(c),e=b[d],f=a[c],$.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=$.cssHooks[d],g&&"expand"in g){f=g.expand(f)
Oct 31, 2024 17:22:09.166868925 CET	1060	IN	Data Raw: 64 65 6e 3d 21 71 29 2c 71 3f 24 28 61 29 2e 73 68 6f 77 28 29 3a 6d 2e 64 6f 6e 65 28 66 75 6e 63 74 69 6f 6e 28 29 7b 24 28 61 29 2e 68 69 64 65 28 29 7d 29 2c 6d 2e 64 6f 6e 65 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 62 3b 24 2e 72 65 Data Ascii: den=!q),q?$(a).show():m.done(function(){$(a).hide()}),m.done(function(){var b;$.removeData(a,"fxshow",!0);for(b in o)$.style(a,b,o[b])});for(d=0;g>d;d++)e=p[d],j=m.createTween(e,q?h[e]:0),o[e]=h[e]\|\|$.style(a,e),e in h\|\|(h[e]=j.start,q&&(j.end
Oct 31, 2024 17:22:09.166975975 CET	1236	IN	Data Raw: 3f 3a 5c 73 2a 5c 5b 29 2b 2f 67 2c 68 62 3d 2f 5c 5c 28 3f 3a 5b 22 5c 5c 5c 2f 62 66 6e 72 74 5d 7c 75 5b 5c 64 61 2d 66 41 2d 46 5d 7b 34 7d 29 2f 67 2c 69 62 3d 2f 22 5b 5e 22 5c 5c 5c 72 5c 6e 5d 2a 22 7c 74 72 75 65 7c 66 61 6c 73 65 7c 6e Data Ascii: ?:\s\[)+/g,hb=/\\(?:["\\\/bfnrt]\|u[\da-fA-F]{4})/g,ib=/"[^"\\\r\n]"\|true\|false\|null\|-?(?:\d\d*\.\|)\d+(?:[eE][\-+]?\d+\|)/g,jb=/^-ms-/,kb=/-([\da-z])/gi,lb=function(a,b){return(b+"").toUpperCase()},mb=function(){P.addEventListener?(P.removeEve
Oct 31, 2024 17:22:09.171745062 CET	1236	IN	Data Raw: 6e 28 29 7b 72 65 74 75 72 6e 20 56 2e 63 61 6c 6c 28 74 68 69 73 29 7d 2c 67 65 74 3a 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 6e 75 6c 6c 3d 3d 61 3f 74 68 69 73 2e 74 6f 41 72 72 61 79 28 29 3a 30 3e 61 3f 74 68 69 73 5b 74 68 Data Ascii: n(){return V.call(this)},get:function(a){return null==a?this.toArray():0>a?this[this.length+a]:this[a]},pushStack:function(a,b,c){var d=$.merge(this.constructor(),a);return d.prevObject=this,d.context=this.context,"find"===b?d.selector=this.se
Oct 31, 2024 17:22:10.061788082 CET	1010	OUT	GET /js/sq/widget/sq.tab.js HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ptres.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Oct 31, 2024 17:22:10.465122938 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: application/x-javascript Content-Length: 1679 Connection: keep-alive Accept-Ranges: bytes Access-Control-Allow-Methods: GET Access-Control-Allow-Origin: * Age: 218471 Cache-Control: max-age=2592000 Etag: "55856c03-68f" Expires: Thu, 28 Nov 2024 03:40:59 GMT Last-Modified: Sat, 20 Jun 2015 13:34:59 GMT X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 01ba3a6c994bf37bb62d8270708537dd X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:10 GMT via: pic03.zzcm06 Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 76 61 72 20 64 3d 6e 65 77 20 63 2e 43 6c 61 73 73 28 63 2e 57 69 64 67 65 74 29 3b 64 2e 69 6e 63 6c 75 64 65 28 7b 69 6e 69 74 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 74 68 69 73 2e 6f 70 74 69 6f 6e 73 3d 7b 65 6c 3a 22 62 6f 64 79 22 2c 74 61 62 73 3a 22 6c 69 22 2c 70 61 6e 65 6c 73 3a 22 64 69 76 22 2c 65 76 65 6e 74 54 79 70 65 3a 22 63 6c 69 63 6b 22 2c 69 6e 64 65 78 3a 30 2c 61 75 74 6f 3a 21 31 2c 69 6e 74 65 72 76 61 6c 3a 35 65 33 2c 61 6e 69 6d 61 74 65 3a 7b 73 68 6f 77 3a 22 73 68 6f 77 22 2c 68 69 64 65 3a 22 68 69 64 65 22 7d 2c 63 75 72 72 65 6e 74 43 6c 61 73 73 3a 22 66 6f 63 75 73 22 7d 2c 61 2e 65 78 74 65 6e 64 28 74 68 69 73 2e 6f 70 74 69 6f 6e 73 2c 62 7c 7c 7b 7d 29 2c 74 68 69 73 2e 65 6c 3d 61 28 74 68 69 73 2e 6f 70 74 69 6f 6e 73 2e 65 6c 29 2c 74 68 69 73 2e 74 61 62 73 3d 61 28 74 68 69 73 2e 6f 70 74 69 6f 6e 73 2e 74 61 62 73 2c 74 68 69 73 2e 65 6c 29 2c 74 68 69 73 2e 70 61 6e 65 6c 73 3d 61 28 74 68 69 73 2e 6f [TRUNCATED] Data Ascii: !function(a,b,c){var d=new c.Class(c.Widget);d.include({init:function(b){this.options={el:"body",tabs:"li",panels:"div",eventType:"click",index:0,auto:!1,interval:5e3,animate:{show:"show",hide:"hide"},currentClass:"focus"},a.extend(this.options,b\|\|{}),this.el=a(this.options.el),this.tabs=a(this.options.tabs,this.el),this.panels=a(this.options.panels,this.el),this.el.attr("data-kid",this.id),this.change(this.options.index),this._events(),this.options.auto&&this.auto()},change:function(a){var b=this.options.currentClass;this.tabs.filter("."+b).removeClass(b),this.tabs.eq(a).addClass(b),this.panels.hide().eq(a)[this
Oct 31, 2024 17:22:10.470191956 CET	1013	OUT	GET /js/sq/widget/sq.statis.js HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ptres.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Oct 31, 2024 17:22:10.877245903 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: application/x-javascript Content-Length: 6378 Connection: keep-alive Accept-Ranges: bytes Access-Control-Allow-Methods: GET Access-Control-Allow-Origin: * Age: 879639 Cache-Control: max-age=2592000 Etag: "5e93ca8d-18ea" Expires: Wed, 20 Nov 2024 12:01:31 GMT Last-Modified: Mon, 13 Apr 2020 02:12:29 GMT X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: f3f3ca3e1b842741f45f11d7a20e18b7 X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:10 GMT via: pic03.zzcm06 Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 76 61 72 20 64 2c 65 3d 7b 76 65 72 73 69 6f 6e 3a 22 31 2e 32 2e 32 22 2c 54 72 61 63 6b 3a 7b 7d 2c 54 72 69 67 67 65 72 3a 7b 75 72 6c 3a 22 2f 2f 61 2e 63 6c 69 63 6b 64 61 74 61 2e 33 37 77 61 6e 2e 63 6f 6d 2f 63 6f 6e 74 72 6f 6c 6c 65 72 2f 69 73 74 61 74 2e 63 6f 6e 74 72 6f 6c 6c 65 72 2e 70 68 70 22 2c 64 65 66 61 75 6c 74 73 3a 7b 70 6c 61 74 66 6f 72 6d 3a 22 33 37 77 61 6e 22 2c 69 74 65 6d 3a 22 22 2c 67 61 6d 65 5f 69 64 3a 22 22 2c 73 69 64 3a 22 22 2c 70 6f 73 69 74 69 6f 6e 3a 22 22 2c 65 78 74 5f 31 3a 22 22 2c 65 78 74 5f 32 3a 22 22 2c 65 78 74 5f 33 3a 22 22 2c 65 78 74 5f 34 3a 22 22 2c 65 78 74 5f 35 3a 22 22 2c 65 78 74 5f 36 3a 22 22 2c 6c 6f 67 69 6e 5f 61 63 63 6f 75 6e 74 3a 22 22 2c 62 72 6f 77 73 65 72 5f 74 79 70 65 3a 22 22 2c 75 73 65 72 5f 69 70 3a 22 22 7d 7d 2c 63 6f 6e 76 65 72 74 4d 61 70 3a 7b 62 61 69 64 75 5f 70 69 6e 70 61 69 3a 22 62 61 69 64 75 5f 70 70 7a 71 22 7d 2c 67 65 74 44 6f 63 52 65 66 65 72 72 [TRUNCATED] Data Ascii: !function(a,b,c){var d,e={version:"1.2.2",Track:{},Trigger:{url:"//a.clickdata.37wan.com/controller/istat.controller.php",defaults:{platform:"37wan",item:"",game_id:"",sid:"",position:"",ext_1:"",ext_2:"",ext_3:"",ext_4:"",ext_5:"",ext_6:"",login_account:"",browser_type:"",user_ip:""}},convertMap:{baidu_pinpai:"baidu_ppzq"},getDocReferrer:function(a){var b="",c=a\|\|document.referrer;return c&&(b=c.split("://")[1].split("/"),b=a?b[0]+"/"+b[1]:b[0]),b},convertPathToDomain:function(a){var b="",c=/^www.37.com\/([0-9a-z]+)$/;return a=this.getDocReferrer(a),c.test(a)&&(b=a.split("/")[1]+".37.com"),b},addDom:function(b,
Oct 31, 2024 17:22:11.028379917 CET	1032	OUT	GET /js/sq/widget/sq.clientclass2.js?t=1730391727 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ptres.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Oct 31, 2024 17:22:13.254604101 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: application/x-javascript Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Methods: GET Access-Control-Allow-Origin: * Age: 1 Cache-Control: max-age=2592000 Content-Encoding: gzip Expires: Sat, 30 Nov 2024 16:22:13 GMT Last-Modified: Sun, 29 Sep 2019 03:09:32 GMT Vary: Accept-Encoding Via: cache49.czmp,pic03.zzcm06 X-Bdcdn-Cache-Status: TCP_MISS,TCP_MISS X-Request-Id: 9fceb02692dbb964ca104f704a3710c6 X-Request-Ip: 173.254.250.77 X-Response-Cache: miss X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:13 GMT Data Raw: 66 66 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e5 7d 6b 73 1c d7 75 e0 f7 fd 15 c3 16 03 76 6b 7a 06 33 00 9f 3d 6c 60 69 90 b2 e9 b5 44 5a a4 ac 38 20 8c ea d7 0c 9a 18 cc 0c bb 7b 00 42 33 53 45 7b 2d 59 91 2d c9 ae 8d e2 c7 2a 65 29 71 2a aa 4d 2c 39 b1 2b 62 2c 39 f9 31 26 40 fa 93 ff c2 9e 73 ee a3 ef ed ee 01 48 8a ce ee d6 0a 22 d0 7d 1f e7 9e 7b ee 79 dd d7 e9 5d 2f a9 6d 0d d3 2c 75 8d e5 73 cd 60 b8 63 74 4e 74 c7 83 20 8b 87 03 f3 a4 35 11 cf b5 57 23 ff c6 78 14 25 6b 5e bf 6f 7a b6 6f 4d 76 a1 6a e0 0e c6 fd 7e 27 4b f6 27 81 7b b2 39 f2 92 34 fa ea 8d 6b 2f 99 be 35 0b bc 2c d8 32 43 6b c2 0a cd d6 d6 d6 8d 51 70 39 ea 1a 75 6f 63 61 41 7b 6d 76 07 4d 6f 34 ea ef 9b 7a 72 18 75 ed 75 cf 0e 36 ac 99 c4 e4 f2 b0 80 08 b6 ce 90 99 b4 1d 89 bc 35 49 a2 6c 9c 0c 26 03 6f 27 72 8c 5e 94 05 c3 e1 76 1c 19 b3 d9 ac e3 bb fe 74 1a ac 7b 1b a6 65 ef c5 83 70 b8 d7 8c ee 66 51 32 f0 fa 4d 1d 7e 9a 25 f1 a0 17 77 f7 a1 4b 4a 9f 66 39 3e 79 89 9c 2c 76 68 47 76 d7 ee d9 5b ee e2 ba 71 eb d6 ad bb ad [TRUNCATED] Data Ascii: ffa}ksuvkz3=l`iDZ8 {B3SE{-Y-e)qM,9+b,91&@sH"}{y]/m,us`ctNt 5W#x%k^ozoMvj~'K'{94k/5,2CkQp9uocaA{mvMo4zruu65Il&o'r^vt{epfQ2M~%wKJf9>y,vhGv[qVvs]xXuehy@)/pfYSuDD-V}wzU1}k[^6KtpZFE/jvabV3vMxUB:`GD6N_q!g9*a?C,+CvdwpHd+#nouz?^s(%L0, \U
Oct 31, 2024 17:22:13.879044056 CET	1049	OUT	GET /js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ptres.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Oct 31, 2024 17:22:14.376039982 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: application/x-javascript Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Methods: GET Access-Control-Allow-Origin: * Age: 0 Cache-Control: max-age=2592000 Content-Encoding: gzip Expires: Sat, 30 Nov 2024 16:22:14 GMT Last-Modified: Wed, 06 Jan 2016 09:20:16 GMT Vary: Accept-Encoding Via: cache72.sxmp,pic03.zzcm06 X-Bdcdn-Cache-Status: TCP_MISS,TCP_MISS X-Request-Id: c20e85f7b3f6d9eb54367b13c182f553 X-Request-Ip: 173.254.250.77 X-Response-Cache: miss X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:14 GMT Data Raw: 37 66 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 cd 6b 24 c7 15 ff 57 66 8b dd 99 6a 54 d3 d2 da 8b 0f 3d 6a e9 e0 0d f8 92 04 b3 0b 39 2c 1b 51 dd 55 3d 53 52 ab 7b d2 5d 23 69 32 33 87 1c 0c 61 89 63 5f 92 40 e2 83 8d 7d 30 01 af 03 81 04 42 4c fe 99 48 eb 9c f2 2f e4 bd aa ea af 51 6f 34 02 0f 48 5d 9f af de e7 ef bd aa 07 c9 22 8b b5 ca 33 ca 59 c4 62 6f 75 c1 8b 81 08 33 79 39 88 fd f7 53 5e 96 34 f6 7f a6 c4 54 6a 6f 22 7c 95 c5 e9 42 48 ba 52 99 d2 41 bd 37 f2 56 7a a6 4a bf 94 5a ab 6c 1a ae b4 d2 a9 0c b2 45 9a b2 68 a1 75 9e 95 b6 73 ce cb b3 e0 c1 01 d3 cb b9 0c c8 4c 9f a7 84 c5 79 a6 65 a6 03 42 d8 a5 12 7a 16 bc 77 70 c0 66 52 4d 67 30 c6 17 3a 27 8c cf e7 32 13 cf f3 40 e4 f1 e2 1c 16 fb 51 2e 96 0c 27 9f cd f2 4b a4 28 0a 3e c5 6f 8c 3c 3f d3 4b 38 9e 90 0d e3 be bc 02 ea 82 b6 f9 63 91 c7 4c bf 80 19 59 50 d7 93 17 40 b9 ac 7a 6e ad 5f 1d 32 1c da 61 68 56 4b f0 4c ea 6d 98 dd d8 a8 c3 5b 71 7a a9 32 91 5f 7a 70 44 a9 7e 29 ed f1 f3 22 bf 5a ba 66 5e 2a 5c eb 55 67 a7 3e 6c 24 71 [TRUNCATED] Data Ascii: 7fdXk$WfjT=j9,QU=SR{]#i23ac_@}0BLH/Qo4H]"3Ybou3y9S^4Tjo"\|BHRA7VzJZlEhusLyeBzwpfRMg0:'2@Q.'K(>o<?K8cLYP@zn_2ahVKLm[qz2_zpD~)"Zf^\Ug>l$q3/O)a:cG:{1+d_2.\$v<,<nq6(v#SE7ACN#_0%k>$aGDT0DwK6~}oVm3>pC.%:PH)_Y9:mAU>Jy[8S]oc`9$0v s!zAioW~BU#CEB
Oct 31, 2024 17:22:16.565685987 CET	956	OUT	GET /js/sq/lib/sq.core.js HTTP/1.1 Accept: / Referer: http://regapi.37.com/proxy_yk.html Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ptres.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Oct 31, 2024 17:22:16.970139027 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: application/x-javascript Content-Length: 102584 Connection: keep-alive Accept-Ranges: bytes Access-Control-Allow-Methods: GET Access-Control-Allow-Origin: * Age: 1738122 Cache-Control: max-age=2592000 Etag: "5bc69a12-190b8" Expires: Sun, 10 Nov 2024 13:33:34 GMT Last-Modified: Wed, 17 Oct 2018 02:10:26 GMT X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 768810aa018d1931767f1a1e2c796d10 X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:16 GMT via: pic03.zzcm06 Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 75 6e 63 74 69 6f 6e 20 63 28 61 29 7b 76 61 72 20 62 3d 6f 62 5b 61 5d 3d 7b 7d 3b 72 65 74 75 72 6e 20 24 2e 65 61 63 68 28 61 2e 73 70 6c 69 74 28 62 62 29 2c 66 75 6e 63 74 69 6f 6e 28 61 2c 63 29 7b 62 5b 63 5d 3d 21 30 7d 29 2c 62 7d 66 75 6e 63 74 69 6f 6e 20 64 28 61 2c 63 2c 64 29 7b 69 66 28 64 3d 3d 3d 62 26 26 31 3d 3d 3d 61 2e 6e 6f 64 65 54 79 70 65 29 7b 76 61 72 20 65 3d 22 64 61 74 61 2d 22 2b 63 2e 72 65 70 6c 61 63 65 28 71 62 2c 22 2d 24 31 22 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 69 66 28 64 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 65 29 2c 22 73 74 72 69 6e 67 22 3d 3d 74 79 70 65 6f 66 20 64 29 7b 74 72 79 7b 64 3d 22 74 72 75 65 22 3d 3d 3d 64 3f 21 30 3a 22 66 61 6c 73 65 22 3d 3d 3d 64 3f 21 31 3a 22 6e 75 6c 6c 22 3d 3d 3d 64 3f 6e 75 6c 6c 3a 2b 64 2b 22 22 3d 3d 3d 64 3f 2b 64 3a 70 62 2e 74 65 73 74 28 64 29 3f 24 2e 70 61 72 73 65 4a 53 4f 4e 28 64 29 3a 64 7d 63 61 74 63 68 28 66 29 7b 7d 24 2e 64 61 74 [TRUNCATED] Data Ascii: !function(a,b){function c(a){var b=ob[a]={};return $.each(a.split(bb),function(a,c){b[c]=!0}),b}function d(a,c,d){if(d===b&&1===a.nodeType){var e="data-"+c.replace(qb,"-$1").toLowerCase();if(d=a.getAttribute(e),"string"==typeof d){try{d="true"===d?!0:"false"===d?!1:"null"===d?null:+d+""===d?+d:pb.test(d)?$.parseJSON(d):d}catch(f){}$.data(a,c,d)}else d=b}return d}function e(a){var b;for(b in a)if(("data"!==b\|\|!$.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function f(){return!1}function g(){return!0}function h(a){return!a\|\|!a.parentNode\|\|11===a.parentNode.nodeType}function i(a,b){do a=a[b];while(a&&1!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49744	183.204.211.166	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:08.016638041 CET	1029	OUT	GET /js/sq/widget/sq.login.js?t=20230803101600 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ptres.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Oct 31, 2024 17:22:10.862617016 CET	1236	IN	HTTP/1.1 200 OK Server: Byte-nginx Content-Type: application/x-javascript Content-Length: 39151 Connection: keep-alive Accept-Ranges: bytes Access-Control-Allow-Methods: GET Access-Control-Allow-Origin: * Age: 429344 Cache-Control: max-age=2592000 Etag: "64ddd1ab-98ef" Expires: Mon, 25 Nov 2024 17:06:26 GMT Last-Modified: Thu, 17 Aug 2023 07:52:11 GMT X-Bdcdn-Cache-Status: TCP_HIT X-Request-Id: 29ec7bf2ee6c5c3d311df708745bdcc4 X-Request-Ip: 173.254.250.77 X-Response-Cache: edge_hit X-Response-Cinfo: 173.254.250.77 X-Tt-Trace-Tag: id=5 Date: Thu, 31 Oct 2024 16:22:10 GMT via: pic05.zzcm06 Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 24 2c 53 51 2c 75 6e 64 65 66 69 6e 65 64 29 7b 77 69 6e 64 6f 77 2e 62 48 54 54 50 53 45 6e 61 62 6c 65 64 3d 30 2c 77 69 6e 64 6f 77 2e 6a 75 6d 70 4c 6f 67 69 6e 50 61 67 65 3d 30 2c 77 69 6e 64 6f 77 2e 74 68 69 72 64 52 65 6c 6f 61 64 3d 30 3b 76 61 72 20 69 65 3d 21 21 77 69 6e 64 6f 77 2e 41 63 74 69 76 65 58 4f 62 6a 65 63 74 2c 69 65 36 3d 69 65 26 26 21 77 69 6e 64 6f 77 2e 58 4d 4c 48 74 74 70 52 65 71 75 65 73 74 2c 69 65 38 3d 69 65 26 26 21 21 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 4d 6f 64 65 2c 69 65 37 3d 69 65 26 26 21 69 65 36 26 26 21 69 65 38 2c 64 74 64 48 74 74 70 73 46 61 69 6c 3d 24 2e 44 65 66 65 72 72 65 64 28 29 3b 69 66 28 53 51 26 26 28 21 53 51 2e 4c 6f 67 69 6e 7c 7c 21 53 51 2e 4c 6f 67 69 6e 2e 76 65 72 73 69 6f 6e 29 29 7b 76 61 72 20 6a 75 6d 70 44 6f 6d 61 69 6e 73 3d 5b 22 62 62 73 2e 33 37 2e 63 6f 6d 22 2c 22 6b 66 2e 33 37 2e 63 6f 6d 22 2c 22 63 68 61 74 2e 6f 6e 6c 69 6e 65 2e 6b 66 2e 33 37 2e 63 6f 6d 22 2c 22 63 [TRUNCATED] Data Ascii: !function($,SQ,undefined){window.bHTTPSEnabled=0,window.jumpLoginPage=0,window.thirdReload=0;var ie=!!window.ActiveXObject,ie6=ie&&!window.XMLHttpRequest,ie8=ie&&!!document.documentMode,ie7=ie&&!ie6&&!ie8,dtdHttpsFail=$.Deferred();if(SQ&&(!SQ.Login\|\|!SQ.Login.version)){var jumpDomains=["bbs.37.com","kf.37.com","chat.online.kf.37.com","chatkf.37.com","admin2013.37wan.com"];$(document).ready(function(){$.inArray(location.hostname,jumpDomains)>-1?(window.jumpLoginPage=!0,window.thirdReload=!0):window.document.domain="37.com",window.httpsStatis=function(a){var b="//pt.clickdata.37wan.com/ps.gif?id=21&la={la}&ck={ck
Oct 31, 2024 17:22:10.862634897 CET	212	IN	Data Raw: 7d 26 63 66 3d 7b 63 66 7d 26 72 66 3d 7b 72 66 7d 26 65 78 74 3d 7b 65 7d 22 2e 72 65 70 6c 61 63 65 28 22 7b 63 6b 7d 22 2c 53 51 2e 63 6f 6f 6b 69 65 28 22 74 67 5f 75 76 22 29 29 2e 72 65 70 6c 61 63 65 28 22 7b 63 66 7d 22 2c 65 6e 63 6f 64 Data Ascii: }&cf={cf}&rf={rf}&ext={e}".replace("{ck}",SQ.cookie("tg_uv")).replace("{cf}",encodeURIComponent(location.hostname+location.pathname)).replace("{rf}",encodeURIComponent(document.referrer)).replace("{e}",a),c=new I
Oct 31, 2024 17:22:10.862662077 CET	1236	IN	Data Raw: 6d 61 67 65 2c 64 3d 53 51 2e 63 6f 6f 6b 69 65 28 22 70 61 73 73 70 6f 72 74 5f 33 37 77 61 6e 5f 63 6f 6d 22 29 2c 65 3d 22 22 3b 64 26 26 64 2e 69 6e 64 65 78 4f 66 28 22 7c 22 29 3e 30 26 26 28 65 3d 64 2e 73 70 6c 69 74 28 22 7c 22 29 5b 31 Data Ascii: mage,d=SQ.cookie("passport_37wan_com"),e="";d&&d.indexOf("\|")>0&&(e=d.split("\|")[1]),c.src=b.replace("{la}",e)+"&t="+Math.random()};var a=new Image,b=0,c=navigator.userAgent.toLowerCase(),d=0;"http:"===window.location.protocol&&/chrome/.test(c
Oct 31, 2024 17:22:10.862720013 CET	212	IN	Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 2c 65 2c 66 29 7b 69 66 28 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 28 62 3e 61 3f 22 22 3a 65 28 70 61 72 73 65 49 6e 74 28 61 2f 62 29 29 29 2b 28 28 61 25 3d 62 29 3e 33 35 Data Ascii: (function(a,b,c,d,e,f){if(e=function(a){return(b>a?"":e(parseInt(a/b)))+((a%=b)>35?String.fromCharCode(a+29):a.toString(36))},!"".replace(/^/,String)){for(;c--;)f[e(c)]=d[c]\|\|e(c);d=[function(a){return f[a]}],e=f
Oct 31, 2024 17:22:10.862731934 CET	1236	IN	Data Raw: 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 22 5c 5c 77 2b 22 7d 2c 63 3d 31 7d 66 6f 72 28 3b 63 2d 2d 3b 29 64 5b 63 5d 26 26 28 61 3d 61 2e 72 65 70 6c 61 63 65 28 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 62 22 2b 65 28 63 29 2b 22 5c 5c Data Ascii: unction(){return"\\w+"},c=1}for(;c--;)d[c]&&(a=a.replace(new RegExp("\\b"+e(c)+"\\b","g"),d[c]));return a}('e 5="F+/";m q(d){e 1,i,c;e 9,b,g;c=d.l;i=0;1="";x(i<c){9=d.k(i++)&v;f(i==c){1+=5.8(9>>2);1+=5.8((9&h)<<4);1+="==";r}b=d.k(i++);f(i==c){
Oct 31, 2024 17:22:10.862744093 CET	212	IN	Data Raw: 28 28 22 22 2b 69 29 2e 33 28 29 2b 67 29 3b 6c 20 6b 28 32 2e 68 28 22 2e 22 29 29 7d 27 2c 32 35 2c 32 35 2c 22 7c 7c 76 7c 63 68 61 72 43 6f 64 65 41 74 7c 70 75 73 68 7c 4d 61 74 68 7c 76 61 72 7c 6c 65 6e 67 74 68 7c 65 6e 63 6f 64 65 55 52 Data Ascii: ((""+i).3()+g);l k(2.h("."))}',25,25,"\|\|v\|charCodeAt\|push\|Math\|var\|length\|encodeURIComponent\|for\|\|10\|cryp\|function\|random\|floor\|50\|join\|\|\|__rsa\|return\|charAt\|if\|else".split("\|"),0,{}));var L,verifyCode,t='<style
Oct 31, 2024 17:22:10.862869024 CET	1236	IN	Data Raw: 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 2e 72 2d 63 6f 76 65 72 20 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 70 6f 73 69 Data Ascii: type="text/css">.r-cover {display:none;overflow:hidden;z-index:100;width:100%;position:absolute;left:0;top:0;height:100%;background:#000;opacity:0.5;filter:alpha(opacity=50);}.r-dialog {display:none;top:40px;padding-top:27px;_padding-top:25px;
Oct 31, 2024 17:22:10.862936974 CET	212	IN	Data Raw: 6c 69 64 20 23 30 30 65 37 66 66 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 34 70 78 20 23 64 36 65 35 65 61 3b 7d 2e 72 2d 64 69 61 6c 6f 67 2d 74 65 78 74 2d 65 72 72 6f 72 20 7b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 Data Ascii: lid #00e7ff;box-shadow:inset 0 0 4px #d6e5ea;}.r-dialog-text-error {border-color:#efb7bc;}.r-dialog-text-error:focus{border-color:#f78690;box-shadow:inset 0 0 2px #efb7bc;background-color:#ecd5db;}.r-dialog-panel
Oct 31, 2024 17:22:10.863342047 CET	1236	IN	Data Raw: 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 3b 7d 2e 72 2d 64 69 61 6c 6f 67 2d 70 61 6e 65 6c 2d 6c 6f 67 20 2e 72 2d 64 69 61 6c 6f 67 2d 74 Data Ascii: {display:none;position:relative;padding:10px 20px;}.r-dialog-panel-log .r-dialog-tip{color:#f00;}.r-dialog-panel-log p {margin-bottom:13px;}.r-dialog-panel-log .r-right {width:73px;}.r-dialog .btn-s-2 {margin-top:5px;}.r-right {display:inline-
Oct 31, 2024 17:22:10.863370895 CET	212	IN	Data Raw: 72 67 69 6e 2d 72 69 67 68 74 3a 32 70 78 3b 7d 2e 72 2d 64 69 61 6c 6f 67 2d 69 63 6f 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 77 69 64 74 68 3a 31 36 70 78 3b 68 65 69 67 68 74 3a 31 36 70 78 3b 70 6f 73 69 74 69 6f 6e Data Ascii: rgin-right:2px;}.r-dialog-ico{display:inline-block;width:16px;height:16px;position:relative;top:4px;left:10px;*top:-1px;_top:3px;}.r-dialog-ico-error,.r-dialog-ico-right{background:transparent url(//img1.37wanimg
Oct 31, 2024 17:22:10.867801905 CET	1236	IN	Data Raw: 2e 63 6f 6d 2f 77 77 77 2f 63 73 73 2f 69 6d 61 67 65 73 2f 63 6f 6d 6d 6f 6e 2f 69 63 6f 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 7d 2e 72 2d 64 69 61 6c 6f 67 2d 69 63 6f 2d 65 72 72 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 Data Ascii: .com/www/css/images/common/ico.png) no-repeat;}.r-dialog-ico-error{background-position:0 -679px;}.r-dialog-ico-right{background-position:0 -659px;}.r-dialog-ico-pending{background:transparent url(//img1.37wanimg.com/www/css/images/common/loadi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	159.75.141.43	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:13.504615068 CET	635	OUT	GET /controller/istat.controller.php?platform=37wan&item=u3tfl5ftfl&game_id=417&sid=&position=1&ext_1=4&ext_2=wd_37cs&ext_3=921614&ext_4=&ext_5=gy&ext_6=&login_account=&browser_type=&user_ip=&refer=wd_37cs&uid=921614&page=4&t=1730391732770 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: a.clickdata.37wan.com Connection: Keep-Alive
Oct 31, 2024 17:22:14.555814028 CET	377	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 16:22:14 GMT Content-Type: text/plain;charset=utf-8; Transfer-Encoding: chunked Connection: keep-alive Server: openresty Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, OPTIONS Data Raw: 32 36 0d 0a 7b 22 63 6f 64 65 22 3a 31 2c 22 6d 73 67 22 3a 22 73 65 6e 64 20 64 61 74 61 20 73 75 63 63 65 73 73 21 22 7d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 26{"code":1,"msg":"send data success!"}0
Oct 31, 2024 17:22:18.778271914 CET	288	OUT	GET /controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=417&ext_1=4&ext_2=wd_37cs&ext_3=921614&ext_4=2D9765A5A2ED4CE2ADBD5F7D47905931&ext_5=dc76deab4f96ab09d9dcaf79af94e8d7&ext_6=2&browser_type=3000 HTTP/1.1 User-Agent: HTTPDownloader Host: a.clickdata.37wan.com
Oct 31, 2024 17:22:19.130207062 CET	377	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 16:22:18 GMT Content-Type: text/plain;charset=utf-8; Transfer-Encoding: chunked Connection: keep-alive Server: openresty Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, OPTIONS Data Raw: 32 36 0d 0a 7b 22 63 6f 64 65 22 3a 31 2c 22 6d 73 67 22 3a 22 73 65 6e 64 20 64 61 74 61 20 73 75 63 63 65 73 73 21 22 7d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 26{"code":1,"msg":"send data success!"}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	180.188.25.9	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:14.063551903 CET	1113	OUT	GET /proxy_yk.html HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: regapi.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Oct 31, 2024 17:22:16.559185028 CET	481	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 31 Oct 2024 16:22:16 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding server-timing: inner; dur=73 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 74 69 74 6c 65 3e 33 37 2d 70 72 6f 78 79 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 2f 70 74 72 65 73 2e 33 37 2e 63 6f 6d 2f 6a 73 2f 73 71 2f 6c 69 62 2f 73 71 2e 63 6f 72 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 0d 0a 09 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 3d 20 27 33 37 2e 63 6f 6d 27 3b 0d 0a 09 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 2e 79 6b 70 72 6f 78 79 44 69 73 61 62 6c 65 64 53 63 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><title>37-proxy</title><script type="text/javascript" src="//ptres.37.com/js/sq/lib/sq.core.js"></script><script type="text/javascript"> document.domain = '37.com';window.parent.ykproxyDisabledSc();</script></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49753	139.9.125.189	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:15.364939928 CET	393	OUT	GET /1/ HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: cm.he2d.com Connection: Keep-Alive
Oct 31, 2024 17:22:16.530667067 CET	633	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Thu, 31 Oct 2024 16:22:16 GMT Content-Type: text/html Content-Length: 154 Connection: keep-alive P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: u=uK4jZ7lpa5IBAAAALNcr; Expires=Sun, 29-Oct-34 16:22:16 GMT; Domain=he2d.com; Path=/ Location: http://cookiem.37.com/sys/?u=uK4jZ7lpa5IBAAAALNcr&fdata= Expires: Thu, 31 Oct 2024 16:22:15 GMT Cache-Control: no-cache Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49756	193.112.116.230	80	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 17:22:16.943264008 CET	1024	OUT	GET /sys/?u=uK4jZ7lpa5IBAAAALNcr&fdata= HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Connection: Keep-Alive Host: cookiem.37.com Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Oct 31, 2024 17:22:17.967518091 CET	396	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 31 Oct 2024 16:22:17 GMT Content-Type: image/gif Content-Length: 0 Connection: keep-alive Set-Cookie: tg_uv=uK4jZ7lpa5IBAAAALNcr; Expires=Sun, 29-Oct-34 16:22:17 GMT; Domain=37.com; Path=/ Expires: Thu, 31 Oct 2024 16:22:16 GMT Cache-Control: no-cache P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49750	180.188.25.9	443	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 16:22:16 UTC	1016	OUT	GET /httpsEnable.gif?t=1730391733433 HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: my.37.com Connection: Keep-Alive Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
2024-10-31 16:22:17 UTC	327	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 31 Oct 2024 16:22:16 GMT Content-Type: image/gif Content-Length: 43 Connection: close Last-Modified: Thu, 31 Oct 2024 03:36:17 GMT ETag: "6722fb31-2b" Expires: Sat, 30 Nov 2024 16:22:16 GMT Cache-Control: max-age=2592000 Accept-Ranges: bytes server-timing: inner; dur=112
2024-10-31 16:22:17 UTC	43	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 ff ff ff 00 00 00 21 f9 04 00 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b Data Ascii: GIF89a!,D;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49751	43.154.254.89	443	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 16:22:16 UTC	416	OUT	GET /TCaptcha.js HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: turing.captcha.qcloud.com Connection: Keep-Alive
2024-10-31 16:22:17 UTC	249	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 16:22:17 GMT Content-Type: text/javascript Content-Length: 55614 Connection: close P3P: CP=CAO PSA OUR Server: Trpc httpd Server: tencent http server Accept-Ranges: bytes Cache-Control: max-age=600
2024-10-31 16:22:17 UTC	2580	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 6e 28 72 29 7b 69 66 28 74 5b 72 5d 29 72 65 74 75 72 6e 20 74 5b 72 5d 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 6f 3d 74 5b 72 5d 3d 7b 69 3a 72 2c 6c 3a 21 31 2c 65 78 70 6f 72 74 73 3a 7b 5f 5f 65 73 4d 6f 64 75 6c 65 3a 20 75 6e 64 65 66 69 6e 65 64 7d 7d 3b 72 65 74 75 72 6e 20 65 5b 72 5d 2e 63 61 6c 6c 28 6f 2e 65 78 70 6f 72 74 73 2c 6f 2c 6f 2e 65 78 70 6f 72 74 73 2c 6e 29 2c 6f 2e 6c 3d 21 30 2c 6f 2e 65 78 70 6f 72 74 73 7d 6e 2e 6d 3d 65 2c 6e 2e 63 3d 74 2c 6e 2e 64 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 72 29 7b 6e 2e 6f 28 65 2c 74 29 7c 7c 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 65 2c 74 2c 7b 65 6e 75 6d 65 72 61 62 6c Data Ascii: !function(e){var t={};function n(r){if(t[r])return t[r].exports;var o=t[r]={i:r,l:!1,exports:{__esModule: undefined}};return e[r].call(o.exports,o,o.exports,n),o.l=!0,o.exports}n.m=e,n.c=t,n.d=function(e,t,r){n.o(e,t)\|\|Object.defineProperty(e,t,{enumerabl
2024-10-31 16:22:17 UTC	4096	IN	Data Raw: 6e 63 61 74 28 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 74 29 29 5d 7d 7d 3b 74 2e 67 65 74 50 65 72 66 6f 72 6d 61 6e 63 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 2c 6e 3b 69 66 28 77 69 6e 64 6f 77 2e 70 65 72 66 6f 72 6d 61 6e 63 65 26 26 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 2e 70 65 72 66 6f 72 6d 61 6e 63 65 2e 67 65 74 45 6e 74 72 69 65 73 42 79 54 79 70 65 29 7b 76 61 72 20 6f 3d 5b 5d 2c 69 3d 7b 7d 2c 61 3d 77 69 6e 64 6f 77 2e 70 65 72 66 6f 72 6d 61 6e 63 65 2e 67 65 74 45 6e 74 72 69 65 73 42 79 54 79 70 65 28 22 72 65 73 6f 75 72 63 65 22 29 2c 63 3d 5b 22 78 6d 6c 68 74 74 70 72 65 71 75 65 73 74 22 2c 22 73 63 72 69 70 74 22 2c 22 69 66 72 61 6d 65 22 2c 22 69 6d 67 22 2c Data Ascii: ncat(encodeURIComponent(t))]}};t.getPerformance=function(e){var t,n;if(window.performance&&"function"==typeof window.performance.getEntriesByType){var o=[],i={},a=window.performance.getEntriesByType("resource"),c=["xmlhttprequest","script","iframe","img",
2024-10-31 16:22:17 UTC	4096	IN	Data Raw: 73 63 72 69 70 74 6f 72 28 74 2c 6e 29 3b 6f 26 26 28 22 67 65 74 22 69 6e 20 6f 3f 74 2e 5f 5f 65 73 4d 6f 64 75 6c 65 3a 21 6f 2e 77 72 69 74 61 62 6c 65 26 26 21 6f 2e 63 6f 6e 66 69 67 75 72 61 62 6c 65 29 7c 7c 28 6f 3d 7b 65 6e 75 6d 65 72 61 62 6c 65 3a 21 30 2c 67 65 74 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 5b 6e 5d 7d 7d 29 2c 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 65 2c 72 2c 6f 29 7d 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 2c 72 29 7b 72 3d 3d 3d 75 6e 64 65 66 69 6e 65 64 26 26 28 72 3d 6e 29 2c 65 5b 72 5d 3d 74 5b 6e 5d 7d 29 2c 6f 3d 74 68 69 73 26 26 74 68 69 73 2e 5f 5f 65 78 70 6f 72 74 53 74 61 72 7c 7c 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 66 6f 72 28 76 61 72 20 6e 20 69 6e 20 Data Ascii: scriptor(t,n);o&&("get"in o?t.__esModule:!o.writable&&!o.configurable)\|\|(o={enumerable:!0,get:function(){return t[n]}}),Object.defineProperty(e,r,o)}:function(e,t,n,r){r===undefined&&(r=n),e[r]=t[n]}),o=this&&this.__exportStar\|\|function(e,t){for(var n in
2024-10-31 16:22:17 UTC	3200	IN	Data Raw: 52 52 4f 52 22 2c 65 2e 4c 4f 41 44 5f 45 52 52 4f 52 3d 22 4c 4f 41 44 5f 45 52 52 4f 52 22 7d 28 74 2e 45 72 72 6f 72 54 69 63 6b 65 74 54 79 70 65 45 6e 75 6d 7c 7c 28 74 2e 45 72 72 6f 72 54 69 63 6b 65 74 54 79 70 65 45 6e 75 6d 3d 7b 7d 29 29 2c 74 2e 67 65 74 45 72 72 6f 72 54 69 63 6b 65 74 3d 72 2c 74 2e 67 65 74 45 72 72 6f 72 52 65 73 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 6e 2c 69 29 7b 72 65 74 75 72 6e 7b 72 65 74 3a 30 2c 72 61 6e 64 73 74 72 3a 6f 28 29 2c 74 69 63 6b 65 74 3a 72 28 65 2c 6e 7c 7c 22 22 2c 69 29 2c 65 72 72 6f 72 43 6f 64 65 3a 74 2e 45 72 72 6f 72 43 6f 64 65 5b 65 5d 2c 65 72 72 6f 72 4d 65 73 73 61 67 65 3a 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 7d 7d 2c 74 2e 67 65 74 52 61 6e 64 53 74 72 3d 6f 7d 2c 66 75 6e 63 74 Data Ascii: RROR",e.LOAD_ERROR="LOAD_ERROR"}(t.ErrorTicketTypeEnum\|\|(t.ErrorTicketTypeEnum={})),t.getErrorTicket=r,t.getErrorRes=function(e,n,i){return{ret:0,randstr:o(),ticket:r(e,n\|\|"",i),errorCode:t.ErrorCode[e],errorMessage:e.toLowerCase()}},t.getRandStr=o},funct
2024-10-31 16:22:17 UTC	1424	IN	Data Raw: 2c 45 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 66 6f 72 28 76 61 72 20 6e 20 69 6e 20 74 29 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 74 5b 6e 5d 26 26 74 5b 6e 5d 2e 6c 65 6e 67 74 68 3e 30 29 7b 66 6f 72 28 76 61 72 20 72 3d 30 3b 72 3c 74 5b 6e 5d 2e 6c 65 6e 67 74 68 3b 72 2b 2b 29 69 66 28 68 28 74 5b 6e 5d 5b 72 5d 2c 65 29 29 72 65 74 75 72 6e 22 3f 22 3d 3d 3d 6e 3f 76 6f 69 64 20 30 3a 6e 7d 65 6c 73 65 20 69 66 28 68 28 74 5b 6e 5d 2c 65 29 29 72 65 74 75 72 6e 22 3f 22 3d 3d 3d 6e 3f 76 6f 69 64 20 30 3a 6e 3b 72 65 74 75 72 6e 20 74 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 28 22 2a 22 29 3f 74 5b 22 2a 22 5d 3a 65 7d 2c 52 3d 7b 4d 45 3a 22 34 2e 39 30 22 2c 22 4e 54 20 33 2e 31 31 22 3a 22 4e 54 33 2e 35 31 22 2c 22 Data Ascii: ,E=function(e,t){for(var n in t)if("object"==typeof t[n]&&t[n].length>0){for(var r=0;r<t[n].length;r++)if(h(t[n][r],e))return"?"===n?void 0:n}else if(h(t[n],e))return"?"===n?void 0:n;return t.hasOwnProperty("")?t[""]:e},R={ME:"4.90","NT 3.11":"NT3.51","
2024-10-31 16:22:17 UTC	4096	IN	Data Raw: 2c 5b 6c 2c 5b 63 2c 22 55 43 42 72 6f 77 73 65 72 22 5d 5d 2c 5b 2f 6d 69 63 72 6f 6d 2e 2b 5c 62 71 62 63 6f 72 65 5c 2f 28 5b 5c 77 5c 2e 5d 2b 29 2f 69 2c 2f 5c 62 71 62 63 6f 72 65 5c 2f 28 5b 5c 77 5c 2e 5d 2b 29 2e 2b 6d 69 63 72 6f 6d 2f 69 2c 2f 6d 69 63 72 6f 6d 65 73 73 65 6e 67 65 72 5c 2f 28 5b 5c 77 5c 2e 5d 2b 29 2f 69 5d 2c 5b 6c 2c 5b 63 2c 22 57 65 43 68 61 74 22 5d 5d 2c 5b 2f 6b 6f 6e 71 75 65 72 6f 72 5c 2f 28 5b 5c 77 5c 2e 5d 2b 29 2f 69 5d 2c 5b 6c 2c 5b 63 2c 22 4b 6f 6e 71 75 65 72 6f 72 22 5d 5d 2c 5b 2f 74 72 69 64 65 6e 74 2e 2b 72 76 5b 3a 20 5d 28 5b 5c 77 5c 2e 5d 7b 31 2c 39 7d 29 5c 62 2e 2b 6c 69 6b 65 20 67 65 63 6b 6f 2f 69 5d 2c 5b 6c 2c 5b 63 2c 22 49 45 22 5d 5d 2c 5b 2f 79 61 28 3f 3a 73 65 61 72 63 68 29 3f 62 72 Data Ascii: ,[l,[c,"UCBrowser"]],[/microm.+\bqbcore\/([\w\.]+)/i,/\bqbcore\/([\w\.]+).+microm/i,/micromessenger\/([\w\.]+)/i],[l,[c,"WeChat"]],[/konqueror\/([\w\.]+)/i],[l,[c,"Konqueror"]],[/trident.+rv[: ]([\w\.]{1,9})\b.+like gecko/i],[l,[c,"IE"]],[/ya(?:search)?br
2024-10-31 16:22:17 UTC	176	IN	Data Raw: 70 70 6c 65 22 5d 2c 5b 73 2c 64 5d 5d 2c 5b 2f 28 6d 61 63 69 6e 74 6f 73 68 29 3b 2f 69 5d 2c 5b 61 2c 5b 75 2c 22 41 70 70 6c 65 22 5d 5d 2c 5b 2f 5c 62 28 73 68 2d 3f 5b 61 6c 74 76 7a 5d 3f 5c 64 5c 64 5b 61 2d 65 6b 6d 5d 3f 29 2f 69 5d 2c 5b 61 2c 5b 75 2c 22 53 68 61 72 70 22 5d 2c 5b 73 2c 70 5d 5d 2c 5b 2f 5c 62 28 28 3f 3a 61 67 5b 72 73 5d 5b 32 33 5d 3f 7c 62 61 68 32 3f 7c 73 68 74 3f 7c 62 74 76 29 2d 61 3f 5b 6c 77 5d 5c 64 7b 32 7d 29 5c 62 28 3f 21 2e 2b 64 5c 2f 73 29 2f 69 5d 2c 5b 61 2c 5b 75 2c 22 48 Data Ascii: pple"],[s,d]],[/(macintosh);/i],[a,[u,"Apple"]],[/\b(sh-?[altvz]?\d\d[a-ekm]?)/i],[a,[u,"Sharp"],[s,p]],[/\b((?:ag[rs][23]?\|bah2?\|sht?\|btv)-a?[lw]\d{2})\b(?!.+d\/s)/i],[a,[u,"H
2024-10-31 16:22:17 UTC	4096	IN	Data Raw: 75 61 77 65 69 22 5d 2c 5b 73 2c 64 5d 5d 2c 5b 2f 28 3f 3a 68 75 61 77 65 69 7c 68 6f 6e 6f 72 29 28 5b 2d 5c 77 20 5d 2b 29 5b 3b 5c 29 5d 2f 69 2c 2f 5c 62 28 6e 65 78 75 73 20 36 70 7c 5c 77 7b 32 2c 34 7d 65 3f 2d 5b 61 74 75 5d 3f 5b 6c 6e 5d 5b 5c 64 78 5d 5b 30 31 32 33 35 39 63 5d 5b 61 64 6e 5d 3f 29 5c 62 28 3f 21 2e 2b 64 5c 2f 73 29 2f 69 5d 2c 5b 61 2c 5b 75 2c 22 48 75 61 77 65 69 22 5d 2c 5b 73 2c 70 5d 5d 2c 5b 2f 5c 62 28 70 6f 63 6f 5b 5c 77 20 5d 2b 7c 6d 32 5c 64 7b 33 7d 6a 5c 64 5c 64 5b 61 2d 7a 5d 7b 32 7d 29 28 3f 3a 20 62 75 69 7c 5c 29 29 2f 69 2c 2f 5c 62 3b 20 28 5c 77 2b 29 20 62 75 69 6c 64 5c 2f 68 6d 5c 31 2f 69 2c 2f 5c 62 28 68 6d 5b 2d 5f 20 5d 3f 6e 6f 74 65 3f 5b 5f 20 5d 3f 28 3f 3a 5c 64 5c 77 29 3f 29 20 62 75 69 Data Ascii: uawei"],[s,d]],[/(?:huawei\|honor)([-\w ]+)[;\)]/i,/\b(nexus 6p\|\w{2,4}e?-[atu]?[ln][\dx][012359c][adn]?)\b(?!.+d\/s)/i],[a,[u,"Huawei"],[s,p]],[/\b(poco[\w ]+\|m2\d{3}j\d\d[a-z]{2})(?: bui\|\))/i,/\b; (\w+) build\/hm\1/i,/\b(hm[-_ ]?note?[_ ]?(?:\d\w)?) bui
2024-10-31 16:22:17 UTC	4096	IN	Data Raw: 7d 29 20 62 2f 69 5d 2c 5b 61 2c 5b 75 2c 22 44 65 6c 6c 22 5d 2c 5b 73 2c 64 5d 5d 2c 5b 2f 5c 62 28 71 28 3f 3a 6d 76 7c 74 61 29 5c 77 2b 29 20 62 2f 69 5d 2c 5b 61 2c 5b 75 2c 22 56 65 72 69 7a 6f 6e 22 5d 2c 5b 73 2c 64 5d 5d 2c 5b 2f 5c 62 28 3f 3a 62 61 72 6e 65 73 5b 26 20 5d 2b 6e 6f 62 6c 65 20 7c 62 6e 5b 72 74 5d 29 28 5b 5c 77 5c 2b 20 5d 2a 29 20 62 2f 69 5d 2c 5b 61 2c 5b 75 2c 22 42 61 72 6e 65 73 20 26 20 4e 6f 62 6c 65 22 5d 2c 5b 73 2c 64 5d 5d 2c 5b 2f 5c 62 28 74 6d 5c 64 7b 33 7d 5c 77 2b 29 20 62 2f 69 5d 2c 5b 61 2c 5b 75 2c 22 4e 75 56 69 73 69 6f 6e 22 5d 2c 5b 73 2c 64 5d 5d 2c 5b 2f 5c 62 28 6b 38 38 29 20 62 2f 69 5d 2c 5b 61 2c 5b 75 2c 22 5a 54 45 22 5d 2c 5b 73 2c 64 5d 5d 2c 5b 2f 5c 62 28 6e 78 5c 64 7b 33 7d 6a 29 20 62 Data Ascii: }) b/i],[a,[u,"Dell"],[s,d]],[/\b(q(?:mv\|ta)\w+) b/i],[a,[u,"Verizon"],[s,d]],[/\b(?:barnes[& ]+noble \|bn[rt])([\w\+ ]*) b/i],[a,[u,"Barnes & Noble"],[s,d]],[/\b(tm\d{3}\w+) b/i],[a,[u,"NuVision"],[s,d]],[/\b(k88) b/i],[a,[u,"ZTE"],[s,d]],[/\b(nx\d{3}j) b
2024-10-31 16:22:17 UTC	4096	IN	Data Raw: 42 65 72 72 79 22 5d 5d 2c 5b 2f 28 3f 3a 73 79 6d 62 69 61 6e 20 3f 6f 73 7c 73 79 6d 62 6f 73 7c 73 36 30 28 3f 3d 3b 29 7c 73 65 72 69 65 73 36 30 29 5b 2d 5c 2f 20 5d 3f 28 5b 5c 77 5c 2e 5d 2a 29 2f 69 5d 2c 5b 6c 2c 5b 63 2c 22 53 79 6d 62 69 61 6e 22 5d 5d 2c 5b 2f 6d 6f 7a 69 6c 6c 61 5c 2f 5b 5c 64 5c 2e 5d 2b 20 5c 28 28 3f 3a 6d 6f 62 69 6c 65 7c 74 61 62 6c 65 74 7c 74 76 7c 6d 6f 62 69 6c 65 3b 20 5b 5c 77 20 5d 2b 29 3b 20 72 76 3a 2e 2b 20 67 65 63 6b 6f 5c 2f 28 5b 5c 77 5c 2e 5d 2b 29 2f 69 5d 2c 5b 6c 2c 5b 63 2c 22 46 69 72 65 66 6f 78 20 4f 53 22 5d 5d 2c 5b 2f 77 65 62 30 73 3b 2e 2b 72 74 28 74 76 29 2f 69 2c 2f 5c 62 28 3f 3a 68 70 29 3f 77 6f 73 28 3f 3a 62 72 6f 77 73 65 72 29 3f 5c 2f 28 5b 5c 77 5c 2e 5d 2b 29 2f 69 5d 2c 5b 6c Data Ascii: Berry"]],[/(?:symbian ?os\|symbos\|s60(?=;)\|series60)[-\/ ]?([\w\.]*)/i],[l,[c,"Symbian"]],[/mozilla\/[\d\.]+ \((?:mobile\|tablet\|tv\|mobile; [\w ]+); rv:.+ gecko\/([\w\.]+)/i],[l,[c,"Firefox OS"]],[/web0s;.+rt(tv)/i,/\b(?:hp)?wos(?:browser)?\/([\w\.]+)/i],[l

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49757	60.221.17.65	443	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 16:22:19 UTC	432	OUT	GET /1/tcaptcha-frame.5e0f125a.js HTTP/1.1 Accept: / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: turing.captcha.gtimg.com Connection: Keep-Alive
2024-10-31 16:22:20 UTC	579	IN	HTTP/1.1 200 OK Last-Modified: Thu, 19 Sep 2024 09:45:28 GMT Etag: "df930d4526a65dfcad8e6610dd98419a" Content-Type: application/javascript Date: Fri, 20 Sep 2024 07:21:51 GMT Server: tencent-cos x-cos-hash-crc64ecma: 9558210536854378973 x-cos-request-id: NjZlZDIyOGZfZGE1NjUxMWVfMWMzOTlfMjA3MzU5Mw== x-cos-storage-class: MAZ_STANDARD x-cosindex-replication-status: Complete Content-Length: 176102 Accept-Ranges: bytes X-NWS-LOG-UUID: 8219902213701902639 Connection: close X-Cache-Lookup: Cache Hit Access-Control-Allow-Origin: * Cache-Control: max-age=2592000
2024-10-31 16:22:20 UTC	16384	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 61 28 69 29 7b 69 66 28 74 5b 69 5d 29 72 65 74 75 72 6e 20 74 5b 69 5d 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 72 3d 74 5b 69 5d 3d 7b 69 3a 69 2c 6c 3a 21 31 2c 65 78 70 6f 72 74 73 3a 7b 5f 5f 65 73 4d 6f 64 75 6c 65 3a 20 75 6e 64 65 66 69 6e 65 64 7d 7d 3b 72 65 74 75 72 6e 20 65 5b 69 5d 2e 63 61 6c 6c 28 72 2e 65 78 70 6f 72 74 73 2c 72 2c 72 2e 65 78 70 6f 72 74 73 2c 61 29 2c 72 2e 6c 3d 21 30 2c 72 2e 65 78 70 6f 72 74 73 7d 61 2e 6d 3d 65 2c 61 2e 63 3d 74 2c 61 2e 64 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 69 29 7b 61 2e 6f 28 65 2c 74 29 7c 7c 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 65 2c 74 2c 7b 65 6e 75 6d 65 72 61 62 6c Data Ascii: !function(e){var t={};function a(i){if(t[i])return t[i].exports;var r=t[i]={i:i,l:!1,exports:{__esModule: undefined}};return e[i].call(r.exports,r,r.exports,a),r.l=!0,r.exports}a.m=e,a.c=t,a.d=function(e,t,i){a.o(e,t)\|\|Object.defineProperty(e,t,{enumerabl
2024-10-31 16:22:20 UTC	16384	IN	Data Raw: 64 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 6e 26 26 22 5f 5f 70 72 6f 74 6f 5f 5f 22 3d 3d 3d 74 2e 6e 61 6d 65 3f 6e 28 65 2c 74 2e 6e 61 6d 65 2c 7b 65 6e 75 6d 65 72 61 62 6c 65 3a 21 30 2c 63 6f 6e 66 69 67 75 72 61 62 6c 65 3a 21 30 2c 76 61 6c 75 65 3a 74 2e 6e 65 77 56 61 6c 75 65 2c 77 72 69 74 61 62 6c 65 3a 21 30 7d 29 3a 65 5b 74 2e 6e 61 6d 65 5d 3d 74 2e 6e 65 77 56 61 6c 75 65 7d 2c 6c 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 69 66 28 22 5f 5f 70 72 6f 74 6f 5f 5f 22 3d 3d 3d 74 29 7b 69 66 28 21 69 2e 63 61 6c 6c 28 65 2c 74 29 29 72 65 74 75 72 6e 3b 69 66 28 6f 29 72 65 74 75 72 6e 20 6f 28 65 2c 74 29 2e 76 61 6c 75 65 7d 72 65 74 75 72 6e 20 65 5b 74 5d 7d 3b 65 2e 65 78 70 6f 72 74 73 3d 66 75 6e 63 74 69 6f 6e 20 75 28 29 7b Data Ascii: d=function(e,t){n&&"__proto__"===t.name?n(e,t.name,{enumerable:!0,configurable:!0,value:t.newValue,writable:!0}):e[t.name]=t.newValue},l=function(e,t){if("__proto__"===t){if(!i.call(e,t))return;if(o)return o(e,t).value}return e[t]};e.exports=function u(){
2024-10-31 16:22:20 UTC	16384	IN	Data Raw: 5b 5c 77 5c 2e 5d 2a 29 2f 69 5d 2c 5b 6c 2c 5b 73 2c 22 53 79 6d 62 69 61 6e 22 5d 5d 2c 5b 2f 6d 6f 7a 69 6c 6c 61 5c 2f 5b 5c 64 5c 2e 5d 2b 20 5c 28 28 3f 3a 6d 6f 62 69 6c 65 7c 74 61 62 6c 65 74 7c 74 76 7c 6d 6f 62 69 6c 65 3b 20 5b 5c 77 20 5d 2b 29 3b 20 72 76 3a 2e 2b 20 67 65 63 6b 6f 5c 2f 28 5b 5c 77 5c 2e 5d 2b 29 2f 69 5d 2c 5b 6c 2c 5b 73 2c 22 46 69 72 65 66 6f 78 20 4f 53 22 5d 5d 2c 5b 2f 77 65 62 30 73 3b 2e 2b 72 74 28 74 76 29 2f 69 2c 2f 5c 62 28 3f 3a 68 70 29 3f 77 6f 73 28 3f 3a 62 72 6f 77 73 65 72 29 3f 5c 2f 28 5b 5c 77 5c 2e 5d 2b 29 2f 69 5d 2c 5b 6c 2c 5b 73 2c 22 77 65 62 4f 53 22 5d 5d 2c 5b 2f 77 61 74 63 68 28 3f 3a 20 3f 6f 73 5b 2c 5c 2f 5d 7c 5c 64 2c 5c 64 5c 2f 29 28 5b 5c 64 5c 2e 5d 2b 29 2f 69 5d 2c 5b 6c 2c 5b Data Ascii: [\w\.]*)/i],[l,[s,"Symbian"]],[/mozilla\/[\d\.]+ \((?:mobile\|tablet\|tv\|mobile; [\w ]+); rv:.+ gecko\/([\w\.]+)/i],[l,[s,"Firefox OS"]],[/web0s;.+rt(tv)/i,/\b(?:hp)?wos(?:browser)?\/([\w\.]+)/i],[l,[s,"webOS"]],[/watch(?: ?os[,\/]\|\d,\d\/)([\d\.]+)/i],[l,[
2024-10-31 16:22:20 UTC	16384	IN	Data Raw: 70 74 63 68 61 2d 64 79 5f 5f 69 6e 73 74 72 75 63 74 69 6f 6e 2d 69 63 6f 6e 22 2c 69 6e 73 74 72 75 63 74 69 6f 6e 45 72 72 6f 72 3a 22 74 65 6e 63 65 6e 74 2d 63 61 70 74 63 68 61 2d 64 79 5f 5f 69 6e 73 74 72 75 63 74 69 6f 6e 2d 65 72 72 6f 72 22 2c 72 69 67 68 74 54 6f 4c 65 66 74 3a 22 74 65 6e 63 65 6e 74 2d 63 61 70 74 63 68 61 2d 64 79 5f 5f 72 69 67 68 74 2d 74 6f 2d 6c 65 66 74 22 2c 63 61 70 54 69 74 6c 65 3a 22 74 65 6e 63 65 6e 74 2d 63 61 70 74 63 68 61 2d 64 79 5f 5f 74 69 74 6c 65 22 2c 73 6d 61 6c 6c 46 6f 6e 74 3a 22 74 65 6e 63 65 6e 74 2d 63 61 70 74 63 68 61 2d 64 79 5f 5f 73 6d 61 6c 6c 2d 66 6f 6e 74 73 69 7a 65 22 2c 6d 75 6c 74 69 4c 69 6e 65 3a 22 74 65 6e 63 65 6e 74 2d 63 61 70 74 63 68 61 2d 64 79 5f 5f 6d 75 6c 74 69 2d 6c Data Ascii: ptcha-dy__instruction-icon",instructionError:"tencent-captcha-dy__instruction-error",rightToLeft:"tencent-captcha-dy__right-to-left",capTitle:"tencent-captcha-dy__title",smallFont:"tencent-captcha-dy__small-fontsize",multiLine:"tencent-captcha-dy__multi-l
2024-10-31 16:22:20 UTC	16384	IN	Data Raw: 61 63 74 75 61 6c 20 6c 6f 63 61 74 69 6f 6e 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 43 61 70 74 63 68 61 20 74 65 61 6d 2e 22 5d 2c 6a 61 3a 5b 22 5c 75 33 30 62 62 5c 75 33 30 61 64 5c 75 33 30 65 35 5c 75 33 30 65 61 5c 75 33 30 63 36 5c 75 33 30 61 33 5c 75 38 61 38 64 5c 75 38 61 33 63 22 2c 22 5c 75 36 32 33 62 5c 75 33 30 38 62 22 2c 22 5c 75 33 30 62 37 5c 75 33 30 66 33 5c 75 33 30 64 37 5c 75 33 30 65 62 5c 75 33 30 65 32 5c 75 33 30 66 63 5c 75 33 30 63 39 22 2c 22 5c 75 34 65 30 30 5c 75 38 32 32 63 5c 75 33 30 65 32 5c 75 33 30 66 63 5c 75 33 30 63 39 22 2c 22 4f 4b 22 2c 22 5c 75 33 30 62 37 5c 75 33 30 66 33 5c 75 33 30 64 37 5c 75 33 30 65 62 5c 75 33 30 65 32 5c 75 33 30 66 63 5c 75 33 30 63 39 22 2c 22 5c 75 34 65 Data Ascii: actual location. Please contact the Captcha team."],ja:["\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8a8d\u8a3c","\u623b\u308b","\u30b7\u30f3\u30d7\u30eb\u30e2\u30fc\u30c9","\u4e00\u822c\u30e2\u30fc\u30c9","OK","\u30b7\u30f3\u30d7\u30eb\u30e2\u30fc\u30c9","\u4e
2024-10-31 16:22:20 UTC	16384	IN	Data Raw: 30 65 63 32 5c 75 30 65 64 64 5c 75 30 65 39 34 5c 75 30 65 38 37 5c 75 30 65 63 38 5c 75 30 65 62 32 5c 75 30 65 38 64 22 2c 22 5c 75 30 65 38 34 5c 75 30 65 62 33 5c 75 30 65 63 30 5c 75 30 65 61 62 5c 75 30 65 62 31 5c 75 30 65 39 39 5c 75 30 65 39 35 5c 75 30 65 62 34 5c 75 30 65 38 61 5c 75 30 65 62 62 5c 75 30 65 61 31 22 2c 22 5c 75 30 65 61 35 5c 75 30 65 61 64 5c 75 30 65 38 37 5c 75 30 65 63 33 5c 75 30 65 38 61 5c 75 30 65 63 39 5c 75 30 65 63 31 5c 75 30 65 38 34 5c 75 30 65 62 31 5c 75 30 65 39 61 5c 75 30 65 38 38 5c 75 30 65 62 32 5c 75 30 65 63 33 5c 75 30 65 64 64 5c 75 30 65 63 38 22 2c 22 5c 75 30 65 38 31 5c 75 30 65 62 32 5c 75 30 65 39 39 5c 75 30 65 63 32 5c 75 30 65 61 62 5c 75 30 65 62 63 5c 75 30 65 39 34 5c 75 30 65 61 65 5c 75 Data Ascii: 0ec2\u0edd\u0e94\u0e87\u0ec8\u0eb2\u0e8d","\u0e84\u0eb3\u0ec0\u0eab\u0eb1\u0e99\u0e95\u0eb4\u0e8a\u0ebb\u0ea1","\u0ea5\u0ead\u0e87\u0ec3\u0e8a\u0ec9\u0ec1\u0e84\u0eb1\u0e9a\u0e88\u0eb2\u0ec3\u0edd\u0ec8","\u0e81\u0eb2\u0e99\u0ec2\u0eab\u0ebc\u0e94\u0eae\u
2024-10-31 16:22:21 UTC	16384	IN	Data Raw: 29 7d 76 61 72 20 6f 3b 72 65 74 75 72 6e 5b 61 5d 2e 6a 6f 69 6e 28 22 5c 6e 22 29 7d 28 74 2c 65 29 3b 72 65 74 75 72 6e 20 74 5b 32 5d 3f 22 40 6d 65 64 69 61 20 22 2b 74 5b 32 5d 2b 22 7b 22 2b 61 2b 22 7d 22 3a 61 7d 29 2e 6a 6f 69 6e 28 22 22 29 7d 2c 74 2e 69 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 61 29 7b 22 73 74 72 69 6e 67 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 28 65 3d 5b 5b 6e 75 6c 6c 2c 65 2c 22 22 5d 5d 29 3b 66 6f 72 28 76 61 72 20 69 3d 7b 7d 2c 72 3d 30 3b 72 3c 74 68 69 73 2e 6c 65 6e 67 74 68 3b 72 2b 2b 29 7b 76 61 72 20 6e 3d 74 68 69 73 5b 72 5d 5b 30 5d 3b 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 6e 26 26 28 69 5b 6e 5d 3d 21 30 29 7d 66 6f 72 28 72 3d 30 3b 72 3c 65 2e 6c 65 6e 67 74 68 3b 72 2b 2b 29 7b 76 61 72 20 6f 3d Data Ascii: )}var o;return[a].join("\n")}(t,e);return t[2]?"@media "+t[2]+"{"+a+"}":a}).join("")},t.i=function(e,a){"string"==typeof e&&(e=[[null,e,""]]);for(var i={},r=0;r<this.length;r++){var n=this[r][0];"number"==typeof n&&(i[n]=!0)}for(r=0;r<e.length;r++){var o=
2024-10-31 16:22:21 UTC	16384	IN	Data Raw: 61 73 42 6f 72 64 65 72 3a 21 30 2c 75 6e 69 6f 6e 53 69 7a 65 54 79 70 65 3a 21 30 2c 69 73 4f 70 74 3a 21 30 7d 2c 76 74 74 5f 70 63 3a 7b 68 65 69 67 68 74 3a 33 36 30 2c 77 69 64 74 68 3a 33 36 30 2c 62 74 6e 5f 77 69 64 74 68 3a 32 39 38 7d 2c 64 72 61 67 3a 7b 73 69 7a 65 3a 5b 31 39 2c 31 39 5d 2c 68 61 73 42 6f 72 64 65 72 3a 21 30 2c 75 6e 69 6f 6e 53 69 7a 65 54 79 70 65 3a 21 30 2c 69 73 4f 70 74 3a 21 30 7d 2c 64 72 61 67 5f 70 63 3a 7b 68 65 69 67 68 74 3a 33 36 30 2c 77 69 64 74 68 3a 33 36 30 2c 62 74 6e 5f 77 69 64 74 68 3a 32 39 38 7d 2c 64 79 3a 7b 73 69 7a 65 3a 5b 31 39 2c 31 39 5d 2c 68 61 73 42 6f 72 64 65 72 3a 21 30 2c 75 6e 69 6f 6e 53 69 7a 65 54 79 70 65 3a 21 30 2c 69 73 4f 70 74 3a 21 30 7d 2c 64 79 5f 70 63 3a 7b 68 65 69 67 Data Ascii: asBorder:!0,unionSizeType:!0,isOpt:!0},vtt_pc:{height:360,width:360,btn_width:298},drag:{size:[19,19],hasBorder:!0,unionSizeType:!0,isOpt:!0},drag_pc:{height:360,width:360,btn_width:298},dy:{size:[19,19],hasBorder:!0,unionSizeType:!0,isOpt:!0},dy_pc:{heig
2024-10-31 16:22:21 UTC	16384	IN	Data Raw: 3d 22 74 63 61 70 74 63 68 61 5f 74 72 61 6e 73 66 6f 72 6d 22 29 3b 76 61 72 20 5f 3d 7b 70 6f 73 69 74 69 6f 6e 3a 67 2c 77 69 64 74 68 3a 22 22 2e 63 6f 6e 63 61 74 28 6e 75 6c 6c 3d 3d 3d 28 69 3d 74 68 69 73 2e 73 69 7a 65 53 43 29 7c 7c 76 6f 69 64 20 30 3d 3d 3d 69 3f 76 6f 69 64 20 30 3a 69 2e 77 69 64 74 68 2c 22 70 78 22 29 2c 68 65 69 67 68 74 3a 22 22 2e 63 6f 6e 63 61 74 28 6e 75 6c 6c 3d 3d 3d 28 6e 3d 74 68 69 73 2e 73 69 7a 65 53 43 29 7c 7c 76 6f 69 64 20 30 3d 3d 3d 6e 3f 76 6f 69 64 20 30 3a 6e 2e 68 65 69 67 68 74 2c 22 70 78 22 29 2c 74 6f 70 3a 6e 75 6c 6c 3d 3d 3d 28 6f 3d 74 68 69 73 2e 70 6f 73 53 43 29 7c 7c 76 6f 69 64 20 30 3d 3d 3d 6f 3f 76 6f 69 64 20 30 3a 6f 2e 74 6f 70 2c 6c 65 66 74 3a 6e 75 6c 6c 3d 3d 3d 28 73 3d 74 68 Data Ascii: ="tcaptcha_transform");var _={position:g,width:"".concat(null===(i=this.sizeSC)\|\|void 0===i?void 0:i.width,"px"),height:"".concat(null===(n=this.sizeSC)\|\|void 0===n?void 0:n.height,"px"),top:null===(o=this.posSC)\|\|void 0===o?void 0:o.top,left:null===(s=th
2024-10-31 16:22:21 UTC	16384	IN	Data Raw: 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 22 29 3a 28 72 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 74 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 22 2c 72 2e 69 64 3d 22 74 63 61 70 74 63 68 61 5f 63 6f 6e 74 61 69 6e 65 72 22 2c 74 68 69 73 2e 5f 64 69 76 3d 72 29 3b 76 61 72 20 6f 3d 7b 77 69 64 74 68 3a 22 22 2e 63 6f 6e 63 61 74 28 69 2e 77 69 64 74 68 2c 22 70 78 22 29 2c 68 65 69 67 68 74 3a 22 22 2e 63 6f 6e 63 61 74 28 69 2e 68 65 69 67 68 74 2c 22 70 78 22 29 2c 6f 70 61 63 69 74 79 3a 22 31 22 7d 3b 6e 5b 22 64 65 66 61 75 6c 74 22 5d 2e 43 53 53 28 72 2c 6f 29 3b 76 61 72 20 73 3d 6e 75 6c 6c 3d 3d 3d 61 7c 7c 76 6f 69 64 20 30 3d 3d 3d 61 3f 76 6f 69 64 20 30 3a 61 2e 69 66 72 61 6d 65 3b 73 3f 28 30 2c 63 2e 61 64 64 44 6f 6d 43 6c 61 Data Ascii: aptcha-container"):(r.className="tcaptcha-container",r.id="tcaptcha_container",this._div=r);var o={width:"".concat(i.width,"px"),height:"".concat(i.height,"px"),opacity:"1"};n["default"].CSS(r,o);var s=null===a\|\|void 0===a?void 0:a.iframe;s?(0,c.addDomCla

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49760	43.154.254.89	443	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 16:22:23 UTC	538	OUT	GET /template/drag_ele.html HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, / Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2 Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: turing.captcha.qcloud.com Connection: Keep-Alive
2024-10-31 16:22:23 UTC	233	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 16:22:23 GMT Content-Type: text/html Content-Length: 60039 Connection: close P3P: CP=CAO PSA OUR Pragma: No-cache Server: Trpc httpd Server: tencent http server Accept-Ranges: bytes
2024-10-31 16:22:23 UTC	1172	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6d 75 6c 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 6e 64 65 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 3e 3c 74 69 74 6c 65 3e e9 aa 8c e8 af 81 e7 a0 81 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 77 69 6e 64 6f 77 2e 53 65 74 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 53 65 74 3f 53 65 74 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 76 61 72 20 61 70 69 44 6f 6d 61 69 6e 3d 77 69 6e 64 6f 77 2e 6e 61 6d 65 3b 77 69 6e 64 6f 77 2e 54 43 61 70 74 63 68 61 41 70 69 44 6f 6d 61 69 Data Ascii: <!DOCTYPE html><html lang="mul"><head><meta charset="UTF-8"><meta name="renderer" content="webkit"><title></title><script type="text/javascript">window.Set="undefined"!=typeof Set?Set:function(){};var apiDomain=window.name;window.TCaptchaApiDomai
2024-10-31 16:22:23 UTC	4096	IN	Data Raw: 75 6e 63 74 69 6f 6e 28 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 76 61 72 20 6e 3d 2f 5e 5b 5c 5d 2c 3a 7b 7d 5c 73 5d 2a 24 2f 2c 72 3d 2f 5c 5c 28 3f 3a 5b 22 5c 5c 5c 2f 62 66 6e 72 74 5d 7c 75 5b 30 2d 39 61 2d 66 41 2d 46 5d 7b 34 7d 29 2f 67 2c 6f 3d 2f 22 5b 5e 22 5c 5c 5c 6e 5c 72 5d 2a 22 7c 74 72 75 65 7c 66 61 6c 73 65 7c 6e 75 6c 6c 7c 2d 3f 5c 64 2b 28 3f 3a 5c 2e 5c 64 2a 29 3f 28 3f 3a 5b 65 45 5d 5b 2b 5c 2d 5d 3f 5c 64 2b 29 3f 2f 67 2c 69 3d 2f 28 3f 3a 5e 7c 3a 7c 2c 29 28 3f 3a 5c 73 2a 5c 5b 29 2b 2f 67 2c 65 3d 2f 5b 5c 5c 22 5c 75 30 30 30 30 2d 5c 75 30 30 31 66 5c 75 30 30 37 66 2d 5c 75 30 30 39 66 5c 75 30 30 61 64 5c 75 30 36 30 30 2d 5c 75 30 36 30 34 5c 75 30 37 30 66 5c 75 31 37 62 34 5c 75 31 37 62 35 5c 75 32 30 30 63 Data Ascii: unction(){"use strict";var n=/^[\],:{}\s]$/,r=/\\(?:["\\\/bfnrt]\|u[0-9a-fA-F]{4})/g,o=/"[^"\\\n\r]"\|true\|false\|null\|-?\d+(?:\.\d)?(?:[eE][+\-]?\d+)?/g,i=/(?:^\|:\|,)(?:\s\[)+/g,e=/[\\"\u0000-\u001f\u007f-\u009f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c
2024-10-31 16:22:23 UTC	4096	IN	Data Raw: 72 65 6d 3d 6e 2c 73 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 64 70 72 22 2c 31 29 3b 74 72 79 7b 76 61 72 20 72 3d 70 61 72 73 65 46 6c 6f 61 74 28 67 65 74 43 6f 6d 70 75 74 65 64 53 74 79 6c 65 28 73 29 2e 66 6f 6e 74 53 69 7a 65 29 3b 69 66 28 2e 35 3c 4d 61 74 68 2e 61 62 73 28 72 2d 6e 29 29 7b 76 61 72 20 61 3d 72 2f 6e 3b 73 2e 73 74 79 6c 65 2e 66 6f 6e 74 53 69 7a 65 3d 6e 2f 61 2b 22 70 78 22 7d 7d 63 61 74 63 68 28 64 29 7b 7d 69 66 28 21 65 29 73 77 69 74 63 68 28 65 3d 70 3f 77 69 6e 64 6f 77 2e 6f 72 69 65 6e 74 61 74 69 6f 6e 3a 6e 75 6c 6c 29 7b 63 61 73 65 20 39 30 3a 63 61 73 65 2d 39 30 3a 65 3d 22 6c 61 6e 64 73 63 61 70 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 30 3a 65 3d 22 70 6f 72 74 72 61 69 74 22 3b 62 72 65 Data Ascii: rem=n,s.setAttribute("data-dpr",1);try{var r=parseFloat(getComputedStyle(s).fontSize);if(.5<Math.abs(r-n)){var a=r/n;s.style.fontSize=n/a+"px"}}catch(d){}if(!e)switch(e=p?window.orientation:null){case 90:case-90:e="landscape";break;case 0:e="portrait";bre
2024-10-31 16:22:23 UTC	4096	IN	Data Raw: 29 3b 6c 65 66 74 3a 31 32 70 78 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 64 6f 74 30 7b 74 6f 7b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 28 31 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 28 31 29 3b 6c 65 66 74 3a 31 32 70 78 7d 7d 40 2d 77 65 62 6b 69 74 2d 6b 65 79 66 72 61 6d 65 73 20 64 6f 74 31 7b 74 6f 7b 6c 65 66 74 3a 32 38 70 78 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 64 6f 74 31 7b 74 6f 7b 6c 65 66 74 3a 32 38 70 78 7d 7d 40 2d 77 65 62 6b 69 74 2d 6b 65 79 66 72 61 6d 65 73 20 64 6f 74 32 7b 74 6f 7b 6c 65 66 74 3a 34 33 70 78 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 64 6f 74 32 7b 74 6f 7b 6c 65 66 74 3a 34 33 70 78 7d 7d 40 2d 77 65 62 6b 69 74 2d 6b 65 79 66 72 61 6d 65 73 20 64 6f 74 33 7b 38 30 25 7b 6c 65 Data Ascii: );left:12px}}@keyframes dot0{to{-webkit-transform:scale(1);transform:scale(1);left:12px}}@-webkit-keyframes dot1{to{left:28px}}@keyframes dot1{to{left:28px}}@-webkit-keyframes dot2{to{left:43px}}@keyframes dot2{to{left:43px}}@-webkit-keyframes dot3{80%{le
2024-10-31 16:22:23 UTC	528	IN	Data Raw: 7b 77 69 64 74 68 3a 31 30 30 25 3b 68 65 69 67 68 74 3a 61 75 74 6f 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 62 67 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 31 7d 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 62 67 20 2e 74 63 2d 62 67 2d 69 6d 67 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 77 69 64 74 68 3a 31 30 30 25 3b 68 65 69 67 68 74 3a 61 75 74 6f 3b 6f 70 61 63 69 74 79 3a 30 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 6f 70 61 63 69 74 79 20 2e 35 73 3b 2d 6f 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 6f 70 61 63 69 74 79 20 Data Ascii: {width:100%;height:auto;display:block;visibility:hidden}.body-wrap .tc-bg{position:absolute;top:0;left:0;width:100%;z-index:1}.body-wrap .tc-bg .tc-bg-img{display:block;width:100%;height:auto;opacity:0;-webkit-transition:opacity .5s;-o-transition:opacity
2024-10-31 16:22:23 UTC	2848	IN	Data Raw: 79 2d 77 72 61 70 20 2e 74 63 2d 66 61 69 6c 20 2e 74 63 2d 66 61 69 6c 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 39 39 39 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 36 36 70 78 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 32 35 25 7d 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 66 61 69 6c 20 2e 74 63 2d 66 61 69 6c 2d 62 74 6e 7b 77 69 64 74 68 3a 34 34 70 78 3b 68 65 69 67 68 74 3a 32 38 70 78 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 61 75 74 6f 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 45 51 41 41 41 41 75 43 41 4d 41 41 41 Data Ascii: y-wrap .tc-fail .tc-fail-text{color:#999;font-size:15px;text-align:center;padding-top:66px;padding-top:25%}.body-wrap .tc-fail .tc-fail-btn{width:44px;height:28px;margin:10px auto;background:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEQAAAAuCAMAAA
2024-10-31 16:22:23 UTC	1424	IN	Data Raw: 61 70 20 2e 61 67 65 64 2d 69 63 6f 6e 2e 73 68 6f 77 2c 2e 62 6f 64 79 2d 77 72 61 70 20 2e 6e 6f 72 6d 61 6c 2d 76 65 72 69 66 79 2d 69 63 6f 6e 2e 73 68 6f 77 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 61 63 74 69 6f 6e 2e 74 63 2d 61 63 74 69 6f 6e 2d 2d 61 67 65 64 2c 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 61 63 74 69 6f 6e 2e 74 63 2d 61 63 74 69 6f 6e 2d 2d 6e 6f 72 6d 61 6c 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 61 63 74 69 6f 6e 2e 74 63 2d 61 63 74 69 6f 6e 2d 2d 61 67 65 64 20 69 6d 67 2c 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 61 63 74 69 6f 6e 2e 74 63 2d 61 63 74 69 6f 6e 2d 2d 6e 6f 72 6d 61 6c 20 69 6d 67 7b 77 Data Ascii: ap .aged-icon.show,.body-wrap .normal-verify-icon.show{display:block}.body-wrap .tc-action.tc-action--aged,.body-wrap .tc-action.tc-action--normal{display:inline-block}.body-wrap .tc-action.tc-action--aged img,.body-wrap .tc-action.tc-action--normal img{w
2024-10-31 16:22:23 UTC	2848	IN	Data Raw: 2d 66 61 69 6c 20 2e 74 63 2d 66 61 69 6c 2c 2e 62 6f 64 79 2d 77 72 61 70 20 2e 73 68 6f 77 2d 73 75 63 63 65 73 73 20 2e 74 63 2d 73 75 63 63 65 73 73 7b 76 69 73 69 62 69 6c 69 74 79 3a 76 69 73 69 62 6c 65 7d 2e 62 6f 64 79 2d 77 72 61 70 20 2e 68 69 64 65 2d 66 65 65 64 62 61 63 6b 20 2e 73 68 6f 77 2d 46 42 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 62 6f 64 79 2d 77 72 61 70 20 2e 73 68 6f 77 2d 65 6d 62 65 64 2d 6c 61 62 20 23 65 5f 6c 61 62 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 62 6f 64 79 2d 77 72 61 70 20 2e 73 68 6f 77 2d 63 6f 6d 70 61 6e 79 2d 6e 6f 74 65 20 2e 74 63 61 70 74 63 68 61 2d 6e 6f 74 65 2d 2d 63 6f 6d 70 61 6e 79 2c 2e 62 6f 64 79 2d 77 72 61 70 20 2e 73 68 6f 77 2d 65 72 72 6f 72 2d 74 69 70 20 2e 74 63 2d 6e 6f 74 Data Ascii: -fail .tc-fail,.body-wrap .show-success .tc-success{visibility:visible}.body-wrap .hide-feedback .show-FB{display:none}.body-wrap .show-embed-lab #e_lab{display:block}.body-wrap .show-company-note .tcaptcha-note--company,.body-wrap .show-error-tip .tc-not
2024-10-31 16:22:23 UTC	1424	IN	Data Raw: 78 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 33 70 78 3b 7a 2d 69 6e 64 65 78 3a 31 7d 2e 74 79 70 65 2d 65 6d 62 65 64 20 2e 74 63 2d 63 61 70 74 63 68 61 20 2e 74 63 2d 70 6f 70 75 70 2d 68 65 61 64 65 72 2d 77 72 61 70 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 74 79 70 65 2d 65 6d 62 65 64 20 2e 74 63 2d 63 61 70 74 63 68 61 20 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 74 69 74 6c 65 2d 77 72 61 70 7b 68 65 69 67 68 74 3a 32 36 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 74 79 70 65 2d 65 6d 62 65 64 20 2e 74 63 2d 63 61 70 74 63 68 61 20 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 74 69 74 6c 65 2d 77 72 61 70 20 2e 74 63 2d 74 69 74 6c 65 7b 66 6f 6e 74 2d 77 65 69 67 68 Data Ascii: x;border-radius:3px;z-index:1}.type-embed .tc-captcha .tc-popup-header-wrap{display:none}.type-embed .tc-captcha .body-wrap .tc-title-wrap{height:26px;overflow:hidden;position:relative}.type-embed .tc-captcha .body-wrap .tc-title-wrap .tc-title{font-weigh
2024-10-31 16:22:23 UTC	2848	IN	Data Raw: 62 65 64 20 2e 74 63 2d 63 61 70 74 63 68 61 20 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 74 69 74 6c 65 2d 77 72 61 70 20 2e 74 63 61 70 74 63 68 61 2d 65 6d 62 65 64 20 2e 6e 6f 72 6d 61 6c 2d 76 65 72 69 66 79 2d 69 63 6f 6e 2e 73 68 6f 77 2c 2e 74 79 70 65 2d 65 6d 62 65 64 20 2e 74 63 2d 63 61 70 74 63 68 61 20 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 74 69 74 6c 65 2d 77 72 61 70 20 2e 74 63 61 70 74 63 68 61 2d 65 6d 62 65 64 20 2e 76 65 72 69 66 79 2d 62 74 6e 2e 73 68 6f 77 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 74 79 70 65 2d 65 6d 62 65 64 20 2e 74 63 2d 63 61 70 74 63 68 61 20 2e 62 6f 64 79 2d 77 72 61 70 20 2e 74 63 2d 74 69 74 6c 65 2d 77 72 61 70 20 2e 74 63 61 70 74 63 68 61 2d 65 6d 62 65 64 20 2e 76 65 72 69 66 79 2d 62 Data Ascii: bed .tc-captcha .body-wrap .tc-title-wrap .tcaptcha-embed .normal-verify-icon.show,.type-embed .tc-captcha .body-wrap .tc-title-wrap .tcaptcha-embed .verify-btn.show{display:block}.type-embed .tc-captcha .body-wrap .tc-title-wrap .tcaptcha-embed .verify-b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49761	60.221.17.65	443	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 16:22:25 UTC	385	OUT	GET /1/dy-jy3.js HTTP/1.1 Accept: / Referer: https://turing.captcha.qcloud.com/template/drag_ele.html Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: turing.captcha.gtimg.com Connection: Keep-Alive
2024-10-31 16:22:25 UTC	580	IN	HTTP/1.1 200 OK Last-Modified: Mon, 03 Jun 2024 02:46:02 GMT Etag: "626436a6c87a002eb7e8a99c6f5f96b6" Content-Type: application/javascript Date: Mon, 17 Jun 2024 07:44:32 GMT Server: tencent-cos x-cos-hash-crc64ecma: 15729484442061824980 x-cos-request-id: NjY2ZmU5NjBfZDJiZDk0MGFfMTFjYjBfMTgxNGRiZg== x-cos-storage-class: MAZ_STANDARD x-cosindex-replication-status: Complete Content-Length: 89391 Accept-Ranges: bytes X-NWS-LOG-UUID: 11830128573201597978 Connection: close X-Cache-Lookup: Cache Hit Access-Control-Allow-Origin: * Cache-Control: max-age=2592000
2024-10-31 16:22:26 UTC	16384	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 2e 64 6f 63 75 6d 65 6e 74 3f 74 28 65 2c 21 30 29 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 66 28 21 65 2e 64 6f 63 75 6d 65 6e 74 29 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 6a 51 75 65 72 79 20 72 65 71 75 69 72 65 73 20 61 20 77 69 6e 64 6f 77 20 77 69 74 68 20 61 20 64 6f 63 75 6d 65 6e 74 22 29 3b 72 65 74 75 72 6e 20 74 28 65 29 7d 3a 74 28 65 29 7d 28 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 3f 77 69 6e Data Ascii: !function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?win
2024-10-31 16:22:26 UTC	16384	IN	Data Raw: 6c 65 28 61 3d 2b 2b 73 26 26 61 26 26 61 5b 6c 5d 7c 7c 28 64 3d 73 3d 30 29 7c 7c 75 2e 70 6f 70 28 29 29 69 66 28 28 78 3f 61 2e 6e 6f 64 65 4e 61 6d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3d 3d 3d 66 3a 31 3d 3d 3d 61 2e 6e 6f 64 65 54 79 70 65 29 26 26 2b 2b 64 26 26 28 70 26 26 28 28 69 3d 28 6f 3d 61 5b 53 5d 7c 7c 28 61 5b 53 5d 3d 7b 7d 29 29 5b 61 2e 75 6e 69 71 75 65 49 44 5d 7c 7c 28 6f 5b 61 2e 75 6e 69 71 75 65 49 44 5d 3d 7b 7d 29 29 5b 68 5d 3d 5b 6b 2c 64 5d 29 2c 61 3d 3d 3d 65 29 29 62 72 65 61 6b 3b 72 65 74 75 72 6e 28 64 2d 3d 76 29 3d 3d 3d 67 7c 7c 64 25 67 3d 3d 30 26 26 30 3c 3d 64 2f 67 7d 7d 7d 2c 50 53 45 55 44 4f 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 6f 29 7b 76 61 72 20 74 2c 61 3d 62 2e 70 73 65 75 64 6f 73 5b 65 5d 7c Data Ascii: le(a=++s&&a&&a[l]\|\|(d=s=0)\|\|u.pop())if((x?a.nodeName.toLowerCase()===f:1===a.nodeType)&&++d&&(p&&((i=(o=a[S]\|\|(a[S]={}))[a.uniqueID]\|\|(o[a.uniqueID]={}))[h]=[k,d]),a===e))break;return(d-=v)===g\|\|d%g==0&&0<=d/g}}},PSEUDO:function(e,o){var t,a=b.pseudos[e]\|
2024-10-31 16:22:26 UTC	16384	IN	Data Raw: 61 6e 64 6f 2b 47 2e 75 69 64 2b 2b 7d 47 2e 75 69 64 3d 31 2c 47 2e 70 72 6f 74 6f 74 79 70 65 3d 7b 63 61 63 68 65 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 65 5b 74 68 69 73 2e 65 78 70 61 6e 64 6f 5d 3b 72 65 74 75 72 6e 20 74 7c 7c 28 74 3d 7b 7d 2c 56 28 65 29 26 26 28 65 2e 6e 6f 64 65 54 79 70 65 3f 65 5b 74 68 69 73 2e 65 78 70 61 6e 64 6f 5d 3d 74 3a 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 65 2c 74 68 69 73 2e 65 78 70 61 6e 64 6f 2c 7b 76 61 6c 75 65 3a 74 2c 63 6f 6e 66 69 67 75 72 61 62 6c 65 3a 21 30 7d 29 29 29 2c 74 7d 2c 73 65 74 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 2c 69 3d 74 68 69 73 2e 63 61 63 68 65 28 65 29 3b 69 66 28 22 73 74 72 69 6e 67 22 3d 3d 74 79 70 65 6f Data Ascii: ando+G.uid++}G.uid=1,G.prototype={cache:function(e){var t=e[this.expando];return t\|\|(t={},V(e)&&(e.nodeType?e[this.expando]=t:Object.defineProperty(e,this.expando,{value:t,configurable:!0}))),t},set:function(e,t,n){var r,i=this.cache(e);if("string"==typeo
2024-10-31 16:22:26 UTC	16384	IN	Data Raw: 6c 75 65 29 3b 69 66 28 74 29 69 66 28 6e 29 66 6f 72 28 6f 3d 6f 7c 7c 76 65 28 65 29 2c 61 3d 61 7c 7c 76 65 28 63 29 2c 72 3d 30 2c 69 3d 6f 2e 6c 65 6e 67 74 68 3b 72 3c 69 3b 72 2b 2b 29 4f 65 28 6f 5b 72 5d 2c 61 5b 72 5d 29 3b 65 6c 73 65 20 4f 65 28 65 2c 63 29 3b 72 65 74 75 72 6e 20 30 3c 28 61 3d 76 65 28 63 2c 22 73 63 72 69 70 74 22 29 29 2e 6c 65 6e 67 74 68 26 26 79 65 28 61 2c 21 66 26 26 76 65 28 65 2c 22 73 63 72 69 70 74 22 29 29 2c 63 7d 2c 63 6c 65 61 6e 44 61 74 61 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 74 2c 6e 2c 72 2c 69 3d 53 2e 65 76 65 6e 74 2e 73 70 65 63 69 61 6c 2c 6f 3d 30 3b 76 6f 69 64 20 30 21 3d 3d 28 6e 3d 65 5b 6f 5d 29 3b 6f 2b 2b 29 69 66 28 56 28 6e 29 29 7b 69 66 28 74 3d 6e 5b 59 2e 65 78 Data Ascii: lue);if(t)if(n)for(o=o\|\|ve(e),a=a\|\|ve(c),r=0,i=o.length;r<i;r++)Oe(o[r],a[r]);else Oe(e,c);return 0<(a=ve(c,"script")).length&&ye(a,!f&&ve(e,"script")),c},cleanData:function(e){for(var t,n,r,i=S.event.special,o=0;void 0!==(n=e[o]);o++)if(V(n)){if(t=n[Y.ex

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49762	60.221.17.65	443	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 16:22:28 UTC	394	OUT	GET /1/dy-ele.16bf5dd7.js HTTP/1.1 Accept: / Referer: https://turing.captcha.qcloud.com/template/drag_ele.html Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: turing.captcha.gtimg.com Connection: Keep-Alive
2024-10-31 16:22:28 UTC	765	IN	HTTP/1.1 200 OK Last-Modified: Fri, 20 Sep 2024 09:36:25 GMT Etag: "c66dc8b719955848dd1bc2d0d3b1707d" Content-Type: application/javascript Date: Mon, 23 Sep 2024 07:16:49 GMT Server: tencent-cos x-cos-hash-crc64ecma: 3691018982348321311 x-cos-request-id: NjZmMTE1ZTFfNGFlZTdhMGJfY2NhYV8zZWVjMzYy x-cos-storage-class: MAZ_STANDARD x-cos-trace-id: OGVmYzZiMmQzYjA2OWNhODk0NTRkMTBiOWVmMDAxODc0OWRkZjk0ZDM1NmI1M2E2MTRlY2MzZDhmNmI5MWI1OWE4OGMxZjNjY2JiNTBmMTVmMWY1MzAzYzkyZGQ2ZWM4MzZkMTZiZDQxYTg4MzRiMzIwYzRkYTRjMWFkNDM3YjQ= x-cosindex-replication-status: Complete Content-Length: 170363 Accept-Ranges: bytes X-NWS-LOG-UUID: 7023734620979725911 Connection: close X-Cache-Lookup: Cache Hit Access-Control-Allow-Origin: * Cache-Control: max-age=2592000
2024-10-31 16:22:28 UTC	16384	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 65 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 72 28 6e 29 7b 69 66 28 65 5b 6e 5d 29 72 65 74 75 72 6e 20 65 5b 6e 5d 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 69 3d 65 5b 6e 5d 3d 7b 69 3a 6e 2c 6c 3a 21 31 2c 65 78 70 6f 72 74 73 3a 7b 5f 5f 65 73 4d 6f 64 75 6c 65 3a 20 75 6e 64 65 66 69 6e 65 64 7d 7d 3b 72 65 74 75 72 6e 20 74 5b 6e 5d 2e 63 61 6c 6c 28 69 2e 65 78 70 6f 72 74 73 2c 69 2c 69 2e 65 78 70 6f 72 74 73 2c 72 29 2c 69 2e 6c 3d 21 30 2c 69 2e 65 78 70 6f 72 74 73 7d 72 2e 6d 3d 74 2c 72 2e 63 3d 65 2c 72 2e 64 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 65 2c 6e 29 7b 72 2e 6f 28 74 2c 65 29 7c 7c 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 74 2c 65 2c 7b 65 6e 75 6d 65 72 61 62 6c Data Ascii: !function(t){var e={};function r(n){if(e[n])return e[n].exports;var i=e[n]={i:n,l:!1,exports:{__esModule: undefined}};return t[n].call(i.exports,i,i.exports,r),i.l=!0,i.exports}r.m=t,r.c=e,r.d=function(t,e,n){r.o(t,e)\|\|Object.defineProperty(t,e,{enumerabl
2024-10-31 16:22:29 UTC	16384	IN	Data Raw: 75 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 6f 26 26 22 5f 5f 70 72 6f 74 6f 5f 5f 22 3d 3d 3d 65 2e 6e 61 6d 65 3f 6f 28 74 2c 65 2e 6e 61 6d 65 2c 7b 65 6e 75 6d 65 72 61 62 6c 65 3a 21 30 2c 63 6f 6e 66 69 67 75 72 61 62 6c 65 3a 21 30 2c 76 61 6c 75 65 3a 65 2e 6e 65 77 56 61 6c 75 65 2c 77 72 69 74 61 62 6c 65 3a 21 30 7d 29 3a 74 5b 65 2e 6e 61 6d 65 5d 3d 65 2e 6e 65 77 56 61 6c 75 65 7d 2c 64 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 69 66 28 22 5f 5f 70 72 6f 74 6f 5f 5f 22 3d 3d 3d 65 29 7b 69 66 28 21 6e 2e 63 61 6c 6c 28 74 2c 65 29 29 72 65 74 75 72 6e 3b 69 66 28 61 29 72 65 74 75 72 6e 20 61 28 74 2c 65 29 2e 76 61 6c 75 65 7d 72 65 74 75 72 6e 20 74 5b 65 5d 7d 3b 74 2e 65 78 70 6f 72 74 73 3d 66 75 6e 63 74 69 6f 6e 20 6c 28 29 7b Data Ascii: u=function(t,e){o&&"__proto__"===e.name?o(t,e.name,{enumerable:!0,configurable:!0,value:e.newValue,writable:!0}):t[e.name]=e.newValue},d=function(t,e){if("__proto__"===e){if(!n.call(t,e))return;if(a)return a(t,e).value}return t[e]};t.exports=function l(){
2024-10-31 16:22:29 UTC	16384	IN	Data Raw: 5b 5c 77 5c 2e 5d 2a 29 2f 69 5d 2c 5b 64 2c 5b 73 2c 22 53 79 6d 62 69 61 6e 22 5d 5d 2c 5b 2f 6d 6f 7a 69 6c 6c 61 5c 2f 5b 5c 64 5c 2e 5d 2b 20 5c 28 28 3f 3a 6d 6f 62 69 6c 65 7c 74 61 62 6c 65 74 7c 74 76 7c 6d 6f 62 69 6c 65 3b 20 5b 5c 77 20 5d 2b 29 3b 20 72 76 3a 2e 2b 20 67 65 63 6b 6f 5c 2f 28 5b 5c 77 5c 2e 5d 2b 29 2f 69 5d 2c 5b 64 2c 5b 73 2c 22 46 69 72 65 66 6f 78 20 4f 53 22 5d 5d 2c 5b 2f 77 65 62 30 73 3b 2e 2b 72 74 28 74 76 29 2f 69 2c 2f 5c 62 28 3f 3a 68 70 29 3f 77 6f 73 28 3f 3a 62 72 6f 77 73 65 72 29 3f 5c 2f 28 5b 5c 77 5c 2e 5d 2b 29 2f 69 5d 2c 5b 64 2c 5b 73 2c 22 77 65 62 4f 53 22 5d 5d 2c 5b 2f 77 61 74 63 68 28 3f 3a 20 3f 6f 73 5b 2c 5c 2f 5d 7c 5c 64 2c 5c 64 5c 2f 29 28 5b 5c 64 5c 2e 5d 2b 29 2f 69 5d 2c 5b 64 2c 5b Data Ascii: [\w\.]*)/i],[d,[s,"Symbian"]],[/mozilla\/[\d\.]+ \((?:mobile\|tablet\|tv\|mobile; [\w ]+); rv:.+ gecko\/([\w\.]+)/i],[d,[s,"Firefox OS"]],[/web0s;.+rt(tv)/i,/\b(?:hp)?wos(?:browser)?\/([\w\.]+)/i],[d,[s,"webOS"]],[/watch(?: ?os[,\/]\|\d,\d\/)([\d\.]+)/i],[d,[
2024-10-31 16:22:29 UTC	16384	IN	Data Raw: 74 29 7d 29 7c 7c 22 6d 69 6e 69 70 72 6f 67 72 61 6d 22 3d 3d 3d 77 69 6e 64 6f 77 2e 5f 5f 77 78 6a 73 5f 65 6e 76 69 72 6f 6e 6d 65 6e 74 29 72 65 74 75 72 6e 20 69 3b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 22 6d 65 74 61 22 29 3b 74 72 79 7b 66 6f 72 28 76 61 72 20 75 3d 6e 28 61 29 2c 70 3d 75 2e 6e 65 78 74 28 29 3b 21 70 2e 64 6f 6e 65 3b 70 3d 75 2e 6e 65 78 74 28 29 29 7b 76 61 72 20 66 3d 70 2e 76 61 6c 75 65 3b 69 66 28 66 2e 68 74 74 70 45 71 75 69 76 2e 6d 61 74 63 68 28 2f 63 6f 6e 74 65 6e 74 2d 73 65 63 75 72 69 74 79 2d 70 6f 6c 69 63 79 2f 69 29 29 7b 76 61 72 20 68 3d 66 2e 63 6f 6e 74 65 6e 74 2e 6d 61 74 63 68 28 2f 66 72 61 6d 65 2d 73 72 63 2e 2a 3b 2f 69 29 3b 69 66 28 28 30 Data Ascii: t)})\|\|"miniprogram"===window.__wxjs_environment)return i;var a=document.querySelectorAll("meta");try{for(var u=n(a),p=u.next();!p.done;p=u.next()){var f=p.value;if(f.httpEquiv.match(/content-security-policy/i)){var h=f.content.match(/frame-src.*;/i);if((0
2024-10-31 16:22:29 UTC	16384	IN	Data Raw: 75 31 30 33 61 5c 75 31 30 33 38 5c 75 31 30 32 31 5c 75 31 30 33 31 5c 75 31 30 32 63 5c 75 31 30 30 34 5c 75 31 30 33 61 22 2c 22 5c 75 31 30 30 30 5c 75 31 30 33 64 5c 75 31 30 31 34 5c 75 31 30 33 61 5c 75 31 30 31 62 5c 75 31 30 30 30 5c 75 31 30 33 61 5c 75 31 30 32 31 5c 75 31 30 30 31 5c 75 31 30 33 62 5c 75 31 30 32 64 5c 75 31 30 31 34 5c 75 31 30 33 61 5c 75 31 30 31 63 5c 75 31 30 33 64 5c 75 31 30 31 34 5c 75 31 30 33 61 5c 75 31 30 31 35 5c 75 31 30 33 63 5c 75 31 30 32 65 5c 75 31 30 34 62 20 5c 75 31 30 31 31 5c 75 31 30 31 35 5c 75 31 30 33 61 5c 75 31 30 31 63 5c 75 31 30 32 66 5c 75 31 30 31 35 5c 75 31 30 33 61 5c 75 31 30 31 35 5c 75 31 30 32 62 5c 75 31 30 34 62 22 2c 22 5c 75 31 30 32 31 5c 75 31 30 31 30 5c 75 31 30 30 61 5c 75 31 Data Ascii: u103a\u1038\u1021\u1031\u102c\u1004\u103a","\u1000\u103d\u1014\u103a\u101b\u1000\u103a\u1021\u1001\u103b\u102d\u1014\u103a\u101c\u103d\u1014\u103a\u1015\u103c\u102e\u104b \u1011\u1015\u103a\u101c\u102f\u1015\u103a\u1015\u102b\u104b","\u1021\u1010\u100a\u1
2024-10-31 16:22:29 UTC	16384	IN	Data Raw: 30 65 32 31 5c 75 30 65 34 38 5c 75 30 65 31 35 5c 75 30 65 32 33 5c 75 30 65 30 37 5c 75 30 65 30 31 5c 75 30 65 33 31 5c 75 30 65 31 61 5c 75 30 65 31 35 5c 75 30 65 33 33 5c 75 30 65 34 31 5c 75 30 65 32 62 5c 75 30 65 31 39 5c 75 30 65 34 38 5c 75 30 65 30 37 5c 75 30 65 31 37 5c 75 30 65 33 35 5c 75 30 65 34 38 5c 75 30 65 31 35 5c 75 30 65 33 31 5c 75 30 65 34 39 5c 75 30 65 30 37 5c 75 30 65 30 38 5c 75 30 65 32 33 5c 75 30 65 33 34 5c 75 30 65 30 37 20 5c 75 30 65 34 32 5c 75 30 65 31 62 5c 75 30 65 32 33 5c 75 30 65 31 34 5c 75 30 65 31 35 5c 75 30 65 33 34 5c 75 30 65 31 34 5c 75 30 65 31 35 5c 75 30 65 34 38 5c 75 30 65 32 64 5c 75 30 65 31 37 5c 75 30 65 33 35 5c 75 30 65 32 31 20 43 61 70 74 63 68 61 22 5d 2c 74 72 3a 5b 22 44 6f 5c 75 30 31 Data Ascii: 0e21\u0e48\u0e15\u0e23\u0e07\u0e01\u0e31\u0e1a\u0e15\u0e33\u0e41\u0e2b\u0e19\u0e48\u0e07\u0e17\u0e35\u0e48\u0e15\u0e31\u0e49\u0e07\u0e08\u0e23\u0e34\u0e07 \u0e42\u0e1b\u0e23\u0e14\u0e15\u0e34\u0e14\u0e15\u0e48\u0e2d\u0e17\u0e35\u0e21 Captcha"],tr:["Do\u01
2024-10-31 16:22:29 UTC	16384	IN	Data Raw: 29 2c 5f 2c 64 2c 74 5b 65 2b 31 32 5d 2c 32 30 2c 2d 31 39 32 36 36 30 37 37 33 34 29 2c 67 3d 66 28 67 2c 5f 3d 66 28 5f 2c 64 3d 66 28 64 2c 70 2c 67 2c 5f 2c 74 5b 65 2b 35 5d 2c 34 2c 2d 33 37 38 35 35 38 29 2c 70 2c 67 2c 74 5b 65 2b 38 5d 2c 31 31 2c 2d 32 30 32 32 35 37 34 34 36 33 29 2c 64 2c 70 2c 74 5b 65 2b 31 31 5d 2c 31 36 2c 31 38 33 39 30 33 30 35 36 32 29 2c 5f 2c 64 2c 74 5b 65 2b 31 34 5d 2c 32 33 2c 2d 33 35 33 30 39 35 35 36 29 2c 67 3d 66 28 67 2c 5f 3d 66 28 5f 2c 64 3d 66 28 64 2c 70 2c 67 2c 5f 2c 74 5b 65 2b 31 5d 2c 34 2c 2d 31 35 33 30 39 39 32 30 36 30 29 2c 70 2c 67 2c 74 5b 65 2b 34 5d 2c 31 31 2c 31 32 37 32 38 39 33 33 35 33 29 2c 64 2c 70 2c 74 5b 65 2b 37 5d 2c 31 36 2c 2d 31 35 35 34 39 37 36 33 32 29 2c 5f 2c 64 2c 74 Data Ascii: ),_,d,t[e+12],20,-1926607734),g=f(g,_=f(_,d=f(d,p,g,_,t[e+5],4,-378558),p,g,t[e+8],11,-2022574463),d,p,t[e+11],16,1839030562),_,d,t[e+14],23,-35309556),g=f(g,_=f(_,d=f(d,p,g,_,t[e+1],4,-1530992060),p,g,t[e+4],11,1272893353),d,p,t[e+7],16,-155497632),_,d,t
2024-10-31 16:22:29 UTC	16384	IN	Data Raw: 5f 32 2f 69 2e 74 65 73 74 28 69 29 29 7b 74 2e 69 6e 66 6f 3d 22 6b 2d 74 6f 75 63 68 5f 74 6f 75 5f 63 68 5f 32 22 2c 28 65 3d 69 2e 6d 61 74 63 68 28 2f 6b 2d 74 6f 75 63 68 5f 74 6f 75 5f 63 68 5f 32 5c 2f 28 5b 5c 73 5d 2b 29 2f 69 29 29 26 26 28 74 2e 76 65 72 73 69 6f 6e 3d 65 5b 31 5d 29 7d 65 6c 73 65 20 69 66 28 2f 63 68 72 6f 6d 65 2f 69 2e 74 65 73 74 28 69 29 29 7b 74 2e 69 6e 66 6f 3d 22 63 68 72 6f 6d 65 22 2c 28 65 3d 69 2e 6d 61 74 63 68 28 2f 63 68 72 6f 6d 65 5c 2f 28 5b 5c 64 2e 5d 2b 29 2f 69 29 29 26 26 28 74 2e 76 65 72 73 69 6f 6e 3d 65 5b 31 5d 29 7d 65 6c 73 65 20 69 66 28 2f 73 61 66 61 72 69 2f 69 2e 74 65 73 74 28 69 29 26 26 2f 69 70 68 6f 6e 65 2f 69 2e 74 65 73 74 28 69 29 29 7b 76 61 72 20 65 3b 74 2e 69 6e 66 6f 3d 22 73 Data Ascii: _2/i.test(i)){t.info="k-touch_tou_ch_2",(e=i.match(/k-touch_tou_ch_2\/([\s]+)/i))&&(t.version=e[1])}else if(/chrome/i.test(i)){t.info="chrome",(e=i.match(/chrome\/([\d.]+)/i))&&(t.version=e[1])}else if(/safari/i.test(i)&&/iphone/i.test(i)){var e;t.info="s
2024-10-31 16:22:29 UTC	16384	IN	Data Raw: 75 6e 63 74 69 6f 6e 28 65 2c 72 29 7b 69 66 28 74 29 7b 76 61 72 20 6e 2c 69 3d 74 2e 45 76 65 6e 74 73 4c 69 73 74 5b 65 5d 3b 69 66 28 6e 75 6c 6c 3d 3d 3d 69 7c 7c 76 6f 69 64 20 30 3d 3d 3d 69 3f 76 6f 69 64 20 30 3a 69 2e 6c 65 6e 67 74 68 29 7b 69 3d 69 2e 73 6c 69 63 65 28 29 3b 66 6f 72 28 76 61 72 20 6f 3d 30 3b 6f 3c 69 2e 6c 65 6e 67 74 68 3b 6f 2b 2b 29 7b 6e 3d 69 5b 6f 5d 3b 74 72 79 7b 76 61 72 20 61 3d 6e 2e 63 61 6c 6c 62 61 63 6b 2e 61 70 70 6c 79 28 74 2c 5b 72 5d 29 3b 69 66 28 31 3d 3d 3d 6e 2e 74 79 70 65 26 26 74 2e 72 65 6d 6f 76 65 28 65 2c 6e 2e 63 61 6c 6c 62 61 63 6b 29 2c 21 31 3d 3d 3d 61 29 62 72 65 61 6b 7d 63 61 74 63 68 28 73 29 7b 74 68 72 6f 77 20 73 7d 7d 7d 72 65 74 75 72 6e 20 74 7d 7d 2c 74 68 69 73 2e 45 76 65 6e Data Ascii: unction(e,r){if(t){var n,i=t.EventsList[e];if(null===i\|\|void 0===i?void 0:i.length){i=i.slice();for(var o=0;o<i.length;o++){n=i[o];try{var a=n.callback.apply(t,[r]);if(1===n.type&&t.remove(e,n.callback),!1===a)break}catch(s){throw s}}}return t}},this.Even
2024-10-31 16:22:29 UTC	16384	IN	Data Raw: 72 6f 72 28 22 43 6c 61 73 73 20 65 78 74 65 6e 64 73 20 76 61 6c 75 65 20 22 2b 53 74 72 69 6e 67 28 65 29 2b 22 20 69 73 20 6e 6f 74 20 61 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 6f 72 20 6e 75 6c 6c 22 29 3b 66 75 6e 63 74 69 6f 6e 20 72 28 29 7b 74 68 69 73 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 74 7d 6e 28 74 2c 65 29 2c 74 2e 70 72 6f 74 6f 74 79 70 65 3d 6e 75 6c 6c 3d 3d 3d 65 3f 4f 62 6a 65 63 74 2e 63 72 65 61 74 65 28 65 29 3a 28 72 2e 70 72 6f 74 6f 74 79 70 65 3d 65 2e 70 72 6f 74 6f 74 79 70 65 2c 6e 65 77 20 72 29 7d 29 2c 6f 3d 74 68 69 73 26 26 74 68 69 73 2e 5f 5f 72 65 61 64 7c 7c 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 76 61 72 20 72 3d 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 53 79 6d 62 6f 6c 26 26 74 5b 53 79 6d 62 Data Ascii: ror("Class extends value "+String(e)+" is not a constructor or null");function r(){this.constructor=t}n(t,e),t.prototype=null===e?Object.create(e):(r.prototype=e.prototype,new r)}),o=this&&this.__read\|\|function(t,e){var r="function"==typeof Symbol&&t[Symb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49763	43.154.254.89	443	7428	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 16:22:30 UTC	384	OUT	GET /dy-jy3.js HTTP/1.1 Accept: / Referer: https://turing.captcha.qcloud.com/template/drag_ele.html Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: turing.captcha.qcloud.com Connection: Keep-Alive
2024-10-31 16:22:31 UTC	249	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 16:22:31 GMT Content-Type: text/javascript Content-Length: 89391 Connection: close P3P: CP=CAO PSA OUR Server: Trpc httpd Server: tencent http server Accept-Ranges: bytes Cache-Control: max-age=600
2024-10-31 16:22:31 UTC	1156	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 2e 64 6f 63 75 6d 65 6e 74 3f 74 28 65 2c 21 30 29 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 66 28 21 65 2e 64 6f 63 75 6d 65 6e 74 29 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 6a 51 75 65 72 79 20 72 65 71 75 69 72 65 73 20 61 20 77 69 6e 64 6f 77 20 77 69 74 68 20 61 20 64 6f 63 75 6d 65 6e 74 22 29 3b 72 65 74 75 72 6e 20 74 28 65 29 7d 3a 74 28 65 29 7d 28 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 3f 77 69 6e Data Ascii: !function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?win
2024-10-31 16:22:31 UTC	4096	IN	Data Raw: 74 26 26 30 3c 74 26 26 74 2d 31 20 69 6e 20 65 29 7d 53 2e 66 6e 3d 53 2e 70 72 6f 74 6f 74 79 70 65 3d 7b 6a 71 75 65 72 79 3a 66 2c 63 6f 6e 73 74 72 75 63 74 6f 72 3a 53 2c 6c 65 6e 67 74 68 3a 30 2c 74 6f 41 72 72 61 79 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 73 2e 63 61 6c 6c 28 74 68 69 73 29 7d 2c 67 65 74 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 6e 75 6c 6c 3d 3d 65 3f 73 2e 63 61 6c 6c 28 74 68 69 73 29 3a 65 3c 30 3f 74 68 69 73 5b 65 2b 74 68 69 73 2e 6c 65 6e 67 74 68 5d 3a 74 68 69 73 5b 65 5d 7d 2c 70 75 73 68 53 74 61 63 6b 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 53 2e 6d 65 72 67 65 28 74 68 69 73 2e 63 6f 6e 73 74 72 75 63 74 6f 72 28 29 2c 65 29 3b 72 65 74 75 72 6e 20 74 2e 70 72 65 Data Ascii: t&&0<t&&t-1 in e)}S.fn=S.prototype={jquery:f,constructor:S,length:0,toArray:function(){return s.call(this)},get:function(e){return null==e?s.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=S.merge(this.constructor(),e);return t.pre
2024-10-31 16:22:31 UTC	4096	IN	Data Raw: 29 28 3f 3d 5b 5e 2d 5d 7c 24 29 22 2c 22 69 22 29 7d 2c 59 3d 2f 48 54 4d 4c 24 2f 69 2c 51 3d 2f 5e 28 3f 3a 69 6e 70 75 74 7c 73 65 6c 65 63 74 7c 74 65 78 74 61 72 65 61 7c 62 75 74 74 6f 6e 29 24 2f 69 2c 4a 3d 2f 5e 68 5c 64 24 2f 69 2c 4b 3d 2f 5e 5b 5e 7b 5d 2b 5c 7b 5c 73 2a 5c 5b 6e 61 74 69 76 65 20 5c 77 2f 2c 5a 3d 2f 5e 28 3f 3a 23 28 5b 5c 77 2d 5d 2b 29 7c 28 5c 77 2b 29 7c 5c 2e 28 5b 5c 77 2d 5d 2b 29 29 24 2f 2c 65 65 3d 2f 5b 2b 7e 5d 2f 2c 74 65 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 5c 5c 5b 5c 5c 64 61 2d 66 41 2d 46 5d 7b 31 2c 36 7d 22 2b 4d 2b 22 3f 7c 5c 5c 5c 5c 28 5b 5e 5c 5c 72 5c 5c 6e 5c 5c 66 5d 29 22 2c 22 67 22 29 2c 6e 65 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 6e 3d 22 30 78 22 2b 65 2e 73 6c 69 Data Ascii: )(?=[^-]\|$)","i")},Y=/HTML$/i,Q=/^(?:input\|select\|textarea\|button)$/i,J=/^h\d$/i,K=/^[^{]+\{\s*\[native \w/,Z=/^(?:#([\w-]+)\|(\w+)\|\.([\w-]+))$/,ee=/[+~]/,te=new RegExp("\\\\[\\da-fA-F]{1,6}"+M+"?\|\\\\([^\\r\\n\\f])","g"),ne=function(e,t){var n="0x"+e.sli
2024-10-31 16:22:31 UTC	4096	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 65 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 69 64 22 29 3d 3d 3d 74 7d 7d 2c 62 2e 66 69 6e 64 2e 49 44 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 69 66 28 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 26 26 45 29 7b 76 61 72 20 6e 3d 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 65 29 3b 72 65 74 75 72 6e 20 6e 3f 5b 6e 5d 3a 5b 5d 7d 7d 29 3a 28 62 2e 66 69 6c 74 65 72 2e 49 44 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 6e 3d 65 2e 72 65 70 6c 61 63 65 28 74 65 2c 6e 65 29 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 65 2e 67 Data Ascii: function(e){return e.getAttribute("id")===t}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n=t.getElementById(e);return n?[n]:[]}}):(b.filter.ID=function(e){var n=e.replace(te,ne);return function(e){var t="undefined"!=typeof e.g
2024-10-31 16:22:31 UTC	528	IN	Data Raw: 72 69 62 75 74 65 73 7c 7c 21 45 3f 65 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 74 29 3a 28 72 3d 65 2e 67 65 74 41 74 74 72 69 62 75 74 65 4e 6f 64 65 28 74 29 29 26 26 72 2e 73 70 65 63 69 66 69 65 64 3f 72 2e 76 61 6c 75 65 3a 6e 75 6c 6c 7d 2c 73 65 2e 65 73 63 61 70 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 28 65 2b 22 22 29 2e 72 65 70 6c 61 63 65 28 72 65 2c 69 65 29 7d 2c 73 65 2e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 53 79 6e 74 61 78 20 65 72 72 6f 72 2c 20 75 6e 72 65 63 6f 67 6e 69 7a 65 64 20 65 78 70 72 65 73 73 69 6f 6e 3a 20 22 2b 65 29 7d 2c 73 65 2e 75 6e 69 71 75 65 53 6f 72 74 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 2c 6e 3d 5b 5d 2c 72 Data Ascii: ributes\|\|!E?e.getAttribute(t):(r=e.getAttributeNode(t))&&r.specified?r.value:null},se.escape=function(e){return(e+"").replace(re,ie)},se.error=function(e){throw new Error("Syntax error, unrecognized expression: "+e)},se.uniqueSort=function(e){var t,n=[],r
2024-10-31 16:22:31 UTC	1424	IN	Data Raw: 29 72 65 74 75 72 6e 20 65 2e 74 65 78 74 43 6f 6e 74 65 6e 74 3b 66 6f 72 28 65 3d 65 2e 66 69 72 73 74 43 68 69 6c 64 3b 65 3b 65 3d 65 2e 6e 65 78 74 53 69 62 6c 69 6e 67 29 6e 2b 3d 6f 28 65 29 7d 65 6c 73 65 20 69 66 28 33 3d 3d 3d 69 7c 7c 34 3d 3d 3d 69 29 72 65 74 75 72 6e 20 65 2e 6e 6f 64 65 56 61 6c 75 65 7d 65 6c 73 65 20 77 68 69 6c 65 28 74 3d 65 5b 72 2b 2b 5d 29 6e 2b 3d 6f 28 74 29 3b 72 65 74 75 72 6e 20 6e 7d 2c 28 62 3d 73 65 2e 73 65 6c 65 63 74 6f 72 73 3d 7b 63 61 63 68 65 4c 65 6e 67 74 68 3a 35 30 2c 63 72 65 61 74 65 50 73 65 75 64 6f 3a 6c 65 2c 6d 61 74 63 68 3a 47 2c 61 74 74 72 48 61 6e 64 6c 65 3a 7b 7d 2c 66 69 6e 64 3a 7b 7d 2c 72 65 6c 61 74 69 76 65 3a 7b 22 3e 22 3a 7b 64 69 72 3a 22 70 61 72 65 6e 74 4e 6f 64 65 22 2c Data Ascii: )return e.textContent;for(e=e.firstChild;e;e=e.nextSibling)n+=o(e)}else if(3===i\|\|4===i)return e.nodeValue}else while(t=e[r++])n+=o(t);return n},(b=se.selectors={cacheLength:50,createPseudo:le,match:G,attrHandle:{},find:{},relative:{">":{dir:"parentNode",
2024-10-31 16:22:31 UTC	2848	IN	Data Raw: 3d 3d 3d 69 3a 22 21 3d 22 3d 3d 3d 72 3f 74 21 3d 3d 69 3a 22 5e 3d 22 3d 3d 3d 72 3f 69 26 26 30 3d 3d 3d 74 2e 69 6e 64 65 78 4f 66 28 69 29 3a 22 2a 3d 22 3d 3d 3d 72 3f 69 26 26 2d 31 3c 74 2e 69 6e 64 65 78 4f 66 28 69 29 3a 22 24 3d 22 3d 3d 3d 72 3f 69 26 26 74 2e 73 6c 69 63 65 28 2d 69 2e 6c 65 6e 67 74 68 29 3d 3d 3d 69 3a 22 7e 3d 22 3d 3d 3d 72 3f 2d 31 3c 28 22 20 22 2b 74 2e 72 65 70 6c 61 63 65 28 42 2c 22 20 22 29 2b 22 20 22 29 2e 69 6e 64 65 78 4f 66 28 69 29 3a 22 7c 3d 22 3d 3d 3d 72 26 26 28 74 3d 3d 3d 69 7c 7c 74 2e 73 6c 69 63 65 28 30 2c 69 2e 6c 65 6e 67 74 68 2b 31 29 3d 3d 3d 69 2b 22 2d 22 29 29 7d 7d 2c 43 48 49 4c 44 3a 66 75 6e 63 74 69 6f 6e 28 68 2c 65 2c 74 2c 67 2c 76 29 7b 76 61 72 20 79 3d 22 6e 74 68 22 21 3d 3d 68 Data Ascii: ===i:"!="===r?t!==i:"^="===r?i&&0===t.indexOf(i):"*="===r?i&&-1<t.indexOf(i):"$="===r?i&&t.slice(-i.length)===i:"~="===r?-1<(" "+t.replace(B," ")+" ").indexOf(i):"\|="===r&&(t===i\|\|t.slice(0,i.length+1)===i+"-"))}},CHILD:function(h,e,t,g,v){var y="nth"!==h
2024-10-31 16:22:31 UTC	4096	IN	Data Raw: 65 29 7d 2c 69 6e 70 75 74 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 51 2e 74 65 73 74 28 65 2e 6e 6f 64 65 4e 61 6d 65 29 7d 2c 62 75 74 74 6f 6e 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 65 2e 6e 6f 64 65 4e 61 6d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 72 65 74 75 72 6e 22 69 6e 70 75 74 22 3d 3d 3d 74 26 26 22 62 75 74 74 6f 6e 22 3d 3d 3d 65 2e 74 79 70 65 7c 7c 22 62 75 74 74 6f 6e 22 3d 3d 3d 74 7d 2c 74 65 78 74 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3b 72 65 74 75 72 6e 22 69 6e 70 75 74 22 3d 3d 3d 65 2e 6e 6f 64 65 4e 61 6d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 26 26 22 74 65 78 74 22 3d 3d 3d 65 2e 74 79 70 65 26 26 28 6e 75 6c 6c 3d 3d 28 74 3d 65 2e 67 65 74 41 74 74 72 69 62 75 Data Ascii: e)},input:function(e){return Q.test(e.nodeName)},button:function(e){var t=e.nodeName.toLowerCase();return"input"===t&&"button"===e.type\|\|"button"===t},text:function(e){var t;return"input"===e.nodeName.toLowerCase()&&"text"===e.type&&(null==(t=e.getAttribu
2024-10-31 16:22:31 UTC	4096	IN	Data Raw: 3a 72 29 29 29 2e 73 65 6c 65 63 74 6f 72 3d 65 7d 72 65 74 75 72 6e 20 61 7d 2c 67 3d 73 65 2e 73 65 6c 65 63 74 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 2c 72 29 7b 76 61 72 20 69 2c 6f 2c 61 2c 73 2c 75 2c 6c 3d 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 65 2c 63 3d 21 72 26 26 68 28 65 3d 6c 2e 73 65 6c 65 63 74 6f 72 7c 7c 65 29 3b 69 66 28 6e 3d 6e 7c 7c 5b 5d 2c 31 3d 3d 3d 63 2e 6c 65 6e 67 74 68 29 7b 69 66 28 32 3c 28 6f 3d 63 5b 30 5d 3d 63 5b 30 5d 2e 73 6c 69 63 65 28 30 29 29 2e 6c 65 6e 67 74 68 26 26 22 49 44 22 3d 3d 3d 28 61 3d 6f 5b 30 5d 29 2e 74 79 70 65 26 26 39 3d 3d 3d 74 2e 6e 6f 64 65 54 79 70 65 26 26 45 26 26 62 2e 72 65 6c 61 74 69 76 65 5b 6f 5b 31 5d 2e 74 79 70 65 5d 29 7b 69 66 28 21 28 74 3d 28 Data Ascii: :r))).selector=e}return a},g=se.select=function(e,t,n,r){var i,o,a,s,u,l="function"==typeof e&&e,c=!r&&h(e=l.selector\|\|e);if(n=n\|\|[],1===c.length){if(2<(o=c[0]=c[0].slice(0)).length&&"ID"===(a=o[0]).type&&9===t.nodeType&&E&&b.relative[o[1].type]){if(!(t=(
2024-10-31 16:22:31 UTC	4096	IN	Data Raw: 6f 72 28 6e 2c 65 29 29 29 7b 6f 2e 70 75 73 68 28 6e 29 3b 62 72 65 61 6b 7d 72 65 74 75 72 6e 20 74 68 69 73 2e 70 75 73 68 53 74 61 63 6b 28 31 3c 6f 2e 6c 65 6e 67 74 68 3f 53 2e 75 6e 69 71 75 65 53 6f 72 74 28 6f 29 3a 6f 29 7d 2c 69 6e 64 65 78 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 65 3f 22 73 74 72 69 6e 67 22 3d 3d 74 79 70 65 6f 66 20 65 3f 69 2e 63 61 6c 6c 28 53 28 65 29 2c 74 68 69 73 5b 30 5d 29 3a 69 2e 63 61 6c 6c 28 74 68 69 73 2c 65 2e 6a 71 75 65 72 79 3f 65 5b 30 5d 3a 65 29 3a 74 68 69 73 5b 30 5d 26 26 74 68 69 73 5b 30 5d 2e 70 61 72 65 6e 74 4e 6f 64 65 3f 74 68 69 73 2e 66 69 72 73 74 28 29 2e 70 72 65 76 41 6c 6c 28 29 2e 6c 65 6e 67 74 68 3a 2d 31 7d 2c 61 64 64 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b Data Ascii: or(n,e))){o.push(n);break}return this.pushStack(1<o.length?S.uniqueSort(o):o)},index:function(e){return e?"string"==typeof e?i.call(S(e),this[0]):i.call(this,e.jquery?e[0]:e):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(e,t){

Target ID:	0
Start time:	12:21:55
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"
Imagebase:	0x400000
File size:	1'647'950 bytes
MD5 hash:	5E96050ED8827EFEB9C90D59CE708F10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:21:58
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc
Imagebase:	0x450000
File size:	1'488'880 bytes
MD5 hash:	75A7CC387D1E24DE8BA1275E81A840D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 54%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:22:01
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun
Imagebase:	0x450000
File size:	1'488'880 bytes
MD5 hash:	75A7CC387D1E24DE8BA1275E81A840D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	1266
Total number of Limit Nodes:	34

Executed Functions

Function 0040323C Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 0040325B
SetErrorMode.KERNELBASE(00008001), ref: 00403266
OleInitialize.OLE32(00000000), ref: 0040326D

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

SHGetFileInfoA.SHELL32(0041F458,00000000,?,00000160,00000000,00000008), ref: 00403295

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,004236A0,NSIS Error), ref: 00405B73

GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 004032AA
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",00000000), ref: 004032BD
CharNextA.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",00000020), ref: 004032E8
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040337B
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403390
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040339C
DeleteFileA.KERNELBASE(2052), ref: 004033AF
ExitProcess.KERNEL32(00000000), ref: 00403428
CoUninitialize.COMBASE(00000000), ref: 0040342D
ExitProcess.KERNEL32 ref: 0040344D
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",00000000,00000000), ref: 00403459
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403465
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403471
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403478
DeleteFileA.KERNEL32(0041F058,0041F058,?,00424000,?), ref: 004034C2
CopyFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe,0041F058,00000001), ref: 004034D6
CloseHandle.KERNEL32(00000000,0041F058,0041F058,?,0041F058,00000000), ref: 00403503
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403558
ExitWindowsEx.USER32(00000002,00000000), ref: 00403594
ExitProcess.KERNEL32 ref: 004035B7

Strings

C:\Users\user\Desktop, xrefs: 0040345E, 00403463, 00403486
SeShutdownPrivilege, xrefs: 0040356A
C:\Users\user\AppData\Roaming\mk-jzcq, xrefs: 00403366, 004033FF, 0040347E, 00403487
NCRC, xrefs: 00403328
C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe, xrefs: 004034D1
C:\Users\user\AppData\Roaming\mk-jzcq, xrefs: 0040340A
~nsu.tmp, xrefs: 00403453
", xrefs: 0040330A
Error launching installer, xrefs: 004033E5
_?=, xrefs: 004033D6
\Temp, xrefs: 00403396
/D=, xrefs: 0040333E
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040324C
2052, xrefs: 004033AA
NSIS Error, xrefs: 0040329B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403370, 00403375, 0040338F, 0040339B, 00403458, 00403464, 00403470, 00403477, 00403517
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe", xrefs: 004032B0, 004032B6, 004033CC

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"$2052$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\mk-jzcq$C:\Users\user\AppData\Roaming\mk-jzcq$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 553446912-3275059682
Opcode ID: 12a15860763ed27b157ca737a9af8f9ad945b33dd426c8faa94cb20c8ad7d4db
Instruction ID: d9df3101e86bd055252ea398e1a167ecdf9755d8b7b18b8fa076e16bcd865dbe
Opcode Fuzzy Hash: 12a15860763ed27b157ca737a9af8f9ad945b33dd426c8faa94cb20c8ad7d4db
Instruction Fuzzy Hash: E191D231A087417EE7216F609D49B2B7EACEB01306F44457BF941B61E2C77CAE058B6E

Function 0040548B Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 004054A9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 004054F3
lstrcatA.KERNEL32(?,00409010,?,C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 00405514
lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 0040551A
FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\*.*,?,?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 0040552B
FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 004055DD
FindClose.KERNEL32(?), ref: 004055EE

Strings

C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\*.*, xrefs: 004054DD, 004054E3, 004054F2, 00405528
\*.*, xrefs: 004054ED
C:\Users\user\AppData\Local\Temp\, xrefs: 0040548B
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe", xrefs: 00405495

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\*.*$\*.*
API String ID: 2035342205-784989711
Opcode ID: 7a19b7ea85d0f8bff8962d5b7d174e9fed4053393f49275f79294cdc09bf412a
Instruction ID: bc429f5d1e1b14784ce7e3564347ec6ed469848bfd5577fff983359c073685a4
Opcode Fuzzy Hash: 7a19b7ea85d0f8bff8962d5b7d174e9fed4053393f49275f79294cdc09bf412a
Instruction Fuzzy Hash: 0351F331904A447ADB216B218C45BBF3B79CF42728F54847BF905711E2CB3C5A82DE6E

Function 00405B88 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,0041FC78,00000000,00404F3C,0041FC78,00000000), ref: 00405C30
GetSystemDirectoryA.KERNEL32("C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,00000400), ref: 00405CAB
GetWindowsDirectoryA.KERNEL32("C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,00000400), ref: 00405CBE
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405CFA
SHGetPathFromIDListA.SHELL32(00000000,"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun), ref: 00405D08
CoTaskMemFree.OLE32(00000000), ref: 00405D13
lstrcatA.KERNEL32("C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D35
lstrlenA.KERNEL32("C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,?,0041FC78,00000000,00404F3C,0041FC78,00000000), ref: 00405D87

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C7A
"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun, xrefs: 00405BB1, 00405C78, 00405C95, 00405CAA, 00405CBD, 00405CD9, 00405D04, 00405D34, 00405D3A, 00405D52, 00405D65, 00405D80, 00405D86, 00405D91, 00405DBB
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D2F

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-326326404
Opcode ID: ec1cfc953701c68b2a4bf792a6f5f2f7cf4c63635bb1673da603afab52f17940
Instruction ID: 2bb53c71d9fe9ef1e56bc14ab20fd8486271744d1d3ead2cb2ad614034e11287
Opcode Fuzzy Hash: ec1cfc953701c68b2a4bf792a6f5f2f7cf4c63635bb1673da603afab52f17940
Instruction Fuzzy Hash: D7510131A04A04AAEF205F64DC88B7B3BA4DF55324F14823BE911B62D0D33C59829E4E

Function 00402020 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409368,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Strings

C:\Users\user\AppData\Roaming\mk-jzcq, xrefs: 004020AB

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\mk-jzcq
API String ID: 123533781-4000781333
Opcode ID: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
Instruction ID: 0b92ce9401c32f92a97655b67b17bc3e2e7042a2ba93bb40bff56c30807ccd12
Opcode Fuzzy Hash: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
Instruction Fuzzy Hash: 94418E75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Function 00406131 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction ID: 7fe690cacb8e5da35aefc448adc87e2f65dc6f56ff44dc44b78e187fa59068bd
Opcode Fuzzy Hash: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction Fuzzy Hash: 70F16871D00229CBDF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF44

Function 00405E61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,004224F0,C:\,0040577D,C:\,C:\,00000000,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 00405E6C
FindClose.KERNEL32(00000000), ref: 00405E78

Strings

C:\, xrefs: 00405E61

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
Instruction ID: f2fe444ddfa45285d6a9eb51d657c4c39712a0d2250b7f8498e11f87d01b5aa3
Opcode Fuzzy Hash: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
Instruction Fuzzy Hash: 26D012359495206FC7001738AD0C85B7A58EF553347508B32F969F62E0C7B4AD51DAED

Function 00405E88 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction ID: 91087f9554edebef2dfdad95906e97f440013226b38390424b9c6ad62026e406
Opcode Fuzzy Hash: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction Fuzzy Hash: 0FE08C32A08511BBD3115B30ED0896B77A8EA89B41304083EF959F6290D734EC119BFA

Function 004036AF Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

lstrcatA.KERNEL32(2052,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403720
lstrlenA.KERNEL32("C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,?,?,?,"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,00000000,C:\Users\user\AppData\Roaming\mk-jzcq,2052,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"), ref: 00403795
lstrcmpiA.KERNEL32(?,.exe), ref: 004037A8
GetFileAttributesA.KERNEL32("C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun), ref: 004037B3
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\mk-jzcq), ref: 004037FC

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

RegisterClassA.USER32 ref: 00403843
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040385B
CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403894
ShowWindow.USER32(00000005,00000000), ref: 004038CA
LoadLibraryA.KERNEL32(RichEd20), ref: 004038DB
LoadLibraryA.KERNEL32(RichEd32), ref: 004038E6
GetClassInfoA.USER32(00000000,RichEdit20A,00423640), ref: 004038F6
GetClassInfoA.USER32(00000000,RichEdit,00423640), ref: 00403903
RegisterClassA.USER32(00423640), ref: 0040390C
DialogBoxParamA.USER32(?,00000000,00403A45,00000000), ref: 0040392B

Strings

RichEdit20A, xrefs: 004038EE, 004038F4
C:\Users\user\AppData\Roaming\mk-jzcq, xrefs: 0040372F, 00403737, 004037CF, 004037D5, 004037E5
RichEdit, xrefs: 004038FD
Control Panel\Desktop\ResourceLocale, xrefs: 004036E3
.exe, xrefs: 004037A2
.DEFAULT\Control Panel\International, xrefs: 0040370B
"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun, xrefs: 00403763, 0040376B, 00403778, 004037C2, 004037C8
_Nb, xrefs: 00403852, 00403857
2052, xrefs: 004036CF, 0040371B
@6B, xrefs: 0040380B
RichEd32, xrefs: 004038E1
C:\Users\user\AppData\Local\Temp\, xrefs: 004036B3
RichEd20, xrefs: 004038D6
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe", xrefs: 004036BB

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun$"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"$.DEFAULT\Control Panel\International$.exe$2052$@6B$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\mk-jzcq$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-1890030437
Opcode ID: 6dd8c866dd907658969a4a4875d5acd1ebd92cc4bf810ee3f5d51b3ace02576f
Instruction ID: 5edcd83abe1923a5ef33726047749e404321c8c293ca1ea02831498dc8d0bb6f
Opcode Fuzzy Hash: 6dd8c866dd907658969a4a4875d5acd1ebd92cc4bf810ee3f5d51b3ace02576f
Instruction Fuzzy Hash: A961A3B16442007FD720AF659D45E2B3AADEB4475AF40457FF940B22E1D77CAD01CA2E

Function 00402C72 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C86
GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe,00000400), ref: 00402CA2

Part of subcall function 0040583D: GetFileAttributesA.KERNELBASE(00000003,00402CB5,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe,80000000,00000003), ref: 00405841
Part of subcall function 0040583D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe,80000000,00000003), ref: 00402CEB
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E32

Strings

soft, xrefs: 00402D62
C:\Users\user\Desktop, xrefs: 00402CCD, 00402CD2, 00402CD8
Inst, xrefs: 00402D59
Error launching installer, xrefs: 00402CC2
Null, xrefs: 00402D6B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E7B
C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe, xrefs: 00402C8C, 00402C9B, 00402CAF, 00402CCC
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C72, 00402E4A
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EC9
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe", xrefs: 00402C7F

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-110751896
Opcode ID: c0b58b8176f9646a97db1db810dac46c81e9ebfb5e8e95adea3b2f0509715702
Instruction ID: 0b72a330c31c6d4d52753dad6a5c3012229d4666e6dae103a7747cbc92612fb8
Opcode Fuzzy Hash: c0b58b8176f9646a97db1db810dac46c81e9ebfb5e8e95adea3b2f0509715702
Instruction Fuzzy Hash: B761E231A40215ABDB20DF64DE49B9E7BB4EB04315F20407BF904B62D2D7BC9E458B9C

Function 00401734 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,C:\Users\user\AppData\Roaming\mk-jzcq,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,00000000,00000000,"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,C:\Users\user\AppData\Roaming\mk-jzcq,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,004236A0,NSIS Error), ref: 00405B73

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Strings

"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
RunAfterSetup, xrefs: 00401801, 0040181D
C:\Users\user\AppData\Roaming\mk-jzcq, xrefs: 00401761

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun$C:\Users\user\AppData\Roaming\mk-jzcq$RunAfterSetup
API String ID: 1941528284-1456259220
Opcode ID: 4a064dd92ac6ffdc7d2c6b4c6fc98292a3e6d5490fafcca7b07ea43f8b63d73b
Instruction ID: ca24b6133afb507e547736dc5ab02d451b7f1a2d30e0a517c5ad6537af4b780a
Opcode Fuzzy Hash: 4a064dd92ac6ffdc7d2c6b4c6fc98292a3e6d5490fafcca7b07ea43f8b63d73b
Instruction Fuzzy Hash: 8441C131900515BBCB10BFB5DD46EAF3A79EF01369B24433BF511B11E1D63C9A418AAD

Function 00402F18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402F3F
ReadFile.KERNELBASE(00409130,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130), ref: 00402F6C
ReadFile.KERNELBASE(00413040,00004000,?,00000000,00409130,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402FC6
WriteFile.KERNELBASE(00000000,00413040,?,000000FF,00000000,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402FDE

Strings

@0A, xrefs: 00402FA6

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: @0A
API String ID: 2113905535-1363546919
Opcode ID: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
Instruction ID: f0f891dec1baa82fcb152a6e3a42d02399587e043c2e4755ce28507b82245ee9
Opcode Fuzzy Hash: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
Instruction Fuzzy Hash: 3F315731501249EBDB21CF55DD40A9E7FBCEB843A5F20407AFA05A6190D3789F81DBA9

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32(?), ref: 00402725
WriteFile.KERNELBASE(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNELBASE(00000000), ref: 0040273E
CloseHandle.KERNELBASE(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 6a9f9e03234ab5bf5e394379d93ad3354b9b1830e35b83e5fa95684e592760ec
Instruction ID: 719c612f4f238206e278f6e296a81204df483451b361404a9b6a09c3536a307a
Opcode Fuzzy Hash: 6a9f9e03234ab5bf5e394379d93ad3354b9b1830e35b83e5fa95684e592760ec
Instruction Fuzzy Hash: F831AD71C00128BBDF216FA4CD89DAE7E79EF08364F10423AF920772E0C6795D419BA8

Function 00403043 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403058

Part of subcall function 004031F1: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,?), ref: 004031FF

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000), ref: 0040308B
WriteFile.KERNELBASE(0040B040,0040C711,00000000,00000000,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403145
SetFilePointer.KERNELBASE(00263AD8,00000000,00000000,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403197

Strings

@0A, xrefs: 004030B8

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: @0A
API String ID: 2146148272-1363546919
Opcode ID: 5717bb92db8eceb84bcfa3312431b9880db34fb8e18b0e02550951cbdd57df69
Instruction ID: c862c83604f3b109b9ae356e59bf9e99270c6d64ee518f880403d0392c1b0dc8
Opcode Fuzzy Hash: 5717bb92db8eceb84bcfa3312431b9880db34fb8e18b0e02550951cbdd57df69
Instruction Fuzzy Hash: 4B41ABB25042029FD710CF29EE4096A7FBDF748356705423BE501BA2E1CB3C6E099B9E

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 8a5e19ada2a0501c23d939e05fc9a3d0d7d0ee5640c0e41b76e5c8575941fe9f
Instruction ID: 83c29b7dad20212888764ed045f323035a642c1bbb84e8da84d377f5f563bf0e
Opcode Fuzzy Hash: 8a5e19ada2a0501c23d939e05fc9a3d0d7d0ee5640c0e41b76e5c8575941fe9f
Instruction Fuzzy Hash: D621EE72D04216EBCF207FA4DE49A6E75B06B44399F204237F511B52E0D77C4D41965E

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,C:\,00000000,00405751,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 004056FB
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\mk-jzcq,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Roaming\mk-jzcq, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Roaming\mk-jzcq
API String ID: 3751793516-4000781333
Opcode ID: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
Instruction ID: c38907cd9fbddcdb820990ab727de55d75fa8bca08f123d111df4852c942a759
Opcode Fuzzy Hash: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
Instruction Fuzzy Hash: 7E010431D08141AFDB216F751D4497F27B0AA56369728073FF891B22E2C63C0942962E

Function 0040586C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040587F
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405899

Strings

nsa, xrefs: 00405878
C:\Users\user\AppData\Local\Temp\, xrefs: 0040586C, 0040586F
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe", xrefs: 00405873

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3161504887
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 7bdb262dbebad2fb51735791196b4a750b565e3ebaa120aaaad2cbe3184e43fd
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: B1F0A73734820876E7105E55DC04B9B7F9DDF91760F14C027FE44DA1C0D6B49954C7A5

Function 004053C6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A8,Error launching installer), ref: 004053EB
CloseHandle.KERNEL32(?), ref: 004053F8

Strings

Error launching installer, xrefs: 004053D9
C:\Users\user\AppData\Local\Temp\, xrefs: 004053C6

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-1785902839
Opcode ID: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
Instruction ID: 069b69ca15cd8b990da55ccc95fe3be7356009797bdfa18ab8f6d6c8c96e71ef
Opcode Fuzzy Hash: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
Instruction Fuzzy Hash: A3E0ECB4A00219BFDB00AF64ED49AAB7BBDEB00305F90C522A911E2150D775D8118AB9

Function 00402303 Relevance: 6.1, APIs: 4, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(0040A370,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.KERNELBASE(?,?,?,?,0040A370,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,0040A370,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: a542455d9f9526f25a51f1532c83397ec4fb85749294bc37414485deefa1f1b8
Instruction ID: d7b132d9018d44432a73f3315d2b91b6aa1600c7a927e9fa70905f900517fa5a
Opcode Fuzzy Hash: a542455d9f9526f25a51f1532c83397ec4fb85749294bc37414485deefa1f1b8
Instruction Fuzzy Hash: BA1160B1E00209BFEB10AFA0DE49EAF767CFB54398F10413AF905B61D0D7B85D019669

Function 0040573A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,004236A0,NSIS Error), ref: 00405B73

Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,C:\,00000000,00405751,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 004056FB
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 0040578D
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 0040579D

Strings

C:\, xrefs: 00405740, 00405745, 0040574B, 00405786, 0040578C, 00405794, 0040579C

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 716f681fdc2f335f171507b78212e4fdddf35da2e6b413ee0daba6d976a18fc7
Instruction ID: 7155b9e5202267c574e320c9449d9087b3e4f671a0d42f3ce7b213b6d11f415d
Opcode Fuzzy Hash: 716f681fdc2f335f171507b78212e4fdddf35da2e6b413ee0daba6d976a18fc7
Instruction Fuzzy Hash: A1F0F425104D509AC72636395C09EAF1A55CE833A4F48053FF894B32D1CB3C8943EDAE

Function 00403208 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00403229

Strings

2052, xrefs: 00403230
C:\Users\user\AppData\Local\Temp\, xrefs: 00403209, 0040320E, 00403214, 00403220, 00403228, 0040322F

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 2052$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-3975672531
Opcode ID: 6efbcda31fdcc81e1bc9b7455ac61b895c89039b7b6caaf7bbff9198608db7ec
Instruction ID: 28437e5e833f6c5712a3d87292ca06883de7807d6adf700678bf42288e0e849f
Opcode Fuzzy Hash: 6efbcda31fdcc81e1bc9b7455ac61b895c89039b7b6caaf7bbff9198608db7ec
Instruction Fuzzy Hash: 11D0C922656E3032C651363A3C0AFDF091C8F5271AF55847BF908B40D64B6C5A5259EF

Function 0040361A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",00000000,74DF2EE0,004035F1,00000000,0040342D,00000000), ref: 00403634
GlobalFree.KERNEL32(00000000), ref: 0040363B

Strings

"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe", xrefs: 0040362C

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"
API String ID: 1100898210-3302343205
Opcode ID: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
Instruction ID: 07f203a12dc211ea1540440f4769086933c1ddaa55d0411da1bb29b7fd771b51
Opcode Fuzzy Hash: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
Instruction Fuzzy Hash: 8FE08C32804420ABC6216F55EC0579A7768AB48B22F028536E900BB3A083743C464BDC

Function 00406566 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction ID: 319d18918fa2cc3741333e20ed782d5c303dd2f769888eebbc994f2124d7c2e6
Opcode Fuzzy Hash: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction Fuzzy Hash: 29A15171E00229CBDF28CFA8C8547ADBBB1FF44305F15812AD856BB281D7789A96DF44

Function 00406767 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction ID: 868f2ec1f3ea74d7de1394d818727f69d5aca31e92bf34b5737afca42cfaef71
Opcode Fuzzy Hash: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction Fuzzy Hash: 6E913171D00229CBEF28CF98C8547ADBBB1FF44305F15812AD856BB281C7789A9ADF44

Function 0040647D Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction ID: e06b97397237a54a8f7c6fae7a0c48c933f493286525731b7b3672fa0d973436
Opcode Fuzzy Hash: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction Fuzzy Hash: 678155B1D00229CFDF24CFA8C8447ADBBB1FB44305F25816AD456BB281D7789A96CF54

Function 00405F82 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction ID: 3ccfc7c80e99de65fa6db0e0edc8679980b1d0ea62cd2807200041591328ae3c
Opcode Fuzzy Hash: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction Fuzzy Hash: D98187B1D00229CBDF24CFA8C8447AEBBB1FB44305F11816AD856BB2C1C7785A96CF44

Function 004063D0 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction ID: 235c9a1f152390887c8e3346b3cf8cf745e7d176c25095dba4735a56a8f4339d
Opcode Fuzzy Hash: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction Fuzzy Hash: 80714371D00229CBDF28CFA8C8447ADBBF1FB48305F15806AD846BB281D7395A96DF54

Function 004064EE Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction ID: 067b91939e33353516387f96afd3df60e22fb0a2a23546be1218d687de4ca84d
Opcode Fuzzy Hash: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction Fuzzy Hash: 14715371E00229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7799996DF54

Function 0040643A Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction ID: fa01dbb36adddbb747bc37ce8d7c8691094d52a97b4972d7f98645f49a39bfe1
Opcode Fuzzy Hash: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction Fuzzy Hash: B3715671D00229CBEF28CF98C844BADBBB1FF44305F11816AD856BB281C7795A56DF54

Function 00401E1B Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Part of subcall function 004053C6: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A8,Error launching installer), ref: 004053EB
Part of subcall function 004053C6: CloseHandle.KERNEL32(?), ref: 004053F8

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E55
GetExitCodeProcess.KERNELBASE(?,?), ref: 00401E65
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401E8A

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 45ab694d93d3c8083ca874a04595ab13abe68012b6660c3dff7b3237667625b0
Instruction ID: 355628b0c836e6669011c6779fae97b23835f6d082b04fdd633ca662238f37b1
Opcode Fuzzy Hash: 45ab694d93d3c8083ca874a04595ab13abe68012b6660c3dff7b3237667625b0
Instruction Fuzzy Hash: 19019271D04215EBCF11AF91CD8599E7A75EB40358F20403BFA05B51E1C3794A82DBDE

Function 00405A4D Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405C89,00000000,00000002,?,00000002,?,?,00405C89,80000002,Software\Microsoft\Windows\CurrentVersion,?,"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,?), ref: 00405A76
RegQueryValueExA.ADVAPI32(?,?,00000000,00405C89,?,00405C89), ref: 00405A97
RegCloseKey.ADVAPI32(?), ref: 00405AB8

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
Instruction ID: 1f5187eb0d206272966296eac295dca0b6851c7ebc3b2299c22a00064415c0d3
Opcode Fuzzy Hash: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
Instruction Fuzzy Hash: 5E01487114020AEFDB128F64EC84AEB3FACEF14394F004526F945E6120D335D964DFA5

Function 004035BD Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,0040342D,00000000), ref: 004035CF
CloseHandle.KERNEL32(FFFFFFFF,00000000,0040342D,00000000), ref: 004035E3

Strings

C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\, xrefs: 004035F3

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\
API String ID: 2962429428-4099994125
Opcode ID: d5091cb339cf9ca4b2a17f3525511bedeea9812c5bf65782ecb3b679df28d270
Instruction ID: 5c77e6c533590f6c422f1e12d180fd4ee44bb6ddfd602f374d0031013ab669df
Opcode Fuzzy Hash: d5091cb339cf9ca4b2a17f3525511bedeea9812c5bf65782ecb3b679df28d270
Instruction Fuzzy Hash: 3AE08C30900610AAC234AF7CAE4594A3A1C9B413327248722F538F21F2C738AE824AAD

Function 00402267 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,!N~,?,000003FF,00000000), ref: 00402297

Strings

!N~, xrefs: 0040228E, 00402292

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileString
String ID: !N~
API String ID: 1096422788-529124213
Opcode ID: 83959307df37686c86d75e4de7286cd2fa4b3ebc5ce89ae33a3a58613c6f73fc
Instruction ID: 21cd7503a9a85725414fd2f210def48a3ed87e9b9f52c0cacc02f36f79452d1c
Opcode Fuzzy Hash: 83959307df37686c86d75e4de7286cd2fa4b3ebc5ce89ae33a3a58613c6f73fc
Instruction Fuzzy Hash: E4E04F71900208BBDB50AFA1CD49DAE3AA8BF043C4F100129FA10AB1C1DBB89541AB55

Function 004023AF Relevance: 3.1, APIs: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B00: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28

RegQueryValueExA.KERNELBASE(00000000,00000000,?,000003FF,?,?,?,?,00000033), ref: 004023DF
RegCloseKey.ADVAPI32(?,?,?,0040A370,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: eab15ab1fb9436d0461565b65d9f839641e6776e667b8b400d8ef67e93707a70
Instruction ID: 12193c1ceb89264442681d64ce78cd47003ed4e83c7ffe784dc41c43057f06db
Opcode Fuzzy Hash: eab15ab1fb9436d0461565b65d9f839641e6776e667b8b400d8ef67e93707a70
Instruction Fuzzy Hash: C111E371900205EFDB15DF64CA889AF7BB4EF14348F20807FE442B72C1D2B88A45EB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Function 00401D95 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DAB
EnableWindow.USER32(00000000,00000000), ref: 00401DB6

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 01184a99a098fa4f7b5ffd0caf4b96e4eb64a91bfbc6cfc84e1934e58c82cbe0
Instruction ID: 0a77d41913575adca2a7ede6e8d56263b744db67c7fbf003078f88b8ecd5966f
Opcode Fuzzy Hash: 01184a99a098fa4f7b5ffd0caf4b96e4eb64a91bfbc6cfc84e1934e58c82cbe0
Instruction Fuzzy Hash: 24E0C272F08210DBD710FBB4AE899AE3274DB403A9B10453BF503F20C1D6B89C8196EE

Function 0040583D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CB5,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe,80000000,00000003), ref: 00405841
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Function 0040581E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,00405629,?,?,?), ref: 00405822
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405834

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 89544605ef234ac14ed66c3b065a2d642d1346908a696065e0ba681aeed38476
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: F8C04CB1808501ABD7056B24EF0D81F7B66EF50325B108B35F5A9E00F0C7355C66DA1A

Function 00402223 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040225C

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: b6116c209c80720ea8c5b66b32d343bdc214f8bf2523826a10554ae8e2aaa3ef
Instruction ID: 7f0f3d0bfb11d3a69440f7e30d7772d63b8707f304f836d716d69bda9ce5b450
Opcode Fuzzy Hash: b6116c209c80720ea8c5b66b32d343bdc214f8bf2523826a10554ae8e2aaa3ef
Instruction Fuzzy Hash: 31E04871F002656BDBA07AF14F8D97F115C7B84344F14027EBA15762C6E9BC4D416169

Function 00402B00 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b5dfad00fa1cd151fd60990f5b06a3c2bada7c6ed29f77274f64d0dacc55a64b
Instruction ID: c0cb2249de0b0b7c7cf81be38287cf815beb59390f5746c35b3b1e544e0707b9
Opcode Fuzzy Hash: b5dfad00fa1cd151fd60990f5b06a3c2bada7c6ed29f77274f64d0dacc55a64b
Instruction Fuzzy Hash: BFE08676640108BFDB50DFA4ED4BFD637ECB704340F008421B608D7091C678F5409B68

Function 004031BF Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00413040,0040B040,004030C4,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000), ref: 004031D6

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 4c5c04567c480c11bae84e94003d2882b37cb3083c3cc1db03504fe221b835f3
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: DAE08631500119BBCF215E619C00A973B5CEB09362F008033FA04E9190D532DB109BA5

Function 004031F1 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,?), ref: 004031FF

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Non-executed Functions

Function 00405042 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004050A1
GetDlgItem.USER32(?,000003EE), ref: 004050B0
GetClientRect.USER32(?,?), ref: 004050ED
GetSystemMetrics.USER32(00000015), ref: 004050F5
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405116
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405127
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 0040513A
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405148
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040515B
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040517D
ShowWindow.USER32(?,00000008), ref: 00405191
GetDlgItem.USER32(?,000003EC), ref: 004051B2
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004051C2
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004051DB
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 004051E7
GetDlgItem.USER32(?,000003F8), ref: 004050BF

Part of subcall function 00403F4D: SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B

GetDlgItem.USER32(?,000003EC), ref: 00405204
CreateThread.KERNEL32(00000000,00000000,Function_00004FD6,00000000), ref: 00405212
CloseHandle.KERNEL32(00000000), ref: 00405219
ShowWindow.USER32(00000000), ref: 0040523D
ShowWindow.USER32(?,00000008), ref: 00405242
ShowWindow.USER32(00000008), ref: 00405289
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052BB
CreatePopupMenu.USER32 ref: 004052CC
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004052E1
GetWindowRect.USER32(?,?), ref: 004052F4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405318
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405353
OpenClipboard.USER32(00000000), ref: 00405363
EmptyClipboard.USER32 ref: 00405369
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405372
GlobalLock.KERNEL32(00000000), ref: 0040537C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405390
GlobalUnlock.KERNEL32(00000000), ref: 004053A8
SetClipboardData.USER32(00000001,00000000), ref: 004053B3
CloseClipboard.USER32 ref: 004053B9

Strings

{, xrefs: 004052A8

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 15bcaaf7b9c2500fdfc7a15f58e923324fe2155ddd01929f033f26ccd8a03658
Instruction ID: b28aa7ce0402c6385ba5b6cd868a6258f1d07b471923b7bae974b2a68da01879
Opcode Fuzzy Hash: 15bcaaf7b9c2500fdfc7a15f58e923324fe2155ddd01929f033f26ccd8a03658
Instruction Fuzzy Hash: 34A14870904208FFDB219F60DD89AAE7F79FB08355F00417AFA05BA2A0C7795A41DF69

Function 00404853 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040486A
GetDlgItem.USER32(?,00000408), ref: 00404877
GlobalAlloc.KERNEL32(00000040,?), ref: 004048C3
LoadBitmapA.USER32(0000006E), ref: 004048D6
SetWindowLongA.USER32(?,000000FC,00404E54), ref: 004048F0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404904
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404918
SendMessageA.USER32(?,00001109,00000002), ref: 0040492D
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404939
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040494B
DeleteObject.GDI32(?), ref: 00404950
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040497B
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404987
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A1C
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A47
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A5B
GetWindowLongA.USER32(?,000000F0), ref: 00404A8A
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A98
ShowWindow.USER32(?,00000005), ref: 00404AA9
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404BAC
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C11
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C26
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C4A
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C70
ImageList_Destroy.COMCTL32(?), ref: 00404C85
GlobalFree.KERNEL32(?), ref: 00404C95
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D05
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404DAE
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404DBD
InvalidateRect.USER32(?,00000000,00000001), ref: 00404DDD
ShowWindow.USER32(?,00000000), ref: 00404E2B
GetDlgItem.USER32(?,000003FE), ref: 00404E36
ShowWindow.USER32(00000000), ref: 00404E3D

Strings

M, xrefs: 00404A03
, xrefs: 00404E15
N, xrefs: 00404AE7

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: bc836f97d9874f4f727094095d6c382577d8705a5fdd7ffcfefc5c205b7b8112
Instruction ID: 91af9d563adbb526dddc39620d8b288a2aea1bcbb5731436b9e02a5cfbe7d22d
Opcode Fuzzy Hash: bc836f97d9874f4f727094095d6c382577d8705a5fdd7ffcfefc5c205b7b8112
Instruction Fuzzy Hash: AB029FB0E00209AFDB21DF54DD45AAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Function 00404356 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004043A2
SetWindowTextA.USER32(?,?), ref: 004043CF
SHBrowseForFolderA.SHELL32(?,0041F870,?), ref: 00404484
CoTaskMemFree.OLE32(00000000), ref: 0040448F
lstrcmpiA.KERNEL32("C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun,004204A0), ref: 004044C1
lstrcatA.KERNEL32(?,"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun), ref: 004044CD
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044DD

Part of subcall function 0040540B: GetDlgItemTextA.USER32(?,?,00000400,00404510), ref: 0040541E

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

GetDiskFreeSpaceA.KERNEL32(0041F468,?,?,0000040F,?,0041F468,0041F468,?,00000000,0041F468,?,?,000003FB,?), ref: 00404596
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B1
SetDlgItemTextA.USER32(00000000,00000400,0041F458), ref: 0040462A

Strings

A, xrefs: 0040447D
"C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun, xrefs: 004044BB, 004044C0, 004044CB
C:\Users\user\AppData\Roaming\mk-jzcq, xrefs: 004044AA

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun$A$C:\Users\user\AppData\Roaming\mk-jzcq
API String ID: 2246997448-2049553869
Opcode ID: 8a3aad76447270b687e8e1509915f8df1e24d5d4c23db986a95c4726ded8d1ea
Instruction ID: fa341535892c43c3a67d7fcafb17cb6574160925603278dae289bcadb551eaae
Opcode Fuzzy Hash: 8a3aad76447270b687e8e1509915f8df1e24d5d4c23db986a95c4726ded8d1ea
Instruction Fuzzy Hash: 2D9170B1900218BBDB11AFA1CD84AAF7BB8EF45314F10847BF704B6291D77C9A41DB59

Function 0040263E Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
Instruction ID: b3d2387cb92b068db8966d6a1439c3c253679041c8135bb289436d91baf53d0e
Opcode Fuzzy Hash: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
Instruction Fuzzy Hash: 42F0A072A04201DBD700EBB49A89AEEB7789B51328F60067BE111F20C1C6B85A459B2E

Function 00403A45 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A81
ShowWindow.USER32(?), ref: 00403A9E
DestroyWindow.USER32 ref: 00403AB2
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACE
GetDlgItem.USER32(?,?), ref: 00403AEF
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403B03
IsWindowEnabled.USER32(00000000), ref: 00403B0A
GetDlgItem.USER32(?,00000001), ref: 00403BB8
GetDlgItem.USER32(?,00000002), ref: 00403BC2
SetClassLongA.USER32(?,000000F2,?), ref: 00403BDC
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C2D
GetDlgItem.USER32(?,00000003), ref: 00403CD3
ShowWindow.USER32(00000000,?), ref: 00403CF4
EnableWindow.USER32(?,?), ref: 00403D06
EnableWindow.USER32(?,?), ref: 00403D21
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D37
EnableMenuItem.USER32(00000000), ref: 00403D3E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D56
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D69
lstrlenA.KERNEL32(004204A0,?,004204A0,004236A0), ref: 00403D92
SetWindowTextA.USER32(?,004204A0), ref: 00403DA1
ShowWindow.USER32(?,0000000A), ref: 00403ED5

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 0ca44dad19ebef12785e3fca4310d205a7ec76f049bba6dd02c4170e1792f308
Instruction ID: 1b558320748e03173a152966608fa9e4bba3452d5179f8dde3fdb5243a6fbb8a
Opcode Fuzzy Hash: 0ca44dad19ebef12785e3fca4310d205a7ec76f049bba6dd02c4170e1792f308
Instruction Fuzzy Hash: 21C18071A04204BBDB216F21ED45E2B3E7DEB4970AF40053EF541B12E1C739AA42DB6E

Function 00404060 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040EB
GetDlgItem.USER32(00000000,000003E8), ref: 004040FF
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411D
GetSysColor.USER32(?), ref: 0040412E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040414C
lstrlenA.KERNEL32(?), ref: 00404156
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404164
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404173
GetDlgItem.USER32(?,0000040A), ref: 004041D6
SendMessageA.USER32(00000000), ref: 004041D9
GetDlgItem.USER32(?,000003E8), ref: 00404204
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404244
LoadCursorA.USER32(00000000,00007F02), ref: 00404253
SetCursor.USER32(00000000), ref: 0040425C
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040426F
LoadCursorA.USER32(00000000,00007F00), ref: 0040427C
SetCursor.USER32(00000000), ref: 0040427F
SendMessageA.USER32(00000111,00000001,00000000), ref: 004042AB
SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BF

Strings

N, xrefs: 004041F2
@.B, xrefs: 00404264
open, xrefs: 00404267

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
Instruction ID: 7761d7a6ce13443680711406d70bf9c6d022160e69bfd2fffc9b265f6460a43d
Opcode Fuzzy Hash: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
Instruction Fuzzy Hash: 4661B2B1A40209BFEB109F60DC45F6A3B69FB44755F10817AFB04BA2D1C7B8A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Function 004058B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405649,?,00000000,000000F1,?), ref: 00405901
GetShortPathNameA.KERNEL32(?,00422630,00000400), ref: 0040590A
GetShortPathNameA.KERNEL32(00000000,004220A8,00000400), ref: 00405927
wsprintfA.USER32 ref: 00405945
GetFileSize.KERNEL32(00000000,00000000,004220A8,C0000000,00000004,004220A8,?,?,?,00000000,000000F1,?), ref: 00405980
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 0040598F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059A5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA8,00000000,-0000000A,00409350,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004059EB
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004059FD
GlobalFree.KERNEL32(00000000), ref: 00405A04
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A0B

Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Strings

0&B, xrefs: 004058EF
[Rename], xrefs: 004059B5, 004059C7
%s=%s, xrefs: 0040593B

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$0&B$[Rename]
API String ID: 3772915668-951905037
Opcode ID: 73d0c5d55c6a66a5fc5f40039b5a9282ef929e2af51c157191695387f36ba956
Instruction ID: 8912a0e40cac8f66f34925055924fb713260e7a12edb00ecfb1cfbef244c1689
Opcode Fuzzy Hash: 73d0c5d55c6a66a5fc5f40039b5a9282ef929e2af51c157191695387f36ba956
Instruction Fuzzy Hash: D9411332B05B11BBD3216B61AD88F6B3A5CDB84715F140136FE05F22C2E678A801CEBD

Function 00405DC8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC9, 00405E04
*?|<>/":, xrefs: 00405E10
"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe", xrefs: 00405DCE

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-935584088
Opcode ID: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction ID: 3b6179abbfe29fc78842bf11aa846075366cc437f950451d76d565b88bc2b460
Opcode Fuzzy Hash: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction Fuzzy Hash: A0110861805B9129EB3227284C48BBB7F89CF66754F18447FD8C4722C2C67C5D429FAD

Function 00403F7F Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F9C
GetSysColor.USER32(00000000), ref: 00403FB8
SetTextColor.GDI32(?,00000000), ref: 00403FC4
SetBkMode.GDI32(?,?), ref: 00403FD0
GetSysColor.USER32(?), ref: 00403FE3
SetBkColor.GDI32(?,?), ref: 00403FF3
DeleteObject.GDI32(?), ref: 0040400D
CreateBrushIndirect.GDI32(?), ref: 00404017

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 4cc26f8bf5fc777f430f8318c3ba194748f169832e683f7fcd21add738ba3f9d
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: C221C371904705ABCB209F78DD08B4BBBF8AF40711F048A29F992F26E0C738E904CB55

Function 00404F04 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: c16ae44753e0492e8ebf0dec6d4426dfb74cf51d03073e062323e975129af71d
Instruction ID: 33d69ec58002f5e3cec48cf4aa7ac502a1da6879986bf9ca4026f821734cd723
Opcode Fuzzy Hash: c16ae44753e0492e8ebf0dec6d4426dfb74cf51d03073e062323e975129af71d
Instruction Fuzzy Hash: C4219D71A00108BBDF119FA5CD849DEBFB9EB49354F14807AFA04B6290C3389E45CBA8

Function 00402BD3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BEB
GetTickCount.KERNEL32 ref: 00402C09
wsprintfA.USER32 ref: 00402C37

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C5B
ShowWindow.USER32(00000000,00000005), ref: 00402C69

Part of subcall function 00402BB7: MulDiv.KERNEL32(00000000,00000064,00020F8F), ref: 00402BCC

Strings

... %d%%, xrefs: 00402C31

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: f8ace1eb95c0e61b2c61dafef86db0eeb17deac8452a01d8f5baf0090805ef89
Instruction ID: c44cf6bb529b7c61e0c77009ed50883557557090b8ffabf6f859222ef57aaf40
Opcode Fuzzy Hash: f8ace1eb95c0e61b2c61dafef86db0eeb17deac8452a01d8f5baf0090805ef89
Instruction Fuzzy Hash: C6016170949210EBD7215F61EE4DA9F7B78AB04701B14403BF502B11E5C6BC9A01CBAE

Function 004047D3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004047EE
GetMessagePos.USER32 ref: 004047F6
ScreenToClient.USER32(?,?), ref: 00404810
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404822
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404848

Strings

f, xrefs: 00404824

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 01d6173a61c3c3b4b037133c9a52f1e04ee3049876a8ff08b59bebc5d15cf036
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: BA018075D40218BADB00DB94CC41BFEBBBCAB55711F10412ABB00B61C0C3B46501CB95

Function 00402B3B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
wsprintfA.USER32 ref: 00402B8A
SetWindowTextA.USER32(?,?), ref: 00402B9A
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BAC

Strings

unpacking data: %d%%, xrefs: 00402B78, 00402B88
verifying installer: %d%%, xrefs: 00402B7F

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
Instruction ID: 39266fd7d8b3d51d4259f470751267aa52f8e49dbca779dff7f29341b6a717b4
Opcode Fuzzy Hash: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
Instruction Fuzzy Hash: AFF03671900109ABEF255F51DD0ABEE3779FB00305F008036FA05B51D1D7F9AA559F99

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
Instruction ID: 3ec7b1818cbfc33efeafaf7017db19c7c479205e5d6f4ff66fb244667a93d6f3
Opcode Fuzzy Hash: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
Instruction Fuzzy Hash: 93112971A00009FFDF319F90DE49EAF7B7DEB44385B104436F905A10A0DBB59E51AE69

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CC5
GetClientRect.USER32(00000000,?), ref: 00401CD2
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
Instruction ID: de7316f9b9f1bcc3f0c1dff9ae5dc63c91f1472c52c052d8cf8a0da7f27950be
Opcode Fuzzy Hash: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
Instruction Fuzzy Hash: D5F01DB2E04105BFD700EFA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69

Function 004046F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(004204A0,004204A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404611,000000DF,0000040F,00000400,00000000), ref: 0040477F
wsprintfA.USER32 ref: 00404787
SetDlgItemTextA.USER32(?,004204A0), ref: 0040479A

Strings

%u.%u%s%s, xrefs: 00404769

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 87794c8f90da6e594bd2e0cae66498bbfb5b9cbb1a5c5e50d1da5967a7fbc4b5
Instruction ID: e1128f73888b2767c9277aed1687fd20c93e739cc52df1aac9c0a45a5a8dde9d
Opcode Fuzzy Hash: 87794c8f90da6e594bd2e0cae66498bbfb5b9cbb1a5c5e50d1da5967a7fbc4b5
Instruction Fuzzy Hash: 7311E2736001243BDB10666D9C46EEF3699DBC6335F14423BFA25F61D1E938AC5286A8

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
Instruction ID: 67abd366a37910a3fb0c7fe19d632a25016d3899897cc5a5bd850e91adcb6683
Opcode Fuzzy Hash: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
Instruction Fuzzy Hash: B721C4B1A44209BFEF01AFB4CE4AAAE7B75EF44344F14053EF602B60D1D6B84980E718

Function 00405659 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 0040565F
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405668
lstrcatA.KERNEL32(?,00409010), ref: 00405679

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405659

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: d5422d5486d5b384c4dcc02911800b35c31fcf4388d9dde419d5dff5703c7688
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: 8BD05272605A202ED2022A258C05E9B7A28CF06311B044866B540B2292C6386D818AEE

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
Instruction ID: 178fa6cf4330108057832d0c189c0e5a27020503733a18e797ef1cc5e9d7aef6
Opcode Fuzzy Hash: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
Instruction Fuzzy Hash: 52113A71A00108BEDB01EFA5DD819AEBBB9EB48344B20853AF501F61E1D7389A54DB28

Function 004056ED Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CharNextA.USER32(0040549F,?,C:\,00000000,00405751,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe",74DF2EE0), ref: 004056FB
CharNextA.USER32(00000000), ref: 00405700
CharNextA.USER32(00000000), ref: 0040570F

Strings

C:\, xrefs: 004056EE

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 48d170df000bd52d6530e74bc6e21c30bbb8ee0efc11f7a91444a9d932de86af
Instruction ID: 78d2da9fff81111ace552b99da8146ab0c55ee08e32a6a48318d29482ea338b5
Opcode Fuzzy Hash: 48d170df000bd52d6530e74bc6e21c30bbb8ee0efc11f7a91444a9d932de86af
Instruction Fuzzy Hash: 5AF0A751945A219AEB3262AC4C44B7B5B9CDB95720F144437E100BB1D1C6BC4C82AFAA

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF74), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: d8d00129a0c809e423feca600faf407eaf54c466d4b244af4f30760ff25f5d33
Instruction ID: d83410998d1654a5337f8c322709d39cf2ce3a8a4f0330bc6585c9693e616625
Opcode Fuzzy Hash: d8d00129a0c809e423feca600faf407eaf54c466d4b244af4f30760ff25f5d33
Instruction Fuzzy Hash: E1F044F1A45342AEE7016770AE0ABA93B649725306F100576F541BA1E2C5BC10149B7F

Function 00403978 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,004236A0), ref: 00403A10

Strings

2052, xrefs: 0040397C, 00403986, 004039F7
C:\Users\user\AppData\Local\Temp\, xrefs: 00403979

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow
String ID: 2052$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-3975672531
Opcode ID: 9a42cbf8a28c659a92ce9de243ac321228f9f300189a9516546428ecdf00a219
Instruction ID: 09623374405f0611f065d620c03919b516a5f167df25bc0d5edc66fe9dc562c0
Opcode Fuzzy Hash: 9a42cbf8a28c659a92ce9de243ac321228f9f300189a9516546428ecdf00a219
Instruction Fuzzy Hash: F611C2B1B005109BC730DF15D880A73767DEB84716369413BE94167391C77EAE028E58

Function 00404E54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404E8A
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404EF8

Part of subcall function 00403F64: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403F76

Strings

, xrefs: 00404E62

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
Instruction ID: 62f3a1a08e098275047049d4f9968a6b4933f6b7f921e7009373277d82a30415
Opcode Fuzzy Hash: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
Instruction Fuzzy Hash: D1116D71900208BBDB21AF52DC4499B3669FB84369F00803BF6047A2E2C37C5A519BAD

Function 004024BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,RunAfterSetup,00000000,?,?,00000000,00000011), ref: 004024FB

Strings

RunAfterSetup, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWritelstrlen
String ID: RunAfterSetup
API String ID: 427699356-325633305
Opcode ID: aeb33319f1ae75ac5a293ebd3faabad394e91247697e6cefe37e7ee81cc22ed1
Instruction ID: 2c1f07a632d72534084a5ac00d75746702f795d1104bf50e8da4b719a2e94720
Opcode Fuzzy Hash: aeb33319f1ae75ac5a293ebd3faabad394e91247697e6cefe37e7ee81cc22ed1
Instruction Fuzzy Hash: BCF08972A44245FFD710EBB19E49EAF7668DB00348F14443BB142F51C2D6FC5982976D

Function 004056A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe,80000000,00000003), ref: 004056A6
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe,80000000,00000003), ref: 004056B4

Strings

C:\Users\user\Desktop, xrefs: 004056A0

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 6658d1b0ab05e5211e75f0b74aef41c49d7b43cb9628f8e009f88ad9fa15a52a
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: C5D0A772409DB02EF30352108C04B8F7A98CF17300F0948A2E440E21D0C27C5C818FFD

Function 004057B2 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004057D2
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004057E0
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Memory Dump Source

Source File: 00000000.00000002.1724718934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724632772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724749770.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724769922.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725028122.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 042c172281cf084eebf1820456e7eb749b121a10276c912c68532230cfd8689c
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: BBF0A736249D51DBC2029B295C44E6FBEA4EF95355F14057EF440F3180D335AC11ABBB

Analysis Process: dqwhj_errwd.exePID: 7344, Parent PID: 7288COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.8%
Total number of Nodes:	1640
Total number of Limit Nodes:	67

Executed Functions

Function 00462F20 Relevance: 65.9, APIs: 22, Strings: 15, Instructions: 1189windowprocessCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000), ref: 0046340F
ShowWindow.USER32(00000000), ref: 0046342A
ShowWindow.USER32(00000000), ref: 00463443
_memset.LIBCMT ref: 00463532
_memset.LIBCMT ref: 00463562
StrCpyW.SHLWAPI(?,?), ref: 004635AB
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000220,00000000,00000000,?,?), ref: 004635E3
PostMessageW.USER32(00000000), ref: 00463686

Part of subcall function 00457360: std::_String_base::_Xlen.LIBCPMT ref: 004573BD
Part of subcall function 00457360: _memcpy_s.LIBCMT ref: 0045741E

Part of subcall function 0046EBD0: _memset.LIBCMT ref: 0046EC7D
Part of subcall function 0046EBD0: GetPrivateProfileStringW.KERNEL32(?,?,?,?,00000104,?), ref: 0046ECEF

Part of subcall function 00456FE0: std::_String_base::_Xlen.LIBCPMT ref: 0045702E
Part of subcall function 00456FE0: _memcpy_s.LIBCMT ref: 004570A9

Part of subcall function 0046E3B0: lstrlenW.KERNEL32(?,?,?,?,00000007,00000000,?,004816A6,?,?,004B4F70,00000000,?), ref: 0046E3F7
Part of subcall function 0046E3B0: lstrlenW.KERNEL32(004B450C,00000000,004B450A), ref: 0046E420

Strings

error, xrefs: 00463A45
/S /SQUPGRADE, xrefs: 0046356A
key, xrefs: 00463BBE
/S /SQUPGRADE, xrefs: 004636B3
lastUpgradeVer, xrefs: 00463157, 00463627, 00463780
7, xrefs: 00464262
currentversion, xrefs: 00462FEB
\OK, xrefs: 00463C81
version, xrefs: 0046301A, 004630D8, 00463182, 00463645, 0046379E
state, xrefs: 00463C27, 00463ECC, 004640EC
time, xrefs: 0046414C
,OK, xrefs: 004636ED
`OK, xrefs: 00463F25
=, xrefs: 0046415C
upgraderange, xrefs: 004630AD

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memset$MessageShowString_base::_WindowXlen_memcpy_slstrlenstd::_$CreatePostPrivateProcessProfileString
String ID: /S /SQUPGRADE$,OK$/S /SQUPGRADE$7$=$\OK$`OK$currentversion$error$key$lastUpgradeVer$state$time$upgraderange$version
API String ID: 1659203067-963127966
Opcode ID: b2404295274f4c47d39c404889aeff31cb038e2716cf8930adb671a7889517d3
Instruction ID: 8d766800adf47e9a23b8faaa574e8ff2e4f220fc769fbf4f16828e525933daae
Opcode Fuzzy Hash: b2404295274f4c47d39c404889aeff31cb038e2716cf8930adb671a7889517d3
Instruction Fuzzy Hash: 3DB2A3705083809BD735EF65C845BDFB7E4AF84704F04496EF98947242EB789A48CBAB

Function 0047DFE0 Relevance: 40.7, APIs: 18, Strings: 5, Instructions: 417
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0047E03D
InternetCrackUrlW.WININET(?,?,00000000,0000003C), ref: 0047E0B3
InternetOpenW.WININET(HTTPDownloader,00000000,00000000,00000000,00000000), ref: 0047E0CE
InternetConnectW.WININET(00000000,?,?,?,?,00000003,00000000,00000000), ref: 0047E11A
InternetCloseHandle.WININET(00000000), ref: 0047E495
InternetCloseHandle.WININET(00000000), ref: 0047E4A4
InternetCloseHandle.WININET(?), ref: 0047E4AF
CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 0047E501
InternetReadFile.WININET(?,?,00002800,00000000), ref: 0047E568
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0047E5CF
CloseHandle.KERNEL32(00000000), ref: 0047E5E6

Strings

Content-Type: application/x-www-form-urlencoded; charset=UTF-8;, xrefs: 0047E170, 0047E194, 0047E195
GET, xrefs: 0047E1BA
<, xrefs: 0047E08D
POST, xrefs: 0047E162
HTTPDownloader, xrefs: 0047E0C9

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Internet$CloseHandle$File$ConnectCrackCreateOpenReadWrite_memset
String ID: <$Content-Type: application/x-www-form-urlencoded; charset=UTF-8;$GET$HTTPDownloader$POST
API String ID: 1421527622-246836014
Opcode ID: 48c8663b00465a6797a1c17b4897ae030462c433898ed869760fc1637174f6da
Instruction ID: 0b74eb504d167b019270e2a4ce9f90fcf256779fc82808f597aa11caa52a835c
Opcode Fuzzy Hash: 48c8663b00465a6797a1c17b4897ae030462c433898ed869760fc1637174f6da
Instruction Fuzzy Hash: 83F181701083419FE720DF25C845B9BB7E8BB88718F108B6EF5A9972D0D778D905CB9A

Function 00483070 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004830C0

Part of subcall function 00483860: _vswprintf_s.LIBCMT ref: 00483870

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?), ref: 004830F1
DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 00483135
_memset.LIBCMT ref: 0048318B
DeviceIoControl.KERNEL32 ref: 0048320E
CloseHandle.KERNEL32(00000000,?,?,?,?,?), ref: 004832BA

Strings

\\.\PhysicalDrive%d, xrefs: 004830C6

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ControlDevice_memset$CloseCreateFileHandle_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 1038176960-2935326385
Opcode ID: da542eeb89de7324432b8145120ca7ce58ba442e1ddd121a664c65cbc249384f
Instruction ID: f3898ba99fe75acfd9b1f1efb0af23f0974ef8e624e69a4ed446c6e77d0c0313
Opcode Fuzzy Hash: da542eeb89de7324432b8145120ca7ce58ba442e1ddd121a664c65cbc249384f
Instruction Fuzzy Hash: E26119B15083809ED360DF69C854BABBBE4BBC9704F044E2EF6D887291E7B89544CB57

Function 004834E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00483860: _vswprintf_s.LIBCMT ref: 00483870

CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,00000000), ref: 00483539
_memset.LIBCMT ref: 00483575
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002000,?,00000000), ref: 004835A3
_memset.LIBCMT ref: 004835FF
DeviceIoControl.KERNEL32(00000000,002D0C10,00000000,00000000,?,00002000,?,00000000), ref: 00483625
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00483666

Strings

\\.\PhysicalDrive%d, xrefs: 0048351B

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ControlDevice_memset$CloseCreateFileHandle_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 1038176960-2935326385
Opcode ID: 39029b944d379be02082c04c6c92d5ba017d879924236a72e6ec1fe828d804ac
Instruction ID: cf365d9a303a816d5872ede22f580b52e5c7ab1f6516214c2db05c6edb1a7025
Opcode Fuzzy Hash: 39029b944d379be02082c04c6c92d5ba017d879924236a72e6ec1fe828d804ac
Instruction Fuzzy Hash: 0A4153B1504300AFD320EF69C885F6BB3E8BB88748F404E2EF55596651E774EA09CB96

Function 00483509 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00483860: _vswprintf_s.LIBCMT ref: 00483870

CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,00000000), ref: 00483539
_memset.LIBCMT ref: 00483575
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002000,?,00000000), ref: 004835A3
_memset.LIBCMT ref: 004835FF
DeviceIoControl.KERNEL32(00000000,002D0C10,00000000,00000000,?,00002000,?,00000000), ref: 00483625
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00483666

Strings

\\.\PhysicalDrive%d, xrefs: 0048351B

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ControlDevice_memset$CloseCreateFileHandle_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 1038176960-2935326385
Opcode ID: 9eb62af13c80dab98ea1cfe9dc343091b5efebd0cd05ff24226a551f267b2d85
Instruction ID: 8339faf587d4618df9dfe7b0c4efb13d2807381d430c8089faac255bd272f8c1
Opcode Fuzzy Hash: 9eb62af13c80dab98ea1cfe9dc343091b5efebd0cd05ff24226a551f267b2d85
Instruction Fuzzy Hash: 8D4181B1504300AFD330EF29C885F6BB3E8BB88708F404E2DF55596681E774EA09CB95

Function 004697C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004697CA
OleInitialize.OLE32(00000000), ref: 004697D2

Part of subcall function 00469AA0: GetCurrentThreadId.KERNEL32 ref: 00469ADB

LoadStringW.USER32(?,00000067,004C63CC,00000064), ref: 004697FE
LoadStringW.USER32(?,0000006D,37Lander,00000064), ref: 0046980A

Part of subcall function 00469840: LoadIconW.USER32 ref: 00469875
Part of subcall function 00469840: LoadCursorW.USER32(00000000,00007F00), ref: 00469886
Part of subcall function 00469840: RegisterClassExW.USER32 ref: 004698B4

Part of subcall function 00462220: EnterCriticalSection.KERNEL32(004C8338), ref: 0046280F
Part of subcall function 00462220: GetCurrentThreadId.KERNEL32 ref: 00462815
Part of subcall function 00462220: LeaveCriticalSection.KERNEL32(004C8338,004B5404,?), ref: 00462835

Part of subcall function 00469A00: DeleteCriticalSection.KERNEL32(004C8358,75C0EBF0,00000000,0046981F), ref: 004699EF

OleUninitialize.OLE32 ref: 0046981F
CoUninitialize.COMBASE ref: 00469825

Strings

37Lander, xrefs: 00469802

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Load$CriticalSection$CurrentInitializeStringThreadUninitialize$ClassCursorDeleteEnterIconLeaveRegister
String ID: 37Lander
API String ID: 2168486795-3989498111
Opcode ID: f8970c7fdd1a58161d9854213971ceda1e1f1ea0e2ea8fdf9579d02677123616
Instruction ID: 0b8ff4cd4dc6173925658e8260eb098cd5427f9daee228d13a25d85c01f946a5
Opcode Fuzzy Hash: f8970c7fdd1a58161d9854213971ceda1e1f1ea0e2ea8fdf9579d02677123616
Instruction Fuzzy Hash: 41F0623164035477C3207FA9AC0BF4A7B589F85B15F414227F902972F1DAF55920C6AE

Function 00480F30 Relevance: 7.6, APIs: 5, Instructions: 65
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,75A8E9B0,00000008), ref: 00480F4C
_memset.LIBCMT ref: 00480F68
Process32FirstW.KERNEL32 ref: 00480F7E
Process32NextW.KERNEL32(00000000,00000000), ref: 00480FC5
CloseHandle.KERNEL32(00000000), ref: 00480FD3

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: fa3e16d3e49749b972a7e7c0dc76f3f7f5fe35e7cfb816d305fb43e3cd41f95d
Instruction ID: 3424d5d7b58fe7bbb6681ce520f497edc16338cbdc80c396e1de28dd831c2138
Opcode Fuzzy Hash: fa3e16d3e49749b972a7e7c0dc76f3f7f5fe35e7cfb816d305fb43e3cd41f95d
Instruction Fuzzy Hash: AB1126212202016AD670FB30CC56BEF7295AF24354F448E2AEB55862C0F7ADD509C79A

Function 0047F940 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0047F957

Part of subcall function 004909E3: __FF_MSGBANNER.LIBCMT ref: 00490A06
Part of subcall function 004909E3: __NMSG_WRITE.LIBCMT ref: 00490A0D
Part of subcall function 004909E3: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C,00498BFF), ref: 00490A5A

_malloc.LIBCMT ref: 0047F97C
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0047F98C

Part of subcall function 0047F8F0: __snwprintf_s.LIBCMT ref: 0047F932

GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0047F967

Part of subcall function 00490906: __lock.LIBCMT ref: 00490924
Part of subcall function 00490906: ___sbh_find_block.LIBCMT ref: 0049092F
Part of subcall function 00490906: ___sbh_free_block.LIBCMT ref: 0049093E
Part of subcall function 00490906: HeapFree.KERNEL32(00000000,?,004BB1F0,0000000C,0049AA02,00000000,?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C), ref: 0049096E
Part of subcall function 00490906: GetLastError.KERNEL32(?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C,00498BFF,?,?,?,0049AABC,0000000D), ref: 0049097F

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: AdaptersHeapInfo_malloc$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock__snwprintf_s
String ID:
API String ID: 531247599-0
Opcode ID: 82d2b5489058df5650fbcd5bf811a472200cb9da8bfad8ae898285b73c30a68f
Instruction ID: ceda9a1a9c2a7177615b2b39df6d6a3ca0b38fe9052dbaf64be7fb8374001254
Opcode Fuzzy Hash: 82d2b5489058df5650fbcd5bf811a472200cb9da8bfad8ae898285b73c30a68f
Instruction Fuzzy Hash: 7111E9F26412106FAA50AA259C016FF73989E91724F24853FFD5987302EB2C9D4DD2DF

Function 00481040 Relevance: 61.6, APIs: 6, Strings: 29, Instructions: 307
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Hintsoft\PubwinClient,00000000,00000001,?,?,?,?,00481AE9), ref: 00481061
RegCloseKey.ADVAPI32(?,?,00481AE9), ref: 0048106C
RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Hintsoft\pubwin,00000000,00000001,?,?,00481AE9), ref: 0048108E
RegCloseKey.ADVAPI32(?,?,00481AE9), ref: 00481099

Strings

SOFTWARE\Hintsoft1\XunShanPro, xrefs: 00481131
SOFTWARE\MpSoft\VOD, xrefs: 004812B4
SOFTWARE\Hintsoft\PubwinClient, xrefs: 00481053
wbc.exe, xrefs: 00481286
DeepinStatus.exe, xrefs: 00481310
qK, xrefs: 004811EE
SOFTWARE\Sicent\wx2004Clt, xrefs: 004810AD, 004811B2
LBSserver.exe, xrefs: 004812CB
SOFTWARE\Goyoo\i8desk, xrefs: 0048111A
LrK, xrefs: 00481241
SOFTWARE\, xrefs: 0048118D
SOFTWARE\Grabsun\Netsense, xrefs: 004811D7
connetbar.exe, xrefs: 00481258
SOFTWARE\Hintsoft\pubwin, xrefs: 00481080
SOFTWARE\MpSoft\smenu, xrefs: 004810D5
\SOFTWARE\TyDyy.com, xrefs: 0048133E
SOFTWARE\Microsoft\jingzu, xrefs: 004810EC
SOFTWARE\iCafe8, xrefs: 00481103, 004811A4
SOFTWARE\SyncExpertNetBar, xrefs: 00481148
sunflowerTools.exe, xrefs: 0048129D
SOFTWARE\Sicent\WxAdv, xrefs: 004811C9
Txwu.exe, xrefs: 00481233
SOFTWARE\Richtech, xrefs: 00481176
SOFTWARE\MpSoft\scon, xrefs: 0048126F
QQmenu.exe, xrefs: 0048121C
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00481327
TLnbLdr.exe, xrefs: 004812F9
SOFTWARE\EYOOCLIENTSTATUS, xrefs: 0048115F
\QvodNetBar\install, xrefs: 004812E2

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseOpen
String ID: DeepinStatus.exe$LBSserver.exe$LrK$QQmenu.exe$SOFTWARE\$SOFTWARE\EYOOCLIENTSTATUS$SOFTWARE\Goyoo\i8desk$SOFTWARE\Grabsun\Netsense$SOFTWARE\Hintsoft1\XunShanPro$SOFTWARE\Hintsoft\PubwinClient$SOFTWARE\Hintsoft\pubwin$SOFTWARE\Microsoft\jingzu$SOFTWARE\MpSoft\VOD$SOFTWARE\MpSoft\scon$SOFTWARE\MpSoft\smenu$SOFTWARE\Richtech$SOFTWARE\Sicent\WxAdv$SOFTWARE\Sicent\wx2004Clt$SOFTWARE\SyncExpertNetBar$SOFTWARE\iCafe8$TLnbLdr.exe$Txwu.exe$\QvodNetBar\install$\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$\SOFTWARE\TyDyy.com$connetbar.exe$sunflowerTools.exe$wbc.exe$qK
API String ID: 47109696-2383407924
Opcode ID: 6f9cebfeffb35700dcd30f9e404912f790137225088574edcd11f76c126da9e7
Instruction ID: d1b5b36521313196ac4277a3f8b245642a7662761b19879cda208bbfd2829531
Opcode Fuzzy Hash: 6f9cebfeffb35700dcd30f9e404912f790137225088574edcd11f76c126da9e7
Instruction Fuzzy Hash: 9671646231415002DA24779DA4017ED83898FC53FAF2548BFFB46DBBE1CB5D8887A369

Function 0047F6D0 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 167
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0047F719
_memset.LIBCMT ref: 0047F739
MultiByteToWideChar.KERNEL32(00000000,00000000,00000008,0000000A,?,0000000A,?,?,?,?,00000000,00000000), ref: 0047F769
__snwprintf_s.LIBCMT ref: 0047F78A
RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020019,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0047F7AE

Strings

PnpInstanceID, xrefs: 0047F808
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection, xrefs: 0047F778
MediaSubType, xrefs: 0047F8A2
pci, xrefs: 0047F851

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memset$ByteCharMultiOpenWide__snwprintf_s
String ID: MediaSubType$PnpInstanceID$System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection$pci
API String ID: 381994169-3020186376
Opcode ID: 7bee4e27d8735b5509b8323f3b0bd7e0064460ec98eb8221aef09604e1fdb847
Instruction ID: 68ccf66a788fb6ef1834f55c1c940ca3e03566432b3848b4e730f1c96edca0d3
Opcode Fuzzy Hash: 7bee4e27d8735b5509b8323f3b0bd7e0064460ec98eb8221aef09604e1fdb847
Instruction Fuzzy Hash: 065177B1504301AFD724EB50CC81FEB77ECAF98358F404A2EB58997191E778D509CBAA

Function 00462360 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 332
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000), ref: 00462468
ShowWindow.USER32(00000000), ref: 0046247F

Part of subcall function 00453210: _memset.LIBCMT ref: 00453334

SendMessageW.USER32(00000000), ref: 004624C2

Part of subcall function 0049100C: _malloc.LIBCMT ref: 00491026

Strings

liK, xrefs: 0046246A, 00462477, 004625DE, 004625EA, 004625FB, 0046260A, 004626AB, 004626C3, 004626D1, 004626DF
liK, xrefs: 004623F7, 0046244D, 0046245A, 00462526, 00462626, 00462631, 00462642, 00462652, 00462697, 004626EF, 004626FD, 00462707, 00462713, 00462721, 0046272F

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ShowWindow$MessageSend_malloc_memset
String ID: liK$liK
API String ID: 414038305-3926822142
Opcode ID: fa81db6c443367ef772d26681c34548c224eae7daed8a408a9dfce91e5f2c2bc
Instruction ID: 8f9e0aeb898dc7f266b0a1927e8849a67004c0a1ab81777016583668f7966463
Opcode Fuzzy Hash: fa81db6c443367ef772d26681c34548c224eae7daed8a408a9dfce91e5f2c2bc
Instruction Fuzzy Hash: 26C19F756042009FD754DFA8D880F2AB7E5FBC8714F10863EF94987350EB79A845CBAA

Function 00491356 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___set_flsgetvalue.LIBCMT ref: 0049135C

Part of subcall function 0049A823: TlsGetValue.KERNEL32(?,00491361), ref: 0049A82C
Part of subcall function 0049A823: __decode_pointer.LIBCMT ref: 0049A83E
Part of subcall function 0049A823: TlsSetValue.KERNEL32(00000000,00491361), ref: 0049A84D

___fls_getvalue@4.LIBCMT ref: 00491367

Part of subcall function 0049A803: TlsGetValue.KERNEL32(?,?,0049136C,00000000), ref: 0049A811

___fls_setvalue@8.LIBCMT ref: 0049137A

Part of subcall function 0049A857: __decode_pointer.LIBCMT ref: 0049A868

GetLastError.KERNEL32(00000000,?,00000000), ref: 00491383
ExitThread.KERNEL32 ref: 0049138A
GetCurrentThreadId.KERNEL32 ref: 00491390
__freefls@4.LIBCMT ref: 004913B0
__IsNonwritableInCurrentImage.LIBCMT ref: 004913C3

Strings

tyI, xrefs: 004913B5, 004913BE, 004913CD

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID: tyI
API String ID: 1925773019-1564746261
Opcode ID: 721d66796f485deecd7ca905f60b5988f1d40e050f16060402ad67b46496c570
Instruction ID: d10a706e9920c5925dc9bc658f54789d9199cc170f726f1837abba009c902b3f
Opcode Fuzzy Hash: 721d66796f485deecd7ca905f60b5988f1d40e050f16060402ad67b46496c570
Instruction Fuzzy Hash: 70012174500201AFDB18BB62D909D5E7FA99F44348710857EEC05D7622DA3CC852CA9E

Function 004832F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00483860: _vswprintf_s.LIBCMT ref: 00483870

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?), ref: 00483356
_memset.LIBCMT ref: 0048337C
_memcpy_s.LIBCMT ref: 004833AF
DeviceIoControl.KERNEL32 ref: 004833E2
CloseHandle.KERNEL32(00000000), ref: 004834A6

Strings

\\.\Scsi%d:, xrefs: 0048332B
SCSIDISK, xrefs: 00483383

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memcpy_s_memset_vswprintf_s
String ID: SCSIDISK$\\.\Scsi%d:
API String ID: 2759781257-2176293039
Opcode ID: 6c3af13544b2f6531640b3a3abeb96af0f59d2ad8b7a4c0cdd5b5cd80fdf291c
Instruction ID: a9069b8b54287551b19e8d6eeed792e9de5c7add2b79ff23a32c34d8c56644a0
Opcode Fuzzy Hash: 6c3af13544b2f6531640b3a3abeb96af0f59d2ad8b7a4c0cdd5b5cd80fdf291c
Instruction Fuzzy Hash: D4415BB05083409BD334DF25C885B6BB7E4BBC8B05F40491EFAD996291E7B89548CB5A

Function 004913D9 Relevance: 10.6, APIs: 7, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___set_flsgetvalue.LIBCMT ref: 0049140A
__calloc_crt.LIBCMT ref: 00491416
__getptd.LIBCMT ref: 00491423
__initptd.LIBCMT ref: 0049142C
CreateThread.KERNEL32(?,?,00491356,00000000,?,?), ref: 0049145A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00491464
__dosmaperr.LIBCMT ref: 0049147C

Part of subcall function 004974C6: __getptd_noexit.LIBCMT ref: 004974C6

Part of subcall function 00491735: __decode_pointer.LIBCMT ref: 00491740

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
String ID:
API String ID: 3358092440-0
Opcode ID: e5322eb4d9cd110d5c34f2183c3930919b4e54033834b88694205051df2635b5
Instruction ID: dcf85f5cb9e4d9d4a37837c999e6d2c40302297bf75cdf65a592699783313585
Opcode Fuzzy Hash: e5322eb4d9cd110d5c34f2183c3930919b4e54033834b88694205051df2635b5
Instruction Fuzzy Hash: 7611EB72504206AFDF10BFA5DC4289F7FA4EF04368B10407FF50597161E7398911D7A9

Function 00463E69 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,00000000,?,?), ref: 00463F4F
PathFileExistsW.SHLWAPI(?,6A8A24C0), ref: 00463FF9

Strings

state, xrefs: 00463ECC
2, xrefs: 00463EF1
-, xrefs: 00463F71
`OK, xrefs: 00463F25

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: File$DeleteExistsPath
String ID: -$2$`OK$state
API String ID: 4234011339-3321876057
Opcode ID: 2b2f934eff8d96dea7dbd1bf805e83b930ae3555a5035a210f3fd53ffa6bc68a
Instruction ID: d56091164d234d8d986d1776879fb0b99a900cddfedeb522c7f2bd80e196af40
Opcode Fuzzy Hash: 2b2f934eff8d96dea7dbd1bf805e83b930ae3555a5035a210f3fd53ffa6bc68a
Instruction Fuzzy Hash: 9A31AF311083818FD779EB15C4557EEB7E9AFD5308F40895EE58913282DB385A09CBAB

Function 00469840 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconW.USER32 ref: 00469875
LoadCursorW.USER32(00000000,00007F00), ref: 00469886
RegisterClassExW.USER32 ref: 004698B4

Strings

0, xrefs: 00469849
37Lander, xrefs: 004698A8

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Load$ClassCursorIconRegister
String ID: 0$37Lander
API String ID: 738324305-3700166263
Opcode ID: 253854a41ad20a6928dc40bb6d517f7cc3dadfdbfb65e701117c28a6a50da902
Instruction ID: bb8fbe3425908a097d17c36c4967c81b074fd601eb329fc38815d0af35cbd1c6
Opcode Fuzzy Hash: 253854a41ad20a6928dc40bb6d517f7cc3dadfdbfb65e701117c28a6a50da902
Instruction Fuzzy Hash: 15F097B04083419FE700DF64C458B0BBFE4BB84348F408E1DF4999A2A1E3B9820DCF8A

Function 004912D8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 19
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 004912EB

Part of subcall function 0049ADF0: __FindPESection.LIBCMT ref: 0049AE4B

__getptd_noexit.LIBCMT ref: 004912FB
__freeptd.LIBCMT ref: 00491305
ExitThread.KERNEL32 ref: 0049130E

Strings

tyI, xrefs: 004912DD, 004912E6, 004912F5

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
String ID: tyI
API String ID: 3182216644-1564746261
Opcode ID: 3a73914c3c5cb3d6189f7364bbd24c2e05a2457dea743dad82f7e5040d877e00
Instruction ID: 6ea73cb52972bfef8b4d13c950ae1d3cac9138abe717ee20206dfd0ae36e8746
Opcode Fuzzy Hash: 3a73914c3c5cb3d6189f7364bbd24c2e05a2457dea743dad82f7e5040d877e00
Instruction Fuzzy Hash: C5D0123404060267DF193766DD1D71A3E69BB41316F14057EF904D15B1DFA8D990C5BD

Function 00482C10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00000000,0047FA5E,?,00000000,00481C22,?,00000007,00000008), ref: 00482C35
GetProcessAffinityMask.KERNEL32(00000000,00000004,00000008), ref: 00482C46

Strings

000806F8-00010800-7FFA3203-0F8BFBFF, xrefs: 00482C24, 00482C7F

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID: 000806F8-00010800-7FFA3203-0F8BFBFF
API String ID: 1231390398-3195693976
Opcode ID: 3a7f2daaf5fb419eb4f2608440b72b9bb797fc9cdf110d6d379fad633610175b
Instruction ID: 4f1874bbb1c0e56d45d82e758fcc547ccdd78befb8005049f115a70a38c9ee7c
Opcode Fuzzy Hash: 3a7f2daaf5fb419eb4f2608440b72b9bb797fc9cdf110d6d379fad633610175b
Instruction Fuzzy Hash: 6901B5362011185FD7609F19FC84BABB3E8FB81321F10497FF809C7610DAB59C459754

Function 0045FE30 Relevance: 6.1, APIs: 4, Instructions: 89windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 0045FE7F
DefWindowProcW.USER32(?,?,?,?,?,?,?,?), ref: 0045FEA8

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: 4f4f4d8a2f9febf20f2d0539e1ef2a5ac40012c6dbf35dca3c19c931f4af48ec
Instruction ID: aad86407ebda4bcd8d3816eb99924bf0949c9a3bf8d75d9e635288677960d575
Opcode Fuzzy Hash: 4f4f4d8a2f9febf20f2d0539e1ef2a5ac40012c6dbf35dca3c19c931f4af48ec
Instruction Fuzzy Hash: 9B21C57330410867D714DE6DAC49EAB7359EB89322F144637FE09C7692DA249C1483AA

Function 00469620 Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(004B5420,00000000,00000000,00000000,00000000), ref: 0046963D
GetMessageW.USER32(004B5420,00000000,00000000,00000000), ref: 0046965F
TranslateMessage.USER32(004B5420), ref: 0046967C
DispatchMessageW.USER32(004B5420), ref: 00469683

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 7f96d1d111aa591b72bc74d7fefee1a6c7dc71fd5f331ebe01fdaebb0d61938d
Instruction ID: dc083664a1f2b947bd20b60bc784c35ccc1e182cc64421e4e691a837ee6eff82
Opcode Fuzzy Hash: 7f96d1d111aa591b72bc74d7fefee1a6c7dc71fd5f331ebe01fdaebb0d61938d
Instruction Fuzzy Hash: 1C115B303423056BE7245A68DC98BAB736CEF45344F644216E611DA2E0F7B9EC16869F

Function 00457360 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 004573BD
_memcpy_s.LIBCMT ref: 0045741E

Strings

about:blank, xrefs: 004573A2, 00457418

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String_base::_Xlen_memcpy_sstd::_
String ID: about:blank
API String ID: 923394732-258612819
Opcode ID: f0bba5e8c2535d8d4f984193eea386e54b7bdb6470c33940219f26a1d13095ee
Instruction ID: e10435239e2d429f34b11fd57d32cf50ea13ac9161265c5141ffbfed111157ca
Opcode Fuzzy Hash: f0bba5e8c2535d8d4f984193eea386e54b7bdb6470c33940219f26a1d13095ee
Instruction Fuzzy Hash: EF31B6713086008B8724DE59E9C482FB3EAEFD6312350493FED56CB612E738E849D769

Function 00461DB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

__localtime64_s.LIBCMT ref: 00461DE0
__cftof.LIBCMT ref: 00461DFC

Strings

%Y-%m-%d %H:%M:%S, xrefs: 00461DF1

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __cftof__localtime64_s
String ID: %Y-%m-%d %H:%M:%S
API String ID: 1985225485-1763325376
Opcode ID: 19365608cb843dc275f8ff1d03f1bdc8f5e803a6da692a4661076768d2a138bd
Instruction ID: f4631ec264e976ddc2c1a257e90104668739890aec5bc8aa07ba63c2ba026b82
Opcode Fuzzy Hash: 19365608cb843dc275f8ff1d03f1bdc8f5e803a6da692a4661076768d2a138bd
Instruction Fuzzy Hash: E6F0A4715143005BD760E724C942BFF76D4AF98705F04092EFD85C6250FA38E624C79B

Function 00481000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\MpSoft\smenu,00000000,00000001,-00000002,00000008,SOFTWARE\MpSoft\smenu,004810DF,?,00481AE9), ref: 00481016
RegCloseKey.ADVAPI32(-00000002,?,00481AE9), ref: 00481027

Strings

SOFTWARE\MpSoft\smenu, xrefs: 00481000, 0048100C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseOpen
String ID: SOFTWARE\MpSoft\smenu
API String ID: 47109696-256314576
Opcode ID: edf2fa2f7d5c9bf4f402438bf21270ceeb4d8c23434ee8f7ba6fea3dc985a463
Instruction ID: 873a400f418687dd1b0290f2988910c8e8de8bbb26455dcff6aab73918611d84
Opcode Fuzzy Hash: edf2fa2f7d5c9bf4f402438bf21270ceeb4d8c23434ee8f7ba6fea3dc985a463
Instruction Fuzzy Hash: AAD05BF51453047FF3009F50DCC9E6777ACEB54654F205A2FF54582521E6B1DC849B61

Function 0049100C Relevance: 4.5, APIs: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00491026

Part of subcall function 004909E3: __FF_MSGBANNER.LIBCMT ref: 00490A06
Part of subcall function 004909E3: __NMSG_WRITE.LIBCMT ref: 00490A0D
Part of subcall function 004909E3: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C,00498BFF), ref: 00490A5A

std::bad_alloc::bad_alloc.LIBCMT ref: 00491049

Part of subcall function 00490FF1: std::exception::exception.LIBCMT ref: 00490FFD

__CxxThrowException@8.LIBCMT ref: 0049106B

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID:
API String ID: 3715980512-0
Opcode ID: cd827a9be48b88993810e250669b71114ca4f0e71a0b8a2ce180ffb4aad765b2
Instruction ID: a562860a76a56b82c36a29c0f9f00d3469ad090ebf969bc9d23e9f603e6992bb
Opcode Fuzzy Hash: cd827a9be48b88993810e250669b71114ca4f0e71a0b8a2ce180ffb4aad765b2
Instruction Fuzzy Hash: 64F0273150014776CF08BB22DC0BE9E3F699F40358B10403FF800A98A6DFAEEE84915C

Function 00482CA0 Relevance: 4.5, APIs: 3, Instructions: 29sleepCOMMON

Download Yara Rule

APIs

SetProcessAffinityMask.KERNEL32(?,?), ref: 00482CB6
Sleep.KERNEL32(00000000), ref: 00482CC2
SetProcessAffinityMask.KERNEL32(?,?), ref: 00482CE4

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: AffinityMaskProcess$Sleep
String ID:
API String ID: 398880829-0
Opcode ID: caba7f621f8367dc9632a05fb67698a6281ec647f0b71c79c7f8b4a1defc21e5
Instruction ID: 6a29e3d004cb85b80939e943fbf754084ed079af5d6c177f100555dac38e3dc1
Opcode Fuzzy Hash: caba7f621f8367dc9632a05fb67698a6281ec647f0b71c79c7f8b4a1defc21e5
Instruction Fuzzy Hash: B5F012753006019BD724EB61CA54E2F73E8AF54B42B50CD2EF856C3790D7B8D880DB28

Function 0046EBD0 Relevance: 3.1, APIs: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046EC7D
GetPrivateProfileStringW.KERNEL32(?,?,?,?,00000104,?), ref: 0046ECEF

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: PrivateProfileString_memset
String ID:
API String ID: 52020338-0
Opcode ID: 58d4d9a12d8a1c13c3bdc0e298cca58a9983d4f703ca6481d5c757ef08a2c7cc
Instruction ID: 7f83581d13d0def05e9dc7bb50dbd6b326ec2913ab28b98ef96225f921faffdc
Opcode Fuzzy Hash: 58d4d9a12d8a1c13c3bdc0e298cca58a9983d4f703ca6481d5c757ef08a2c7cc
Instruction Fuzzy Hash: 34515EB59093819FC770EF16D989B9BB7E4FF84700F504A2EE58987251EB35A404CB8B

Function 0047EA70 Relevance: 3.1, APIs: 2, Instructions: 117COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 0047EB07
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000007,?,?,00000000,00000007), ref: 0047EB62

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseCreateEventHandle
String ID:
API String ID: 3369476804-0
Opcode ID: 696995c876d9bd120cc482a557da52048feac9fc48b4550984fbe6b5a2fe0974
Instruction ID: b350264dc4147bc7e307c44dcc38b95b4d1b717be00e288ae1ca8a26e8f303d0
Opcode Fuzzy Hash: 696995c876d9bd120cc482a557da52048feac9fc48b4550984fbe6b5a2fe0974
Instruction Fuzzy Hash: 7641B1716047019FD710DF26C881B4BBBE4FB48B14F108A6EF85A97781E778E804CB9A

Function 00456FE0 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0048F246: __EH_prolog3.LIBCMT ref: 0048F24D
Part of subcall function 0048F246: __CxxThrowException@8.LIBCMT ref: 0048F278

std::_String_base::_Xlen.LIBCPMT ref: 0045702E

Part of subcall function 0048F20E: __EH_prolog3.LIBCMT ref: 0048F215
Part of subcall function 0048F20E: __CxxThrowException@8.LIBCMT ref: 0048F240

_memcpy_s.LIBCMT ref: 004570A9

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8H_prolog3Throw$String_base::_Xlen_memcpy_sstd::_
String ID:
API String ID: 3844211992-0
Opcode ID: 720289a40c7c061592ea68e8ec4d969c94317678f6a8a50dd55772deedb361d6
Instruction ID: f21e3439a650652ffc0a1f5ff46f7abb2faf9bca960dd6b6fa18d8a96d25727f
Opcode Fuzzy Hash: 720289a40c7c061592ea68e8ec4d969c94317678f6a8a50dd55772deedb361d6
Instruction Fuzzy Hash: 133109323042048B8720EF68E9C082BF3E5EFA1716310497FE855CB292D735E94DC7A9

Function 004628F0 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004628F5
IsWindowVisible.USER32(00000000), ref: 00462956

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$ForegroundVisible
String ID:
API String ID: 4078700383-0
Opcode ID: 6c2a2a6aedfdef41d40a7406949041cc53637a456eb4ff2155e36027b6c71570
Instruction ID: dbfd2f92f8e45736d0589e1eac4db5aba1cb586b1420891682e528021164a8a2
Opcode Fuzzy Hash: 6c2a2a6aedfdef41d40a7406949041cc53637a456eb4ff2155e36027b6c71570
Instruction Fuzzy Hash: EF219DB53006019FD720EB28C884FA7B3A9AFC4314F15847AEA45CB320EB75AC45CB64

Function 00457A00 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00457A35
__CxxThrowException@8.LIBCMT ref: 00457A4C

Part of subcall function 0049100C: _malloc.LIBCMT ref: 00491026

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 2d11708e951f66f1bbfeb943cffffb7156bcdb5c63b3c3dea56af56483e606ab
Instruction ID: cb209e357de410b9f6be5aa6937413b319aab4f7ff5c2c38efa6f32b043c2e02
Opcode Fuzzy Hash: 2d11708e951f66f1bbfeb943cffffb7156bcdb5c63b3c3dea56af56483e606ab
Instruction Fuzzy Hash: 6CE02BF000820266D70CEB50D402A9F3A90AB90314F50CE7FF47A81592FB78821DC55A

Function 004794D0 Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,004C63CC,?,80000000,?,?,?,?,00000000,00000000,6A8A24C0,00000000), ref: 00479508
SetWindowTextW.USER32(00000000), ref: 00479526

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$CreateText
String ID:
API String ID: 1475799734-0
Opcode ID: f4705e4940b8a3e35563eb9e46f4814ad042d87e29dfe78a8f79b7a40099fdc0
Instruction ID: 8dbab90f993958bdcf4dc339e480c9814c1e6a3a84c8ebd0d0ae87665c36165d
Opcode Fuzzy Hash: f4705e4940b8a3e35563eb9e46f4814ad042d87e29dfe78a8f79b7a40099fdc0
Instruction Fuzzy Hash: 75F0C4B6214711EFE724CF54D845FABB3E9EB88710F508A1DB59A93280C774AC41CB75

Function 00491315 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00491321

Part of subcall function 0049AA11: __getptd_noexit.LIBCMT ref: 0049AA14
Part of subcall function 0049AA11: __amsg_exit.LIBCMT ref: 0049AA21

Part of subcall function 004912D8: __IsNonwritableInCurrentImage.LIBCMT ref: 004912EB
Part of subcall function 004912D8: __getptd_noexit.LIBCMT ref: 004912FB
Part of subcall function 004912D8: __freeptd.LIBCMT ref: 00491305
Part of subcall function 004912D8: ExitThread.KERNEL32 ref: 0049130E

__XcptFilter.LIBCMT ref: 00491342

Part of subcall function 0049AEAD: __getptd_noexit.LIBCMT ref: 0049AEB5

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 393088965-0
Opcode ID: f5ad1ecaf9697fbb3b3fdd7b3f19efb3fdce34d56f6aa1eb1820732396963618
Instruction ID: eb3b8a154f9ff80a9d8b7ccda9e470a4dcedd75806cdc21ee9ecfb491d638a9f
Opcode Fuzzy Hash: f5ad1ecaf9697fbb3b3fdd7b3f19efb3fdce34d56f6aa1eb1820732396963618
Instruction Fuzzy Hash: F0E086709406049FDF08FBA1C806F7E3B25DF04304F20009EF101672A1CB795D00DB69

Function 0049A40E Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0049A426

Part of subcall function 00498BE4: __mtinitlocknum.LIBCMT ref: 00498BFA
Part of subcall function 00498BE4: __amsg_exit.LIBCMT ref: 00498C06
Part of subcall function 00498BE4: EnterCriticalSection.KERNEL32(?,?,?,0049AABC,0000000D,004BB768,00000008,004913B5,?,00000000), ref: 00498C0E

__tzset_nolock.LIBCMT ref: 0049A437

Part of subcall function 00499CF9: __lock.LIBCMT ref: 00499D1B
Part of subcall function 00499CF9: __get_daylight.LIBCMT ref: 00499D30
Part of subcall function 00499CF9: __invoke_watson.LIBCMT ref: 00499D3F
Part of subcall function 00499CF9: __get_daylight.LIBCMT ref: 00499D4B
Part of subcall function 00499CF9: __invoke_watson.LIBCMT ref: 00499D5A
Part of subcall function 00499CF9: __get_daylight.LIBCMT ref: 00499D66
Part of subcall function 00499CF9: __invoke_watson.LIBCMT ref: 00499D75
Part of subcall function 00499CF9: ____lc_codepage_func.LIBCMT ref: 00499D7D
Part of subcall function 00499CF9: __getenv_helper_nolock.LIBCMT ref: 00499D9F
Part of subcall function 00499CF9: _strlen.LIBCMT ref: 00499DDD
Part of subcall function 00499CF9: __malloc_crt.LIBCMT ref: 00499DE4
Part of subcall function 00499CF9: _strlen.LIBCMT ref: 00499DFA

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __get_daylight__invoke_watson$__lock_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock
String ID:
API String ID: 4157481694-0
Opcode ID: efa1372f723a516f8b24e9aa1a5ba88a5edc37be958103b13e2e3824108b8269
Instruction ID: 19833e931c5f11f0dc61cde7fe2595e3ca9883150f85415b71ff37f66a74ae04
Opcode Fuzzy Hash: efa1372f723a516f8b24e9aa1a5ba88a5edc37be958103b13e2e3824108b8269
Instruction Fuzzy Hash: D2E08630480B149ACE526BA2580754D7AA0A710759B24413FB40415182CDF81A80CBDF

Function 00479A20 Relevance: 3.0, APIs: 2, Instructions: 15windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?), ref: 00479A2B
KiUserCallbackDispatcher.NTDLL(?), ref: 00479A3C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CallbackDispatcherFocusUser
String ID:
API String ID: 1077007772-0
Opcode ID: f994b1f74cbd1831d1b85f18eb22ad35cf21d0bc0ff321e4295e212436fa88c1
Instruction ID: bb7773964e8ef71ba955d02aebf272cb6af6adb2c12f103e1ad9569695426727
Opcode Fuzzy Hash: f994b1f74cbd1831d1b85f18eb22ad35cf21d0bc0ff321e4295e212436fa88c1
Instruction Fuzzy Hash: B9D0C735A0673147D7309F2878446C777986F057107454559FC45E3714D624AC4145F9

Function 004952EB Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 004952F3

Part of subcall function 004952C0: GetModuleHandleW.KERNEL32(mscoree.dll,?,004952F8,?,?,00490A1C,000000FF,0000001E,?,00497326,?,00000001,?,?,00498B6E,00000018), ref: 004952CA
Part of subcall function 004952C0: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004952DA

ExitProcess.KERNEL32 ref: 004952FC

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 9aefce685397eee3e5cb3b795e8f9929a957ca2e691bd246f1a8d1c19f4dc839
Instruction ID: c59aa8d9c9c3d78c0e19f0c909e42d31db0c819cb5838090b9a80c75a3e8b362
Opcode Fuzzy Hash: 9aefce685397eee3e5cb3b795e8f9929a957ca2e691bd246f1a8d1c19f4dc839
Instruction Fuzzy Hash: 3CB09231004248BBCF022F16DC0A88D3F6AEB803A0BA040B5F90809072DF72AD929A88

Function 0046EE10 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0046EEC5

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: ce289e096d241c7115d197daa36d8ed272433835fd6b12081072288fe2a56bba
Instruction ID: 6561ad3d167b71de5a7d25c991db639ad0bc42b41b63ca5051ce35f55beb3517
Opcode Fuzzy Hash: ce289e096d241c7115d197daa36d8ed272433835fd6b12081072288fe2a56bba
Instruction Fuzzy Hash: 484136759087809FD720EB22C941B4BB7E5BBC5714F504E2EF19983250EB799444CF8B

Function 0046EF80 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 0046F01F

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: PrivateProfile
String ID:
API String ID: 1469295129-0
Opcode ID: e3a41aba4ce8bd85f752e09b146e03af29bb6316ce5de6be51ab81ba82862784
Instruction ID: e591a3a2f12169ce2225fb19855776b091f3d6541356d65eed89ef14187511c6
Opcode Fuzzy Hash: e3a41aba4ce8bd85f752e09b146e03af29bb6316ce5de6be51ab81ba82862784
Instruction Fuzzy Hash: BF315775908780EFD710EB61D845B0BBBE4AB88714F504E2EF49583291EB79E448CF5B

Function 00498A38 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00498A4D

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 2ef8454525e160c3130ec3568d28e468a60707cf86a4edf41c630b0039d84ad3
Instruction ID: bbe32718e185d9d317ee28e33bf1540342c386835073c25cd7551310a96b38fd
Opcode Fuzzy Hash: 2ef8454525e160c3130ec3568d28e468a60707cf86a4edf41c630b0039d84ad3
Instruction Fuzzy Hash: F8D05E72990704AEEB009F756C08B2A3BDCA7883A5F10443AB90CC6260E674D990DA48

Function 00495507 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00495513

Part of subcall function 004953DB: __lock.LIBCMT ref: 004953E9
Part of subcall function 004953DB: __decode_pointer.LIBCMT ref: 00495420
Part of subcall function 004953DB: __decode_pointer.LIBCMT ref: 00495435
Part of subcall function 004953DB: __decode_pointer.LIBCMT ref: 0049545F
Part of subcall function 004953DB: __decode_pointer.LIBCMT ref: 00495475
Part of subcall function 004953DB: __decode_pointer.LIBCMT ref: 00495482
Part of subcall function 004953DB: __initterm.LIBCMT ref: 004954B1
Part of subcall function 004953DB: __initterm.LIBCMT ref: 004954C1

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: b9d9d7431f6ee5fee030a0e8f5705fd9287922bd10aa8816768083ab13088074
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: F2B0923258420833EA212542AC03F463F1A87C0BA4E340021BA0C1D1A1A9E2B9618589

Non-executed Functions

Function 0049F60B Relevance: 66.4, APIs: 44, Instructions: 432COMMONLIBRARYCODE

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 0049F642
___getlocaleinfo.LIBCMT ref: 0049F657
___getlocaleinfo.LIBCMT ref: 0049F66C
___getlocaleinfo.LIBCMT ref: 0049F681
___getlocaleinfo.LIBCMT ref: 0049F699
___getlocaleinfo.LIBCMT ref: 0049F6AE
___getlocaleinfo.LIBCMT ref: 0049F6C0
___getlocaleinfo.LIBCMT ref: 0049F6D5
___getlocaleinfo.LIBCMT ref: 0049F6ED
___getlocaleinfo.LIBCMT ref: 0049F702

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 0a3cdc05b05325e8e3e957833f71a0927c83a54029c58aa3e8760ce2f9bc2230
Instruction ID: 5631648563a3985a9bd1070e9b72eed76cafe7681b0678ee4b6ac8b1b24996e2
Opcode Fuzzy Hash: 0a3cdc05b05325e8e3e957833f71a0927c83a54029c58aa3e8760ce2f9bc2230
Instruction Fuzzy Hash: 39E1EFB290061DBEEF11DAE1CC81EFF7BBDFB54748F04093AB255D2041EA74AA099764

Function 0046CA50 Relevance: 27.1, APIs: 9, Strings: 6, Instructions: 801timeCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0046CCC2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,The world,opera,knbcenter,Thunder,ThunderPlatform,Safari,Maxthon,iexplore), ref: 0046CCE5
_memset.LIBCMT ref: 0046CD25
GetLocalTime.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,The world,opera,knbcenter,Thunder,ThunderPlatform,Safari,Maxthon,iexplore), ref: 0046CDE8
__i64tow.LIBCMT ref: 0046CE87
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,?,?,0000000A,?,00000000,00000000), ref: 0046CEA4
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000010,-00000001,?,?,0000000A,?,00000000,00000000), ref: 0046CEDC
WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 0046D105
WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,00000000,00000000,00000000,00000000), ref: 0046D128

Part of subcall function 004521E0: __CxxThrowException@8.LIBCMT ref: 004521F2

Strings

SL, xrefs: 0046CE65
account=%s&server_id=%s&data=%s&RandomTime=%s, xrefs: 0046D01C
http://api.clogin.m2.6wtx.com?act=p&platform=37wan, xrefs: 0046D229
37wan, xrefs: 0046D170
The world,opera,knbcenter,Thunder,ThunderPlatform,Safari,Maxthon,iexplore, xrefs: 0046CA72
SL, xrefs: 0046CF90

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ByteCharMultiWide$Exception@8LocalThrowTime__i64tow_memset
String ID: SL$ SL$37wan$The world,opera,knbcenter,Thunder,ThunderPlatform,Safari,Maxthon,iexplore$account=%s&server_id=%s&data=%s&RandomTime=%s$http://api.clogin.m2.6wtx.com?act=p&platform=37wan
API String ID: 3756979958-1510206002
Opcode ID: 3c2a727bc8823f1db5be82e6031e7797b749613f4a8f430072eed0ac1d6b8186
Instruction ID: 0aca430738255b14be15ebb18b29521dbd20d944ed5d7277ce2ee5fc015623b4
Opcode Fuzzy Hash: 3c2a727bc8823f1db5be82e6031e7797b749613f4a8f430072eed0ac1d6b8186
Instruction Fuzzy Hash: D662B2719083809FD730EF25C881B9FB7E5BF85314F044A2EE49987251EB79A944CB9B

Function 00481510 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 437COMMON

Download Yara Rule

APIs

Part of subcall function 00457360: std::_String_base::_Xlen.LIBCPMT ref: 004573BD
Part of subcall function 00457360: _memcpy_s.LIBCMT ref: 0045741E

Part of subcall function 0046EBD0: _memset.LIBCMT ref: 0046EC7D
Part of subcall function 0046EBD0: GetPrivateProfileStringW.KERNEL32(?,?,?,?,00000104,?), ref: 0046ECEF

Part of subcall function 00456FE0: std::_String_base::_Xlen.LIBCPMT ref: 0045702E
Part of subcall function 00456FE0: _memcpy_s.LIBCMT ref: 004570A9

__time64.LIBCMT ref: 0048187F
GetCommandLineW.KERNEL32 ref: 00481A84

Strings

InstallTime, xrefs: 004817EF, 0048195F
Install, xrefs: 004815F8, 00481768, 0048181A, 00481986, 00481A61
GUID, xrefs: 004815C9, 00481741
/autorun, xrefs: 00481ABD
InstallType, xrefs: 00481A35
%Y-%m-%d %H:%M:%S, xrefs: 0048188C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String_base::_Xlen_memcpy_sstd::_$CommandLinePrivateProfileString__time64_memset
String ID: %Y-%m-%d %H:%M:%S$/autorun$GUID$Install$InstallTime$InstallType
API String ID: 3769783766-2240072467
Opcode ID: a13cc534ab09c11c992a7bccf6358f0b8c0297449d544e13e86e5a9fd996bc18
Instruction ID: f8578da067eec5ffaed7feaba109f4115225e5df4ad23c19ae1c24151db8d0f2
Opcode Fuzzy Hash: a13cc534ab09c11c992a7bccf6358f0b8c0297449d544e13e86e5a9fd996bc18
Instruction Fuzzy Hash: C202A2B19047409BD330EF2E954274BFBE4BF94714F548A2EE89987352E774A404CB9B

Function 0046C9B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0046C33B,6A8A24C0,?,?,?,00000000), ref: 0046C9BA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0046C33B,6A8A24C0,?,?,?,00000000), ref: 0046C9C1
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0046C9D7
CloseHandle.KERNEL32(?,?,?,?,0046C33B,6A8A24C0,?,?,?,00000000), ref: 0046C9E6
AdjustTokenPrivileges.ADVAPI32 ref: 0046CA24
CloseHandle.KERNEL32(00000000), ref: 0046CA33

Strings

SeDebugPrivilege, xrefs: 0046C9D0

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 158869116-2896544425
Opcode ID: c13a4a7b89cf3d054c3951653abf9a7c1ce14c4469b587597b52ddbe644deecb
Instruction ID: 90cb4d0c324881e26560fcc698642929e6987da2267650c744414569c0ee8f65
Opcode Fuzzy Hash: c13a4a7b89cf3d054c3951653abf9a7c1ce14c4469b587597b52ddbe644deecb
Instruction Fuzzy Hash: 2E0180B4208300ABD708DF60DD89B5B77E8BF8CB44F80495CF58DD6290E774D8889B2A

Function 0046F370 Relevance: 12.2, APIs: 8, Instructions: 245COMMON

Download Yara Rule

APIs

FindFirstUrlCacheEntryW.WININET(00000000,00000000,00001000), ref: 0046F3E0
FindNextUrlCacheEntryW.WININET(00000000,00000000,00001000), ref: 0046F42F
DeleteUrlCacheEntryW.WININET(?), ref: 0046F4AF
FindNextUrlCacheEntryW.WININET(?,00000000,00001000), ref: 0046F4E1
DeleteUrlCacheEntryW.WININET(?), ref: 0046F55E
FindNextUrlCacheEntryW.WININET(?,00000000,00001000), ref: 0046F58B
DeleteUrlCacheEntryW.WININET(?), ref: 0046F600
FindCloseUrlCache.WININET(?), ref: 0046F645

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Cache$Entry$Find$DeleteNext$CloseFirst
String ID:
API String ID: 3708369400-0
Opcode ID: afe03de2a8c6f34fbe8c93052e9770ea142665e227eed5a51643eb483b56996e
Instruction ID: 91910fac3f4f32210eb88c29b6123eb62a4d180bf695ff77324fb82ed8576dce
Opcode Fuzzy Hash: afe03de2a8c6f34fbe8c93052e9770ea142665e227eed5a51643eb483b56996e
Instruction Fuzzy Hash: D19194B1D002489BCF04EFE8D9955AEBBB5FF04308F14453EE406AB345E7359909CB95

Function 00455F40 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 325timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,6A8A24C0,?,?,?,00000007), ref: 00455F80
__i64tow.LIBCMT ref: 00455FE4

Part of subcall function 00491566: @x64toa@20.LIBCMT ref: 0049158F

Part of subcall function 00456810: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,00455FFC,?,?,?,00000007), ref: 0045682A
Part of subcall function 00456810: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000010,-00000001,?,00000000,00000000,00455FFC,?,?,?,00000007), ref: 0045685D

Strings

37wan, xrefs: 00456064
SL, xrefs: 00456146
SL, xrefs: 00455FC3
http://api.clogin.m2.6wtx.com/?act=c&account=%s&server_id=%s&platform=37wan&RandomTime=%s, xrefs: 00456102

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ByteCharMultiWide$@x64toa@20LocalTime__i64tow
String ID: SL$ SL$37wan$http://api.clogin.m2.6wtx.com/?act=c&account=%s&server_id=%s&platform=37wan&RandomTime=%s
API String ID: 2349066956-4203433716
Opcode ID: 5078eba4650fcafd9441916a9b8d2eda82419d7d83499404722975c803e66079
Instruction ID: 358fb6873b3167d2ee149471ce040cc37500d8f9777c91baf94b390456f9c9b0
Opcode Fuzzy Hash: 5078eba4650fcafd9441916a9b8d2eda82419d7d83499404722975c803e66079
Instruction Fuzzy Hash: 5BD16C715083808FD720EF29C841B9FB7E4BFC5714F554A2EE88987252DB74A848CB9B

Function 00482250 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 291COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004822B5

Strings

http://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=%s&ext_1=%d&ext_2=%s&ext_3=%s&, xrefs: 00482478
417, xrefs: 00482473
UninstallStat.tmp, xrefs: 00482528
%Y-%m-%d, xrefs: 004822C6
SL, xrefs: 004823D8

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __time64
String ID: SL$%Y-%m-%d$417$UninstallStat.tmp$http://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=%s&ext_1=%d&ext_2=%s&ext_3=%s&
API String ID: 399556195-1732036809
Opcode ID: d2a3b06bddd701adc8e70dc695264098700e1c822ad1987a3cd00140c50836fb
Instruction ID: 7889c8576c322177c7902b9c4010bb318260b4c24cb6e18954d36cbd71f0100b
Opcode Fuzzy Hash: d2a3b06bddd701adc8e70dc695264098700e1c822ad1987a3cd00140c50836fb
Instruction Fuzzy Hash: BFC1E171508380CFD724EF29C941B8FBBE5BF85314F448A2EE58997291DB78A904CB97

Function 0049089B Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004988E7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004988FC
UnhandledExceptionFilter.KERNEL32(004B22E4), ref: 00498907
GetCurrentProcess.KERNEL32(C0000409), ref: 00498923
TerminateProcess.KERNEL32(00000000), ref: 0049892A

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 2cd5d5bce79b26e5505cb758549dddb952c1a6614aa7a3c83bf3277c8c56f829
Instruction ID: 36024f22f90e44ea15db4ad8cb5bf8c402914e3e38b786aa2baf4f599fa2ab86
Opcode Fuzzy Hash: 2cd5d5bce79b26e5505cb758549dddb952c1a6614aa7a3c83bf3277c8c56f829
Instruction Fuzzy Hash: A821DEB8912A04DFDB80EF69FD88E593BE4FB58350F80413AE50886260DBB469C1CF5D

Function 004799A0 Relevance: 7.5, APIs: 5, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(00000000), ref: 004799AF
ShowWindow.USER32(00000000), ref: 004799CE
ShowWindow.USER32(00000000), ref: 004799DF
SetWindowPos.USER32(00000000), ref: 004799FA
SetForegroundWindow.USER32(00000000), ref: 00479A0D

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$Show$ForegroundIconic
String ID:
API String ID: 1000947208-0
Opcode ID: 4955dcd7e19a6ea95ba17fd945c5e34715d74dd4bfe385aaad848bd0a2b137a3
Instruction ID: 2116a4b8fac21c142b7035d1fc47d3eaf71599016e6798a00fa157a08390995a
Opcode Fuzzy Hash: 4955dcd7e19a6ea95ba17fd945c5e34715d74dd4bfe385aaad848bd0a2b137a3
Instruction Fuzzy Hash: 6801BB753001109FEA10AB69DC58F7A73E9AFD8700F168565F685C7360DE759D018BA4

Function 0045E050 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(QNE,00000000,00000000,004AD538,0045E01A,00000000,?,00000000,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,0045679A,Software\Microsoft\Windows\CurrentVersion\Run), ref: 0045E05A
LockResource.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,0045679A,Software\Microsoft\Windows\CurrentVersion\Run), ref: 0045E069
SizeofResource.KERNEL32(QNE,00000000,?,00000000,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,0045679A,Software\Microsoft\Windows\CurrentVersion\Run), ref: 0045E077

Strings

QNE, xrefs: 0045E051, 0045E057, 0045E076

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID: QNE
API String ID: 2853612939-4201859585
Opcode ID: 7c557c7c554e37542180ec2c127855f233ae36179ac92f2d49cea990e047d9b1
Instruction ID: dc0885a375040d6e432607a50f982c005d5d6ce59df89da3a0e7dca2cb761073
Opcode Fuzzy Hash: 7c557c7c554e37542180ec2c127855f233ae36179ac92f2d49cea990e047d9b1
Instruction Fuzzy Hash: 37F09633B001355A8B341BBAAC044BBBBDCD980FA73050577FF59D3251E2689D598168

Function 00479A60 Relevance: 6.3, APIs: 4, Instructions: 296COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00479AB2
BeginPaint.USER32(?,?), ref: 00479AC0
EndPaint.USER32(?,?,?,?), ref: 00479ADA

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Paint$Begin_memset
String ID:
API String ID: 3615005463-0
Opcode ID: 694fa0929ee65eabf1fdcbeadf1e50e1db09a93e89864183e8d89318afd6daa9
Instruction ID: 86c7a3d4742d993e21498bd98bd513f760e267ff46b375d09d0ab9f102117dd6
Opcode Fuzzy Hash: 694fa0929ee65eabf1fdcbeadf1e50e1db09a93e89864183e8d89318afd6daa9
Instruction Fuzzy Hash: 4EA118717182059FC744EF29E89196FB7E5EBC8310F00C92EF99AC7281EA35D8118BD6

Function 004A5EA9 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00055E67), ref: 004A5EAE

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6875c92adf67c2424c5276acefb2a4f91874f82b32b0b928fe5e5e670e9d24d9
Instruction ID: d2a5228785f4d99ec6689ce6f85fbf7cb814cfd5629d3980b46eadd284236a03
Opcode Fuzzy Hash: 6875c92adf67c2424c5276acefb2a4f91874f82b32b0b928fe5e5e670e9d24d9
Instruction Fuzzy Hash: D890223030000003830003300C2820230C00A0E2023800020A000C8020CB2000000828

Function 004778A0 Relevance: 42.2, APIs: 18, Strings: 10, Instructions: 215COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0047793B
LeaveCriticalSection.KERNEL32(004C52A4), ref: 0047794E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 004779AB
LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 004779B8
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477A15
LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477A22
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477A7F
LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477A8C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477AE9
LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477AF6
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477B53
LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477B60
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477BBD
LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477BCA
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477C27
LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,?,?,?,?,?,?,?,004C52A4), ref: 00477C34
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,004C52A4), ref: 00477C91
LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,?,?,?,004C52A4), ref: 00477C9E

Strings

4<K, xrefs: 00477A29
4<K, xrefs: 00477B67
4<K, xrefs: 00477955
4<K, xrefs: 00477A93
4<K, xrefs: 004779BF
4<K, xrefs: 00477BD1
CSQButton, xrefs: 00477CA5
4<K, xrefs: 004778E5
4<K, xrefs: 00477C36
4<K, xrefs: 00477AFD

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: 4<K$4<K$4<K$4<K$4<K$4<K$4<K$4<K$4<K$CSQButton
API String ID: 3168844106-2296648642
Opcode ID: 91ef481fabe76be68c1bf2ac597c64e36c106fb7d0efe504984d87024b96f00d
Instruction ID: f8a0f24bed20132faec729476e361becc5394f6b16f2bede376c018df58612bd
Opcode Fuzzy Hash: 91ef481fabe76be68c1bf2ac597c64e36c106fb7d0efe504984d87024b96f00d
Instruction Fuzzy Hash: CBC170B1A46B87AEC349DF7A89897C4FBA0BB19310F90836F907C86251C7746164CFD9

Function 0045DAD0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 258commemoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0045DB37
GetWindowLongW.USER32(?,000000EC), ref: 0045DB47
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0045DB52
GetWindowLongW.USER32(?,000000EB), ref: 0045DB60
OleUninitialize.OLE32 ref: 0045DB72
OleInitialize.OLE32(00000000), ref: 0045DB80
GetWindowTextLengthW.USER32(?), ref: 0045DB87
__alloca_probe_16.LIBCMT ref: 0045DB9A
GetWindowTextW.USER32(?,00000000,00000001), ref: 0045DBDE
SetWindowTextW.USER32(?,004B450C), ref: 0045DBEA
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0045DC06
GlobalLock.KERNEL32(00000000), ref: 0045DC22
GlobalUnlock.KERNEL32(00000000), ref: 0045DC3E
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 0045DC4B
SysFreeString.OLEAUT32(00000000), ref: 0045DC75
DefWindowProcW.USER32(?,?,?,00000000), ref: 0045DD96

Strings

Fju, xrefs: 0045DC4B
`<u, xrefs: 0045DC75, 0045DCDD, 0045DD32, 0045DD68

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$GlobalLong$Text$AllocCreateFreeInitializeLengthLockProcStreamStringUninitializeUnlock__alloca_probe_16
String ID: Fju$`<u
API String ID: 143364596-298536970
Opcode ID: f62c43ae6b3637ce4ae299522031c064ba6dffbf26250ad0cd6a7c0629753f38
Instruction ID: ae7b38f7abc503cd54fb6094407eb79d6bb9ef4f9d5e961998b001b3286afb1c
Opcode Fuzzy Hash: f62c43ae6b3637ce4ae299522031c064ba6dffbf26250ad0cd6a7c0629753f38
Instruction Fuzzy Hash: BB91C375D00204EFDB11DFA4CC44AAF7BB8AF49311F24425AF902A7352D778AD05CBA9

Function 0047A0D0 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 265COMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000), ref: 0047A225
LoadCursorW.USER32(00000000,00007F82), ref: 0047A23F
SetCursor.USER32(00000000), ref: 0047A246
LoadCursorW.USER32(00000000,00007F82), ref: 0047A286
SetCursor.USER32(00000000), ref: 0047A28D
LoadCursorW.USER32(00000000,00007F83), ref: 0047A2C0
SetCursor.USER32(00000000), ref: 0047A2C7
LoadCursorW.USER32(00000000,00007F83), ref: 0047A2FD
SetCursor.USER32(00000000), ref: 0047A304
LoadCursorW.USER32(00000000,00007F84), ref: 0047A332
SetCursor.USER32(00000000), ref: 0047A339
LoadCursorW.USER32(00000000,00007F84), ref: 0047A369
SetCursor.USER32(00000000), ref: 0047A370
LoadCursorW.USER32(00000000,00007F85), ref: 0047A39E
SetCursor.USER32(00000000), ref: 0047A3A5
LoadCursorW.USER32(00000000,00007F85), ref: 0047A3D2
SetCursor.USER32(00000000), ref: 0047A3D9

Strings

CSQButton, xrefs: 0047A13F
CSQIconButton, xrefs: 0047A170

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Cursor$Load$ClientRect
String ID: CSQButton$CSQIconButton
API String ID: 144240930-1883793265
Opcode ID: 5ebde127eadfec2af9c836d816f8363c8afb913aadd96e93f06ffb177be13ccd
Instruction ID: bd938d9d1ba32c1809078d0541e0adda0eaa51d22967692eb14997b25d879428
Opcode Fuzzy Hash: 5ebde127eadfec2af9c836d816f8363c8afb913aadd96e93f06ffb177be13ccd
Instruction Fuzzy Hash: 51A190756083809FE710DF64CC44B9E77E5AB89704F54861AFA698B3E1C778E850CB4A

Function 0046A6E0 Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 252memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,6A8A24C0), ref: 0046A736
CoTaskMemAlloc.OLE32(00000000,?,6A8A24C0), ref: 0046A765
CoTaskMemFree.OLE32(00000000,?,6A8A24C0), ref: 0046A784
CharNextW.USER32 ref: 0046A7F4
CharNextW.USER32(00000000), ref: 0046A7FA
CharNextW.USER32(00000000), ref: 0046A800
CharNextW.USER32(00000000), ref: 0046A806
CharNextW.USER32 ref: 0046A860
CharNextW.USER32(48000000), ref: 0046A8CD
CoTaskMemFree.OLE32(?,48000000), ref: 0046A8FC
CharNextW.USER32(?,?,?,6A8A24C0), ref: 0046A974
CharNextW.USER32(00000000,48000000), ref: 0046A98B
CoTaskMemFree.OLE32(00000000,?,6A8A24C0), ref: 0046A9AE
CoTaskMemFree.OLE32(?), ref: 0046A9C7
CoTaskMemFree.OLE32(?), ref: 0046A9E0

Strings

HKCR, xrefs: 0046A7D4
HKCU{Software{Classes, xrefs: 0046A80D
}}, xrefs: 0046A8A8

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CharNext$Task$Free$Alloclstrlen
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 1502516646-1142484189
Opcode ID: 2c4c81f4ae547aaca1690164f85c2ad087d6b2eb33812c6d91a0fa9d5168a902
Instruction ID: 48f7f7cfe0475209fb521b918a977be2e0f803d88b13bedd7698c8dd9c62a7e7
Opcode Fuzzy Hash: 2c4c81f4ae547aaca1690164f85c2ad087d6b2eb33812c6d91a0fa9d5168a902
Instruction Fuzzy Hash: BF91AFB09087419FC710EF65C89462BB7E4BF98304F504A2EF989A7351E738C9598F9B

Function 00458430 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 236commemoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00458497
GetWindowLongW.USER32(?,000000EC), ref: 004584A7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004584B2
GetWindowLongW.USER32(?,000000EB), ref: 004584C0
OleUninitialize.OLE32 ref: 004584D2
OleInitialize.OLE32(00000000), ref: 004584E0
GetWindowTextLengthW.USER32(?), ref: 004584E7
__alloca_probe_16.LIBCMT ref: 004584FA
GetWindowTextW.USER32(?,00000000,00000001), ref: 0045853E
SetWindowTextW.USER32(?,004B450C), ref: 0045854A
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00458566
GlobalLock.KERNEL32(00000000), ref: 00458580
GlobalUnlock.KERNEL32(00000000), ref: 0045859C
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 004585A9
DefWindowProcW.USER32(?,?,?,?), ref: 004586A3

Strings

Fju, xrefs: 004585A9

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$GlobalLong$Text$AllocCreateInitializeLengthLockProcStreamUninitializeUnlock__alloca_probe_16
String ID: Fju
API String ID: 335951283-1243383758
Opcode ID: 8fba56b42ccdcea89520a580b33007d119e4b304378a2274b7d2526fb885e481
Instruction ID: 53bb00e6df03b1bff7c165b0929ff98e6583b398753f83b89572c5f7543aeb2e
Opcode Fuzzy Hash: 8fba56b42ccdcea89520a580b33007d119e4b304378a2274b7d2526fb885e481
Instruction Fuzzy Hash: 32817271A00205AFDB10DFA8CC44AAF7BB8AF45311F14465AE906F7292DF38DD45CB69

Function 00453540 Relevance: 30.2, APIs: 13, Strings: 4, Instructions: 437timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004794D0: CreateWindowExW.USER32(00000000,004C63CC,?,80000000,?,?,?,?,00000000,00000000,6A8A24C0,00000000), ref: 00479508
Part of subcall function 004794D0: SetWindowTextW.USER32(00000000), ref: 00479526

GetWindowLongW.USER32(00000000), ref: 004535AC
SetWindowLongW.USER32(00000000), ref: 004535CC

Part of subcall function 004775D0: FindResourceW.KERNEL32(00450000,?,PNG,?,?,?,?,004535ED,000000DB), ref: 004775E4
Part of subcall function 004775D0: FindResourceW.KERNEL32(00450000,?,00000002,?,?,?,?,004535ED,000000DB), ref: 004775F4
Part of subcall function 004775D0: LoadImageW.USER32(00450000,?,00000000,00000000,00000000,00002000), ref: 0047760C

LoadCursorW.USER32(00000000,00007F89), ref: 0045362E
LoadCursorW.USER32(00000000,00007F89), ref: 00453672

Part of subcall function 004775D0: LoadResource.KERNEL32(00450000,00000000,?,?,?,?,004535ED,000000DB), ref: 00477625
Part of subcall function 004775D0: FreeResource.KERNEL32(00000000,?,?,?,?,004535ED,000000DB), ref: 00477630

Part of subcall function 004775D0: LockResource.KERNEL32(00000000,?,?,?,?,004535ED,000000DB), ref: 0047763E
Part of subcall function 004775D0: SizeofResource.KERNEL32(00450000,00000000,?,?,?,?,004535ED,000000DB), ref: 00477648
Part of subcall function 004775D0: GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,004535ED,000000DB), ref: 00477653
Part of subcall function 004775D0: GlobalLock.KERNEL32(00000000), ref: 0047765C
Part of subcall function 004775D0: GlobalUnlock.KERNEL32(00000000), ref: 0047766E
Part of subcall function 004775D0: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00477682
Part of subcall function 004775D0: GlobalFree.KERNEL32(00000000), ref: 0047769C

Part of subcall function 004775D0: GlobalFree.KERNEL32(00000000), ref: 004776C9

LoadCursorW.USER32(00000000,00007F89), ref: 004536FA
LoadCursorW.USER32(00000000,00007F89), ref: 0045375E
LoadCursorW.USER32(00000000,00007F89), ref: 004537A2
LoadCursorW.USER32(00000000,00007F89), ref: 004537E6
LoadCursorW.USER32(00000000,00007F89), ref: 0045382A
LoadCursorW.USER32(00000000,00007F89), ref: 0045386E
LoadCursorW.USER32(00000000,00007F89), ref: 004538B3
SetTimer.USER32(00000000), ref: 00453AD9
SetTimer.USER32(00000000), ref: 00453AF4

Part of subcall function 00457360: std::_String_base::_Xlen.LIBCPMT ref: 004573BD
Part of subcall function 00457360: _memcpy_s.LIBCMT ref: 0045741E

Part of subcall function 0046EBD0: _memset.LIBCMT ref: 0046EC7D
Part of subcall function 0046EBD0: GetPrivateProfileStringW.KERNEL32(?,?,?,?,00000104,?), ref: 0046ECEF

Part of subcall function 00455F40: GetLocalTime.KERNEL32(?,6A8A24C0,?,?,?,00000007), ref: 00455F80
Part of subcall function 00455F40: __i64tow.LIBCMT ref: 00455FE4

Strings

ProcessList, xrefs: 00453B52
about:blank, xrefs: 0045394F
37Lander, xrefs: 0045358D
version, xrefs: 00453B7D

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Load$Cursor$GlobalResource$Window$Free$CreateFindLockLongTimer$AllocImageLocalPrivateProfileSizeofStreamStringString_base::_TextTimeUnlockXlen__i64tow_memcpy_s_memsetstd::_
String ID: 37Lander$ProcessList$about:blank$version
API String ID: 1392781319-630584912
Opcode ID: 7c1e7d41bd0656fdcda94b308f7c8bfd99c129b278c4e5269ec86839a40db9ec
Instruction ID: 8e1f7fae28eb0257d8fb9e3e9155c541f9e4e1bd5cdc9209d0f84e5dede9a050
Opcode Fuzzy Hash: 7c1e7d41bd0656fdcda94b308f7c8bfd99c129b278c4e5269ec86839a40db9ec
Instruction Fuzzy Hash: 7E02A031704341AFE314DFA8C885B9AB7E5BF88304F00462EF659972D2DBB4B914CB96

Function 0045F740 Relevance: 30.2, APIs: 13, Strings: 4, Instructions: 425COMMON

Download Yara Rule

APIs

Part of subcall function 004794D0: CreateWindowExW.USER32(00000000,004C63CC,?,80000000,?,?,?,?,00000000,00000000,6A8A24C0,00000000), ref: 00479508
Part of subcall function 004794D0: SetWindowTextW.USER32(00000000), ref: 00479526

GetWindowLongW.USER32(00000000), ref: 0045F7B2
SetWindowLongW.USER32(00000000), ref: 0045F7D4
GetWindowLongW.USER32(00000000), ref: 0045F7E5
SetWindowLongW.USER32(00000000), ref: 0045F80D
SetLayeredWindowAttributes.USER32(00000000), ref: 0045F826
LoadCursorW.USER32(00000000,00007F89), ref: 0045F90B
LoadCursorW.USER32(00000000,00007F89), ref: 0045F979
LoadCursorW.USER32(00000000,00007F89), ref: 0045F9D8
LoadCursorW.USER32(00000000,00007F89), ref: 0045FA46
LoadCursorW.USER32(00000000,00007F89), ref: 0045FAB4
LoadCursorW.USER32(00000000,00007F89), ref: 0045FB22
LoadCursorW.USER32(00000000,00007F89), ref: 0045FB91
LoadCursorW.USER32(00000000,00007F89), ref: 0045FD69

Strings

about:blank, xrefs: 0045FBB3
liK, xrefs: 0045F772, 0045F783
37Lander, xrefs: 0045F791
k, xrefs: 0045F958

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CursorLoad$Window$Long$AttributesCreateLayeredText
String ID: 37Lander$about:blank$k$liK
API String ID: 4084743896-3257193357
Opcode ID: fb5c4a6dca97bd00e7974fd19d5cbc6f52a91319551ef71b675788ba7b43caa8
Instruction ID: c2bc4217ca9161658d7524009d7b03f2f064de261320ec5ee44b76db6115a91b
Opcode Fuzzy Hash: fb5c4a6dca97bd00e7974fd19d5cbc6f52a91319551ef71b675788ba7b43caa8
Instruction Fuzzy Hash: 1D025E712087419FD304DF69C884F9AF7E5BF88704F10861DF25887392DBB4A949CB96

Function 0047BDB0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 392COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 0047BE07
SetBkColor.GDI32(?,?), ref: 0047BE22
SetBkMode.GDI32(?,00000001), ref: 0047BE2F
SetTextColor.GDI32(?,?), ref: 0047BE53
SelectObject.GDI32(?,?), ref: 0047BE6C
DrawTextW.USER32(?,?,?,?,00000400), ref: 0047BEF8

Strings

..., xrefs: 0047C0A4, 0047C1BA, 0047C21B

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ColorText$DrawModeObjectSaveSelect
String ID: ...
API String ID: 1550268266-440645147
Opcode ID: 5c691edb4b7eb1a418a4f4100658a5c899409fcd539600ca1ade1a85c64a9012
Instruction ID: b6bf72ac57015833bb5306b59f3e494b3191bb252137b02cd618111ba7e8137c
Opcode Fuzzy Hash: 5c691edb4b7eb1a418a4f4100658a5c899409fcd539600ca1ade1a85c64a9012
Instruction Fuzzy Hash: 24F15EB1608381EFD724DF64C885B9BF7E5FB85304F508A2EF59983251DB34A848CB96

Function 0045A330 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 332COMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 0045A38C
IsWindow.USER32(?), ref: 0045A39B
GetSysColor.USER32(00000005), ref: 0045A3ED

Strings

Fju, xrefs: 0045A5CD

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$ColorRedraw
String ID: Fju
API String ID: 826266318-1243383758
Opcode ID: 97faf9a09f38d8cc4121642f98d162ef75843f1450646119fca9003bcffb18a0
Instruction ID: f5fbb35be1a4901e19ef32fa9bf3de730cd1cc3c9d91dda0a14588959476d7b0
Opcode Fuzzy Hash: 97faf9a09f38d8cc4121642f98d162ef75843f1450646119fca9003bcffb18a0
Instruction Fuzzy Hash: 97C1C1742042029FD710DF59C844B6B77E4AF88715F54861AFC84973A2D738EC5ACBAA

Function 0045DE30 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 109registrywindowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004C5340,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000), ref: 0045DE42
RegisterWindowMessageW.USER32(WM_ATLGETHOST,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000,00000000), ref: 0045DE53
RegisterWindowMessageW.USER32(WM_ATLGETCONTROL,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000,00000000), ref: 0045DE5F
GetClassInfoExW.USER32(00450000,AtlAxWin90,?), ref: 0045DE80
LoadCursorW.USER32 ref: 0045DEBC
RegisterClassExW.USER32 ref: 0045DEE3

Part of subcall function 0045DDC0: __recalloc.LIBCMT ref: 0045DDFE

_memset.LIBCMT ref: 0045DF0E
GetClassInfoExW.USER32(00450000,AtlAxWinLic90,?), ref: 0045DF2A
LoadCursorW.USER32 ref: 0045DF6A
RegisterClassExW.USER32 ref: 0045DF91
LeaveCriticalSection.KERNEL32(004C5340,?,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000,00000000), ref: 0045DFBF

Strings

\SL, xrefs: 0045DEFD
AtlAxWinLic90, xrefs: 0045DF20, 0045DF85
\SL, xrefs: 0045DFA7
WM_ATLGETHOST, xrefs: 0045DE4E
WM_ATLGETCONTROL, xrefs: 0045DE55
AtlAxWin90, xrefs: 0045DE71, 0045DED7

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClassRegister$CriticalCursorInfoLoadMessageSectionWindow$EnterLeave__recalloc_memset
String ID: AtlAxWin90$AtlAxWinLic90$WM_ATLGETCONTROL$WM_ATLGETHOST$\SL$\SL
API String ID: 2252124385-52169935
Opcode ID: e75e21cf92b41fa589d15c39691f869d0c2e29a34c5bfab980821189aaf7cb7d
Instruction ID: 3e3cfd94ea7384808bedb27aa5797e5816cc7be7ac25989607a4fe6645820348
Opcode Fuzzy Hash: e75e21cf92b41fa589d15c39691f869d0c2e29a34c5bfab980821189aaf7cb7d
Instruction Fuzzy Hash: 524149B18083409BC350DF55D844A6BFBF4EFD4755F800A2FF88593261D7B898498B9E

Function 004589F0 Relevance: 28.7, APIs: 19, Instructions: 162windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,?,?,?), ref: 00458A14
GetClientRect.USER32(?,?), ref: 00458A2D
CreateSolidBrush.GDI32(?), ref: 00458A3A
FillRect.USER32(00000000,?,00000000), ref: 00458A4D
DeleteObject.GDI32(00000000), ref: 00458A54
EndPaint.USER32(?,?,?,?,?), ref: 00458A63
BeginPaint.USER32(?,00000008), ref: 00458A98
GetClientRect.USER32(?,?), ref: 00458AB1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00458ACA
CreateCompatibleDC.GDI32(00000000), ref: 00458ADF
SelectObject.GDI32(00000000,00000000), ref: 00458AF1
CreateSolidBrush.GDI32(?), ref: 00458B06
FillRect.USER32(00000000,?,00000000), ref: 00458B19
DeleteObject.GDI32(00000000), ref: 00458B20
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00458B61
SelectObject.GDI32(00000000,?), ref: 00458B6D
DeleteDC.GDI32(00000000), ref: 00458B78
DeleteObject.GDI32(00000000), ref: 00458B7F
EndPaint.USER32(?,00000008), ref: 00458B8E

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Object$CreateDeletePaintRect$BeginBrushClientCompatibleFillSelectSolid$Bitmap
String ID:
API String ID: 671382356-0
Opcode ID: 3f112db0bcaee846284fa0b43204183465ad90b33ffbdb40b8c31d11e2c64257
Instruction ID: c82835b52f8c13f452313470388feaad480b7bacece02d6293dceb787ab4adf6
Opcode Fuzzy Hash: 3f112db0bcaee846284fa0b43204183465ad90b33ffbdb40b8c31d11e2c64257
Instruction Fuzzy Hash: 90517BB5204345AFD310DB64DD98F6BB7ECEB88705F004A2DFA4693261EB74E844CB69

Function 004514E0 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288windowCOMMON

Download Yara Rule

APIs

GdipGetImagePixelFormat.GDIPLUS(?,?), ref: 00451503
GdipGetImageHeight.GDIPLUS(?,?,?,?), ref: 00451562
GdipGetImageWidth.GDIPLUS(?,?,?,?,?,?), ref: 00451580
GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 004515C8
__alloca_probe_16.LIBCMT ref: 004515EE
_malloc.LIBCMT ref: 00451605

Part of subcall function 004909E3: __FF_MSGBANNER.LIBCMT ref: 00490A06
Part of subcall function 004909E3: __NMSG_WRITE.LIBCMT ref: 00490A0D
Part of subcall function 004909E3: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C,00498BFF), ref: 00490A5A

GdipGetImagePalette.GDIPLUS(?,00000008,00000000,80070057,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0045164A
GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,?,00000000,?,?,?,?,?,?,?,?), ref: 004516FB

Strings

&, xrefs: 00451550

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Gdip$Image$Palette$AllocateBitmapBitsFormatHeapHeightLockPixelSizeWidth__alloca_probe_16_malloc
String ID: &
API String ID: 1016857358-3042966939
Opcode ID: b76bd2b327d1feefc0c61d3e262e55af8570c32e64f27fabdcb85d89279e7f69
Instruction ID: 86bf57d83cb3a27a84e94539885b6b6e371aa195c19b79f2942f1a4544911dcd
Opcode Fuzzy Hash: b76bd2b327d1feefc0c61d3e262e55af8570c32e64f27fabdcb85d89279e7f69
Instruction Fuzzy Hash: 00B171B1D00209AFDB14DFA9C880BAFB7B4EF48305F04852EED15A7352D738A944CBA5

Function 004775D0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00450000,?,PNG,?,?,?,?,004535ED,000000DB), ref: 004775E4
FindResourceW.KERNEL32(00450000,?,00000002,?,?,?,?,004535ED,000000DB), ref: 004775F4
LoadImageW.USER32(00450000,?,00000000,00000000,00000000,00002000), ref: 0047760C

Part of subcall function 00451890: GetObjectW.GDI32(?,00000054,?), ref: 004518A1

LoadResource.KERNEL32(00450000,00000000,?,?,?,?,004535ED,000000DB), ref: 00477625
FreeResource.KERNEL32(00000000,?,?,?,?,004535ED,000000DB), ref: 00477630

Strings

Fju, xrefs: 00477682
PNG, xrefs: 004775D9

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Resource$FindLoad$FreeImageObject
String ID: Fju$PNG
API String ID: 134311421-3866893982
Opcode ID: d39bed5bebf0aacdc43cb3f1946800484889ac50888324105adce312d43c749b
Instruction ID: e7e255f335e0971553519d8972e1535205034a203645da8e42d0b58b824c0f36
Opcode Fuzzy Hash: d39bed5bebf0aacdc43cb3f1946800484889ac50888324105adce312d43c749b
Instruction Fuzzy Hash: CA31C3726002046FD7046FBABC89DBB7BACDF867A6780817BF505D2231DB358C059638

Function 00453C00 Relevance: 25.8, APIs: 17, Instructions: 317timewindowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000), ref: 00453C79
KillTimer.USER32(00000000), ref: 00453CC9
SetTimer.USER32(00000000), ref: 00453D07
DefWindowProcW.USER32(?,?,?,?,?,?,?,?), ref: 00453E5F
KillTimer.USER32(00000000), ref: 00453E80

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Timer$Kill$MessageProcWindow
String ID:
API String ID: 3236577475-0
Opcode ID: 54b99f70ca12177865643cbfc6abdf2b2f95b4b6ee412400accdc6c49981bdbf
Instruction ID: d44fdddcd302fd5f654d503e7f5155f6076b92edf31f5f80bd70a8ad834ed446
Opcode Fuzzy Hash: 54b99f70ca12177865643cbfc6abdf2b2f95b4b6ee412400accdc6c49981bdbf
Instruction Fuzzy Hash: 3AA1A3727002049FD714DFB9DC99EABB3E8FB88312F504A6BF945C7281DA359D0487A9

Function 0046C2F0 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 355processCOMMON

Download Yara Rule

APIs

Part of subcall function 0046C9B0: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0046C33B,6A8A24C0,?,?,?,00000000), ref: 0046C9BA
Part of subcall function 0046C9B0: OpenProcessToken.ADVAPI32(00000000,?,?,?,0046C33B,6A8A24C0,?,?,?,00000000), ref: 0046C9C1
Part of subcall function 0046C9B0: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0046C9D7
Part of subcall function 0046C9B0: CloseHandle.KERNEL32(?,?,?,?,0046C33B,6A8A24C0,?,?,?,00000000), ref: 0046C9E6

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0046C4A7
Process32NextW.KERNEL32(00000000,?), ref: 0046C4E5
Process32NextW.KERNEL32(?,?), ref: 0046C7BF
CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 0046C7D2

Strings

NETWPRK SERVICE, xrefs: 0046C747
SYSTEM, xrefs: 0046C711
lrising,RAVmonD,RAVmon,RAVtimer,rav,KAVsvc,KAVsvcUI,baiduan,baiduantray,taskmgr,chrome,foxmail,, xrefs: 0046C376
ekrn,avp,qqpcmgr,rsmain,qqexternal,txplatform,baidupinyin,SogouExplorer,, xrefs: 0046C413
.exe, xrefs: 0046C533
The world,opera,knbcenter,Thunder,ThunderPlatform,Safari,Maxthon,iexplore, xrefs: 0046C45F
LOCAL SERVICE, xrefs: 0046C72C
kav32,kavstare,kpfw32,Navapw32,Navapsvc,NMain,navw32,KVFW,KAVSvcUI,RAVmonD,RAVmon,RAVtimer,Rising,, xrefs: 0046C362
wps,Microsoft Excel,Microsoft Word,explorer,SogouCloud,wpscenter,firefox,youku,YY,UCBrowser,avnotify,, xrefs: 0046C3C7

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseHandleNextProcessProcess32$CreateCurrentLookupOpenPrivilegeSnapshotTokenToolhelp32Value
String ID: .exe$LOCAL SERVICE$NETWPRK SERVICE$SYSTEM$The world,opera,knbcenter,Thunder,ThunderPlatform,Safari,Maxthon,iexplore$ekrn,avp,qqpcmgr,rsmain,qqexternal,txplatform,baidupinyin,SogouExplorer,$kav32,kavstare,kpfw32,Navapw32,Navapsvc,NMain,navw32,KVFW,KAVSvcUI,RAVmonD,RAVmon,RAVtimer,Rising,$lrising,RAVmonD,RAVmon,RAVtimer,rav,KAVsvc,KAVsvcUI,baiduan,baiduantray,taskmgr,chrome,foxmail,$wps,Microsoft Excel,Microsoft Word,explorer,SogouCloud,wpscenter,firefox,youku,YY,UCBrowser,avnotify,
API String ID: 689045952-2500648686
Opcode ID: 595e7f867de6c6eaf5f8fc5bb75cdf2df5cc0a95619054bb7cf81001dec8457a
Instruction ID: 2f126f68549a894e352c4813244e619e128ef42524288b6f08633092aa23d619
Opcode Fuzzy Hash: 595e7f867de6c6eaf5f8fc5bb75cdf2df5cc0a95619054bb7cf81001dec8457a
Instruction Fuzzy Hash: 3CD182715183819FD720EB25C885BAFB7E5AF85314F10492FF59987391EB38A804CB9B

Function 0048FCCD Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

____lc_handle_func.LIBCMT ref: 0048FD01
____lc_codepage_func.LIBCMT ref: 0048FD09
__GetLocaleForCP.LIBCPMT ref: 0048FD32
____mb_cur_max_l_func.LIBCMT ref: 0048FD48
MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,?,00000000,00000000,00000001,false,00000000,00474EF8,00000000,false,?,?,?), ref: 0048FD67
____mb_cur_max_l_func.LIBCMT ref: 0048FD75
___pctype_func.LIBCMT ref: 0048FD9A
____mb_cur_max_l_func.LIBCMT ref: 0048FDC0
____mb_cur_max_l_func.LIBCMT ref: 0048FDD8
____mb_cur_max_l_func.LIBCMT ref: 0048FDF0
MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,00000000,00000000,00000001,false,00000000,00474EF8,00000000,false,?,?,?), ref: 0048FDFD
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,00000001,false,00000000,00474EF8,00000000,false,?,?,?), ref: 0048FE2E

Strings

false, xrefs: 0048FCD2

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ____mb_cur_max_l_func$ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
String ID: false
API String ID: 3819326198-734881840
Opcode ID: d841079dddd0b693b69c07ba1e419ec1bbc21b88605c1deb6fd4529ab558b636
Instruction ID: ee25a2ab56dd49bedfe6a4ad2a164b28c38893ef3dfc49affeac5ab1d1a0f5b5
Opcode Fuzzy Hash: d841079dddd0b693b69c07ba1e419ec1bbc21b88605c1deb6fd4529ab558b636
Instruction Fuzzy Hash: 6641EE31104206AEDB216F21D845B6E7BE4EF00354F24897BFD56CA2A2EB38C994DB58

Function 00475E10 Relevance: 21.3, APIs: 4, Strings: 8, Instructions: 340windowCOMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(DoSuperCall param==), ref: 00475EA8
OutputDebugStringW.KERNEL32(?), ref: 00475EC3

Part of subcall function 0045ECB0: std::_String_base::_Xlen.LIBCPMT ref: 0045ECFF
Part of subcall function 0045ECB0: _memcpy_s.LIBCMT ref: 0045ED6A

PostMessageW.USER32(00000000), ref: 00476233
PostMessageW.USER32(00000000), ref: 00476250

Strings

weibo, xrefs: 00476149
wechat, xrefs: 00476165
e, xrefs: 00475F44
loginaccount, xrefs: 00475FBB
liK, xrefs: 0047606D, 0047607E, 004760BF, 004760EB, 00476117, 00476235, 00476248
DoSuperCall param==, xrefs: 00475EA3
thirdlogin, xrefs: 00475F5E
gameurl, xrefs: 00476018

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: DebugMessageOutputPostString$String_base::_Xlen_memcpy_sstd::_
String ID: DoSuperCall param==$e$gameurl$liK$loginaccount$thirdlogin$wechat$weibo
API String ID: 3265639714-507125882
Opcode ID: 64d1d1dd3cf683bf5c5cf9abe6410e0c60c0645365e12f64f9803e8e81d1aa86
Instruction ID: f252766a212b2fa7f7c3691f78f4f0bb94a3605109d55844640946457e67dfe8
Opcode Fuzzy Hash: 64d1d1dd3cf683bf5c5cf9abe6410e0c60c0645365e12f64f9803e8e81d1aa86
Instruction Fuzzy Hash: 82E191705093809FD770EF69C841BDFBBE4AF85308F50891EE59847242DB389909CBA7

Function 00452600 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 225memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 004526A8
VariantInit.OLEAUT32(?), ref: 004526CF
VariantClear.OLEAUT32(?), ref: 0045270B
VariantClear.OLEAUT32(?), ref: 00452712
VariantInit.OLEAUT32(?), ref: 00452748
VariantInit.OLEAUT32(?), ref: 0045274F
SysAllocString.OLEAUT32(Content-Type: application/x-www-form-urlencoded), ref: 00452760
SafeArrayCreate.OLEAUT32 ref: 004527BE
SafeArrayPutElement.OLEAUT32(00000000,00000000,00000000), ref: 004527DE
VariantClear.OLEAUT32 ref: 0045285C
VariantClear.OLEAUT32(?), ref: 00452863

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 00452756

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Variant$Clear$Init$AllocArraySafeString$CreateElement
String ID: Content-Type: application/x-www-form-urlencoded
API String ID: 2495145655-2811858139
Opcode ID: 11b1e9215c8da8a6290df8d9dc8f03a13e2d1dbab309d7473d2f4f86782ad62f
Instruction ID: eacf3052b9dade290c21c106f635dc27dc705a33f4e8734420b9dddda29ed3c1
Opcode Fuzzy Hash: 11b1e9215c8da8a6290df8d9dc8f03a13e2d1dbab309d7473d2f4f86782ad62f
Instruction Fuzzy Hash: E181B272504301AFC710DF68C984B5BB7E8FF89714F104A2EF95587261EB74E909CBA6

Function 0045CE80 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 128comCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32 ref: 0045CEF0
GetStockObject.GDI32(0000000D), ref: 0045CEF8
GetObjectW.GDI32(00000000,0000005C,?), ref: 0045CF0A
GetDC.USER32(?), ref: 0045CF6A
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045CF79
ReleaseDC.USER32(00000000), ref: 0045CFC0
OleCreateFontIndirect.OLEAUT32(?), ref: 0045CFEA

Strings

, xrefs: 0045CF44

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Object$Stock$CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 2212500748-3916222277
Opcode ID: 69255b3eee351b0de7e9b6009c44229e8a495f0264b08714bcfef4c58515191c
Instruction ID: 0291c4e61a5ea2fc2a70c04458133721e5e67c41f87b171ebbfb2d1d992be8ec
Opcode Fuzzy Hash: 69255b3eee351b0de7e9b6009c44229e8a495f0264b08714bcfef4c58515191c
Instruction Fuzzy Hash: F541BD715083019FD720EF64D850B5BBBE4BF88305F40492AF984D7291EB38D909CBAA

Function 0048EBC0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 68memorylibraryloaderCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,0048EC96,000000E9,0045B0E3,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0048EBC2
LoadLibraryA.KERNEL32(kernel32.dll,00000000,000000E9,00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0048EBDB
GetProcAddress.KERNEL32(00000000,InterlockedPushEntrySList), ref: 0048EBF5
GetProcAddress.KERNEL32(00000000,InterlockedPopEntrySList), ref: 0048EC02
GetProcessHeap.KERNEL32(00000000,00000008,?,00476FCC,?,00476F18,?,?,?), ref: 0048EC34
HeapAlloc.KERNEL32(00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0048EC37
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0048EC4D
GetProcessHeap.KERNEL32(00000000,00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0048EC5A
HeapFree.KERNEL32(00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0048EC5D

Strings

InterlockedPushEntrySList, xrefs: 0048EBEF
InterlockedPopEntrySList, xrefs: 0048EBF7
kernel32.dll, xrefs: 0048EBD6

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Heap$AddressProcProcess$AllocCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
String ID: InterlockedPopEntrySList$InterlockedPushEntrySList$kernel32.dll
API String ID: 3830925854-2586642590
Opcode ID: 9a52b46e353b76ab764d194816a2032f8fe50282b9c734fc2b5d7941fc903d50
Instruction ID: f3847fa21dc12f88945c8c6675c221778bd69e0e957430169e1b67cd7a84ff9c
Opcode Fuzzy Hash: 9a52b46e353b76ab764d194816a2032f8fe50282b9c734fc2b5d7941fc903d50
Instruction Fuzzy Hash: A7118FB1A402419FDB60EFB6DC8CE5F7BE8EB48741B6409BAE505D3270E7349840CB68

Function 00451B10 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 00451B1C
FreeResource.KERNEL32(00000000,?,?,00000000), ref: 00451B27
LockResource.KERNEL32(00000000,?,?,00000000), ref: 00451B3A
SizeofResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 00451B45
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000), ref: 00451B50
GlobalLock.KERNEL32(00000000), ref: 00451B59
GlobalUnlock.KERNEL32(00000000), ref: 00451B6B
CreateStreamOnHGlobal.OLE32 ref: 00451B81
GlobalFree.KERNEL32(00000000), ref: 00451BB0

Strings

Fju, xrefs: 00451B81

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Global$Resource$FreeLock$AllocCreateLoadSizeofStreamUnlock
String ID: Fju
API String ID: 2766553018-1243383758
Opcode ID: 713ee1ef5aa6061868998710a8e3c179249956b4008329ffba3cd1184cbaf9ed
Instruction ID: 31862a80de76183fe9b8c2042dd292381c1125a53ac3621dacf7b7598520bcfa
Opcode Fuzzy Hash: 713ee1ef5aa6061868998710a8e3c179249956b4008329ffba3cd1184cbaf9ed
Instruction Fuzzy Hash: 6F415B727042105BC3049B29DC95A3BBBE9EFD5286F08416FFC88DB372D635D80A87A5

Function 00451CC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00451D23
CreateCompatibleDC.GDI32(00000000), ref: 00451D2C
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00451D60
SelectObject.GDI32(?,00000000), ref: 00451D6E
FindResourceW.KERNEL32(00000000,000000AA,PNG), ref: 00451D80
UpdateLayeredWindow.USER32(00000000), ref: 00451DBB
DeleteObject.GDI32(00000000), ref: 00451DC2
ReleaseDC.USER32(00000000), ref: 00451DE0
ReleaseDC.USER32(00000000), ref: 00451DF0

Part of subcall function 00451B10: LoadResource.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 00451B1C
Part of subcall function 00451B10: FreeResource.KERNEL32(00000000,?,?,00000000), ref: 00451B27

Strings

PNG, xrefs: 00451D74

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Resource$CompatibleCreateObjectRelease$BitmapDeleteFindFreeLayeredLoadSelectUpdateWindow
String ID: PNG
API String ID: 3808468193-364855578
Opcode ID: 8bcc8a1b516d1fa73cfc1d21997ee42fcf066de73cb3651643da074119fcde5e
Instruction ID: f536792f324e07ec1903c0f8d2ca5faf65407612b49dc10bd8f80be2529636b3
Opcode Fuzzy Hash: 8bcc8a1b516d1fa73cfc1d21997ee42fcf066de73cb3651643da074119fcde5e
Instruction Fuzzy Hash: DF411B75204240AFD304DFA8C894E6AB7E9BFCC210F158A5DF599C7261DB34E905CBA6

Function 0045AD10 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0045AD41
GetClassInfoExW.USER32(00000000,?,?), ref: 0045AD82
GetClassInfoExW.USER32(00450000,?,?), ref: 0045AD97

Part of subcall function 0045E2A0: LeaveCriticalSection.KERNEL32(00000000,?,0045AE58), ref: 0045E2AC

LoadCursorW.USER32(?,?), ref: 0045ADE5
swprintf.LIBCMT ref: 0045AE10
GetClassInfoExW.USER32(?,?,?), ref: 0045AE35

Strings

@SL, xrefs: 0045ADB2
ATL:%p, xrefs: 0045AE05
0, xrefs: 0045AD7A
@SL, xrefs: 0045AD39

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClassInfo$CriticalSection$CursorEnterLeaveLoadswprintf
String ID: 0$@SL$@SL$ATL:%p
API String ID: 366415442-808835525
Opcode ID: cce910475d7d63ccccdee4e5cff97489de1bffa76c58f28975c1641c00b3d60a
Instruction ID: 2b1baa6ad7a95c92a5bca59b767b2367fd2e70d8576841e71927a64ba600997a
Opcode Fuzzy Hash: cce910475d7d63ccccdee4e5cff97489de1bffa76c58f28975c1641c00b3d60a
Instruction Fuzzy Hash: 6341AE71500301DBDB14DF54C884A6B7BF8EF84752F0046AEED048B396E775D889CB9A

Function 004A20EF Relevance: 16.7, APIs: 11, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004B1AA8,00000001,?,00000002,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000,?,?), ref: 004A211E
GetLastError.KERNEL32(?,004A22D9,00000001,?,00000000,?,?,?,?,00000000,?,00000001,00000000,00000000,00000008,?), ref: 004A2130
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000002,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000), ref: 004A2195
__alloca_probe_16.LIBCMT ref: 004A21B6
_malloc.LIBCMT ref: 004A21CA
_memset.LIBCMT ref: 004A21EA
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,00000000,?,00000001,00000000,00000000,00000008,?,00000000), ref: 004A21FF
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004A220D
___ansicp.LIBCMT ref: 004A2241
___convertcp.LIBCMT ref: 004A2262

Part of subcall function 004A6455: GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000,?,?,?), ref: 004A64A0
Part of subcall function 004A6455: GetCPInfo.KERNEL32(?,00000001,?,004A22D9,00000001,?), ref: 004A64B9
Part of subcall function 004A6455: _strlen.LIBCMT ref: 004A64D7
Part of subcall function 004A6455: __alloca_probe_16.LIBCMT ref: 004A64F7
Part of subcall function 004A6455: _memset.LIBCMT ref: 004A654F
Part of subcall function 004A6455: MultiByteToWideChar.KERNEL32(?,00000001,?,004A22D9,?,00000000,?,?,?,?,?,?,?,004A22D9,00000001,?), ref: 004A6566
Part of subcall function 004A6455: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,004A22D9), ref: 004A6581

GetStringTypeA.KERNEL32(?,?,?,?,?,00000002,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000,?), ref: 004A2282

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Info__alloca_probe_16_memset$ErrorLast___ansicp___convertcp_malloc_strlen
String ID:
API String ID: 1190950686-0
Opcode ID: 9ebd957ad742b4ab9dca44f61cfa64eae2e0c4079737444e84bd15da36552ebe
Instruction ID: ca4044ecca1d640bec734be1bf60d705fb3aeb433e7f15327cf516d7adb19d4d
Opcode Fuzzy Hash: 9ebd957ad742b4ab9dca44f61cfa64eae2e0c4079737444e84bd15da36552ebe
Instruction Fuzzy Hash: 3551D47250010AEFDF109F5CDD81EAF3BA9EB29350B14412BFA14D7260D7B8DD90AB98

Function 0047C6A0 Relevance: 16.6, APIs: 11, Instructions: 109COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0047C6C6
SaveDC.GDI32(00000000), ref: 0047C6CF
SetBkMode.GDI32(00000000,00000001), ref: 0047C6E0
SetTextColor.GDI32(00000000,?), ref: 0047C6EE

Part of subcall function 0047C4E0: DeleteObject.GDI32(?), ref: 0047C4F4
Part of subcall function 0047C4E0: CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000020,?), ref: 0047C53B

SelectObject.GDI32(00000000,?), ref: 0047C705
DrawTextW.USER32(00000000,?,?,?,00000400), ref: 0047C774
SelectObject.GDI32(00000000,000000FF), ref: 0047C780
SetTextColor.GDI32(00000000,00000000), ref: 0047C78C
SetBkMode.GDI32(00000000,?), ref: 0047C798
RestoreDC.GDI32(00000000,00000000), ref: 0047C79C
ReleaseDC.USER32(?,00000000), ref: 0047C7A7

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ObjectText$ColorModeSelect$CreateDeleteDrawFontReleaseRestoreSave
String ID:
API String ID: 336618730-0
Opcode ID: 2b495dac75e64a4d0fd103be3880c2d5d84c846ec633dc612106bfd60a6823b5
Instruction ID: c2ecf5e12c07408a4b411c62675657eddb110dcacc5cc5091127fbde78edc16b
Opcode Fuzzy Hash: 2b495dac75e64a4d0fd103be3880c2d5d84c846ec633dc612106bfd60a6823b5
Instruction Fuzzy Hash: 4E413A75508341AFD714DF25D8949ABBBF8FB89704F40492EF99A83210DB34E844CB56

Function 004601A0 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 234windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00000000), ref: 00460349
PostMessageW.USER32(00000000), ref: 0046046B

Strings

server_id, xrefs: 0046029E
liK, xrefs: 00460494, 00460544
ErrorUrl, xrefs: 004604F2
wd_thirdlogin, xrefs: 00460218
Error, xrefs: 00460505
wd_entergame=1, xrefs: 00460403
otype, xrefs: 0046023F

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: MessagePost
String ID: Error$ErrorUrl$liK$otype$server_id$wd_entergame=1$wd_thirdlogin
API String ID: 410705778-2538194828
Opcode ID: 6eb80e03bc648c5e223cfc57b19e32379ac88fbd54bbe06af85f98dee07f37ea
Instruction ID: 31bc0bebfcf81387cf3749d870ffa86c0345eddb1a07bd2886f4546d3cd60ece
Opcode Fuzzy Hash: 6eb80e03bc648c5e223cfc57b19e32379ac88fbd54bbe06af85f98dee07f37ea
Instruction Fuzzy Hash: 519109716083805BD720FB25C842BDF77A06F45318F454B1FF969572C2DB7869088BAB

Function 00454C70 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 151registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,?,6A8A24C0), ref: 00454CBB
RegCloseKey.ADVAPI32(6A8A24C0), ref: 00454CCA
RegSetValueExW.ADVAPI32(?,004B3EA4,00000000,00000001,00000000,?,6A8A24C0,00000000), ref: 00454D5F
RegCloseKey.ADVAPI32(?,?,6A8A24C0,00000000), ref: 00454D6E
RegCloseKey.ADVAPI32(?,?,6A8A24C0,00000000), ref: 00454DD7

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00454C9A
SL, xrefs: 00454D17
/autorun, xrefs: 00454D29
"%s" %s, xrefs: 00454D2F

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Close$CreateValue
String ID: SL$"%s" %s$/autorun$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1009429713-3119874873
Opcode ID: 94f2a26e01806bcc2ccb59e9808b735e7fa9c06c5f4f7586942ca08cac502fc0
Instruction ID: ad26950a78ebc2173b09d4b9e0f4937c06680a10e17e3c0be48adcd92f2d6a78
Opcode Fuzzy Hash: 94f2a26e01806bcc2ccb59e9808b735e7fa9c06c5f4f7586942ca08cac502fc0
Instruction Fuzzy Hash: 26518675204B419FD304DB28C841B16B7E5FBC9334F148B2DE4698B2E2DB34A849CBA5

Function 00482F10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105fileCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000100,00000000,?,?,00482DCA,?), ref: 00482F39
SetPriorityClass.KERNEL32(00000000), ref: 00482F40
CreateFileW.KERNEL32(\\.\IDE21201.VXD,00000000,00000000,00000000,00000000,04000000,00000000), ref: 00482F55
_memset.LIBCMT ref: 00482F76
DeviceIoControl.KERNEL32(00000000,00000001,00000000,00000000,?,00000004,?,00000000), ref: 00482F90
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00482F97
GetCurrentProcess.KERNEL32(00000020), ref: 00483041
SetPriorityClass.KERNEL32(00000000), ref: 00483048

Strings

\\.\IDE21201.VXD, xrefs: 00482F50

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClassCurrentPriorityProcess$CloseControlCreateDeviceFileHandle_memset
String ID: \\.\IDE21201.VXD
API String ID: 444835316-2881737880
Opcode ID: 2014904b35d2c918417bc42049f5ac8ea8779dfc31fea32a6a4d72ceff4cc6e7
Instruction ID: 0467865dda9919649a46b0e5cc838efed0772f43bd03ef37add006d4dd0a0195
Opcode Fuzzy Hash: 2014904b35d2c918417bc42049f5ac8ea8779dfc31fea32a6a4d72ceff4cc6e7
Instruction Fuzzy Hash: BD41D274504350ABD324DF56D889ABBBBF4FFC9B05F004A2EF99582290E3789584CB66

Function 00469260 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00469297

Part of subcall function 0049617B: RaiseException.KERNEL32(?,?,?,?), ref: 004961BD

__CxxThrowException@8.LIBCMT ref: 004692F7
__CxxThrowException@8.LIBCMT ref: 0046933A
__CxxThrowException@8.LIBCMT ref: 00469379
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0046939B

Strings

ios_base::eofbit set, xrefs: 0046933F
ios_base::failbit set, xrefs: 00469300
<UK, xrefs: 0046938C
ios_base::badbit set, xrefs: 004692A8

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8Throw$ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: <UK$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3368635868-612443383
Opcode ID: 6085d3225467ac03e9925a620202bd3e2b73570a5a00a299951d3613fb7f5b8d
Instruction ID: 008213f5f115a29bb514f38f548177f821b439fe8e70b2f6a695051f00ecff95
Opcode Fuzzy Hash: 6085d3225467ac03e9925a620202bd3e2b73570a5a00a299951d3613fb7f5b8d
Instruction Fuzzy Hash: 1731B4B1108740AED320DF55C846BCBFBE8AF88708F14491EF58957192D7F8A548CBAB

Function 00472170 Relevance: 15.4, APIs: 10, Instructions: 392COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 004721C7
std::_String_base::_Xlen.LIBCPMT ref: 004721F3
_memmove_s.LIBCMT ref: 0047227C
_memcpy_s.LIBCMT ref: 004722BA
_memmove_s.LIBCMT ref: 00472304
_memmove_s.LIBCMT ref: 0047239C
_memmove_s.LIBCMT ref: 00472425
_memmove_s.LIBCMT ref: 004724A8
_memmove_s.LIBCMT ref: 004724F0
_memmove_s.LIBCMT ref: 0047253F

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memmove_s$String_base::_Xlenstd::_$_memcpy_s
String ID:
API String ID: 3470545318-0
Opcode ID: 772adb0a012017c813e47d33b435bbcd0ceb120b1dad5bb8fdaa679a1c345b01
Instruction ID: 7bd5197d4a5f709a925bace89eff7bd9f786be56681b1120e76b53a1d0333b02
Opcode Fuzzy Hash: 772adb0a012017c813e47d33b435bbcd0ceb120b1dad5bb8fdaa679a1c345b01
Instruction Fuzzy Hash: A4E154702042029F8B04CF68CAD48AF77E6FFC5308B548A5EE449D7319D778E946CB9A

Function 0046ACA0 Relevance: 15.3, APIs: 10, Instructions: 267stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046AAC0: lstrcmpiW.KERNEL32(?,?,?,?,0046AD25,?,6A8A24C0,?,?,00000000), ref: 0046AB39

lstrlenW.KERNEL32(?,00000000), ref: 0046AD7E

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: lstrcmpilstrlen
String ID:
API String ID: 3649823140-0
Opcode ID: 4b62c6276f2a23dd608f45067179a7a6ee52167f9488ad8d50730b9b11104431
Instruction ID: e38185447ed3423f75394eaddc08c3e171453edc08aca935e3d678b4afde8974
Opcode Fuzzy Hash: 4b62c6276f2a23dd608f45067179a7a6ee52167f9488ad8d50730b9b11104431
Instruction Fuzzy Hash: 90A192B1A006089BCB24DF54CC85AEE73B5FF58700F14412BEA05E7250F7789A558BAB

Function 00460770 Relevance: 15.1, APIs: 10, Instructions: 116COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000), ref: 00460784
SetWindowLongW.USER32(00000000), ref: 004607B0
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004607C1
GetClientRect.USER32(00000000), ref: 004607D9
MoveWindow.USER32(?,0000009C,0000009C,00000032,00000032,00000000), ref: 004607F7
LoadCursorW.USER32(00000000,00007F89), ref: 0046081C
MoveWindow.USER32(?,00000180,000000C3,0000025C,0000014D,00000000), ref: 0046083F
ShowWindow.USER32(00000000), ref: 0046086F
SetWindowPos.USER32(00000000), ref: 004608B6
ShowWindow.USER32(00000000), ref: 004608CB

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$LongMoveShow$ClientCursorInfoLoadParametersRectSystem
String ID:
API String ID: 1741983491-0
Opcode ID: 6e2c8af7b4f7765086a0eeaf66897551ca18b0d134c0d74b9abc6b21b2f6afa4
Instruction ID: 08c6374872682f5156a9e0676e10ee84b2a3fff35d9684ac431bd8096a719f41
Opcode Fuzzy Hash: 6e2c8af7b4f7765086a0eeaf66897551ca18b0d134c0d74b9abc6b21b2f6afa4
Instruction Fuzzy Hash: 4D419F71204301AFE714DB68CC99F6B77E9FB88710F148728F699C72D0DA74E9008BA9

Function 00454FD0 Relevance: 15.1, APIs: 10, Instructions: 106windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32(00450000,0000009C), ref: 00454FE4
GetSubMenu.USER32(00000000,00000000), ref: 00454FF7
RemoveMenu.USER32(00000000,00000000,00000400,?,?,?), ref: 00455007
DestroyMenu.USER32(00000000,?,?,?), ref: 00455014
GetCursorPos.USER32(?), ref: 0045502D
TrackPopupMenu.USER32(00000000,00000102,?,?,00000000,00000000), ref: 00455054
DestroyMenu.USER32(00000000,?,?,?), ref: 0045505D
MessageBoxW.USER32(00000000,?,?,?), ref: 0045508D
ShowWindow.USER32(00000000,?,?,?), ref: 004550C4
Shell_NotifyIconW.SHELL32(00000002), ref: 004550E6

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Menu$Destroy$CursorIconLoadMessageNotifyPopupRemoveShell_ShowTrackWindow
String ID:
API String ID: 1946886820-0
Opcode ID: b81da3b0267436b96c9685b2ac0d4f2536b72e732dc6b4c89bda7e5191e5ae07
Instruction ID: 3e45ff658d012ce34cecbff8856bac4c090679f8ad5e337c2625bf9644107fe2
Opcode Fuzzy Hash: b81da3b0267436b96c9685b2ac0d4f2536b72e732dc6b4c89bda7e5191e5ae07
Instruction Fuzzy Hash: 41310B757003006BE7109F68EC59F7B77D4EB84B11F544539FE44C7391DA79A80987A8

Function 00493D6F Relevance: 15.1, APIs: 10, Instructions: 95COMMONLIBRARYCODE

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00493D88

Part of subcall function 0049735A: __calloc_impl.LIBCMT ref: 0049736B
Part of subcall function 0049735A: Sleep.KERNEL32(00000000), ref: 00497382

__calloc_crt.LIBCMT ref: 00493DAC
__calloc_crt.LIBCMT ref: 00493DC8
__copytlocinfo_nolock.LIBCMT ref: 00493DED
__setlocale_nolock.LIBCMT ref: 00493DFA
___removelocaleref.LIBCMT ref: 00493E06
___freetlocinfo.LIBCMT ref: 00493E0D
__setmbcp_nolock.LIBCMT ref: 00493E25
___removelocaleref.LIBCMT ref: 00493E3A
___freetlocinfo.LIBCMT ref: 00493E41

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 2969281212-0
Opcode ID: d61a02d513a0c167decf080a132058d1b59446339e87b2c402afeb961358976e
Instruction ID: fbf75c8e04b3c180a8645499aaec2325b821366e1f15fb2616211e6d00bef6f6
Opcode Fuzzy Hash: d61a02d513a0c167decf080a132058d1b59446339e87b2c402afeb961358976e
Instruction Fuzzy Hash: 5D21F631108200EFEF313F26D906D0B7FE5DF82B55B20443FF88856256EB399A00965D

Function 0045B730 Relevance: 15.1, APIs: 10, Instructions: 87COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0045B757

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5688718db02e0b8621874aed3173aa7d4e05a0784042e877c0f525d41222efc9
Instruction ID: 358af92afccdc4ea2d798142611b9d4f486b86f2a3a931319b48761a96daf99c
Opcode Fuzzy Hash: 5688718db02e0b8621874aed3173aa7d4e05a0784042e877c0f525d41222efc9
Instruction Fuzzy Hash: F831E1755082029FD301EF68C898B6BBBE8EF88305F50461AFC45C7362E774D848CBA9

Function 0047C1AC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DrawTextW.USER32(?,?,?,?,00000400), ref: 0047C290
InflateRect.USER32(?,00000000,?), ref: 0047C2E8
DrawTextW.USER32(?,?,00000008,?,?), ref: 0047C31C
SelectObject.GDI32(?,?), ref: 0047C328
SetTextColor.GDI32(?,?), ref: 0047C334
SetBkMode.GDI32(?,?), ref: 0047C340
RestoreDC.GDI32(?,?), ref: 0047C34C

Strings

..., xrefs: 0047C1BA

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Text$Draw$ColorInflateModeObjectRectRestoreSelect
String ID: ...
API String ID: 132038385-440645147
Opcode ID: 53cffef93b938ea175802bffb4e2cf09c295503aba823436a5a3fa383e747553
Instruction ID: b7ea7545b367b9266916cf9edf75954f80bd5f884aeafbc0486109a6bacbbb65
Opcode Fuzzy Hash: 53cffef93b938ea175802bffb4e2cf09c295503aba823436a5a3fa383e747553
Instruction Fuzzy Hash: 7E31FDB5208341AFD714DF24D985FABB7E9FB84300F40892DF98A83651D734E844CB56

Function 0047EBE0 Relevance: 13.6, APIs: 9, Instructions: 133synchronizationthreadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 0047EC50
WaitForSingleObject.KERNEL32(?,00001388), ref: 0047EC6D
TerminateThread.KERNEL32(?,00000000), ref: 0047EC80
CloseHandle.KERNEL32(?), ref: 0047EC8A
SetEvent.KERNEL32(?), ref: 0047ECA6
WaitForSingleObject.KERNEL32(?,00001388), ref: 0047ECC0
TerminateThread.KERNEL32(?,00000000), ref: 0047ECD3
CloseHandle.KERNEL32(?), ref: 0047ECDD
CloseHandle.KERNEL32(?), ref: 0047ECF2

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseHandle$EventObjectSingleTerminateThreadWait
String ID:
API String ID: 3210639814-0
Opcode ID: 460f5c018adfbd3ba8eb319a26c58651f50e8c1c433b299fdc4ae960c6da9feb
Instruction ID: 4325de8d991879bf0fea8c0f21b4704008ae504537373e408beb873f5e297962
Opcode Fuzzy Hash: 460f5c018adfbd3ba8eb319a26c58651f50e8c1c433b299fdc4ae960c6da9feb
Instruction Fuzzy Hash: 5B519F75600301DFDB24EF26C984A5BB7E5AF48314F10CAAAE85ED7761D738E801CB99

Function 0046C830 Relevance: 13.6, APIs: 9, Instructions: 125COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,6A8A24C0,00000000,?,00000007,?,?,?,?,00000000,Function_00045EE0,004BBC48,000000FE), ref: 0046C880
_memset.LIBCMT ref: 0046C8A6
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,?,?,?,00000000,Function_00045EE0,004BBC48,000000FE), ref: 0046C8C8
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,?,?,?,?,00000000,Function_00045EE0,004BBC48,000000FE), ref: 0046C8EB
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,Function_00045EE0,004BBC48,000000FE), ref: 0046C8F1
_malloc.LIBCMT ref: 0046C903
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,?,?,?,?,?,00000000,Function_00045EE0,004BBC48), ref: 0046C923
LookupAccountSidW.ADVAPI32(00000000,?,004C8400,?,?,?,?), ref: 0046C942
@_EH4_CallFilterFunc@8.LIBCMT ref: 0046C957

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Token$InformationOpenProcess$AccountCallErrorFilterFunc@8LastLookup_malloc_memset
String ID:
API String ID: 2783776201-0
Opcode ID: c1abfd5f0cd94333a7dca3fd6195c3dce1b1a67a7e27d734558829763eb678a6
Instruction ID: 1a6374f6af638c160608208eb200626235e8c8f2c2b8be018a800f24d84b4f77
Opcode Fuzzy Hash: c1abfd5f0cd94333a7dca3fd6195c3dce1b1a67a7e27d734558829763eb678a6
Instruction Fuzzy Hash: C64131B2A00209AFDB14DFA5DC85EFFB7B9EB48710F10462EF515E7280E67859048B69

Function 004611A0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 004794D0: CreateWindowExW.USER32(00000000,004C63CC,?,80000000,?,?,?,?,00000000,00000000,6A8A24C0,00000000), ref: 00479508
Part of subcall function 004794D0: SetWindowTextW.USER32(00000000), ref: 00479526

GetWindowLongW.USER32(00000000), ref: 004611F4
SetWindowLongW.USER32(00000000), ref: 00461224
LoadCursorW.USER32(00000000,00007F89), ref: 0046135A
LoadCursorW.USER32(00000000,00007F89), ref: 004613CD

Strings

k, xrefs: 004613AB
about:blank, xrefs: 00461453
37Lander, xrefs: 004611DB

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$CursorLoadLong$CreateText
String ID: 37Lander$about:blank$k
API String ID: 3137564492-2532287797
Opcode ID: 7488253ed494fcb59139d0f3d920dac5865aa461229bd47792cd6db39b3ffd52
Instruction ID: e939c5e24bf81a2e35ab3a7de0b5f486a104f2d116e8e8da7e5b2028679babfc
Opcode Fuzzy Hash: 7488253ed494fcb59139d0f3d920dac5865aa461229bd47792cd6db39b3ffd52
Instruction Fuzzy Hash: 2DC19C71304341AFD704DF68C881F9AB7E5BF88704F14861DF699873A1DBB9A908CB96

Function 004763D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(WebSuperCall), ref: 0047647C
VariantInit.OLEAUT32(?), ref: 004764F4
SysAllocString.OLEAUT32(00000000), ref: 0047650F
VariantInit.OLEAUT32(?), ref: 0047651E
SysFreeString.OLEAUT32(?), ref: 00476580

Part of subcall function 004521E0: __CxxThrowException@8.LIBCMT ref: 004521F2

Strings

WebSuperCall, xrefs: 00476477
`<u, xrefs: 00476580

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String$AllocInitVariant$Exception@8FreeThrow
String ID: WebSuperCall$`<u
API String ID: 491998546-2164882518
Opcode ID: 33f8fb8ae9f728bc1c2c55807ede50f6cdb90433f2f3ba2fc7810d3c6a97aa99
Instruction ID: b88162becc209e5177e16599c522f05a67f0f5845b5cfca98829d4dd7b48ee27
Opcode Fuzzy Hash: 33f8fb8ae9f728bc1c2c55807ede50f6cdb90433f2f3ba2fc7810d3c6a97aa99
Instruction Fuzzy Hash: 0C614F75E00208AFDB00DFA9D980BDEB7F9FF48714F10855AE919A7341D779A904CBA8

Function 0045FF70 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 164windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,?,?,6A8A24C0), ref: 0045FFDD
MessageBoxW.USER32(00000000,?,?,6A8A24C0), ref: 00460010

Strings

http://jzcq.37.com/, xrefs: 00460149
http://bbs.37.com/list-3829-1.html, xrefs: 00460161
liK, xrefs: 0045FFC7, 0045FFD5
http://kf.37.com/, xrefs: 004600FC

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: MessageShowWindow
String ID: http://bbs.37.com/list-3829-1.html$http://jzcq.37.com/$http://kf.37.com/$liK
API String ID: 1109058218-1753702938
Opcode ID: 491912eb2ef1543e8380a6c2e3d3ad5dc4425e6f8fc1d0cb5656316da65ec73d
Instruction ID: f2401f5a2bff205cac036c8be267bbe6337b2317a46af8fe7a923a76a91341c0
Opcode Fuzzy Hash: 491912eb2ef1543e8380a6c2e3d3ad5dc4425e6f8fc1d0cb5656316da65ec73d
Instruction Fuzzy Hash: 06510A35604201AFC714EB64C881BEBB3A5EB56304F14462BF96547381FB39ED458BEB

Function 00458720 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 004587E4
SysFreeString.OLEAUT32(00000000), ref: 004587EF
SysAllocStringLen.OLEAUT32(00000000,?), ref: 00458802
_memset.LIBCMT ref: 00458828
SysFreeString.OLEAUT32(00000000), ref: 0045884D
SysFreeString.OLEAUT32 ref: 0045886A

Strings

`<u, xrefs: 004587EF, 0045884D, 0045886A

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String$Free$Alloc_memset
String ID: `<u
API String ID: 1448862277-3367579956
Opcode ID: de765a4182ed71d8b4414ca20c8f9254f1351241bceef4f3b85ecde07e7ba483
Instruction ID: 539720093868045b44335b41df32b0292ab1cff2c0b1d2a4e7408f2c5f76b2e6
Opcode Fuzzy Hash: de765a4182ed71d8b4414ca20c8f9254f1351241bceef4f3b85ecde07e7ba483
Instruction Fuzzy Hash: E9516EB12043469FD314DF18C880F6BB7E8EB88714F504A2EF94597291DF78D9098BAA

Function 00476910 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 150COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32(?,00000000), ref: 00476A24
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00476A32
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00476A40
SafeArrayUnaccessData.OLEAUT32(?), ref: 00476A47

Strings

javascript, xrefs: 0047699D
.exe, xrefs: 00476A6C
about:blank, xrefs: 004769B8

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessUnaccess
String ID: .exe$about:blank$javascript
API String ID: 440164815-1234980095
Opcode ID: 2074e9ecf8d50c3965057aac7283e1f804c581a2a00b4d9bdfaf195459caabe5
Instruction ID: b1b887aa040e32a599a07e34390b9a552d5b7f10ff1d5e2488efe3710080e567
Opcode Fuzzy Hash: 2074e9ecf8d50c3965057aac7283e1f804c581a2a00b4d9bdfaf195459caabe5
Instruction Fuzzy Hash: 0451E131608701AFD704DF24C881F9BB7A5FF85714F00862EF949972D1DBB8A909C79A

Function 00462220 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 147threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004656E0: GetCommandLineW.KERNEL32(00640000,?,?,?,?,?,004657B2,6A8A24C0,00320000,00640000), ref: 004656F0

EnterCriticalSection.KERNEL32(004C8338), ref: 0046280F
GetCurrentThreadId.KERNEL32 ref: 00462815
LeaveCriticalSection.KERNEL32(004C8338,004B5404,?), ref: 00462835

Part of subcall function 0045FDA0: GetWindowLongW.USER32(00000000), ref: 0045FDD0
Part of subcall function 0045FDA0: SetWindowLongW.USER32(00000000,?,00462283), ref: 0045FDF2
Part of subcall function 0045FDA0: GetWindowLongW.USER32(00000000), ref: 0045FE03
Part of subcall function 0045FDA0: SetWindowLongW.USER32(00000000,?,00462283), ref: 0045FE1F

Strings

liK, xrefs: 004622B0, 004622BE, 004622E5, 004622F1, 004622F8
\TK, xrefs: 00462843
liK, xrefs: 00462237, 0046225D, 00462279, 00462288, 00462302, 00462310, 00462337, 00462343, 0046234A

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LongWindow$CriticalSection$CommandCurrentEnterLeaveLineThread
String ID: \TK$liK$liK
API String ID: 3332472655-4282743499
Opcode ID: 7460a67f78fbf2eaf05eae9e8ff602b65565ec80d3fbfccd62f19ec1f40b70b1
Instruction ID: 80f1c7be952597dcf7251686c5fae30d8966762df70b3530c30b3ba2a1e359e1
Opcode Fuzzy Hash: 7460a67f78fbf2eaf05eae9e8ff602b65565ec80d3fbfccd62f19ec1f40b70b1
Instruction Fuzzy Hash: 5451E0B1904300ABC740EF59C844B5FBBE4EB84718F408A2FF48497311EB79A9098B9F

Function 004742A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004742CB
std::_Lockit::_Lockit.LIBCPMT ref: 004742F1
std::bad_exception::bad_exception.LIBCMT ref: 00474375
__CxxThrowException@8.LIBCMT ref: 00474384
std::_Lockit::_Lockit.LIBCPMT ref: 00474399
std::locale::facet::facet_Register.LIBCPMT ref: 004743B4

Strings

bad cast, xrefs: 0047436C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: cb5094c541da561e7913b5257211b25cc7f540ed401702930480dd872bd3062c
Instruction ID: 3846ec0aa1f03b98f7cc3dbc8eb5dba0f4b0fa5a83c33afbc9478108843361ef
Opcode Fuzzy Hash: cb5094c541da561e7913b5257211b25cc7f540ed401702930480dd872bd3062c
Instruction Fuzzy Hash: C631A6715042008FC754EF55D881FBE73E0EB94724F508A2EE86D97291DB38A948CB9A

Function 004743F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0047441B
std::_Lockit::_Lockit.LIBCPMT ref: 00474441
std::bad_exception::bad_exception.LIBCMT ref: 004744C5
__CxxThrowException@8.LIBCMT ref: 004744D4
std::_Lockit::_Lockit.LIBCPMT ref: 004744E9
std::locale::facet::facet_Register.LIBCPMT ref: 00474504

Strings

bad cast, xrefs: 004744BC

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: df6f861da6196e3dfd731daee6d993cad7d32d2d8a4c4bf046bb4b1e4d7430e7
Instruction ID: d3a205cada47c4f6e2b17422379c13f1091f1152368bad40577da3d16e0025ff
Opcode Fuzzy Hash: df6f861da6196e3dfd731daee6d993cad7d32d2d8a4c4bf046bb4b1e4d7430e7
Instruction Fuzzy Hash: B031C4315043009FC754EF50C981FAF77A0FB94728F504A2EF966972E1DB38A948CB9A

Function 0048E400 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0048E42B
std::_Lockit::_Lockit.LIBCPMT ref: 0048E451
std::bad_exception::bad_exception.LIBCMT ref: 0048E4D5
__CxxThrowException@8.LIBCMT ref: 0048E4E4
std::_Lockit::_Lockit.LIBCPMT ref: 0048E4F9
std::locale::facet::facet_Register.LIBCPMT ref: 0048E514

Strings

bad cast, xrefs: 0048E4CC

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 64530b563a5f8cbc901cd90dd4d2e63f71b3d7246c42bd4f040aa855f4b9dc05
Instruction ID: b60350b7fba4df6a092cceffe492aa9c0cdce7f03517310e4f108b20e84882be
Opcode Fuzzy Hash: 64530b563a5f8cbc901cd90dd4d2e63f71b3d7246c42bd4f040aa855f4b9dc05
Instruction Fuzzy Hash: E831BF314042009FC754FF12D981B5E73E0FB54B28F504A6EE866972D1EB38A948CB9A

Function 0048E550 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0048E57B
std::_Lockit::_Lockit.LIBCPMT ref: 0048E5A1
std::bad_exception::bad_exception.LIBCMT ref: 0048E625
__CxxThrowException@8.LIBCMT ref: 0048E634
std::_Lockit::_Lockit.LIBCPMT ref: 0048E649
std::locale::facet::facet_Register.LIBCPMT ref: 0048E664

Strings

bad cast, xrefs: 0048E61C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 0eb7d5080010c766d05ce255d060b8231c311de44ca90ed4fb56c365d6ae050f
Instruction ID: dcc44fd8db99cd18a2f305eb9ee35ff073df6e7759548c8afc65cc63fdc81c4f
Opcode Fuzzy Hash: 0eb7d5080010c766d05ce255d060b8231c311de44ca90ed4fb56c365d6ae050f
Instruction Fuzzy Hash: CF319F71514710DFC714FF16D881F5E77A0FB64728F500A2EE852A72E1EB38A948CB9A

Function 00468A70 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00468A9B
std::_Lockit::_Lockit.LIBCPMT ref: 00468AC1
std::bad_exception::bad_exception.LIBCMT ref: 00468B45
__CxxThrowException@8.LIBCMT ref: 00468B54
std::_Lockit::_Lockit.LIBCPMT ref: 00468B69
std::locale::facet::facet_Register.LIBCPMT ref: 00468B84

Strings

bad cast, xrefs: 00468B3C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: de754fb50fffa0e23f99db6c987679418b7657d1dc3682847906864a2cd4edc5
Instruction ID: 2258890d47642f120ded1befae32c30e41ba0cbe10f1e1874d926501aa86013c
Opcode Fuzzy Hash: de754fb50fffa0e23f99db6c987679418b7657d1dc3682847906864a2cd4edc5
Instruction Fuzzy Hash: 8D3192B15047008BC754EF14D881F5E77A4BB54B28F440B2FF855572A1EB78B988CB9B

Function 00475700 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0047572B
std::_Lockit::_Lockit.LIBCPMT ref: 00475751
std::bad_exception::bad_exception.LIBCMT ref: 004757D5
__CxxThrowException@8.LIBCMT ref: 004757E4
std::_Lockit::_Lockit.LIBCPMT ref: 004757F9
std::locale::facet::facet_Register.LIBCPMT ref: 00475814

Strings

bad cast, xrefs: 004757CC

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 6f6850748c55b9caed2a6b35fd8139620a6da5dce571dced0f5439879a16d485
Instruction ID: 535f8bb01e5281409105de10cca60dd3e97ff4aa5fa1112fddaa23ca5685b124
Opcode Fuzzy Hash: 6f6850748c55b9caed2a6b35fd8139620a6da5dce571dced0f5439879a16d485
Instruction Fuzzy Hash: 3331A635414B00CFC718EF15C881F9E77A0FB54728F544A2EE45A9B291DB78A988CB9A

Function 00467DA0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00467DCB
std::_Lockit::_Lockit.LIBCPMT ref: 00467DF1
std::bad_exception::bad_exception.LIBCMT ref: 00467E75
__CxxThrowException@8.LIBCMT ref: 00467E84
std::_Lockit::_Lockit.LIBCPMT ref: 00467E99
std::locale::facet::facet_Register.LIBCPMT ref: 00467EB4

Strings

bad cast, xrefs: 00467E6C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 5e8e825e873c7e4616732c0cf727d5534b149469d7220bc700d67d7652860e8e
Instruction ID: 8bd326d6dec701de42d05e5e6e2070a4565f66d17761507178b39e33197b1d4f
Opcode Fuzzy Hash: 5e8e825e873c7e4616732c0cf727d5534b149469d7220bc700d67d7652860e8e
Instruction Fuzzy Hash: 4131BF715083008FC714EF11D981B5E73E0FB54728F500A6EE866972E1EB39AD48CB9B

Function 00459A70 Relevance: 12.2, APIs: 8, Instructions: 165comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004B4AAC,00000000,00000001,004B4A6C,?,6A8A24C0,?,?,?), ref: 00459B4F

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: cc3d95f15fb27299137ebfd6806c8ffa0e7bb071ec4a9d7b8dc3eebf16643c1b
Instruction ID: 3e9892cb8424a598bd859128bad0a1c8d7a4cdb34b520f347074df10d5b4c7cf
Opcode Fuzzy Hash: cc3d95f15fb27299137ebfd6806c8ffa0e7bb071ec4a9d7b8dc3eebf16643c1b
Instruction Fuzzy Hash: 3851D534204341EFD721EF589C44B6777E5EB88702F80492FFD8686296E3B89C49876E

Function 00454A50 Relevance: 12.1, APIs: 8, Instructions: 120windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32(00450000,00000095), ref: 00454A64
GetSubMenu.USER32(00000000,00000000), ref: 00454A77
RemoveMenu.USER32(00000000,00000000,00000400,?,?,?,?,00454204,?,?), ref: 00454A87
DestroyMenu.USER32(00000000,?,?,?,?,00454204,?,?), ref: 00454A8E
ClientToScreen.USER32(00000000), ref: 00454ADE

Part of subcall function 00454BA0: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,00000000,?,?,?,?,00454204,?,?), ref: 00454BB8

CheckMenuItem.USER32(00000000,00008008,00000000), ref: 00454AFB
TrackPopupMenu.USER32(00000000,00000102,?,?,00000000,00000000), ref: 00454B22
DestroyMenu.USER32(00000000,?,?,?,?,00454204,?,?), ref: 00454B2B

Part of subcall function 00454C00: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104), ref: 00454C20

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Menu$Destroy$CheckClientFileItemLoadModuleNameOpenPopupRemoveScreenTrack
String ID:
API String ID: 1726955596-0
Opcode ID: 892a6775a48081360d0717321da4aa7e86fd566b7c3b685db195bd2eb99b9146
Instruction ID: 7846e2f3bb81263a0edf48a01da8296ecd22805e0fc7acc1100c37038d484ca6
Opcode Fuzzy Hash: 892a6775a48081360d0717321da4aa7e86fd566b7c3b685db195bd2eb99b9146
Instruction Fuzzy Hash: 4A3105753003015BD300EFA8EC45F6BB7E8EBC4712F50452AF904CB252EA79E84A87A5

Function 0045C830 Relevance: 12.1, APIs: 8, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0045C86C
SysFreeString.OLEAUT32(00000000), ref: 0045C89E
SysStringLen.OLEAUT32(?), ref: 0045C8AF
SysStringLen.OLEAUT32(?), ref: 0045C8BA
CoTaskMemAlloc.OLE32(00000002), ref: 0045C8C1
SysFreeString.OLEAUT32(?), ref: 0045C8D3

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String$AllocFree$Task
String ID:
API String ID: 1511711959-0
Opcode ID: 8be8b1e735e3eca81ee14caa4f15ea2bb4aa219aecc8d77c51195ee9b4093bac
Instruction ID: 89f085b8ad5de90c82a6b6f48751e9e51199e5a43079d384608f4bbae795a907
Opcode Fuzzy Hash: 8be8b1e735e3eca81ee14caa4f15ea2bb4aa219aecc8d77c51195ee9b4093bac
Instruction Fuzzy Hash: 61218D726053185FD310AB69AC8096BB3E8BBC8755F00462BF944E7312C779DD158BE5

Function 00455280 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 213COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004552DB

Part of subcall function 00490FA0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000000,004552E0,00000000,?,?,?), ref: 00490FAB
Part of subcall function 00490FA0: __aulldiv.LIBCMT ref: 00490FCB

Strings

CurAccountInfos.tmp, xrefs: 0045545A
SL, xrefs: 004552C3
http://api.clogin.m2.6wtx.com/?act=m&ope=k&platform=37wan&server_id=%s&account=%s&timestamp=%s, xrefs: 004553AB
SL, xrefs: 00455342
%ld, xrefs: 004552E5

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: SL$ SL$%ld$CurAccountInfos.tmp$http://api.clogin.m2.6wtx.com/?act=m&ope=k&platform=37wan&server_id=%s&account=%s&timestamp=%s
API String ID: 2893107130-262625809
Opcode ID: d36d1b73edfb9150ad391b4432be251883a2d85362e9d77bfcee3663deb33cf3
Instruction ID: ca71ae2c30dcaef2dcfeda7bddf1996331d07c9c20297ccb7ee6688149b2514c
Opcode Fuzzy Hash: d36d1b73edfb9150ad391b4432be251883a2d85362e9d77bfcee3663deb33cf3
Instruction Fuzzy Hash: A781A0716087808FD320DF29D841B5BB7E5FFC5714F548A2EE8998B352D778A808CB96

Function 00454030 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,?,?), ref: 00454079

Strings

http://jzcq.37.com/, xrefs: 004541BF
http://bbs.37.com/list-3829-1.html, xrefs: 004541DE
http://kf.37.com/, xrefs: 00454164

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ShowWindow
String ID: http://bbs.37.com/list-3829-1.html$http://jzcq.37.com/$http://kf.37.com/
API String ID: 1268545403-209637737
Opcode ID: 15fc45ae690398999941970bc4d3544b08269fe83f2ae8c931544c44622e7f6b
Instruction ID: af3b15c4d05596e53b887ea0c9ea2d4f919f378a550c242077cb1eee6f27bd44
Opcode Fuzzy Hash: 15fc45ae690398999941970bc4d3544b08269fe83f2ae8c931544c44622e7f6b
Instruction Fuzzy Hash: 30510B3770010047C710EA99E4809EAF391E7E431AF50457BFD59CF341EA266D9AC7E9

Function 0046E7C0 Relevance: 10.6, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,6A8A24C0,00000007,?,004B6608), ref: 0046E802
PathFileExistsW.SHLWAPI(00000000,004B6608,-00000002), ref: 0046E85A
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0046E866
PathFileExistsW.SHLWAPI(?,00000000,004B6608,-00000002), ref: 0046E8AD
CreateDirectoryW.KERNEL32(?,00000000), ref: 0046E8C8
PathFileExistsW.SHLWAPI(00000000,004B6608), ref: 0046E911
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0046E919

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ExistsFilePath$CreateDirectory
String ID:
API String ID: 3245115503-0
Opcode ID: 9a1eb6150bc2c7564f058fa452fa151373df09a72915a3b0479f718baa45607a
Instruction ID: 4b461e0a2fc56c71fb0729a2205dde4d94cedcacf14e3a5f0b877fa318eca12b
Opcode Fuzzy Hash: 9a1eb6150bc2c7564f058fa452fa151373df09a72915a3b0479f718baa45607a
Instruction Fuzzy Hash: 69518EB56083009FDB50EF25D881A5BB7E8AF85B18F440A2EF94597250F739E9088B5B

Function 00454890 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,iexplore,00000004,00000000,00000005), ref: 00454922
GetLastError.KERNEL32 ref: 00454929
ShellExecuteW.SHELL32(00000000,open,00000004,00000000,00000000,00000005), ref: 0045493D

Strings

open, xrefs: 0045491B, 00454936
iexplore, xrefs: 00454916
wd_returnlogin=1, xrefs: 004549DB

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ExecuteShell$ErrorLast
String ID: iexplore$open$wd_returnlogin=1
API String ID: 599085185-2353386407
Opcode ID: 1af83c8e9055328f976cb967c8b526c8106afb12c9145fda36f5400855097783
Instruction ID: 0acdea1ed5b4c9fde38ff97d9e7478599178faa28b7e367835ed3e0a2f653c3f
Opcode Fuzzy Hash: 1af83c8e9055328f976cb967c8b526c8106afb12c9145fda36f5400855097783
Instruction Fuzzy Hash: 9741D3716483009FC710EF24CC42B9BB7E0FF85705F514A2EF9499B291E678A949CB4A

Function 0046B0B0 Relevance: 10.6, APIs: 7, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(6A8A24C0,?,00000000,?,?,?,?,00000000,?), ref: 0046B0F5
RegCloseKey.ADVAPI32(?), ref: 0046B10C
RegEnumKeyExW.ADVAPI32 ref: 0046B15A
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 0046B194
RegCloseKey.ADVAPI32(?), ref: 0046B1A3
RegCloseKey.ADVAPI32(?), ref: 0046B1C5
RegCloseKey.ADVAPI32(?), ref: 0046B1F1

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Close$Enum$Open
String ID:
API String ID: 4245071059-0
Opcode ID: 8ba33d8f4f364a88df1fda1bf270e6ef30011d127a3137aa651bf8a12b73226f
Instruction ID: 7dcabbb370e12dc9fece64f625a2497b312858fc165b639d0e9bfd8f0b5e946a
Opcode Fuzzy Hash: 8ba33d8f4f364a88df1fda1bf270e6ef30011d127a3137aa651bf8a12b73226f
Instruction Fuzzy Hash: A64162B5508309AFC310DF55D99499BBBECEB89794F40092EF545D3210E734E9848BA7

Function 0045AEF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0045AF6F
GetWindowLongW.USER32(?,000000FC), ref: 0045AF84
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 0045AF99
GetWindowLongW.USER32(?,000000FC), ref: 0045AFB4
SetWindowLongW.USER32(?,000000FC,?), ref: 0045AFC6

Strings

$, xrefs: 0045AF36

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 30aeb968268711938c4dfdaaddf6a85755b3112e411b3978f5aad88ef8fe1982
Instruction ID: cf2bf5ca6b90cf6f906a5a72a727895d7b4c4e9b43cd3eb4324c8a569174446a
Opcode Fuzzy Hash: 30aeb968268711938c4dfdaaddf6a85755b3112e411b3978f5aad88ef8fe1982
Instruction Fuzzy Hash: B14105B1608700AFC364DF5AD88081BFBF8FF88714F508A1EF99A83661D731E8458B56

Function 0047BF5C Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

DrawTextW.USER32(?,?,?,?,00000400), ref: 0047C00B
DrawTextW.USER32(?,?,00000008,?,?), ref: 0047C11B
OffsetRect.USER32(?,00000000,?), ref: 0047C133
DrawTextW.USER32(?,?,?,?,00000400), ref: 0047C290
InflateRect.USER32(?,00000000,?), ref: 0047C2E8
SelectObject.GDI32(?,?), ref: 0047C328
SetTextColor.GDI32(?,?), ref: 0047C334
SetBkMode.GDI32(?,?), ref: 0047C340
RestoreDC.GDI32(?,?), ref: 0047C34C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Text$Draw$Rect$ColorInflateModeObjectOffsetRestoreSelect
String ID:
API String ID: 2947364971-0
Opcode ID: d7b8eaa79297e75d0affc2487f6111269f8f472df7ed43e81cccc2cbbb75a167
Instruction ID: 900e3b15d92e344850ee595a8805e5c512b86baf3e90639c373570fc262fee36
Opcode Fuzzy Hash: d7b8eaa79297e75d0affc2487f6111269f8f472df7ed43e81cccc2cbbb75a167
Instruction Fuzzy Hash: F3414C71108381DFD724DB24D885FAFB7E8FB84704F508A1EF59A83251DB34A849CB9A

Function 0047BF86 Relevance: 10.6, APIs: 7, Instructions: 104COMMON

Download Yara Rule

APIs

DrawTextW.USER32(?,?,?,?,00000400), ref: 0047C00B
DrawTextW.USER32(?,?,00000008,?,?), ref: 0047C11B
OffsetRect.USER32(?,00000000,?), ref: 0047C133
SelectObject.GDI32(?,?), ref: 0047C328
SetTextColor.GDI32(?,?), ref: 0047C334
SetBkMode.GDI32(?,?), ref: 0047C340
RestoreDC.GDI32(?,?), ref: 0047C34C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Text$Draw$ColorModeObjectOffsetRectRestoreSelect
String ID:
API String ID: 1428641515-0
Opcode ID: 8be519a8002589268b127e4015302a8a0f84d498f09e580424cf1b63011d5972
Instruction ID: 0cba42a6647803a0ecad2659b4e9388c99b8245b74a54b6ace05e3d53c3f53cc
Opcode Fuzzy Hash: 8be519a8002589268b127e4015302a8a0f84d498f09e580424cf1b63011d5972
Instruction Fuzzy Hash: 08412CB1508380DFD724DB64D885FAFB7E8FB84704F508A1EF59A83251DB34A849CB96

Function 0047BF84 Relevance: 10.6, APIs: 7, Instructions: 103COMMON

Download Yara Rule

APIs

DrawTextW.USER32(?,?,?,?,00000400), ref: 0047C00B
DrawTextW.USER32(?,?,00000008,?,?), ref: 0047C11B
OffsetRect.USER32(?,00000000,?), ref: 0047C133
SelectObject.GDI32(?,?), ref: 0047C328
SetTextColor.GDI32(?,?), ref: 0047C334
SetBkMode.GDI32(?,?), ref: 0047C340
RestoreDC.GDI32(?,?), ref: 0047C34C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Text$Draw$ColorModeObjectOffsetRectRestoreSelect
String ID:
API String ID: 1428641515-0
Opcode ID: 6fa2a93bd1c93144b86d8b75bb3772fffc932304016607483d28977bc8bde4ff
Instruction ID: 4b51e9b4e4ecd6ff976239d5faa2bbe0ec30e8b2707a8278d351bbdfee3252fe
Opcode Fuzzy Hash: 6fa2a93bd1c93144b86d8b75bb3772fffc932304016607483d28977bc8bde4ff
Instruction Fuzzy Hash: 1A412DB1108340DFD724DB64D885FAFB7E8FB84704F508A1EF59A83251DB34A849CB9A

Function 00488270 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00488304
__CxxThrowException@8.LIBCMT ref: 0048837C
__CxxThrowException@8.LIBCMT ref: 004883F7

Strings

Type is not convertible to int, xrefs: 004883BF
Real out of signed integer range, xrefs: 00488344
integer out of signed integer range, xrefs: 004882D2

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8Throw
String ID: Real out of signed integer range$Type is not convertible to int$integer out of signed integer range
API String ID: 2005118841-3748601619
Opcode ID: cd2cc83ed9ca415f482d9a6909bb0c0e07d12e6b0ffba1f19b896d25679f8339
Instruction ID: ba50063c11d9c420ad19b7c16f512edabaa1d7314222c9f771d14a8587a41e84
Opcode Fuzzy Hash: cd2cc83ed9ca415f482d9a6909bb0c0e07d12e6b0ffba1f19b896d25679f8339
Instruction Fuzzy Hash: 4841D3B1008780DBD724DB60D842B9AB7B8FB84704F904A6FF48952691EBBD5408CB6A

Function 00488440 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004884B9
__CxxThrowException@8.LIBCMT ref: 00488562
__CxxThrowException@8.LIBCMT ref: 004885BC

Strings

Real out of unsigned integer range, xrefs: 0048852A
Negative integer can not be converted to unsigned integer, xrefs: 00488487
Type is not convertible to uint, xrefs: 00488584

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8Throw
String ID: Negative integer can not be converted to unsigned integer$Real out of unsigned integer range$Type is not convertible to uint
API String ID: 2005118841-1738163505
Opcode ID: 892273d6c02e3c0470505d8e9c60be528918d1a4d961e0610e689f995a27285a
Instruction ID: d7807cff9dadbae159f474284b7286e759698cba5559bf26482c7f7f606633f3
Opcode Fuzzy Hash: 892273d6c02e3c0470505d8e9c60be528918d1a4d961e0610e689f995a27285a
Instruction Fuzzy Hash: A0416E71048780EED724DF20D942B9FB7E8FB84700F908E6EE59946281EBBD9504CB5A

Function 0049D1C6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049D1D2

Part of subcall function 0049AA11: __getptd_noexit.LIBCMT ref: 0049AA14
Part of subcall function 0049AA11: __amsg_exit.LIBCMT ref: 0049AA21

__amsg_exit.LIBCMT ref: 0049D1F2
__lock.LIBCMT ref: 0049D202
InterlockedDecrement.KERNEL32(?), ref: 0049D21F
InterlockedIncrement.KERNEL32(02752D10), ref: 0049D24A

Strings

P)L, xrefs: 0049D229

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: P)L
API String ID: 4271482742-2832295410
Opcode ID: 0f7f55e5f4b268a5579b28812104b2752eab9fa85489777fef9df5b214d43bfb
Instruction ID: eb9fd8221c055ce0803b7793560e37f2d9030505a9972e35624170b3cc9df5b4
Opcode Fuzzy Hash: 0f7f55e5f4b268a5579b28812104b2752eab9fa85489777fef9df5b214d43bfb
Instruction Fuzzy Hash: 0A01C431D01B119BDF11AB659905B5EBF60AF14B10F14017BE810A7390CBBCAD81DBDE

Function 0046E550 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,iexplore,http://bbs.37.com/list-3829-1.html,00000000,00000005), ref: 0046E568
GetLastError.KERNEL32(?,?), ref: 0046E56F
ShellExecuteW.SHELL32(00000000,open,http://bbs.37.com/list-3829-1.html,00000000,00000000,00000005), ref: 0046E583

Strings

open, xrefs: 0046E561, 0046E57C
http://bbs.37.com/list-3829-1.html, xrefs: 0046E55B, 0046E57B
iexplore, xrefs: 0046E55C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ExecuteShell$ErrorLast
String ID: http://bbs.37.com/list-3829-1.html$iexplore$open
API String ID: 599085185-2126830628
Opcode ID: b1e91681495725d99911f4e0bb08e31edcfeaad604661616499763f4535a35f0
Instruction ID: 8c1eb33d6c0cc48ece5731ecb44815a53c3d55b97f053e049ade3efc39a9b163
Opcode Fuzzy Hash: b1e91681495725d99911f4e0bb08e31edcfeaad604661616499763f4535a35f0
Instruction Fuzzy Hash: BDD09E263C571436F27022A66C0FF9726549BA5F62F770256F709B90D065D85041497D

Function 0048D4E0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00468570: std::_Lockit::_Lockit.LIBCPMT ref: 0046857F

Part of subcall function 0048E550: std::_Lockit::_Lockit.LIBCPMT ref: 0048E57B
Part of subcall function 0048E550: std::_Lockit::_Lockit.LIBCPMT ref: 0048E5A1

std::_Lockit::_Lockit.LIBCPMT ref: 0048D560
_localeconv.LIBCMT ref: 0048D5E8
_strcspn.LIBCMT ref: 0048D741

Strings

e, xrefs: 0048D600
nK, xrefs: 0048DA56

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$_localeconv_strcspn
String ID: e$nK
API String ID: 331173946-3770435244
Opcode ID: bebaeb7541b970768005302361a1a28b2c2dc530988121103aeb63a73bad952d
Instruction ID: ac6688e129d5b07f4b3a92a389c4c40485fc5b843711bd174184e4b2531d7263
Opcode Fuzzy Hash: bebaeb7541b970768005302361a1a28b2c2dc530988121103aeb63a73bad952d
Instruction Fuzzy Hash: 34124875A093809FD324EF19C840B9FBBE5AFC9304F04892EF5899B391D774A905CB96

Function 0046F3BB Relevance: 9.2, APIs: 6, Instructions: 177COMMON

Download Yara Rule

APIs

FindFirstUrlCacheEntryW.WININET(00000000,00000000,00001000), ref: 0046F3E0
FindNextUrlCacheEntryW.WININET(00000000,00000000,00001000), ref: 0046F42F
DeleteUrlCacheEntryW.WININET(?), ref: 0046F4AF
FindNextUrlCacheEntryW.WININET(?,00000000,00001000), ref: 0046F4E1
DeleteUrlCacheEntryW.WININET(?), ref: 0046F55E
FindNextUrlCacheEntryW.WININET(?,00000000,00001000), ref: 0046F58B
DeleteUrlCacheEntryW.WININET(?), ref: 0046F600
FindCloseUrlCache.WININET(?), ref: 0046F645

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Cache$Entry$Find$DeleteNext$CloseFirst
String ID:
API String ID: 3708369400-0
Opcode ID: 0de4a32fce4ab745438554ee713e7abad8d5ea404efafa0d65a8808aff16794d
Instruction ID: cf55d725a8ae84f24105661ee508930aac53b84e643a7a88960073db17b51a96
Opcode Fuzzy Hash: 0de4a32fce4ab745438554ee713e7abad8d5ea404efafa0d65a8808aff16794d
Instruction Fuzzy Hash: 6661E7B1D00244EBCF04EFE8E89559EBB75FF14308F14453EE8069B315E635990ACB9A

Function 004A2070 Relevance: 9.2, APIs: 6, Instructions: 152COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004B1AA8,00000001,?,00000002,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000,?,?), ref: 004A211E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000002,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000), ref: 004A2195
__alloca_probe_16.LIBCMT ref: 004A21B6
_memset.LIBCMT ref: 004A21EA

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide__alloca_probe_16_memset
String ID:
API String ID: 9217213-0
Opcode ID: 014e4d13ff6ad88a40d365eca239c6927b2721715d5ba4ba39326f464009b625
Instruction ID: 9a1f2b5e59a1c9c305880485b9089f1f6af703c614c4616396cacdc250f37928
Opcode Fuzzy Hash: 014e4d13ff6ad88a40d365eca239c6927b2721715d5ba4ba39326f464009b625
Instruction Fuzzy Hash: 4D514631508286AFDB05CF28CC80A9BBFB4FF56350B5986AFE9008A552D77CDD95C784

Function 0046B300 Relevance: 9.1, APIs: 6, Instructions: 132COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,?,00000000,?,?,0046BBEB), ref: 0046B33C
CharNextW.USER32(00000000,?,?,?,00000000,?,?,0046BBEB), ref: 0046B35D
CharNextW.USER32(00000000,?,?,?,00000000,?,?,0046BBEB), ref: 0046B376
CharNextW.USER32(?,?,?,?,00000000,?,?,0046BBEB), ref: 0046B37D
CharNextW.USER32(00000000,?,?,?,00000000,?,?,0046BBEB), ref: 0046B3CB

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 8095ed71cf0ed68adecaa95dce92e1c2fd9a595f8b7ae0a2c98e14729c37ee84
Instruction ID: 7ec9b836b617f8c34db605df8a829ce5597e1261540d52a72caed04c56ceecf4
Opcode Fuzzy Hash: 8095ed71cf0ed68adecaa95dce92e1c2fd9a595f8b7ae0a2c98e14729c37ee84
Instruction Fuzzy Hash: 14418E713042128AD7249F39D880677B3E5FFA9321BA4496BD882C3355FB39D8C1C79A

Function 0046BCE0 Relevance: 9.1, APIs: 6, Instructions: 127libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,6A8A24C0,?,?,?,?,?,?,?,?,004AE190,000000FF), ref: 0046BD44
FindResourceW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,004AE190,000000FF), ref: 0046BD65
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,004AE190,000000FF), ref: 0046BE3B

Part of subcall function 0045CE60: GetLastError.KERNEL32 ref: 0045CE60

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Library$ErrorFindFreeLastLoadResource
String ID:
API String ID: 3418355812-0
Opcode ID: 65f52464bf232e19c8f3a216d6228f2406941e72eb213a4b6f0ea7fb6e2b3344
Instruction ID: 2ea9d052d79e66eaeaf236ee518c0e20681dd0414eafbc212ea777b1169f8b23
Opcode Fuzzy Hash: 65f52464bf232e19c8f3a216d6228f2406941e72eb213a4b6f0ea7fb6e2b3344
Instruction Fuzzy Hash: 774152B19001599FCB10EF54CD85AEE77B8FF48314F50412EEA09EB251E7385E85CBAA

Function 00451E00 Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000), ref: 00451E12
SetWindowLongW.USER32(00000000), ref: 00451E3E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00451E4F
GetClientRect.USER32(00000000), ref: 00451E66
SetWindowPos.USER32(00000000), ref: 00451EC2
ShowWindow.USER32(00000000), ref: 00451ED7

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$Long$ClientInfoParametersRectShowSystem
String ID:
API String ID: 3719960163-0
Opcode ID: 76536baa52cbf26c7128254cc4f4ec70317c2d1dfc4331806bf4f1ef27ce1e1d
Instruction ID: 4bffc79954e1fe554e0c0a900234a624fd4675323296e32b5d28b008282d92b6
Opcode Fuzzy Hash: 76536baa52cbf26c7128254cc4f4ec70317c2d1dfc4331806bf4f1ef27ce1e1d
Instruction Fuzzy Hash: 83216D75204201AFE704DBACDC59F2E77E9EB88715F148B28F695C72E0CB34E9048B69

Function 0045B526 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0045B556
ClientToScreen.USER32(?,?), ref: 0045B565
GetParent.USER32(?), ref: 0045B56B
ScreenToClient.USER32(00000000,?), ref: 0045B584
ScreenToClient.USER32(00000000,?), ref: 0045B590
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0045B5B1

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClientScreen$MoveParentWindow
String ID:
API String ID: 2420994850-0
Opcode ID: 9c1bb385306a3c535eece63b73d3fb483d0a878d06c07ea0be39e25e0cef87f3
Instruction ID: 18e653d4b60890c953e5823d1acf8e32abec826994276a5bc17c25a4fc8c3b8e
Opcode Fuzzy Hash: 9c1bb385306a3c535eece63b73d3fb483d0a878d06c07ea0be39e25e0cef87f3
Instruction Fuzzy Hash: 9211B376608316AF9704CF69D894C6BB7E9EB88710F04891EB94983720E730E909CBA5

Function 00497EA1 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 00497EC9

Part of subcall function 004964A8: __getptd.LIBCMT ref: 004964B6
Part of subcall function 004964A8: __getptd.LIBCMT ref: 004964C4

__getptd.LIBCMT ref: 00497ED3

Part of subcall function 0049AA11: __getptd_noexit.LIBCMT ref: 0049AA14
Part of subcall function 0049AA11: __amsg_exit.LIBCMT ref: 0049AA21

__getptd.LIBCMT ref: 00497EE1
__getptd.LIBCMT ref: 00497EEF
__getptd.LIBCMT ref: 00497EFA
_CallCatchBlock2.LIBCMT ref: 00497F20

Part of subcall function 0049654D: __CallSettingFrame@12.LIBCMT ref: 00496599

Part of subcall function 00497FC7: __getptd.LIBCMT ref: 00497FD6
Part of subcall function 00497FC7: __getptd.LIBCMT ref: 00497FE4

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 908de64c21c0d4976b1f20a7e0da9f5a5b47559057f5a1fbe76a8a68fb20d69c
Instruction ID: 0403cf0fc881673c1189185547b0f2265d1630ff2b451c0d1c55c4718bec102a
Opcode Fuzzy Hash: 908de64c21c0d4976b1f20a7e0da9f5a5b47559057f5a1fbe76a8a68fb20d69c
Instruction Fuzzy Hash: B311C971C40209EFDF00EFA5D945AAD7BB0FF04319F50806EF814A7251EB789A119B95

Function 00459C70 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00459C91
GetDeviceCaps.GDI32(00000000,00000058), ref: 00459CA2
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00459CAB
ReleaseDC.USER32(00000000,00000000), ref: 00459CB2
MulDiv.KERNEL32(000009EC,?,?), ref: 00459CCB
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00459CD9

Part of subcall function 004521E0: __CxxThrowException@8.LIBCMT ref: 004521F2

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CapsDevice$Exception@8ReleaseThrow
String ID:
API String ID: 3795711691-0
Opcode ID: cd0b35e7eedd3c1df3776cdd6a9f1cf189d187749d510c9d2db85e9342d853fa
Instruction ID: a92cf6081987181cd0e2fbadc2411c11e7903c5512216d3dbbe276343a60b094
Opcode Fuzzy Hash: cd0b35e7eedd3c1df3776cdd6a9f1cf189d187749d510c9d2db85e9342d853fa
Instruction Fuzzy Hash: B1F0A4B1140715AFF300ABA5CD16F5B3F98EF56352F00022AFF04A7291DAB158048BA9

Function 00459CF0 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00459D11
GetDeviceCaps.GDI32(00000000,00000058), ref: 00459D22
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00459D2B
ReleaseDC.USER32(00000000,00000000), ref: 00459D32
MulDiv.KERNEL32(?,00000000,000009EC), ref: 00459D4B
MulDiv.KERNEL32(00000000,?,000009EC), ref: 00459D59

Part of subcall function 004521E0: __CxxThrowException@8.LIBCMT ref: 004521F2

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CapsDevice$Exception@8ReleaseThrow
String ID:
API String ID: 3795711691-0
Opcode ID: db8f5a3cb210ea8119d4b3451d816d27959ddd8b72b95421032e1d39f3c7541f
Instruction ID: eaf4a4ddd8230664de2c2190e1ecd8efaed1ea3b11e5ae5345f65141435d644e
Opcode Fuzzy Hash: db8f5a3cb210ea8119d4b3451d816d27959ddd8b72b95421032e1d39f3c7541f
Instruction Fuzzy Hash: BBF0A4B5140715BFE300AB64DC16F5B3F98EF46352F00412AFF04A7292DAB49C048BA8

Function 004511E0 Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00451212
EnterCriticalSection.KERNEL32(004C52A4,00000000,?,?,00451C98,?,?,?), ref: 00451223
EnterCriticalSection.KERNEL32(004C52A4), ref: 00451239
GdiplusShutdown.GDIPLUS(00000000), ref: 00451245
LeaveCriticalSection.KERNEL32(004C52A4), ref: 00451255
LeaveCriticalSection.KERNEL32(004C52A4), ref: 0045125C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: d7e3052a4157dfa1ec0cd8ef011841dbed692370b30a53fa60be931536f6df5f
Instruction ID: fcb3195d209cb240ef41b34e2dca909906d7d8df88caa43a0c8afc4124b7e11a
Opcode Fuzzy Hash: d7e3052a4157dfa1ec0cd8ef011841dbed692370b30a53fa60be931536f6df5f
Instruction Fuzzy Hash: A6018F75541240AF8B509FAA9C80909BFE4BE453193B481FFE108EB262C376E447CFA9

Function 0046BEF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045BBD0: InitializeCriticalSection.KERNEL32(0000002C,6A8A24C0,0000002C,00000000,00000000,000000FE), ref: 0045BC0B

GetModuleHandleW.KERNEL32(00000000), ref: 0046C016
lstrlenW.KERNEL32(?), ref: 0046C088
GetModuleFileNameW.KERNEL32(00450000,?,00000104), ref: 0046BFC5

Part of subcall function 0046A3A0: EnterCriticalSection.KERNEL32(?,6A8A24C0,00000000,?,?,00000000,?,004AC598,000000FF,00469F91,?,Module,?), ref: 0046A3DC
Part of subcall function 0046A3A0: LeaveCriticalSection.KERNEL32(?), ref: 0046A3FA

Strings

Module_Raw, xrefs: 0046C0CA
Module, xrefs: 0046C028, 0046C0AD

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$Module$EnterFileHandleInitializeLeaveNamelstrlen
String ID: Module$Module_Raw
API String ID: 3611900445-3885325121
Opcode ID: 294a6a1e02d7e74f834b0182adc1ed0afe361406b19cf44d24d8ae135f26a07d
Instruction ID: 7c62141b23a1daaa10d0d3d71e3c744fc1d3823270eb130567fc7c98cd645320
Opcode Fuzzy Hash: 294a6a1e02d7e74f834b0182adc1ed0afe361406b19cf44d24d8ae135f26a07d
Instruction Fuzzy Hash: 3E5191721083419BC714EF69C8809AFB3E5BF89304F44492EF5C9D3251EB7999498B9B

Function 00469DD0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045BBD0: InitializeCriticalSection.KERNEL32(0000002C,6A8A24C0,0000002C,00000000,00000000,000000FE), ref: 0045BC0B

GetModuleHandleW.KERNEL32(00000000), ref: 00469EEB
lstrlenW.KERNEL32(?), ref: 00469F5D
GetModuleFileNameW.KERNEL32(00450000,?,00000104), ref: 00469E9A

Part of subcall function 0046A3A0: EnterCriticalSection.KERNEL32(?,6A8A24C0,00000000,?,?,00000000,?,004AC598,000000FF,00469F91,?,Module,?), ref: 0046A3DC
Part of subcall function 0046A3A0: LeaveCriticalSection.KERNEL32(?), ref: 0046A3FA

Strings

Module_Raw, xrefs: 00469F9F
Module, xrefs: 00469EFD, 00469F82

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$Module$EnterFileHandleInitializeLeaveNamelstrlen
String ID: Module$Module_Raw
API String ID: 3611900445-3885325121
Opcode ID: 15aca851d32b5dd30f55ffa907b303fa41304d67b84060c27af9033e8453f5fd
Instruction ID: 27fda43161d37b5bcb869cc14ec55d46f6350029655faf643a645feb3788eddc
Opcode Fuzzy Hash: 15aca851d32b5dd30f55ffa907b303fa41304d67b84060c27af9033e8453f5fd
Instruction Fuzzy Hash: 21515E711083419FC724EF25C88199FB3E9ABC8304F45492EF58993251EBB99D49CB9B

Function 00488130 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 004881CD
__CxxThrowException@8.LIBCMT ref: 00488211

Strings

Type is not convertible to string, xrefs: 004881E3
false, xrefs: 004881B4, 004881B9
true, xrefs: 004881AD

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8Throw__itow
String ID: Type is not convertible to string$false$true
API String ID: 3213073191-1606231287
Opcode ID: 9cfb54b54a2def87a13a8d773182a9c56cb3ae6aed8fdbad434ed9fcf3a099da
Instruction ID: b3a5e9ba3b08f3a40702ed86ea1df6c55f52f5d5767838cfd72a4b3c1900c727
Opcode Fuzzy Hash: 9cfb54b54a2def87a13a8d773182a9c56cb3ae6aed8fdbad434ed9fcf3a099da
Instruction Fuzzy Hash: D531B3B1208B009FC310EB65C891A6F77E8AB88714F90492FF45587691DF7CAD08C79B

Function 00476F70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D,?,?,?,00476F18,?,?,?), ref: 00476FB0
FlushInstructionCache.KERNEL32(00000000,?,00476F18,?,?,?), ref: 00476FB7
CreateWindowExW.USER32(000000E9,?,?,?,?,00000000,000000E9,?,00476F18,?,00450000,00000000), ref: 00477024

Part of subcall function 0048ED27: GetProcessHeap.KERNEL32(00000000,0000000D,000000E9,0045B0E3,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECA8
Part of subcall function 0048ED27: HeapAlloc.KERNEL32(00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECAF

SetLastError.KERNEL32(0000000E,?,?,?,00476F18,?,?,?), ref: 00477032

Strings

D6L, xrefs: 00476FEA

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: HeapProcess$AllocCacheCreateCurrentErrorFlushInstructionLastWindow
String ID: D6L
API String ID: 806723916-2124701888
Opcode ID: f1e929bc12bf56ce78a807bdf4d12f7f2397bcc2d1e0e1fd435fdf1a8e6c9baf
Instruction ID: 023a4ddb45c7c72876f0a0500348f9973ade40740f34da4eafc5c57f8308380f
Opcode Fuzzy Hash: f1e929bc12bf56ce78a807bdf4d12f7f2397bcc2d1e0e1fd435fdf1a8e6c9baf
Instruction Fuzzy Hash: E4216B32600211AFD310DF69E908F6BB7E9EB88710F05866AF449A7350D764EC04CBA5

Function 0045B0D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,0000000D,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0045B10F
FlushInstructionCache.KERNEL32(00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0045B116
CreateWindowExW.USER32(?,?,000000E9,?,?,00000000,000000E9,?,00000000,?,00450000,00000000), ref: 0045B181

Part of subcall function 0048ED27: GetProcessHeap.KERNEL32(00000000,0000000D,000000E9,0045B0E3,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECA8
Part of subcall function 0048ED27: HeapAlloc.KERNEL32(00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECAF

SetLastError.KERNEL32(0000000E,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0045B18F

Strings

D6L, xrefs: 0045B14A

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: HeapProcess$AllocCacheCreateCurrentErrorFlushInstructionLastWindow
String ID: D6L
API String ID: 806723916-2124701888
Opcode ID: 290ea3a9729e9c5f72052a59e313c5f6c81232238f7c56f21d902f5e87c0c77d
Instruction ID: 27d5172d9f9359b14c0e1cde88cae48b05d637b3c34974d087a0179fb4934076
Opcode Fuzzy Hash: 290ea3a9729e9c5f72052a59e313c5f6c81232238f7c56f21d902f5e87c0c77d
Instruction Fuzzy Hash: 66216672600201AFD3109F69E818F27B7E8EB88751F05862AF9559B3A1D764EC04CBA8

Function 004616E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,iexplore,00000004,00000000,00000005), ref: 00461734
GetLastError.KERNEL32 ref: 0046173B
ShellExecuteW.SHELL32(00000000,open,00000004,00000000,00000000,00000005), ref: 0046174F

Strings

open, xrefs: 0046172D, 00461748
iexplore, xrefs: 00461728

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ExecuteShell$ErrorLast
String ID: iexplore$open
API String ID: 599085185-2775380274
Opcode ID: a3251bbbf3e7724ebc2676aac4853be010dd09c41dfc99f29b83e66f06abf379
Instruction ID: 1a8f8360a70b18a821878ab92933fe02c09a5817fee6adeeab7a1b123bd68ce4
Opcode Fuzzy Hash: a3251bbbf3e7724ebc2676aac4853be010dd09c41dfc99f29b83e66f06abf379
Instruction Fuzzy Hash: 2D11203628030167D710EF58CD0AF5B3760BB91716F19456AF5086B2A1E27CE945CBAF

Function 00451A75 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 004794D0: CreateWindowExW.USER32(00000000,004C63CC,?,80000000,?,?,?,?,00000000,00000000,6A8A24C0,00000000), ref: 00479508
Part of subcall function 004794D0: SetWindowTextW.USER32(00000000), ref: 00479526

GetWindowLongW.USER32(00000000), ref: 00451AA1
SetWindowLongW.USER32(00000000,?,00000000), ref: 00451AC3
GetWindowLongW.USER32(00000000), ref: 00451AD4
SetWindowLongW.USER32(00000000,?,00000000), ref: 00451AFC

Strings

37Lander, xrefs: 00451A80

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$Long$CreateText
String ID: 37Lander
API String ID: 4221524402-3989498111
Opcode ID: 1d891dde426f5e70340c3a0b593c8cdbfad84982cacf37aef6b7e516db107561
Instruction ID: 08cdc352bfbaf7755bee787ae002d399b367913a42fe9b0526946a10e6fa3ba4
Opcode Fuzzy Hash: 1d891dde426f5e70340c3a0b593c8cdbfad84982cacf37aef6b7e516db107561
Instruction Fuzzy Hash: AA0152352101106BDA14EBACCC80F5E73ADABC9320F248725F565C72D2CA789D018BA8

Function 0045FDA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004794D0: CreateWindowExW.USER32(00000000,004C63CC,?,80000000,?,?,?,?,00000000,00000000,6A8A24C0,00000000), ref: 00479508
Part of subcall function 004794D0: SetWindowTextW.USER32(00000000), ref: 00479526

GetWindowLongW.USER32(00000000), ref: 0045FDD0
SetWindowLongW.USER32(00000000,?,00462283), ref: 0045FDF2
GetWindowLongW.USER32(00000000), ref: 0045FE03
SetWindowLongW.USER32(00000000,?,00462283), ref: 0045FE1F

Strings

37Lander, xrefs: 0045FDAF

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$Long$CreateText
String ID: 37Lander
API String ID: 4221524402-3989498111
Opcode ID: be9e575928df0372290f8ebef7441f519851cceecd4f3ecd429d26911fce624d
Instruction ID: 03a7c5219d4b1bd3bbd7cd0a7cd6a2bffeee6f453b2d38383ce90e8363416598
Opcode Fuzzy Hash: be9e575928df0372290f8ebef7441f519851cceecd4f3ecd429d26911fce624d
Instruction Fuzzy Hash: 8B01FF75300510ABDA54DBACCC90F1EB3ADAFD8720F348759B565C72D1CA78A90187A8

Function 0046B260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,0046BA7E), ref: 0046B26E
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0046B27E
RegDeleteKeyW.ADVAPI32(00000000,?), ref: 0046B2AA

Strings

Advapi32.dll, xrefs: 0046B269
RegDeleteKeyExW, xrefs: 0046B278

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 588496660-2191092095
Opcode ID: 3d4a68c848728f53de4b956c2f701ca1de36271c4d3526e70d60c21a58d05968
Instruction ID: 4d01b41dfddcd284fb7ca2e5aca231cd836a3f01997a647caae51f64c9cad13f
Opcode Fuzzy Hash: 3d4a68c848728f53de4b956c2f701ca1de36271c4d3526e70d60c21a58d05968
Instruction Fuzzy Hash: 43F01C70620280AFDB50AB759C5CF173BE8AB84B40F10596EB845C6360DBB9A480CB68

Function 00497BDD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00497BF7

Part of subcall function 0049AA11: __getptd_noexit.LIBCMT ref: 0049AA14
Part of subcall function 0049AA11: __amsg_exit.LIBCMT ref: 0049AA21

__getptd.LIBCMT ref: 00497C08
__getptd.LIBCMT ref: 00497C16

Strings

csm, xrefs: 00497BF0
MOC, xrefs: 00497BE9

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: a2feafd0a66fc24cd5b9f2a48ea219ad289e604d3963a55c5d01b7ee795b8cd8
Instruction ID: 7673d49eee28336d942ab629fc82e24c8446a9f1ced29a630febc36606ef2df2
Opcode Fuzzy Hash: a2feafd0a66fc24cd5b9f2a48ea219ad289e604d3963a55c5d01b7ee795b8cd8
Instruction Fuzzy Hash: 5EE04F315142049FCF10AB69D54AF693BD8EB55318F1604BFE40CC7322D73CD860969B

Function 004668E0 Relevance: 7.8, APIs: 5, Instructions: 284COMMON

Download Yara Rule

APIs

_fgetc.LIBCMT ref: 0046695E
_fgetc.LIBCMT ref: 0046698C
_fgetc.LIBCMT ref: 00466BB3
_ungetc.LIBCMT ref: 00466C36

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _fgetc$_ungetc
String ID:
API String ID: 1266601628-0
Opcode ID: 9773f51cbe647e39443e0530001c1b832ef7d8cf0be10d396d858c1b43610027
Instruction ID: 8ea6242f12dbd6452e0bfee10900bee6637c720245430a799a58a1ddd38af366
Opcode Fuzzy Hash: 9773f51cbe647e39443e0530001c1b832ef7d8cf0be10d396d858c1b43610027
Instruction Fuzzy Hash: 10A1C1716083119FC714DB28C48082FBBE6AF86754F550A2EF892D7391E738ED458B8B

Function 00470930 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 004709BB
_memmove_s.LIBCMT ref: 00470A0B
std::_String_base::_Xlen.LIBCPMT ref: 00470A34
_memmove_s.LIBCMT ref: 00470AD6

Part of subcall function 0048F246: __EH_prolog3.LIBCMT ref: 0048F24D
Part of subcall function 0048F246: __CxxThrowException@8.LIBCMT ref: 0048F278

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String_base::_Xlen_memmove_sstd::_$Exception@8H_prolog3Throw
String ID:
API String ID: 4116154367-0
Opcode ID: a5d95ea354f296b805b3f1b29d5509df090a607191707792a40239c0779d6809
Instruction ID: 1ba9838203df5db70579e8dffc68d90fd4c8f13ea10c0e532b2ece13e2e845f5
Opcode Fuzzy Hash: a5d95ea354f296b805b3f1b29d5509df090a607191707792a40239c0779d6809
Instruction Fuzzy Hash: 6761B4B1205705CF8728DF28D6D08ABB3E5FF957047108A2EE19B87655DB34F908C799

Function 0045E5D0 Relevance: 7.7, APIs: 5, Instructions: 193COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004C8338,6A8A24C0,?,?), ref: 0045E63A
GetModuleFileNameW.KERNEL32(00450000,?,00000104), ref: 0045E6B0
LoadTypeLib.OLEAUT32(?,?), ref: 0045E6D7
LoadRegTypeLib.OLEAUT32(?,00000000,?,?,?), ref: 0045E708
LeaveCriticalSection.KERNEL32(004C8338), ref: 0045E823

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalLoadSectionType$EnterFileLeaveModuleName
String ID:
API String ID: 2487232618-0
Opcode ID: 05b5e860d2bf851a4a07ba48fa1037aa86d2b83390db9c73c992e69fd9d37063
Instruction ID: 8079738cadb0c75f843203d3f65b0577ab0a3acb719a87d95ebc4b10114b6a8c
Opcode Fuzzy Hash: 05b5e860d2bf851a4a07ba48fa1037aa86d2b83390db9c73c992e69fd9d37063
Instruction Fuzzy Hash: 7C71AC71604341DFC714DF55C88496BB7E5FF88304F10892EF9499B262C738EA49CB96

Function 00458F50 Relevance: 7.6, APIs: 5, Instructions: 116windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00458F77
GetDlgItem.USER32(?,?), ref: 00458F93
CallWindowProcW.USER32(00000001,?,?,?,?), ref: 00459017
GetDlgItem.USER32(?,?), ref: 00459030
SendMessageW.USER32(?,?,?,?), ref: 00459080

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ItemWindow$CallMessageProcSend
String ID:
API String ID: 2403035917-0
Opcode ID: 90bcedbe603a45257b47beb84a0205de32fb1eacb2d68eb461f21a8cb466f16e
Instruction ID: 5418daa9d55da36a3ae52fac740115c49f05d7b7c55a7100459b3ce97649b31c
Opcode Fuzzy Hash: 90bcedbe603a45257b47beb84a0205de32fb1eacb2d68eb461f21a8cb466f16e
Instruction Fuzzy Hash: 7B316232304201DBD7248B19D884E6BB7AAAB99712F14891EFC4597392CF38ED49C728

Function 00451380 Relevance: 7.6, APIs: 5, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 004513A7
TransparentBlt.MSIMG32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,00000000,00000000,?,00451C91,?,?), ref: 004513D7
SelectObject.GDI32(00000000,?), ref: 0045144C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ObjectSelect$Transparent
String ID:
API String ID: 3303225721-0
Opcode ID: 13ca74b2975255865f5f9fc7d8290868331d43ef62e03193ad7c068eb3da6c5a
Instruction ID: c57432998e7d75cf8037613faa6182459a3a54563000c772568dda3b8f1f492f
Opcode Fuzzy Hash: 13ca74b2975255865f5f9fc7d8290868331d43ef62e03193ad7c068eb3da6c5a
Instruction Fuzzy Hash: 5B317F71204740AFE320DB25CC55F2BB7E9EB89B15F204A1DF695966E1C374BC098B29

Function 004798C0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004798E3
GetClientRect.USER32(00000000,?), ref: 004798F5
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000041), ref: 0047992E
ShowWindow.USER32(00000000,?), ref: 00479940
UpdateWindow.USER32(00000000), ref: 0047994D

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$ClientInfoParametersRectShowSystemUpdate
String ID:
API String ID: 919627442-0
Opcode ID: 7a72ccc8618aa5b77ea478b9ff43ea6da68f970df853b2891827f87c6f595bb6
Instruction ID: bd71f70bc87f9723f5d7c619ed16b4cee51af6971e60eab8f94e70296dbbb625
Opcode Fuzzy Hash: 7a72ccc8618aa5b77ea478b9ff43ea6da68f970df853b2891827f87c6f595bb6
Instruction Fuzzy Hash: C6116576204301AFE310CF78CC89FDBB7E8AB48704F448A18FA95D3290E670F4488B66

Function 00455E80 Relevance: 7.6, APIs: 5, Instructions: 53timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000000), ref: 00455EC4
KillTimer.USER32(00000000), ref: 00455ED8
KillTimer.USER32(00000000), ref: 00455EEC
SetTimer.USER32(00000000), ref: 00455F1C
SetTimer.USER32(00000000), ref: 00455F37

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Timer$Kill
String ID:
API String ID: 3307318486-0
Opcode ID: 165fa2c086dfa55589938c2ff2dc8fac3611a5994081262dcb35752106358bbc
Instruction ID: b1d2d8fe9fca43426db4b5dd0494f8eb24448b7a88aa305420a32dadee82514f
Opcode Fuzzy Hash: 165fa2c086dfa55589938c2ff2dc8fac3611a5994081262dcb35752106358bbc
Instruction Fuzzy Hash: A6111C717006049BE715DF69CC44F5AB3E9BFDC700F118969F289DB290CAB4A9058BA8

Function 0045B820 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0045B83C
BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0045B86C
DeleteDC.GDI32(?), ref: 0045B873
ReleaseDC.USER32(?,00000000), ref: 0045B882
ReleaseDC.USER32(?,00000000), ref: 0045B89A

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Release$ClientDeleteRect
String ID:
API String ID: 2936606340-0
Opcode ID: c76492f3ebb59c1aa7af94d7a77e0c502aa557a5188f3daff3deaf6107072049
Instruction ID: ea3988210f0744a601084610054c32372b7656d731e6c78729fd287f39cc235c
Opcode Fuzzy Hash: c76492f3ebb59c1aa7af94d7a77e0c502aa557a5188f3daff3deaf6107072049
Instruction Fuzzy Hash: 49111B75204200AFE314EB68DC59EABB7E9FB8C714F408A1DF98593760D630E844CB65

Function 004606E0 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000), ref: 004606EF
SetWindowLongW.USER32(00000000), ref: 0046070F
SetWindowPos.USER32(00000000,?,?,?,?,?,?,?,?,00469818), ref: 00460741
ShowWindow.USER32(00000000,?,?,?,?,?,?,?,?,00469818), ref: 00460756
UpdateWindow.USER32(00000000), ref: 00460769

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$Long$ShowUpdate
String ID:
API String ID: 633754731-0
Opcode ID: f75d9ccd8884cfdebc69748f90f5b7469470873c5b99abd69806de4d4705412e
Instruction ID: f9c6dbea830195345a1b206b4bc9230117112282483aa3946593e8ab54feeb86
Opcode Fuzzy Hash: f75d9ccd8884cfdebc69748f90f5b7469470873c5b99abd69806de4d4705412e
Instruction Fuzzy Hash: A4011E747105109FEB10AB68CC58F3973E9BB88710F258764F596D73E0DB35A801CB68

Function 00490906 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00490924

Part of subcall function 00498BE4: __mtinitlocknum.LIBCMT ref: 00498BFA
Part of subcall function 00498BE4: __amsg_exit.LIBCMT ref: 00498C06
Part of subcall function 00498BE4: EnterCriticalSection.KERNEL32(?,?,?,0049AABC,0000000D,004BB768,00000008,004913B5,?,00000000), ref: 00498C0E

___sbh_find_block.LIBCMT ref: 0049092F
___sbh_free_block.LIBCMT ref: 0049093E
HeapFree.KERNEL32(00000000,?,004BB1F0,0000000C,0049AA02,00000000,?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C), ref: 0049096E
GetLastError.KERNEL32(?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C,00498BFF,?,?,?,0049AABC,0000000D), ref: 0049097F

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 8f267aee87fee2f9fd3ff67d48287ca48d3b22d7ca9a619a0c07369967731409
Instruction ID: e4779c83b841e963eac68afc5a0a6d0412edb06f4ca2b00cbfa8a32955782789
Opcode Fuzzy Hash: 8f267aee87fee2f9fd3ff67d48287ca48d3b22d7ca9a619a0c07369967731409
Instruction Fuzzy Hash: 530184B1805605EEEF346BB29C09B5E7E649F01364F20013FF404AA192DB3C8980CA9D

Function 0045AE70 Relevance: 7.5, APIs: 5, Instructions: 42threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004C5340), ref: 0045AE79
GetCurrentThreadId.KERNEL32 ref: 0045AE89
LeaveCriticalSection.KERNEL32(004C5340), ref: 0045AEA4
LeaveCriticalSection.KERNEL32(004C5340), ref: 0045AEC2
LeaveCriticalSection.KERNEL32(004C5340), ref: 0045AEDA

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$Leave$CurrentEnterThread
String ID:
API String ID: 2905768538-0
Opcode ID: eb2ff697f765b965e152cfb258f823315fcc58ffd9b3790c598a8571ec6c97df
Instruction ID: ab7ebfa4f2899ee5b840b7d732e11cf7a9f69234243f7fc46b4c371853784cc5
Opcode Fuzzy Hash: eb2ff697f765b965e152cfb258f823315fcc58ffd9b3790c598a8571ec6c97df
Instruction Fuzzy Hash: AE01F23D3007508BC7688B15F80591E7BA0EBC4B62369017FEC46E3330C374AC828A68

Function 0049134A Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0049551D: _doexit.LIBCMT ref: 00495529

___set_flsgetvalue.LIBCMT ref: 0049135C

Part of subcall function 0049A823: TlsGetValue.KERNEL32(?,00491361), ref: 0049A82C
Part of subcall function 0049A823: __decode_pointer.LIBCMT ref: 0049A83E
Part of subcall function 0049A823: TlsSetValue.KERNEL32(00000000,00491361), ref: 0049A84D

___fls_getvalue@4.LIBCMT ref: 00491367

Part of subcall function 0049A803: TlsGetValue.KERNEL32(?,?,0049136C,00000000), ref: 0049A811

___fls_setvalue@8.LIBCMT ref: 0049137A

Part of subcall function 0049A857: __decode_pointer.LIBCMT ref: 0049A868

GetLastError.KERNEL32(00000000,?,00000000), ref: 00491383
ExitThread.KERNEL32 ref: 0049138A
GetCurrentThreadId.KERNEL32 ref: 00491390
__freefls@4.LIBCMT ref: 004913B0
__IsNonwritableInCurrentImage.LIBCMT ref: 004913C3

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 132634196-0
Opcode ID: 070f5904429d8568e3711c32ec0917aeda88dfb2ea6c2ff21f4df7d4f1e26dc5
Instruction ID: cd49ff1d6a177d77d9ffaa9ceb5d41152e73332bc215bea7529fc2ce5a2c5dc7
Opcode Fuzzy Hash: 070f5904429d8568e3711c32ec0917aeda88dfb2ea6c2ff21f4df7d4f1e26dc5
Instruction Fuzzy Hash: DEE0BF35800215BB9F1577F38C1ADAF3E2CDD05358B55447AFE11A3522EA2C98234AEF

Function 00485610 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

Bad escape sequence in string, xrefs: 004858E3
Empty escape sequence in string, xrefs: 00485884

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String_base::_Xlenstd::_
String ID: Bad escape sequence in string$Empty escape sequence in string
API String ID: 1541887531-928816353
Opcode ID: b62d8888343e1b19b9f88d74070ef48e4048ff1a7c6a208f4eafa797c1f8c515
Instruction ID: 3a9749a6924dea815108e969509fd0ead5c1f57708dfa136e9ba40640930a573
Opcode Fuzzy Hash: b62d8888343e1b19b9f88d74070ef48e4048ff1a7c6a208f4eafa797c1f8c515
Instruction Fuzzy Hash: 48919B30508B40DFD720FF15C441B6EB7E1BB81704F544E2FE4994B282D779A855CBAA

Function 004852C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

_swscanf.LIBCMT ref: 0048533E

Part of subcall function 00495B8F: _vscan_fn.LIBCMT ref: 00495BA6

_swscanf.LIBCMT ref: 00485387

Strings

%lf, xrefs: 00485332, 00485381
' is not a number., xrefs: 004853F3

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _swscanf$_vscan_fn
String ID: %lf$' is not a number.
API String ID: 241522225-357672074
Opcode ID: 2c3aedfbffa86e2425d3308d3af0c9a7bee895881337f7f2e52bad3245b5dfb3
Instruction ID: 11ae5dd7a0de54035fa98914464781936d14f3d6687b552e883d349b38852d8f
Opcode Fuzzy Hash: 2c3aedfbffa86e2425d3308d3af0c9a7bee895881337f7f2e52bad3245b5dfb3
Instruction Fuzzy Hash: DD517AB19087809FD710EB65C841A6FFBE8BF84704F444D2EF59987241DBB8A908CB97

Function 0045E400 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0045E521
SysStringLen.OLEAUT32(00000000), ref: 0045E52C
SysFreeString.OLEAUT32(00000000), ref: 0045E557

Strings

`<u, xrefs: 0045E521, 0045E557

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String$Free
String ID: `<u
API String ID: 1391021980-3367579956
Opcode ID: 33cd762a17ae49f314d2888199a4d9ee7e2fbbfaa9d4067a6546cdbf4a0d1ba3
Instruction ID: b852cd38863ab4f6a00337f10043ffef793faa1f21ce6bbd1e224bad32857547
Opcode Fuzzy Hash: 33cd762a17ae49f314d2888199a4d9ee7e2fbbfaa9d4067a6546cdbf4a0d1ba3
Instruction Fuzzy Hash: 7F5161B5A00609AFDB04CF95C880BAEB7B9FF88310F10855EE915D7351E774EA05CBA4

Function 0045EDF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0045EE29
__CxxThrowException@8.LIBCMT ref: 0045EE40
_memcpy_s.LIBCMT ref: 0045EF0F

Part of subcall function 0049100C: _malloc.LIBCMT ref: 00491026

Strings

Z}E, xrefs: 0045EE66

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8Throw_malloc_memcpy_sstd::exception::exception
String ID: Z}E
API String ID: 1787139365-38650064
Opcode ID: fa58bf582ed5bb896ddfe84978a68963eab2d051e2e804438ceb99111fdc52ef
Instruction ID: 4c1631efb04b50ed2143836076bd2bfc23f2d6409b733dea98d3249b62b8b1a5
Opcode Fuzzy Hash: fa58bf582ed5bb896ddfe84978a68963eab2d051e2e804438ceb99111fdc52ef
Instruction Fuzzy Hash: A131E7B2904205BFD708DF59D541B5ABBE9FB54310F00462FF82987782DB74AA08C7E9

Function 004605F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0046062C
ClientToScreen.USER32(00000000), ref: 004606A4
SetWindowPos.USER32(00000000), ref: 004606CC

Strings

liK, xrefs: 004606B2, 004606C4

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClientScreenStateWindow
String ID: liK
API String ID: 2732942704-3955073952
Opcode ID: 3e6824c6d2cfc39c2f5d502c2a7358dab639d19503d2c406639eb41d3685b3fc
Instruction ID: fbb8736acc529003295cbdbbc4c7f4647a8dab05907444cd93b8212987264adb
Opcode Fuzzy Hash: 3e6824c6d2cfc39c2f5d502c2a7358dab639d19503d2c406639eb41d3685b3fc
Instruction Fuzzy Hash: 1321DA742002029BDB28D748D8D89ABB7A5FFD5710F148937E455D3361F678DCA08B9B

Function 0046E480 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32 ref: 0046E49E
swprintf.LIBCMT ref: 0046E4F8

Part of subcall function 0049176B: __vswprintf_s_l.LIBCMT ref: 0049177F

Strings

2D9765A5-A2ED-4CE2-ADBD-5F7D47905931, xrefs: 0046E4F3, 0046E514, 0046E52F, 0046E530
%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X, xrefs: 0046E4E9

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CreateGuid__vswprintf_s_lswprintf
String ID: %.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X$2D9765A5-A2ED-4CE2-ADBD-5F7D47905931
API String ID: 3172161272-4212350294
Opcode ID: f17e0428b9dd3b69fd55ca7272c1a5a2f82f36b73c71d5da319abe8858b4f9bc
Instruction ID: 78545792283a6f53765e50ac85d718209d9729544cb9a0c482ed25fda9faf818
Opcode Fuzzy Hash: f17e0428b9dd3b69fd55ca7272c1a5a2f82f36b73c71d5da319abe8858b4f9bc
Instruction Fuzzy Hash: 7311D5A110C2516EC354DF668811B7BBBE89F8C705F04890EF9D5C2241E67CD604CBBA

Function 00454E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 00454E5F
RegCloseKey.ADVAPI32(00000000,?,00000000,00000000), ref: 00454E6E
RegDeleteValueW.ADVAPI32(00000000,004B3EA4,?,00000000,00000000), ref: 00454EA3

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00454E47

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseCreateDeleteValue
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1363933034-1428018034
Opcode ID: c0c206f7ac175e9f0bfd37a8625a956a7e1bee00b24e566e360ab7f7e5a23880
Instruction ID: 2d38b8cb9dea3873322b683f82a092678e1f4e9b4da8b88e36fe6a053d274c1c
Opcode Fuzzy Hash: c0c206f7ac175e9f0bfd37a8625a956a7e1bee00b24e566e360ab7f7e5a23880
Instruction Fuzzy Hash: E3117C742006019FD304DB6CCC56A16B3E5FFC5336B548769A469CB3E5EB38D846CBA4

Function 0049824E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00498261

Part of subcall function 004981BC: ___BuildCatchObjectHelper.LIBCMT ref: 004981F2

_UnwindNestedFrames.LIBCMT ref: 00498278
___FrameUnwindToState.LIBCMT ref: 00498286

Strings

csm, xrefs: 0049825D, 00498272, 00498285, 004982A3, 004982B3

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 65e2e6bd79cdbbeac5300aee0305423ad19a250091d4e67b5ee60e7890e604b9
Instruction ID: 18428426f68156c5017de1feaecbab9004f46af023e03252cf9cedcaee0ec2f8
Opcode Fuzzy Hash: 65e2e6bd79cdbbeac5300aee0305423ad19a250091d4e67b5ee60e7890e604b9
Instruction Fuzzy Hash: B9014671001509BFDF126F56CC46EAB7F6AEF49354F00406ABD1814121DB3AE8B1DBA8

Function 004A714D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004979E4), ref: 004A7152
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004A7162

Strings

KERNEL32, xrefs: 004A714D
IsProcessorFeaturePresent, xrefs: 004A715C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 68da3ddd4c6b7a194eb67ffed3e201bcc2b3f9f158d394723542daaddef2c18b
Instruction ID: f87674fc3272e2064c62838fea2434e2e1acef3135c6af97ee47b6277397ea33
Opcode Fuzzy Hash: 68da3ddd4c6b7a194eb67ffed3e201bcc2b3f9f158d394723542daaddef2c18b
Instruction Fuzzy Hash: 0DF09030A00A0AE3DF112FA6BC0A2AFBAB8BB81707F9105A1D181A0194DF348071865A

Function 00454BA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,00000000,?,?,?,?,00454204,?,?), ref: 00454BB8
RegQueryValueExW.ADVAPI32(00000000,004B3EA4,00000000,?,00000000,?,?,?,?,?,?,00454204,?,?), ref: 00454BE0
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00454204,?,?), ref: 00454BF2

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00454BAE

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3677997916-1428018034
Opcode ID: d77958d908346c981e07d8ea7aa958fc52dbeccfe8518c491471c877e50e5c6d
Instruction ID: b5c8f0391e989eb42da8b04df6806485662fe2102179431e49fdb19cc262edf6
Opcode Fuzzy Hash: d77958d908346c981e07d8ea7aa958fc52dbeccfe8518c491471c877e50e5c6d
Instruction Fuzzy Hash: 79F02E347402107BD310E760FC05FA773E8DB84F41F900629FD45D6280D6649948CAEA

Function 00459A20 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CharNextW.USER32(004B4520,?,?,00459B66,6A8A24C0,?,?,?), ref: 00459A4E
CharNextW.USER32(?,?,?,00459B66,6A8A24C0,?,?,?), ref: 00459A55
CharNextW.USER32(?,?,?,00459B66,6A8A24C0,?,?,?), ref: 00459A63

Strings

EK, xrefs: 00459A36

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CharNext
String ID: EK
API String ID: 3213498283-2869738666
Opcode ID: e8442c898956458785dec4fa02057fbc89e6744b8ca05531a195c240dded3f3b
Instruction ID: 7e2384b852a720fbd1528faa2b51fa21e3f4995f9a5bb68f6b9277a8036d39f9
Opcode Fuzzy Hash: e8442c898956458785dec4fa02057fbc89e6744b8ca05531a195c240dded3f3b
Instruction Fuzzy Hash: 74E09223A025B1C28F716A2DA8009BB12989FC1BA331A0127DC41D7702F36C8C8B92FC

Function 004599B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32stringCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004599C5
GetClassNameW.USER32(00000000,00000008,00000008), ref: 004599D3
lstrcmpW.KERNEL32(?,#32770), ref: 004599F8

Strings

#32770, xrefs: 004599EE

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClassNameParentlstrcmp
String ID: #32770
API String ID: 3513268407-463685578
Opcode ID: 3485a3515098a60fa483ea4f380dba034c025b643cdfcb3e7090116477de4511
Instruction ID: c923cc630d43d6dec72ae89df6f0fc49de4dca5efe0619ecb12ebc3d4f54cd5f
Opcode Fuzzy Hash: 3485a3515098a60fa483ea4f380dba034c025b643cdfcb3e7090116477de4511
Instruction Fuzzy Hash: DCF030B5A143019FCB04EF74C95AD5B77E4BB98B04F804D2DB542C7261EB74D408CBAA

Function 0048C690 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0048C74B
std::_String_base::_Xlen.LIBCPMT ref: 0048C759

Part of subcall function 0045EF90: std::_String_base::_Xlen.LIBCPMT ref: 0045EF9D

std::_String_base::_Xlen.LIBCPMT ref: 0048C7B7
std::_String_base::_Xlen.LIBCPMT ref: 0048C7C5

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String_base::_Xlenstd::_
String ID:
API String ID: 1541887531-0
Opcode ID: a30a47e2cedf35c902d48af24f5faeed5d71de688d1d2d6a3e0f8f30c40f38ae
Instruction ID: e0b38856d04336daf0a8839763d48f19608e061a35b1cab82da9aeefe70cc6a8
Opcode Fuzzy Hash: a30a47e2cedf35c902d48af24f5faeed5d71de688d1d2d6a3e0f8f30c40f38ae
Instruction Fuzzy Hash: 20515A75544B018BC731FF18D6C061AB7F5AB91710F200E2FE4A287B81D778E949CBAA

Function 004924E6 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 004925AA
__fileno.LIBCMT ref: 004925CA
__locking.LIBCMT ref: 004925D1
__flsbuf.LIBCMT ref: 004925FC

Part of subcall function 004974C6: __getptd_noexit.LIBCMT ref: 004974C6

Part of subcall function 00491735: __decode_pointer.LIBCMT ref: 00491740

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 70c6afe248c3dd997a09a840cfbdf77412873b06402612f41ed9507649d34295
Instruction ID: c77b2e7b8256b20895cd9e4e7863d9af7fa9231fc101fdaf486d151028102c0e
Opcode Fuzzy Hash: 70c6afe248c3dd997a09a840cfbdf77412873b06402612f41ed9507649d34295
Instruction Fuzzy Hash: 4D41D431A00605BBDF249F698A9499FBFB5AF80334F25853EE41597640E7B8DE428B48

Function 00486050 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 004860D8
_memmove_s.LIBCMT ref: 00486104

Part of subcall function 004870D0: __CxxThrowException@8.LIBCMT ref: 00487146

_memmove_s.LIBCMT ref: 00486149
_memmove_s.LIBCMT ref: 00486174

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memmove_s$Exception@8Throw
String ID:
API String ID: 2992690706-0
Opcode ID: 3dc925620b8c5d54522f62fea4e89346214ffeca2f7ffafe530897f58d1d9c85
Instruction ID: ba2a49e3e08dfe97d950e4d248ab090ab54935e5a71ddb495b898c34c2245441
Opcode Fuzzy Hash: 3dc925620b8c5d54522f62fea4e89346214ffeca2f7ffafe530897f58d1d9c85
Instruction Fuzzy Hash: C141D071A002015FDB18EF28DC81A7F77A5EB81300F054E2EEC15DB306E639ED158B99

Function 004861B0 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 00486241
_memmove_s.LIBCMT ref: 0048626D

Part of subcall function 004870D0: __CxxThrowException@8.LIBCMT ref: 00487146

_memmove_s.LIBCMT ref: 004862AC
_memmove_s.LIBCMT ref: 004862D7

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memmove_s$Exception@8Throw
String ID:
API String ID: 2992690706-0
Opcode ID: 814f3dc2a2881bdf9e653cc1f9a0fc0de7196353008aa1e8afdf3f5d04d7678b
Instruction ID: afd7d1b3f2400c21f4952f60f37140b1cb7b2ae7523020dd2318448e3964c957
Opcode Fuzzy Hash: 814f3dc2a2881bdf9e653cc1f9a0fc0de7196353008aa1e8afdf3f5d04d7678b
Instruction Fuzzy Hash: BD417D71A042015FDB18FF28CC91A7F73A5FB80310F054EAEEC2297346EA78E9158795

Function 0046A210 Relevance: 6.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,6A8A24C0), ref: 0046A255
lstrlenW.KERNEL32(?), ref: 0046A2A1
_memcpy_s.LIBCMT ref: 0046A30D
_memcpy_s.LIBCMT ref: 0046A31F

Part of subcall function 00469750: __recalloc.LIBCMT ref: 0046975A

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memcpy_slstrlen$__recalloc
String ID:
API String ID: 1038713732-0
Opcode ID: f2fa417ab3cc3a330c2a2eae021cc8e7e909c30e974a7465e4847c6a269f6a4f
Instruction ID: 380480d51d2d70d70316cfb427078a5266b6ded45a04aacf56483e47adfd9305
Opcode Fuzzy Hash: f2fa417ab3cc3a330c2a2eae021cc8e7e909c30e974a7465e4847c6a269f6a4f
Instruction Fuzzy Hash: 46417171E01209AFCB04DFA5D881AAFBBB8EB48314F10457FE905A7341D7799A11CBA6

Function 0045B340 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0045B426
GetClientRect.USER32(?,?), ref: 0045B431
CreateAcceleratorTableW.USER32(?,00000001), ref: 0045B456
GetParent.USER32(?), ref: 0045B47C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClientRect$AcceleratorCreateParentTable
String ID:
API String ID: 2716292469-0
Opcode ID: ee65e4ed1b257fa36e4ecf62e0af59e4436e7df8897c50ad28fccd44817bfcb9
Instruction ID: b83bf7790a43f5dff39fecb8b769273a411e5f667fa2166b57ee13f2c5aa1a43
Opcode Fuzzy Hash: ee65e4ed1b257fa36e4ecf62e0af59e4436e7df8897c50ad28fccd44817bfcb9
Instruction Fuzzy Hash: B04156752043019FD720DF25C880B6BB3E9FF89305F148A2EE84997352E778E949CBA5

Function 004A776C Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004A77A0
__isleadbyte_l.LIBCMT ref: 004A77D4
MultiByteToWideChar.KERNEL32(00000080,00000009,004918D8,?,00000000,00000000,?,?,?,?,004918D8,00000000,?), ref: 004A7805
MultiByteToWideChar.KERNEL32(00000080,00000009,004918D8,00000001,00000000,00000000,?,?,?,?,004918D8,00000000,?), ref: 004A7873

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 34624aa606051e965e7c3ec34826e21be1c2a8c7879838b8ad39ea96e58e1b3f
Instruction ID: 2d5df908a8021c3e018dd65708d7f4d77203fc616c1190a75d29bba9b90782d3
Opcode Fuzzy Hash: 34624aa606051e965e7c3ec34826e21be1c2a8c7879838b8ad39ea96e58e1b3f
Instruction Fuzzy Hash: CE31C235A09246EFCB30DF64CC94DAE3BA1BF12310F1585AEE4658B291D338ED40DB59

Function 00458D70 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00458E17
IsChild.USER32(?,00000000), ref: 00458E22
GetWindow.USER32(?,00000005), ref: 00458E32
SetFocus.USER32(00000000,?,?,?,004AC038,000000FF,00459257), ref: 00458E39

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: 5277197dec423bb3c8713d26d3f4586fe0077bed78f160d8067f4a3603a08142
Instruction ID: 0e171ba7850dd9349b2bd11fce62111bd4edc69a4000a89bfc57b8d8012a30ac
Opcode Fuzzy Hash: 5277197dec423bb3c8713d26d3f4586fe0077bed78f160d8067f4a3603a08142
Instruction Fuzzy Hash: 67315C75204701AFD714CF24CD85F27B7E8EB49B11F508A1DE8A9D77A1DB34A808CB55

Function 00469410 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 00469443
_memmove_s.LIBCMT ref: 00469467
__recalloc.LIBCMT ref: 00469486
__recalloc.LIBCMT ref: 004694A5

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __recalloc_memmove_s
String ID:
API String ID: 1992126439-0
Opcode ID: d050924c596b3eb6996db2df183d312b88fd9b6da051bbd37a36643660fda7d8
Instruction ID: 8f912185f77224502ca88c91a697dc64fcac873bf338f878c8a84d5fd443870f
Opcode Fuzzy Hash: d050924c596b3eb6996db2df183d312b88fd9b6da051bbd37a36643660fda7d8
Instruction Fuzzy Hash: CD21C6B62006029FCB20DA6ACD85D67B7EEDBD0304714892EE885C7655FA79EC86C650

Function 00454290 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004542BC
SetWindowPos.USER32(00000000,?,?,?,?,?), ref: 00454303
ShowWindow.USER32(00000000,?,?,?,?,?), ref: 0045431D
UpdateWindow.USER32(00000000), ref: 00454330

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$InfoParametersShowSystemUpdate
String ID:
API String ID: 2353380074-0
Opcode ID: 9a2d4ec19bc59251ad0b9fc4739885c1ea9bc4496ded8a949cbb7288bad941c2
Instruction ID: 7435f36b771e96c36796a4f72a2b5de2cdf7bbc6919aabb2201e41478f984b8c
Opcode Fuzzy Hash: 9a2d4ec19bc59251ad0b9fc4739885c1ea9bc4496ded8a949cbb7288bad941c2
Instruction Fuzzy Hash: 452193753006009FE700DF3CCC59FAA77EAABC8710F588569FA85C7395DA34E80587A0

Function 004615D0 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004615FC
SetWindowPos.USER32(00000000,?,00000008), ref: 00461643
ShowWindow.USER32(00000000,?,00000008), ref: 0046165D
UpdateWindow.USER32(00000000), ref: 00461670

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$InfoParametersShowSystemUpdate
String ID:
API String ID: 2353380074-0
Opcode ID: dd858f7793fbd52df485fac822e1986dd3d0ac05417038668de075457181aec5
Instruction ID: a1e0b0df3926975358bd7b46a1725993ec4af5a0122e19a34d5638aca5c15b39
Opcode Fuzzy Hash: dd858f7793fbd52df485fac822e1986dd3d0ac05417038668de075457181aec5
Instruction Fuzzy Hash: 021175753001019FE700DF2CDC95FA677AABBC8751F598165F944C7394DB34E8058BA1

Function 00479FB0 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000), ref: 00479FF6
CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000000,00000000), ref: 0047A02B
SetWindowRgn.USER32(00000000), ref: 0047A047
DeleteObject.GDI32(00000000), ref: 0047A052

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Rect$ClientCreateDeleteObjectRoundWindow
String ID:
API String ID: 259905628-0
Opcode ID: 28554ab353795982c7148fc7f9e5e65475701338f86f696f4a2bbd26e2f6f957
Instruction ID: 34690c9bb9b4aa05066d5ac91a191eb045c83061a390d44f035f8081a40ac8e4
Opcode Fuzzy Hash: 28554ab353795982c7148fc7f9e5e65475701338f86f696f4a2bbd26e2f6f957
Instruction Fuzzy Hash: 04116D71248341AFE304CF14C849FABB7E8FB88B04F144A1AF955976D0D77898458B96

Function 0047A960 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00477040: LoadCursorW.USER32(00000000,00007F00), ref: 0047713B

EnterCriticalSection.KERNEL32(004C52A4,?,6A8A24C0,?,?,?,?,004AE706,000000FF,00460FC6,?,?,6A8A24C0,00000000,?,00000000), ref: 0047A9FA
LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,004AE706,000000FF,00460FC6,?,?,6A8A24C0,00000000,?,00000000,004AF297,000000FF), ref: 0047AA0B

Strings

CSQImage, xrefs: 0047AA52
4<K, xrefs: 0047A9A4

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$CursorEnterLeaveLoad
String ID: 4<K$CSQImage
API String ID: 4139785880-1206782983
Opcode ID: 95da6f13e12b01040b3cbec0d6e77ee1d87558caa9d83e76a9402a75dbaf19fc
Instruction ID: 80236f72a1d326c5f2fc72bd49c9c47ce0cd813d0d637e6624c83ea68628b478
Opcode Fuzzy Hash: 95da6f13e12b01040b3cbec0d6e77ee1d87558caa9d83e76a9402a75dbaf19fc
Instruction Fuzzy Hash: 9E31F5B1645B82EFD348CF6AC880B85FBA0FB19310F90872ED56C93241C7746068CFA5

Function 0046B349 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

CharNextW.USER32(00000000,?,?,?,00000000,?,?,0046BBEB), ref: 0046B35D
CharNextW.USER32(00000000,?,?,?,00000000,?,?,0046BBEB), ref: 0046B376
CharNextW.USER32(?,?,?,?,00000000,?,?,0046BBEB), ref: 0046B37D
CharNextW.USER32(00000000,?,?,?,00000000,?,?,0046BBEB), ref: 0046B3CB

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 033bc88fcd1ce046f5fac20f840840cd78f7502ed2b91407b93bdef7d99d6648
Instruction ID: 0aa0a501cad7c1023fdd3aa4ac501e69c215a11850aafeb883bee32872545bb9
Opcode Fuzzy Hash: 033bc88fcd1ce046f5fac20f840840cd78f7502ed2b91407b93bdef7d99d6648
Instruction Fuzzy Hash: 7C1109717102028ADB249F39C895667B3E2FFA9710BA4496AD885C3354FB39D8C1C78A

Function 0046A540 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000025,0046A953,?,6A8A24C0), ref: 0046A549

Part of subcall function 0046A500: lstrcmpiW.KERNEL32(?,?,?,?,?,0046A55C,?), ref: 0046A51E

LeaveCriticalSection.KERNEL32(?,?), ref: 0046A564
LeaveCriticalSection.KERNEL32(?,?), ref: 0046A582

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$Leave$Enterlstrcmpi
String ID:
API String ID: 431788158-0
Opcode ID: cc0343effb1bb08f50e5a6dd707c0b0a35b7676d446d91b615ddc78d17d37cd0
Instruction ID: 157eefda7f5e09bd798739cc2646877c5e6b5c9d17dd5536aeae3e4cdcb3dff9
Opcode Fuzzy Hash: cc0343effb1bb08f50e5a6dd707c0b0a35b7676d446d91b615ddc78d17d37cd0
Instruction Fuzzy Hash: 2AF0F672200610BBD720CBB4AC84E8AF3ACFB44365F104A67F212F3160D370E8118BAA

Function 00454350 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00454378
SetWindowPos.USER32(00000000,?,?,?,?), ref: 0045439D
ShowWindow.USER32(00000000,?,?,?,?), ref: 004543B7
UpdateWindow.USER32(00000000), ref: 004543CA

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$InfoParametersShowSystemUpdate
String ID:
API String ID: 2353380074-0
Opcode ID: 5541e6b3219f335e637aa8eac9ef4a4e1103884e0e9ca677103b85027b81c529
Instruction ID: 261349190360dbd204bc809431b832e9e678b5679b114f7406f039803b332d91
Opcode Fuzzy Hash: 5541e6b3219f335e637aa8eac9ef4a4e1103884e0e9ca677103b85027b81c529
Instruction Fuzzy Hash: 3B0196343002109FF710EB18CC59FAA73E5BFC8704F548558FD858B3A1EA75A80587E5

Function 004A7039 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004A705F

Part of subcall function 004A6E84: __fltout2.LIBCMT ref: 004A6EB0

__cftog_l.LIBCMT ref: 004A7085
__cftoe_l.LIBCMT ref: 004A70B7

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: af89d32a5917390cb481d44b7400d8387c5b52d864917067cc5fb3739a0f8e25
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 89117573008049FBCF225E94CC01CEE3F62BB2A354F598416FE1855131D23AC971AB85

Function 0047A410 Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 0047A437
SystemParametersInfoW.USER32(00000025,00000000,00000000,00000000), ref: 0047A448
SendMessageW.USER32(?,00000112,?,00000000), ref: 0047A45D
SystemParametersInfoW.USER32(00000025,00000001,00000000,00000000), ref: 0047A472

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: InfoParametersSystem$MessageSend
String ID:
API String ID: 3675817773-0
Opcode ID: 4ebdd1900dca068ce0861df0d77ccfc8685a3496b595e51401189793a79551f6
Instruction ID: 0fa9b2debf9486141e41f57959f9cfea1bb3829c4b4682e2b3c003fba6d415fe
Opcode Fuzzy Hash: 4ebdd1900dca068ce0861df0d77ccfc8685a3496b595e51401189793a79551f6
Instruction Fuzzy Hash: E4F0FF317807006BF324DA54DC0AFAA62A9ABC4B15F258529B354AB1D1D7F46805C76A

Function 0048EDAB Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004C52F0,00000000,Software\Microsoft\Windows\CurrentVersion\Run,004AD538,0045DFE6,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,0045679A,Software\Microsoft\Windows\CurrentVersion\Run), ref: 0048EDB8
LeaveCriticalSection.KERNEL32(004C52F0,00454E51,?,0045679A,Software\Microsoft\Windows\CurrentVersion\Run), ref: 0048EDD4
LeaveCriticalSection.KERNEL32(004C52F0,?,0045679A,Software\Microsoft\Windows\CurrentVersion\Run), ref: 0048EDEC

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048EDB0

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 2978645861-1428018034
Opcode ID: 80f119cbfe84f9b851a7af1fcccd984ea7100dea7b8b5838314695951fe50b68
Instruction ID: a63bf18669a7edee405b81e7a39228c10ba239c7c11f37172547953d667efda6
Opcode Fuzzy Hash: 80f119cbfe84f9b851a7af1fcccd984ea7100dea7b8b5838314695951fe50b68
Instruction Fuzzy Hash: F1F0E23B2002029B8728AB13D8588AF77F8EE95750300093FFD07E3A20C724BC0A8799

Function 00493143 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049314F

Part of subcall function 0049AA11: __getptd_noexit.LIBCMT ref: 0049AA14
Part of subcall function 0049AA11: __amsg_exit.LIBCMT ref: 0049AA21

__getptd.LIBCMT ref: 00493166
__amsg_exit.LIBCMT ref: 00493174
__lock.LIBCMT ref: 00493184

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: b052526583acce3ed756ef6b6d07f82aef86f43fc3d182baf577e3cd9ef1d9ab
Instruction ID: 89599249c2c99a77e37d06e9f3e2f56a2c1dd53b48fc93bf8048f6c90054a2d3
Opcode Fuzzy Hash: b052526583acce3ed756ef6b6d07f82aef86f43fc3d182baf577e3cd9ef1d9ab
Instruction Fuzzy Hash: CDF062315407009BDF21AFA69507B597BA0AB01716F14413FE400A72A1CBAC5A41CB5E

Function 0046FBC0 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0046FBD1
OpenProcessToken.ADVAPI32(00000000), ref: 0046FBD8
CloseHandle.KERNEL32 ref: 0046FBE6
GetTokenInformation.ADVAPI32 ref: 0046FC09

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 2206f76d278fa2536edf7db04a8eb974675cd8c271ca715defb3c72bc0d85b04
Instruction ID: 0a3e307e7dc5d01ddf8ec421315a4bcafabd7d04564ead7eafbfdeacf2b94341
Opcode Fuzzy Hash: 2206f76d278fa2536edf7db04a8eb974675cd8c271ca715defb3c72bc0d85b04
Instruction Fuzzy Hash: B4F082B0158201ABD304EF60EC49F6A7BE8BF84705F80892CF985C21A0E778C54CCB57

Function 0047DF80 Relevance: 6.0, APIs: 4, Instructions: 24synchronizationthreadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,0047EB5A,?,?,?,?,?,?,00000007,?,?,00000000,00000007), ref: 0047DF8F
WaitForSingleObject.KERNEL32(?,00001388,0047EB5A,?,?,?,?,?,?,00000007,?,?,00000000,00000007), ref: 0047DFA9
TerminateThread.KERNEL32(?,00000000,?,?,?,?,?,?,00000007,?,?,00000000,00000007), ref: 0047DFBC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000007,?,?,00000000,00000007), ref: 0047DFC6

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseEventHandleObjectSingleTerminateThreadWait
String ID:
API String ID: 1091591685-0
Opcode ID: 5287b3d5fdca89f3044fd8dda8298ddd025afdb2e50eac10924f318771fd4937
Instruction ID: f983a26b9e8d1a416339dc3b078b3f9db7e25e494911fc42c57c311c8675b66a
Opcode Fuzzy Hash: 5287b3d5fdca89f3044fd8dda8298ddd025afdb2e50eac10924f318771fd4937
Instruction Fuzzy Hash: A3F0C9746007019BEB249F62DD5CB8777E9AF04315F908A58F99BD2BA0C778E880CF18

Function 00459D70 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

AXWIN, xrefs: 0045A0D2

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID: AXWIN
API String ID: 0-1948516679
Opcode ID: 3045ebab668d19405f6cb1f6fb17103835e43a74c3bf70f3fbaba53854cfc850
Instruction ID: a09a4e3f5d66eb0a2014bf3d9865df2488b48849e3072251f1358525d077e0a9
Opcode Fuzzy Hash: 3045ebab668d19405f6cb1f6fb17103835e43a74c3bf70f3fbaba53854cfc850
Instruction Fuzzy Hash: 95020074204701AFD714DF68C880F6BB3EABF89704F248A4DE9598B391DB75E805CB65

Function 0048B2D0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0048B324

Strings

0~K, xrefs: 0048B392

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _strpbrk
String ID: 0~K
API String ID: 3221230779-2342056162
Opcode ID: 569a9424ced047a5ade32a7ffacdb57e5453567200d10f64cec6996344a5ad8b
Instruction ID: 50ecb89c09680153307712cdc9706cd85c9dea3efed48745f1105fb8aee19961
Opcode Fuzzy Hash: 569a9424ced047a5ade32a7ffacdb57e5453567200d10f64cec6996344a5ad8b
Instruction Fuzzy Hash: 9BB1D0701583809FD321EB14C882BDEB7E4EF95708F504D6FE58947292E7B89908CB9A

Function 00474C30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 00474C5E

Part of subcall function 00494285: __getptd.LIBCMT ref: 00494285

Part of subcall function 0048FB87: ____lc_handle_func.LIBCMT ref: 0048FB8A
Part of subcall function 0048FB87: ____lc_codepage_func.LIBCMT ref: 0048FB92

Strings

false, xrefs: 00474CC8
true, xrefs: 00474CE4

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ____lc_codepage_func____lc_handle_func__getptd_localeconv
String ID: false$true
API String ID: 679402580-2658103896
Opcode ID: 772d1111ed6ef927082d708584d524eca174466b64710e9a00fe5f9d57ef8bea
Instruction ID: 9f120e960a0ef7e9fab3217b1965bc9200feb9e3c24f7b3260c41b4c3821a958
Opcode Fuzzy Hash: 772d1111ed6ef927082d708584d524eca174466b64710e9a00fe5f9d57ef8bea
Instruction Fuzzy Hash: C5713DB5C002499FCB01EFA9C4819EEBBF4FF88314F14856EE559AB301E735A645CBA4

Function 0048D0C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0048D251

Strings

+, xrefs: 0048D1E7
%, xrefs: 0048D1D9

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 16fd30fbf3cf97c2d91c197c44616b0c913702e2f74b4d2545d6370493b968f1
Instruction ID: ec31653f9aab5e337a2975d31fcffee83e4016cd3351e925913e95d716d5f53b
Opcode Fuzzy Hash: 16fd30fbf3cf97c2d91c197c44616b0c913702e2f74b4d2545d6370493b968f1
Instruction Fuzzy Hash: 61515972E093006BD716BE58C8487DF7BA8EF41740F204D5AE981933E2E76D8C458BDA

Function 0048D2A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0048D421

Strings

+, xrefs: 0048D3B7
%, xrefs: 0048D3A9

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 398118066320a8c24a706dcb6d37c89136ad34059682eb666c371a74cb36a458
Instruction ID: add250e83193e4684fa205fa2ef2b26919a9544da2137f407ce22d1a2b1a2e49
Opcode Fuzzy Hash: 398118066320a8c24a706dcb6d37c89136ad34059682eb666c371a74cb36a458
Instruction Fuzzy Hash: E7515A72E09340ABDB15BA18C844BDF7BE4EB46340F205D5AED81973D2E62D8C42879B

Function 0048E920 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 0048E94E

Part of subcall function 00494285: __getptd.LIBCMT ref: 00494285

Part of subcall function 0048FB87: ____lc_handle_func.LIBCMT ref: 0048FB8A
Part of subcall function 0048FB87: ____lc_codepage_func.LIBCMT ref: 0048FB92

Strings

false, xrefs: 0048E9A5
true, xrefs: 0048E9DC

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ____lc_codepage_func____lc_handle_func__getptd_localeconv
String ID: false$true
API String ID: 679402580-2658103896
Opcode ID: dd139186df67c299ae47c43c1e964121d5327ee6d00ab91cc4dadf6c641c5e57
Instruction ID: 5ac17f6b7151259de82c25c6c302ac856d79d25f4cf1c8a3175ca99dd3c46cae
Opcode Fuzzy Hash: dd139186df67c299ae47c43c1e964121d5327ee6d00ab91cc4dadf6c641c5e57
Instruction Fuzzy Hash: 40418BB6C042808BC702FF398454A9E7BE1AF8635871885BAD8958F302D739D909C7E4

Function 00476650 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0047678C

Strings

iK, xrefs: 00476766
`<u, xrefs: 0047678C

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: FreeString
String ID: iK$`<u
API String ID: 3341692771-1785270266
Opcode ID: f71f4b2509f3f38360443408aef474b13bbbf45bf1c37015c14fcf0fce756473
Instruction ID: 80d78b0ef62d3d448011b5eeb5b8c009eadb74e78757c0fc172511b113854297
Opcode Fuzzy Hash: f71f4b2509f3f38360443408aef474b13bbbf45bf1c37015c14fcf0fce756473
Instruction Fuzzy Hash: 0B5116752087819FC704DF58C880E5BB7E5BBC8304F548A6DF589CB361D739E8098B66

Function 00471080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00468570: std::_Lockit::_Lockit.LIBCPMT ref: 0046857F

std::_Lockit::_Lockit.LIBCPMT ref: 00471125
__Stoulx.LIBCPMT ref: 00471185

Strings

-, xrefs: 004711DA

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Stoulx
String ID: -
API String ID: 3418229591-2547889144
Opcode ID: dffab84135a19c51ec45f181fc983f6f7a2d87b3984cf2cd8440c235e8a6bba0
Instruction ID: 0970817978bcbfaa31a1c8b6480a5d7c9dd22c2af11c382aa13c4daefc1745ee
Opcode Fuzzy Hash: dffab84135a19c51ec45f181fc983f6f7a2d87b3984cf2cd8440c235e8a6bba0
Instruction Fuzzy Hash: 85512B715083419FD724DF28C840BABB7E4FB89754F508A2EF99997360E778A904CB86

Function 00471230 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00468570: std::_Lockit::_Lockit.LIBCPMT ref: 0046857F

std::_Lockit::_Lockit.LIBCPMT ref: 004712D5
__Stoulx.LIBCPMT ref: 00471335

Strings

-, xrefs: 00471387

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Stoulx
String ID: -
API String ID: 3418229591-2547889144
Opcode ID: d9fbb6dd6602342d6e8fb88ab43b609eabe77af4ec1a5f6fa91e26004fa9e3c6
Instruction ID: ef927b2eab90c62fe6754a84ce4bacc6e1596ca350b0490f4452040da7b6bd58
Opcode Fuzzy Hash: d9fbb6dd6602342d6e8fb88ab43b609eabe77af4ec1a5f6fa91e26004fa9e3c6
Instruction Fuzzy Hash: A7515C715083419FD724DF28C441BABB7E4BF89714F108A1EF9A9977A0E778E904CB86

Function 0048B140 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0048B16B

Part of subcall function 004946A8: __vsprintf_s_l.LIBCMT ref: 004946BC

Strings

%#.16g, xrefs: 0048B159
0, xrefs: 0048B189

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __vsprintf_s_lswprintf
String ID: %#.16g$0
API String ID: 2827182839-3304050424
Opcode ID: 6033a34449c198e7db5a9f6c18650fcb988510ade52104286d731baa4bd241c3
Instruction ID: 59272aa76727bb02a4b5c91db9c6e0c2e1c35c8ec04f14b5312cab77244ea671
Opcode Fuzzy Hash: 6033a34449c198e7db5a9f6c18650fcb988510ade52104286d731baa4bd241c3
Instruction Fuzzy Hash: 324194701083449FD321EF24C4A8AABFBE5EB85740F588D6ED4D68B212D734E64C87D6

Function 00456440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,?,00000000,00000000), ref: 00456488

Part of subcall function 00457360: std::_String_base::_Xlen.LIBCPMT ref: 004573BD
Part of subcall function 00457360: _memcpy_s.LIBCMT ref: 0045741E

Part of subcall function 0046EBD0: _memset.LIBCMT ref: 0046EC7D
Part of subcall function 0046EBD0: GetPrivateProfileStringW.KERNEL32(?,?,?,?,00000104,?), ref: 0046ECEF

Strings

ProcessList, xrefs: 00456508
version, xrefs: 00456537

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: MessagePrivateProfileSendStringString_base::_Xlen_memcpy_s_memsetstd::_
String ID: ProcessList$version
API String ID: 1720257080-4229193483
Opcode ID: df4b21ca4a0a7abb7ca69b3bb53001f818689dc589da1cfb5a06b3ff283175c3
Instruction ID: c395533f5cfa3b538012d94a9b2024749d34d361b8097429382797dc49d5c1f7
Opcode Fuzzy Hash: df4b21ca4a0a7abb7ca69b3bb53001f818689dc589da1cfb5a06b3ff283175c3
Instruction Fuzzy Hash: A841D6715083809FD320EF29958271BFBE4BF85714F44492EF88547352DB79A808C7AB

Function 0045F050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0045F0AC
_memcpy_s.LIBCMT ref: 0045F106

Strings

Z}E, xrefs: 0045F0A3, 0045F08D, 0045F091, 0045F0BC, 0045F102

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String_base::_Xlen_memcpy_sstd::_
String ID: Z}E
API String ID: 923394732-38650064
Opcode ID: d152463ea84878c2b347d788924dfe98beeb2aaa4460ac0fd36a608cec71466e
Instruction ID: 5a94a0cc1494398658a6a2066a64acada534f10b40a8e839ee12f92041a5d6b9
Opcode Fuzzy Hash: d152463ea84878c2b347d788924dfe98beeb2aaa4460ac0fd36a608cec71466e
Instruction Fuzzy Hash: 2D21F732300A148BD724DA49D58092FB3AADBD2B11B14083FE892877D3D625AC4D83AA

Function 0045D9E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045DE30: EnterCriticalSection.KERNEL32(004C5340,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000), ref: 0045DE42
Part of subcall function 0045DE30: RegisterWindowMessageW.USER32(WM_ATLGETHOST,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000,00000000), ref: 0045DE53
Part of subcall function 0045DE30: RegisterWindowMessageW.USER32(WM_ATLGETCONTROL,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000,00000000), ref: 0045DE5F
Part of subcall function 0045DE30: GetClassInfoExW.USER32(00450000,AtlAxWin90,?), ref: 0045DE80
Part of subcall function 0045DE30: LoadCursorW.USER32 ref: 0045DEBC
Part of subcall function 0045DE30: RegisterClassExW.USER32 ref: 0045DEE3
Part of subcall function 0045DE30: _memset.LIBCMT ref: 0045DF0E
Part of subcall function 0045DE30: GetClassInfoExW.USER32(00450000,AtlAxWinLic90,?), ref: 0045DF2A
Part of subcall function 0045DE30: LoadCursorW.USER32 ref: 0045DF6A
Part of subcall function 0045DE30: RegisterClassExW.USER32 ref: 0045DF91
Part of subcall function 0045DE30: LeaveCriticalSection.KERNEL32(004C5340,?,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000,00000000), ref: 0045DFBF

SysFreeString.OLEAUT32(00000000), ref: 0045DA54
SysAllocString.OLEAUT32(00000000), ref: 0045DA80

Strings

`<u, xrefs: 0045DA54

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClassRegister$CriticalCursorInfoLoadMessageSectionStringWindow$AllocEnterFreeLeave_memset
String ID: `<u
API String ID: 2093999386-3367579956
Opcode ID: 631a171a3118c8320755a9722250d585ad4d83780a7ecd29f56da5ce3e27d176
Instruction ID: e23d0a2d603b1e53d3015bed6081287a4bafd3e2e7ff1764bf6d5200c16a30c9
Opcode Fuzzy Hash: 631a171a3118c8320755a9722250d585ad4d83780a7ecd29f56da5ce3e27d176
Instruction Fuzzy Hash: 7C313E72A043019F8310EFA9C8C086BB3E9AFC8705B144A6EF949D7215D635DD09CBA5

Function 00456F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,00000000,00000006,00000000,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,004567AB,00000000,00000000), ref: 00456F27

Part of subcall function 0045E050: LoadResource.KERNEL32(QNE,00000000,00000000,004AD538,0045E01A,00000000,?,00000000,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,0045679A,Software\Microsoft\Windows\CurrentVersion\Run), ref: 0045E05A

_memcpy_s.LIBCMT ref: 00456F9D

Part of subcall function 004521E0: __CxxThrowException@8.LIBCMT ref: 004521F2

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00456F16

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Resource$Exception@8FindLoadThrow_memcpy_s
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 2622827100-1428018034
Opcode ID: a5edb1645dba0a489596ebd2f4aa72c1655310f4837f84bd405ae18880910685
Instruction ID: 00773358713e589c3a84f72efc87911b3e28231d936ae5bc4be909193186258c
Opcode Fuzzy Hash: a5edb1645dba0a489596ebd2f4aa72c1655310f4837f84bd405ae18880910685
Instruction Fuzzy Hash: CC212333A001009FD7109F6DDC44A6BB3E9EF90726B42862BFD46DB352EA78ED058794

Function 0045EC20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 0045EC7D

Part of subcall function 0048F246: __EH_prolog3.LIBCMT ref: 0048F24D
Part of subcall function 0048F246: __CxxThrowException@8.LIBCMT ref: 0048F278

Strings

DZ}E, xrefs: 0045EC6E, 0045EC76
Z}E, xrefs: 0045EC36

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8H_prolog3Throw_memmove_s
String ID: DZ}E$Z}E
API String ID: 2183016878-3131264266
Opcode ID: a52828ca245e625efbb0a6ef4e77483d998c399b1a379e048f93d022fba9ffb8
Instruction ID: 8cba2480792e9a8765ec247c40941eaa9f545704cdb55661c3fc38b15c16c976
Opcode Fuzzy Hash: a52828ca245e625efbb0a6ef4e77483d998c399b1a379e048f93d022fba9ffb8
Instruction Fuzzy Hash: 0311E531200605CBD729DE5DDAC481BB7A6EB91741B14492EE88787702D634EA4D8769

Function 004773B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004773E2
OffsetRect.USER32(?,?,?), ref: 0047744E

Strings

right, xrefs: 004773C6

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Rect$ClientOffset
String ID: right
API String ID: 3549191583-3033167124
Opcode ID: 2def78d775a49b20d2072f20a95f37d453d810435368ff21a1aa5cd28c67bf15
Instruction ID: 5f9bc91cb4c6f67756fef9a410981ce193e7ae3fc02b61bba5b031829bc357f5
Opcode Fuzzy Hash: 2def78d775a49b20d2072f20a95f37d453d810435368ff21a1aa5cd28c67bf15
Instruction Fuzzy Hash: DD110D756047019FC314DF69D980A9BBBE5AF88314F008A2EF9AD83351EB34E905CB95

Function 00497FC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004964FB: __getptd.LIBCMT ref: 00496501
Part of subcall function 004964FB: __getptd.LIBCMT ref: 00496511

__getptd.LIBCMT ref: 00497FD6

Part of subcall function 0049AA11: __getptd_noexit.LIBCMT ref: 0049AA14
Part of subcall function 0049AA11: __amsg_exit.LIBCMT ref: 0049AA21

__getptd.LIBCMT ref: 00497FE4

Strings

csm, xrefs: 00497FF2

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 980e35c139e1447fe6e507883ce6249f3e91ba2297657663e328b97f825f920c
Instruction ID: 29a18eb4f03158ae0b7de7f717c74cbf40686345a48761c63286375f00fd1e9f
Opcode Fuzzy Hash: 980e35c139e1447fe6e507883ce6249f3e91ba2297657663e328b97f825f920c
Instruction Fuzzy Hash: 41018B30801201DACF389F69C444AAEBFB4AF11350F16443FE88096392CF389998CB59

Function 00475C10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(753CF6A8), ref: 00475C1B
SysFreeString.OLEAUT32(00000000), ref: 00475C30

Strings

`<u, xrefs: 00475C30

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: DecrementFreeInterlockedString
String ID: `<u
API String ID: 3298718523-3367579956
Opcode ID: 4acf6b61c8e92903f3742a0e7ec39c0175cba6902abdad8509ef0f4ef5a0255e
Instruction ID: 6a54decced34be0e47392deb34e85a4b32597995f42c9dabd713c55cca4170d9
Opcode Fuzzy Hash: 4acf6b61c8e92903f3742a0e7ec39c0175cba6902abdad8509ef0f4ef5a0255e
Instruction Fuzzy Hash: A0E06DB1E01B114FEB31AF25A804B87779C5F00B00B14442AEC1ADB308E778EC9086D9

Function 00451F70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(00000000), ref: 00451F92
SetWindowPos.USER32(00000000,?,00000000,00000000,00000000,00000011), ref: 00451FBC

Strings

liK, xrefs: 00451F9F, 00451FB4

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClientScreenWindow
String ID: liK
API String ID: 1643562046-3955073952
Opcode ID: 8d38feeb64a0b0c18321d65540aa7ec13deb0d9ff7791b943eeb41c551896fa0
Instruction ID: aa74287333d5ec4340d472b6bd05825ccfd061852a20b8ccb6f9d238a40a9144
Opcode Fuzzy Hash: 8d38feeb64a0b0c18321d65540aa7ec13deb0d9ff7791b943eeb41c551896fa0
Instruction Fuzzy Hash: C0F03074204200EFE700EB54DC59F6AB7F4FB88704F54C628F949CB3A4D675A8088B65

Function 0045D2A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0045D2B5
SysAllocString.OLEAUT32(?), ref: 0045D2C0

Part of subcall function 004521E0: __CxxThrowException@8.LIBCMT ref: 004521F2

Strings

`<u, xrefs: 0045D2B5

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String$AllocException@8FreeThrow
String ID: `<u
API String ID: 1688122297-3367579956
Opcode ID: d515bfd5c474545a9b524f19784a41d61cf964d61159bf70cd3e12563921c3ee
Instruction ID: 05141fb0bb45f9be9364944e954399cf5768a21e8d3b9a4b9a01c189cdf4833a
Opcode Fuzzy Hash: d515bfd5c474545a9b524f19784a41d61cf964d61159bf70cd3e12563921c3ee
Instruction Fuzzy Hash: FAE09232900511ABD3209B358804B8BF3D4BF50325F04811BFC18E3201D734D8258FE8

Function 0049F0CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0049F0DC

Part of subcall function 0049CAC8: __lock.LIBCMT ref: 0049CAED

__ftelli64_nolock.LIBCMT ref: 0049F0E9

Part of subcall function 0049ED81: __fileno.LIBCMT ref: 0049EDA1
Part of subcall function 0049ED81: __lseeki64.LIBCMT ref: 0049EDBE

Strings

0(I, xrefs: 0049F101

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __fileno__ftelli64_nolock__lock__lock_file__lseeki64
String ID: 0(I
API String ID: 1600627125-2306304796
Opcode ID: 65db321c07c4915bfa9059fd4ec4d37498876a3e8bf1393771f9048f725ca757
Instruction ID: 03c4359fabc1136cb22ad514fbbc72ac10832d53703b46da2d122fff49610b8d
Opcode Fuzzy Hash: 65db321c07c4915bfa9059fd4ec4d37498876a3e8bf1393771f9048f725ca757
Instruction Fuzzy Hash: 46E09A3194060DAACF01EFA6D8427CDBFB1AF44315F60822AE414A6191CB7D5A429B58

Function 0048F246 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048F24D
__CxxThrowException@8.LIBCMT ref: 0048F278

Part of subcall function 0049617B: RaiseException.KERNEL32(?,?,?,?), ref: 004961BD

Strings

invalid string position, xrefs: 0048F252

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid string position
API String ID: 1961742612-1799206989
Opcode ID: 9576535cc3cae4f854903ec330d1d2069a541da2d14c6ba8705543f341d68694
Instruction ID: 11ae92ceabc05c9dab179e4aaec5a5fb30320cdb403a4987d4b0e1ac687be1b1
Opcode Fuzzy Hash: 9576535cc3cae4f854903ec330d1d2069a541da2d14c6ba8705543f341d68694
Instruction Fuzzy Hash: E9D0127195010C9ACF00EBD1CC52FDD7738AF14315F50042BB10076496DFAC6A48C67C

Function 0048ED27 Relevance: 5.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0000000D,000000E9,0045B0E3,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECA8
HeapAlloc.KERNEL32(00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECAF

Part of subcall function 0048EBC0: IsProcessorFeaturePresent.KERNEL32(0000000C,0048EC96,000000E9,0045B0E3,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0048EBC2

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECD1
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECFE

Memory Dump Source

Source File: 00000001.00000002.1722207412.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000001.00000002.1722193308.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722259446.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722272653.00000000004C4000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722287143.00000000004C5000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1722301664.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: AllocHeapVirtual$FeatureFreePresentProcessProcessor
String ID:
API String ID: 4058086966-0
Opcode ID: 24019b389bf53897120c8bd13645edac9e37c3c27cbdadbe68596101610e46b6
Instruction ID: cd7417b4e642ec6e12a6acf7c58530312f3f18b0982facc6bd27b5725622b39f
Opcode Fuzzy Hash: 24019b389bf53897120c8bd13645edac9e37c3c27cbdadbe68596101610e46b6
Instruction Fuzzy Hash: 5F018431A40611A7E7717726BC1CF5E3695AB80751F250972F901D62E0DA28EC809B5C

Analysis Process: dqwhj_errwd.exePID: 7428, Parent PID: 7288COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	73

Executed Functions

Function 00483070 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004830C0

Part of subcall function 00483860: _vswprintf_s.LIBCMT ref: 00483870

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?), ref: 004830F1
DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 00483135
_memset.LIBCMT ref: 0048318B
DeviceIoControl.KERNEL32 ref: 0048320E
CloseHandle.KERNEL32(00000000,?,?,?,?,?), ref: 004832BA

Strings

\\.\PhysicalDrive%d, xrefs: 004830C6

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ControlDevice_memset$CloseCreateFileHandle_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 1038176960-2935326385
Opcode ID: da542eeb89de7324432b8145120ca7ce58ba442e1ddd121a664c65cbc249384f
Instruction ID: f3898ba99fe75acfd9b1f1efb0af23f0974ef8e624e69a4ed446c6e77d0c0313
Opcode Fuzzy Hash: da542eeb89de7324432b8145120ca7ce58ba442e1ddd121a664c65cbc249384f
Instruction Fuzzy Hash: E26119B15083809ED360DF69C854BABBBE4BBC9704F044E2EF6D887291E7B89544CB57

Function 004834E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00483860: _vswprintf_s.LIBCMT ref: 00483870

CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,00000000), ref: 00483539
_memset.LIBCMT ref: 00483575
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002000,?,00000000), ref: 004835A3
_memset.LIBCMT ref: 004835FF
DeviceIoControl.KERNEL32(00000000,002D0C10,00000000,00000000,?,00002000,?,00000000), ref: 00483625
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00483666

Strings

\\.\PhysicalDrive%d, xrefs: 0048351B

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ControlDevice_memset$CloseCreateFileHandle_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 1038176960-2935326385
Opcode ID: 39029b944d379be02082c04c6c92d5ba017d879924236a72e6ec1fe828d804ac
Instruction ID: cf365d9a303a816d5872ede22f580b52e5c7ab1f6516214c2db05c6edb1a7025
Opcode Fuzzy Hash: 39029b944d379be02082c04c6c92d5ba017d879924236a72e6ec1fe828d804ac
Instruction Fuzzy Hash: 0A4153B1504300AFD320EF69C885F6BB3E8BB88748F404E2EF55596651E774EA09CB96

Function 00483509 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00483860: _vswprintf_s.LIBCMT ref: 00483870

CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,00000000), ref: 00483539
_memset.LIBCMT ref: 00483575
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002000,?,00000000), ref: 004835A3
_memset.LIBCMT ref: 004835FF
DeviceIoControl.KERNEL32(00000000,002D0C10,00000000,00000000,?,00002000,?,00000000), ref: 00483625
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00483666

Strings

\\.\PhysicalDrive%d, xrefs: 0048351B

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ControlDevice_memset$CloseCreateFileHandle_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 1038176960-2935326385
Opcode ID: 9eb62af13c80dab98ea1cfe9dc343091b5efebd0cd05ff24226a551f267b2d85
Instruction ID: 8339faf587d4618df9dfe7b0c4efb13d2807381d430c8089faac255bd272f8c1
Opcode Fuzzy Hash: 9eb62af13c80dab98ea1cfe9dc343091b5efebd0cd05ff24226a551f267b2d85
Instruction Fuzzy Hash: 8D4181B1504300AFD330EF29C885F6BB3E8BB88708F404E2DF55596681E774EA09CB95

Function 004697C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004697CA
OleInitialize.OLE32(00000000), ref: 004697D2

Part of subcall function 00469AA0: GetCurrentThreadId.KERNEL32 ref: 00469ADB

LoadStringW.USER32(?,00000067,004C63CC,00000064), ref: 004697FE
LoadStringW.USER32(?,0000006D,37Lander,00000064), ref: 0046980A

Part of subcall function 00469840: LoadIconW.USER32 ref: 00469875
Part of subcall function 00469840: LoadCursorW.USER32(00000000,00007F00), ref: 00469886
Part of subcall function 00469840: RegisterClassExW.USER32 ref: 004698B4

Part of subcall function 00462220: EnterCriticalSection.KERNEL32(004C8338), ref: 0046280F
Part of subcall function 00462220: GetCurrentThreadId.KERNEL32 ref: 00462815
Part of subcall function 00462220: LeaveCriticalSection.KERNEL32(004C8338,004B5404,?), ref: 00462835

Part of subcall function 00469A00: DeleteCriticalSection.KERNEL32(004C8358,75C0EBF0,00000000,0046981F), ref: 004699EF

OleUninitialize.OLE32 ref: 0046981F
CoUninitialize.OLE32 ref: 00469825

Strings

37Lander, xrefs: 00469802

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Load$CriticalSection$CurrentInitializeStringThreadUninitialize$ClassCursorDeleteEnterIconLeaveRegister
String ID: 37Lander
API String ID: 2168486795-3989498111
Opcode ID: f8970c7fdd1a58161d9854213971ceda1e1f1ea0e2ea8fdf9579d02677123616
Instruction ID: 0b8ff4cd4dc6173925658e8260eb098cd5427f9daee228d13a25d85c01f946a5
Opcode Fuzzy Hash: f8970c7fdd1a58161d9854213971ceda1e1f1ea0e2ea8fdf9579d02677123616
Instruction Fuzzy Hash: 41F0623164035477C3207FA9AC0BF4A7B589F85B15F414227F902972F1DAF55920C6AE

Function 00479A60 Relevance: 6.3, APIs: 4, Instructions: 296COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00479AB2
BeginPaint.USER32(?,?), ref: 00479AC0
EndPaint.USER32(?,?,?,?), ref: 00479ADA

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Paint$Begin_memset
String ID:
API String ID: 3615005463-0
Opcode ID: 694fa0929ee65eabf1fdcbeadf1e50e1db09a93e89864183e8d89318afd6daa9
Instruction ID: 86c7a3d4742d993e21498bd98bd513f760e267ff46b375d09d0ab9f102117dd6
Opcode Fuzzy Hash: 694fa0929ee65eabf1fdcbeadf1e50e1db09a93e89864183e8d89318afd6daa9
Instruction Fuzzy Hash: 4EA118717182059FC744EF29E89196FB7E5EBC8310F00C92EF99AC7281EA35D8118BD6

Function 0047F940 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0047F957

Part of subcall function 004909E3: __FF_MSGBANNER.LIBCMT ref: 00490A06
Part of subcall function 004909E3: __NMSG_WRITE.LIBCMT ref: 00490A0D
Part of subcall function 004909E3: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C,00498BFF), ref: 00490A5A

_malloc.LIBCMT ref: 0047F97C
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0047F98C

Part of subcall function 0047F8F0: __snwprintf_s.LIBCMT ref: 0047F932

GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0047F967

Part of subcall function 00490906: __lock.LIBCMT ref: 00490924
Part of subcall function 00490906: ___sbh_find_block.LIBCMT ref: 0049092F
Part of subcall function 00490906: ___sbh_free_block.LIBCMT ref: 0049093E
Part of subcall function 00490906: HeapFree.KERNEL32(00000000,?,004BB1F0,0000000C,0049AA02,00000000,?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C), ref: 0049096E
Part of subcall function 00490906: GetLastError.KERNEL32(?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C,00498BFF,?,?,?,0049AABC,0000000D), ref: 0049097F

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: AdaptersHeapInfo_malloc$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock__snwprintf_s
String ID:
API String ID: 531247599-0
Opcode ID: 82d2b5489058df5650fbcd5bf811a472200cb9da8bfad8ae898285b73c30a68f
Instruction ID: ceda9a1a9c2a7177615b2b39df6d6a3ca0b38fe9052dbaf64be7fb8374001254
Opcode Fuzzy Hash: 82d2b5489058df5650fbcd5bf811a472200cb9da8bfad8ae898285b73c30a68f
Instruction Fuzzy Hash: 7111E9F26412106FAA50AA259C016FF73989E91724F24853FFD5987302EB2C9D4DD2DF

Function 0047DFE0 Relevance: 40.7, APIs: 18, Strings: 5, Instructions: 417
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0047E03D
InternetCrackUrlW.WININET(?,?,00000000,0000003C), ref: 0047E0B3
InternetOpenW.WININET(HTTPDownloader,00000000,00000000,00000000,00000000), ref: 0047E0CE
InternetConnectW.WININET(00000000,?,?,?,?,00000003,00000000,00000000), ref: 0047E11A
InternetCloseHandle.WININET(00000000), ref: 0047E495
InternetCloseHandle.WININET(00000000), ref: 0047E4A4
InternetCloseHandle.WININET(?), ref: 0047E4AF
CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 0047E501
InternetReadFile.WININET(?,?,00002800,00000000), ref: 0047E568
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0047E5CF
CloseHandle.KERNEL32(00000000), ref: 0047E5E6

Strings

POST, xrefs: 0047E162
GET, xrefs: 0047E1BA
HTTPDownloader, xrefs: 0047E0C9
Content-Type: application/x-www-form-urlencoded; charset=UTF-8;, xrefs: 0047E170, 0047E194, 0047E195
<, xrefs: 0047E08D

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Internet$CloseHandle$File$ConnectCrackCreateOpenReadWrite_memset
String ID: <$Content-Type: application/x-www-form-urlencoded; charset=UTF-8;$GET$HTTPDownloader$POST
API String ID: 1421527622-246836014
Opcode ID: 48c8663b00465a6797a1c17b4897ae030462c433898ed869760fc1637174f6da
Instruction ID: 0b74eb504d167b019270e2a4ce9f90fcf256779fc82808f597aa11caa52a835c
Opcode Fuzzy Hash: 48c8663b00465a6797a1c17b4897ae030462c433898ed869760fc1637174f6da
Instruction Fuzzy Hash: 83F181701083419FE720DF25C845B9BB7E8BB88718F108B6EF5A9972D0D778D905CB9A

Function 00462360 Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 332
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000), ref: 00462468
ShowWindow.USER32(00000000), ref: 0046247F

Part of subcall function 00453210: _memset.LIBCMT ref: 00453334

SendMessageW.USER32(00000000), ref: 004624C2

Part of subcall function 0049100C: _malloc.LIBCMT ref: 00491026

Strings

(gL, xrefs: 00462713
(gL, xrefs: 0046272F
(gL, xrefs: 004626FD
(gL, xrefs: 004623F7
<<K, xrefs: 0046246A, 00462477, 004625DE, 004625EA, 004625FB, 0046260A, 004626AB, 004626C3, 004626D1, 004626DF
(gL, xrefs: 00462697
(gL, xrefs: 00462526
(gL, xrefs: 00462652
(gL, xrefs: 0046245A
(gL, xrefs: 00462631

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ShowWindow$MessageSend_malloc_memset
String ID: (gL$(gL$(gL$(gL$(gL$(gL$(gL$(gL$(gL$<<K
API String ID: 414038305-1077617039
Opcode ID: fa81db6c443367ef772d26681c34548c224eae7daed8a408a9dfce91e5f2c2bc
Instruction ID: 8f9e0aeb898dc7f266b0a1927e8849a67004c0a1ab81777016583668f7966463
Opcode Fuzzy Hash: fa81db6c443367ef772d26681c34548c224eae7daed8a408a9dfce91e5f2c2bc
Instruction Fuzzy Hash: 26C19F756042009FD754DFA8D880F2AB7E5FBC8714F10863EF94987350EB79A845CBAA

Function 00458430 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 236
commemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00458497
GetWindowLongW.USER32(?,000000EC), ref: 004584A7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004584B2
GetWindowLongW.USER32(?,000000EB), ref: 004584C0
OleUninitialize.OLE32 ref: 004584D2
OleInitialize.OLE32(00000000), ref: 004584E0
GetWindowTextLengthW.USER32(?), ref: 004584E7
__alloca_probe_16.LIBCMT ref: 004584FA
GetWindowTextW.USER32(?,00000000,00000001), ref: 0045853E
SetWindowTextW.USER32(?,004B450C), ref: 0045854A
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00458566
GlobalLock.KERNEL32(00000000), ref: 00458580
GlobalUnlock.KERNEL32(00000000), ref: 0045859C
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 004585A9
DefWindowProcW.USER32(?,?,?,?), ref: 004586A3

Strings

Fju, xrefs: 004585A9

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$GlobalLong$Text$AllocCreateInitializeLengthLockProcStreamUninitializeUnlock__alloca_probe_16
String ID: Fju
API String ID: 335951283-1243383758
Opcode ID: 8fba56b42ccdcea89520a580b33007d119e4b304378a2274b7d2526fb885e481
Instruction ID: 53bb00e6df03b1bff7c165b0929ff98e6583b398753f83b89572c5f7543aeb2e
Opcode Fuzzy Hash: 8fba56b42ccdcea89520a580b33007d119e4b304378a2274b7d2526fb885e481
Instruction Fuzzy Hash: 32817271A00205AFDB10DFA8CC44AAF7BB8AF45311F14465AE906F7292DF38DD45CB69

Function 0045F740 Relevance: 30.2, APIs: 13, Strings: 4, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004794D0: CreateWindowExW.USER32(00000000,004C63CC,?,80000000,?,?,?,?,00000000,00000000,FFB063A1,00000000), ref: 00479508
Part of subcall function 004794D0: SetWindowTextW.USER32(00000000), ref: 00479526

GetWindowLongW.USER32(00000000), ref: 0045F7B2
SetWindowLongW.USER32(00000000), ref: 0045F7D4
GetWindowLongW.USER32(00000000), ref: 0045F7E5
SetWindowLongW.USER32(00000000), ref: 0045F80D
SetLayeredWindowAttributes.USER32(00000000), ref: 0045F826
LoadCursorW.USER32(00000000,00007F89), ref: 0045F90B
LoadCursorW.USER32(00000000,00007F89), ref: 0045F979
LoadCursorW.USER32(00000000,00007F89), ref: 0045F9D8
LoadCursorW.USER32(00000000,00007F89), ref: 0045FA46
LoadCursorW.USER32(00000000,00007F89), ref: 0045FAB4
LoadCursorW.USER32(00000000,00007F89), ref: 0045FB22
LoadCursorW.USER32(00000000,00007F89), ref: 0045FB91
LoadCursorW.USER32(00000000,00007F89), ref: 0045FD69

Strings

37Lander, xrefs: 0045F791
<<K, xrefs: 0045F772, 0045F783
about:blank, xrefs: 0045FBB3
k, xrefs: 0045F958

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CursorLoad$Window$Long$AttributesCreateLayeredText
String ID: 37Lander$<<K$about:blank$k
API String ID: 4084743896-3453783548
Opcode ID: dd44935a3f6eecce81b496bc5662843218cccad791163396b54f24d43a92a098
Instruction ID: c2bc4217ca9161658d7524009d7b03f2f064de261320ec5ee44b76db6115a91b
Opcode Fuzzy Hash: dd44935a3f6eecce81b496bc5662843218cccad791163396b54f24d43a92a098
Instruction Fuzzy Hash: 1D025E712087419FD304DF69C884F9AF7E5BF88704F10861DF25887392DBB4A949CB96

Function 0047BDB0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SaveDC.GDI32(?), ref: 0047BE07
SetBkColor.GDI32(?,?), ref: 0047BE22
SetBkMode.GDI32(?,00000001), ref: 0047BE2F
SetTextColor.GDI32(?,?), ref: 0047BE53
SelectObject.GDI32(?,?), ref: 0047BE6C
DrawTextW.USER32(?,?,?,?,00000400), ref: 0047BEF8

Strings

..., xrefs: 0047C0A4, 0047C1BA, 0047C21B

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ColorText$DrawModeObjectSaveSelect
String ID: ...
API String ID: 1550268266-440645147
Opcode ID: 5c691edb4b7eb1a418a4f4100658a5c899409fcd539600ca1ade1a85c64a9012
Instruction ID: b6bf72ac57015833bb5306b59f3e494b3191bb252137b02cd618111ba7e8137c
Opcode Fuzzy Hash: 5c691edb4b7eb1a418a4f4100658a5c899409fcd539600ca1ade1a85c64a9012
Instruction Fuzzy Hash: 24F15EB1608381EFD724DF64C885B9BF7E5FB85304F508A2EF59983251DB34A848CB96

Function 0045A330 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 0045A38C
IsWindow.USER32(?), ref: 0045A39B
GetSysColor.USER32(00000005), ref: 0045A3ED

Strings

Fju, xrefs: 0045A5CD

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$ColorRedraw
String ID: Fju
API String ID: 826266318-1243383758
Opcode ID: 97faf9a09f38d8cc4121642f98d162ef75843f1450646119fca9003bcffb18a0
Instruction ID: f5fbb35be1a4901e19ef32fa9bf3de730cd1cc3c9d91dda0a14588959476d7b0
Opcode Fuzzy Hash: 97faf9a09f38d8cc4121642f98d162ef75843f1450646119fca9003bcffb18a0
Instruction Fuzzy Hash: 97C1C1742042029FD710DF59C844B6B77E4AF88715F54861AFC84973A2D738EC5ACBAA

Function 004514E0 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS(?,?), ref: 00451503
GdipGetImageHeight.GDIPLUS(?,?,?,?), ref: 00451562
GdipGetImageWidth.GDIPLUS(?,?,?,?,?,?), ref: 00451580
GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 004515C8
__alloca_probe_16.LIBCMT ref: 004515EE
_malloc.LIBCMT ref: 00451605

Part of subcall function 004909E3: __FF_MSGBANNER.LIBCMT ref: 00490A06
Part of subcall function 004909E3: __NMSG_WRITE.LIBCMT ref: 00490A0D
Part of subcall function 004909E3: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C,00498BFF), ref: 00490A5A

GdipGetImagePalette.GDIPLUS(?,00000008,00000000,80070057,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0045164A
GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,?,00000000,?,?,?,?,?,?,?,?), ref: 004516FB

Strings

&, xrefs: 00451550

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Gdip$Image$Palette$AllocateBitmapBitsFormatHeapHeightLockPixelSizeWidth__alloca_probe_16_malloc
String ID: &
API String ID: 1016857358-3042966939
Opcode ID: 23dca05f71d618fb2fdf3e2b535ef12e4e37900e0a5d1035a337eed6a5b88afc
Instruction ID: 86bf57d83cb3a27a84e94539885b6b6e371aa195c19b79f2942f1a4544911dcd
Opcode Fuzzy Hash: 23dca05f71d618fb2fdf3e2b535ef12e4e37900e0a5d1035a337eed6a5b88afc
Instruction Fuzzy Hash: 00B171B1D00209AFDB14DFA9C880BAFB7B4EF48305F04852EED15A7352D738A944CBA5

Function 0047F6D0 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 167
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0047F719
_memset.LIBCMT ref: 0047F739
MultiByteToWideChar.KERNEL32(00000000,00000000,00000008,0000000A,?,0000000A,?,?,?,?,00000000,00000000), ref: 0047F769
__snwprintf_s.LIBCMT ref: 0047F78A
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0047F7AE

Strings

PnpInstanceID, xrefs: 0047F808
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection, xrefs: 0047F778
pci, xrefs: 0047F851
MediaSubType, xrefs: 0047F8A2

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memset$ByteCharMultiOpenWide__snwprintf_s
String ID: MediaSubType$PnpInstanceID$System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection$pci
API String ID: 381994169-3020186376
Opcode ID: 7bee4e27d8735b5509b8323f3b0bd7e0064460ec98eb8221aef09604e1fdb847
Instruction ID: 68ccf66a788fb6ef1834f55c1c940ca3e03566432b3848b4e730f1c96edca0d3
Opcode Fuzzy Hash: 7bee4e27d8735b5509b8323f3b0bd7e0064460ec98eb8221aef09604e1fdb847
Instruction Fuzzy Hash: 065177B1504301AFD724EB50CC81FEB77ECAF98358F404A2EB58997191E778D509CBAA

Function 004775D0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00450000,?,PNG,?,?,?,?,004535ED,000000DB), ref: 004775E4
FindResourceW.KERNEL32(00450000,?,00000002,?,?,?,?,004535ED,000000DB), ref: 004775F4
LoadImageW.USER32(00450000,?,00000000,00000000,00000000,00002000), ref: 0047760C

Part of subcall function 00451890: GetObjectW.GDI32(?,00000054,?), ref: 004518A1

LoadResource.KERNEL32(00450000,00000000,?,?,?,?,004535ED,000000DB), ref: 00477625
FreeResource.KERNEL32(00000000,?,?,?,?,004535ED,000000DB), ref: 00477630

Strings

PNG, xrefs: 004775D9
Fju, xrefs: 00477682

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Resource$FindLoad$FreeImageObject
String ID: Fju$PNG
API String ID: 134311421-3866893982
Opcode ID: d39bed5bebf0aacdc43cb3f1946800484889ac50888324105adce312d43c749b
Instruction ID: e7e255f335e0971553519d8972e1535205034a203645da8e42d0b58b824c0f36
Opcode Fuzzy Hash: d39bed5bebf0aacdc43cb3f1946800484889ac50888324105adce312d43c749b
Instruction Fuzzy Hash: CA31C3726002046FD7046FBABC89DBB7BACDF867A6780817BF505D2231DB358C059638

Function 00452600 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 225
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 004526A8
VariantInit.OLEAUT32(?), ref: 004526CF
VariantClear.OLEAUT32(?), ref: 0045270B
VariantClear.OLEAUT32(?), ref: 00452712
VariantInit.OLEAUT32(?), ref: 00452748
VariantInit.OLEAUT32(?), ref: 0045274F
SysAllocString.OLEAUT32(Content-Type: application/x-www-form-urlencoded), ref: 00452760
SafeArrayCreate.OLEAUT32 ref: 004527BE
SafeArrayPutElement.OLEAUT32(00000000,00000000,00000000), ref: 004527DE
VariantClear.OLEAUT32 ref: 0045285C
VariantClear.OLEAUT32(?), ref: 00452863

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 00452756

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Variant$Clear$Init$AllocArraySafeString$CreateElement
String ID: Content-Type: application/x-www-form-urlencoded
API String ID: 2495145655-2811858139
Opcode ID: 11b1e9215c8da8a6290df8d9dc8f03a13e2d1dbab309d7473d2f4f86782ad62f
Instruction ID: eacf3052b9dade290c21c106f635dc27dc705a33f4e8734420b9dddda29ed3c1
Opcode Fuzzy Hash: 11b1e9215c8da8a6290df8d9dc8f03a13e2d1dbab309d7473d2f4f86782ad62f
Instruction Fuzzy Hash: E181B272504301AFC710DF68C984B5BB7E8FF89714F104A2EF95587261EB74E909CBA6

Function 00462220 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 147
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004656E0: GetCommandLineW.KERNEL32(00640077,?,?,?,?,?,004657B2,FFB063A1,00320039,00640077), ref: 004656F0

EnterCriticalSection.KERNEL32(004C8338), ref: 0046280F
GetCurrentThreadId.KERNEL32 ref: 00462815
LeaveCriticalSection.KERNEL32(004C8338,004B5404,?), ref: 00462835

Part of subcall function 0045FDA0: GetWindowLongW.USER32(00000000), ref: 0045FDD0
Part of subcall function 0045FDA0: SetWindowLongW.USER32(00000000,?,00462283), ref: 0045FDF2
Part of subcall function 0045FDA0: GetWindowLongW.USER32(00000000), ref: 0045FE03
Part of subcall function 0045FDA0: SetWindowLongW.USER32(00000000,?,00462283), ref: 0045FE1F

Strings

(gL, xrefs: 00462279
\TK, xrefs: 00462843
<<K, xrefs: 004622B0, 004622BE, 004622E5, 004622F1, 004622F8
(gL, xrefs: 0046234A
(gL, xrefs: 00462310
(gL, xrefs: 00462237
(gL, xrefs: 00462343
(gL, xrefs: 0046225D

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LongWindow$CriticalSection$CommandCurrentEnterLeaveLineThread
String ID: (gL$(gL$(gL$(gL$(gL$(gL$<<K$\TK
API String ID: 3332472655-4075603304
Opcode ID: 7460a67f78fbf2eaf05eae9e8ff602b65565ec80d3fbfccd62f19ec1f40b70b1
Instruction ID: 80f1c7be952597dcf7251686c5fae30d8966762df70b3530c30b3ba2a1e359e1
Opcode Fuzzy Hash: 7460a67f78fbf2eaf05eae9e8ff602b65565ec80d3fbfccd62f19ec1f40b70b1
Instruction Fuzzy Hash: 5451E0B1904300ABC740EF59C844B5FBBE4EB84718F408A2FF48497311EB79A9098B9F

Function 00451B10 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 147
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadResource.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 00451B1C
FreeResource.KERNEL32(00000000,?,?,00000000), ref: 00451B27
LockResource.KERNEL32(00000000,?,?,00000000), ref: 00451B3A
SizeofResource.KERNEL32(00000000,00000000,?,?,00000000), ref: 00451B45
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000), ref: 00451B50
GlobalLock.KERNEL32(00000000), ref: 00451B59
GlobalUnlock.KERNEL32(00000000), ref: 00451B6B
CreateStreamOnHGlobal.OLE32 ref: 00451B81
GlobalFree.KERNELBASE(00000000), ref: 00451BB0

Strings

Fju, xrefs: 00451B81

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Global$Resource$FreeLock$AllocCreateLoadSizeofStreamUnlock
String ID: Fju
API String ID: 2766553018-1243383758
Opcode ID: 713ee1ef5aa6061868998710a8e3c179249956b4008329ffba3cd1184cbaf9ed
Instruction ID: 31862a80de76183fe9b8c2042dd292381c1125a53ac3621dacf7b7598520bcfa
Opcode Fuzzy Hash: 713ee1ef5aa6061868998710a8e3c179249956b4008329ffba3cd1184cbaf9ed
Instruction Fuzzy Hash: 6F415B727042105BC3049B29DC95A3BBBE9EFD5286F08416FFC88DB372D635D80A87A5

Function 00451CC0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 116
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(00000000), ref: 00451D23
CreateCompatibleDC.GDI32(00000000), ref: 00451D2C
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00451D60
SelectObject.GDI32(?,00000000), ref: 00451D6E
FindResourceW.KERNEL32(00000000,000000AA,PNG), ref: 00451D80
UpdateLayeredWindow.USER32(00000000), ref: 00451DBB
DeleteObject.GDI32(00000000), ref: 00451DC2
ReleaseDC.USER32(00000000), ref: 00451DE0
ReleaseDC.USER32(00000000), ref: 00451DF0

Part of subcall function 00451B10: LoadResource.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 00451B1C
Part of subcall function 00451B10: FreeResource.KERNEL32(00000000,?,?,00000000), ref: 00451B27

Strings

po)u0F)u, xrefs: 00451D60
PNG, xrefs: 00451D74

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Resource$CompatibleCreateObjectRelease$BitmapDeleteFindFreeLayeredLoadSelectUpdateWindow
String ID: PNG$po)u0F)u
API String ID: 3808468193-1086448810
Opcode ID: 8bcc8a1b516d1fa73cfc1d21997ee42fcf066de73cb3651643da074119fcde5e
Instruction ID: f536792f324e07ec1903c0f8d2ca5faf65407612b49dc10bd8f80be2529636b3
Opcode Fuzzy Hash: 8bcc8a1b516d1fa73cfc1d21997ee42fcf066de73cb3651643da074119fcde5e
Instruction Fuzzy Hash: DF411B75204240AFD304DFA8C894E6AB7E9BFCC210F158A5DF599C7261DB34E905CBA6

Function 00460770 Relevance: 15.1, APIs: 10, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(00000000), ref: 00460784
SetWindowLongW.USER32(00000000), ref: 004607B0
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004607C1
GetClientRect.USER32(00000000), ref: 004607D9
MoveWindow.USER32(?,0000009C,0000009C,00000032,00000032,00000000), ref: 004607F7
LoadCursorW.USER32(00000000,00007F89), ref: 0046081C
MoveWindow.USER32(?,00000180,000000C3,0000025C,0000014D,00000000), ref: 0046083F
ShowWindow.USER32(00000000), ref: 0046086F
SetWindowPos.USER32(00000000), ref: 004608B6
ShowWindow.USER32(00000000), ref: 004608CB

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$LongMoveShow$ClientCursorInfoLoadParametersRectSystem
String ID:
API String ID: 1741983491-0
Opcode ID: 6e2c8af7b4f7765086a0eeaf66897551ca18b0d134c0d74b9abc6b21b2f6afa4
Instruction ID: 08c6374872682f5156a9e0676e10ee84b2a3fff35d9684ac431bd8096a719f41
Opcode Fuzzy Hash: 6e2c8af7b4f7765086a0eeaf66897551ca18b0d134c0d74b9abc6b21b2f6afa4
Instruction Fuzzy Hash: 4D419F71204301AFE714DB68CC99F6B77E9FB88710F148728F699C72D0DA74E9008BA9

Function 004832F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00483860: _vswprintf_s.LIBCMT ref: 00483870

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?), ref: 00483356
_memset.LIBCMT ref: 0048337C
_memcpy_s.LIBCMT ref: 004833AF
DeviceIoControl.KERNEL32 ref: 004833E2
CloseHandle.KERNEL32(00000000), ref: 004834A6

Strings

SCSIDISK, xrefs: 00483383
\\.\Scsi%d:, xrefs: 0048332B

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memcpy_s_memset_vswprintf_s
String ID: SCSIDISK$\\.\Scsi%d:
API String ID: 2759781257-2176293039
Opcode ID: 90666de75e8b7c7e2258f698abb1046b246d545033322c0ac184432daf4400a4
Instruction ID: a9069b8b54287551b19e8d6eeed792e9de5c7add2b79ff23a32c34d8c56644a0
Opcode Fuzzy Hash: 90666de75e8b7c7e2258f698abb1046b246d545033322c0ac184432daf4400a4
Instruction Fuzzy Hash: D4415BB05083409BD334DF25C885B6BB7E4BBC8B05F40491EFAD996291E7B89548CB5A

Function 00459A70 Relevance: 12.2, APIs: 8, Instructions: 165comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004B4AAC,00000000,00000001,004B4A6C,?,FFB063A1,?,?,?), ref: 00459B4F

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: cc3d95f15fb27299137ebfd6806c8ffa0e7bb071ec4a9d7b8dc3eebf16643c1b
Instruction ID: 3e9892cb8424a598bd859128bad0a1c8d7a4cdb34b520f347074df10d5b4c7cf
Opcode Fuzzy Hash: cc3d95f15fb27299137ebfd6806c8ffa0e7bb071ec4a9d7b8dc3eebf16643c1b
Instruction Fuzzy Hash: 3851D534204341EFD721EF589C44B6777E5EB88702F80492FFD8686296E3B89C49876E

Function 0046E7C0 Relevance: 10.6, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(02578E88,FFB063A1,00000007,?,004B6608), ref: 0046E802
PathFileExistsW.SHLWAPI(02578E88,004B6608,02578E86), ref: 0046E85A
CreateDirectoryW.KERNEL32(02578E88,00000000), ref: 0046E866
PathFileExistsW.SHLWAPI(?,00000000,004B6608,02578E86), ref: 0046E8AD
CreateDirectoryW.KERNEL32(?,00000000), ref: 0046E8C8
PathFileExistsW.SHLWAPI(02578E88,004B6608), ref: 0046E911
CreateDirectoryW.KERNEL32(02578E88,00000000), ref: 0046E919

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ExistsFilePath$CreateDirectory
String ID:
API String ID: 3245115503-0
Opcode ID: 9a1eb6150bc2c7564f058fa452fa151373df09a72915a3b0479f718baa45607a
Instruction ID: 4b461e0a2fc56c71fb0729a2205dde4d94cedcacf14e3a5f0b877fa318eca12b
Opcode Fuzzy Hash: 9a1eb6150bc2c7564f058fa452fa151373df09a72915a3b0479f718baa45607a
Instruction Fuzzy Hash: 69518EB56083009FDB50EF25D881A5BB7E8AF85B18F440A2EF94597250F739E9088B5B

Function 0045AEF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0045AF6F
GetWindowLongW.USER32(?,000000FC), ref: 0045AF84
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 0045AF99
GetWindowLongW.USER32(?,000000FC), ref: 0045AFB4
SetWindowLongW.USER32(?,000000FC,?), ref: 0045AFC6

Strings

$, xrefs: 0045AF36

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 30aeb968268711938c4dfdaaddf6a85755b3112e411b3978f5aad88ef8fe1982
Instruction ID: cf2bf5ca6b90cf6f906a5a72a727895d7b4c4e9b43cd3eb4324c8a569174446a
Opcode Fuzzy Hash: 30aeb968268711938c4dfdaaddf6a85755b3112e411b3978f5aad88ef8fe1982
Instruction Fuzzy Hash: B14105B1608700AFC364DF5AD88081BFBF8FF88714F508A1EF99A83661D731E8458B56

Function 004913D9 Relevance: 10.6, APIs: 7, Instructions: 71threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0049140A
__calloc_crt.LIBCMT ref: 00491416
__getptd.LIBCMT ref: 00491423
__initptd.LIBCMT ref: 0049142C
CreateThread.KERNEL32(?,?,00491356,00000000,?,?), ref: 0049145A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00491464
__dosmaperr.LIBCMT ref: 0049147C

Part of subcall function 004974C6: __getptd_noexit.LIBCMT ref: 004974C6

Part of subcall function 00491735: __decode_pointer.LIBCMT ref: 00491740

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
String ID:
API String ID: 3358092440-0
Opcode ID: e5322eb4d9cd110d5c34f2183c3930919b4e54033834b88694205051df2635b5
Instruction ID: dcf85f5cb9e4d9d4a37837c999e6d2c40302297bf75cdf65a592699783313585
Opcode Fuzzy Hash: e5322eb4d9cd110d5c34f2183c3930919b4e54033834b88694205051df2635b5
Instruction Fuzzy Hash: 7611EB72504206AFDF10BFA5DC4289F7FA4EF04368B10407FF50597161E7398911D7A9

Function 0048ED27 Relevance: 10.6, APIs: 7, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0000000D,000000E9,0045B0E3,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECA8
HeapAlloc.KERNEL32(00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECAF

Part of subcall function 0048EBC0: IsProcessorFeaturePresent.KERNEL32(0000000C,0048EC96,000000E9,0045B0E3,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0048EBC2

RtlInterlockedPopEntrySList.NTDLL(008C1468), ref: 0048ECBC
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECD1
RtlInterlockedPopEntrySList.NTDLL(00000000), ref: 0048ECEA
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECFE
RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 0048ED15

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: EntryInterlockedList$AllocHeapVirtual$FeatureFreePresentProcessProcessorPush
String ID:
API String ID: 2304957937-0
Opcode ID: 24019b389bf53897120c8bd13645edac9e37c3c27cbdadbe68596101610e46b6
Instruction ID: cd7417b4e642ec6e12a6acf7c58530312f3f18b0982facc6bd27b5725622b39f
Opcode Fuzzy Hash: 24019b389bf53897120c8bd13645edac9e37c3c27cbdadbe68596101610e46b6
Instruction Fuzzy Hash: 5F018431A40611A7E7717726BC1CF5E3695AB80751F250972F901D62E0DA28EC809B5C

Function 00451E00 Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000), ref: 00451E12
SetWindowLongW.USER32(00000000), ref: 00451E3E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00451E4F
GetClientRect.USER32(00000000), ref: 00451E66
SetWindowPos.USER32(00000000), ref: 00451EC2
ShowWindow.USER32(00000000), ref: 00451ED7

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$Long$ClientInfoParametersRectShowSystem
String ID:
API String ID: 3719960163-0
Opcode ID: 76536baa52cbf26c7128254cc4f4ec70317c2d1dfc4331806bf4f1ef27ce1e1d
Instruction ID: 4bffc79954e1fe554e0c0a900234a624fd4675323296e32b5d28b008282d92b6
Opcode Fuzzy Hash: 76536baa52cbf26c7128254cc4f4ec70317c2d1dfc4331806bf4f1ef27ce1e1d
Instruction Fuzzy Hash: 83216D75204201AFE704DBACDC59F2E77E9EB88715F148B28F695C72E0CB34E9048B69

Function 00476F70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D,?,?,?,00476F18,?,?,?), ref: 00476FB0
FlushInstructionCache.KERNEL32(00000000,?,00476F18,?,?,?), ref: 00476FB7
CreateWindowExW.USER32(000000E9,?,?,?,?,00000000,000000E9,?,00476F18,?,00450000,00000000), ref: 00477024

Part of subcall function 0048ED27: GetProcessHeap.KERNEL32(00000000,0000000D,000000E9,0045B0E3,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECA8
Part of subcall function 0048ED27: HeapAlloc.KERNEL32(00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECAF

SetLastError.KERNEL32(0000000E,?,?,?,00476F18,?,?,?), ref: 00477032

Strings

D6L, xrefs: 00476FEA

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: HeapProcess$AllocCacheCreateCurrentErrorFlushInstructionLastWindow
String ID: D6L
API String ID: 806723916-2124701888
Opcode ID: f1e929bc12bf56ce78a807bdf4d12f7f2397bcc2d1e0e1fd435fdf1a8e6c9baf
Instruction ID: 023a4ddb45c7c72876f0a0500348f9973ade40740f34da4eafc5c57f8308380f
Opcode Fuzzy Hash: f1e929bc12bf56ce78a807bdf4d12f7f2397bcc2d1e0e1fd435fdf1a8e6c9baf
Instruction Fuzzy Hash: E4216B32600211AFD310DF69E908F6BB7E9EB88710F05866AF449A7350D764EC04CBA5

Function 0045B0D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,0000000D,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0045B10F
FlushInstructionCache.KERNEL32(00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0045B116
CreateWindowExW.USER32(?,?,000000E9,?,?,00000000,000000E9,?,00000000,?,00450000,00000000), ref: 0045B181

Part of subcall function 0048ED27: GetProcessHeap.KERNEL32(00000000,0000000D,000000E9,0045B0E3,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECA8
Part of subcall function 0048ED27: HeapAlloc.KERNEL32(00000000,?,00476FCC,?,00476F18,?,?,?), ref: 0048ECAF

SetLastError.KERNEL32(0000000E,?,?,?,00476FCC,?,00476F18,?,?,?), ref: 0045B18F

Strings

D6L, xrefs: 0045B14A

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: HeapProcess$AllocCacheCreateCurrentErrorFlushInstructionLastWindow
String ID: D6L
API String ID: 806723916-2124701888
Opcode ID: 290ea3a9729e9c5f72052a59e313c5f6c81232238f7c56f21d902f5e87c0c77d
Instruction ID: 27d5172d9f9359b14c0e1cde88cae48b05d637b3c34974d087a0179fb4934076
Opcode Fuzzy Hash: 290ea3a9729e9c5f72052a59e313c5f6c81232238f7c56f21d902f5e87c0c77d
Instruction Fuzzy Hash: 66216672600201AFD3109F69E818F27B7E8EB88751F05862AF9559B3A1D764EC04CBA8

Function 00451A75 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 004794D0: CreateWindowExW.USER32(00000000,004C63CC,?,80000000,?,?,?,?,00000000,00000000,FFB063A1,00000000), ref: 00479508
Part of subcall function 004794D0: SetWindowTextW.USER32(00000000), ref: 00479526

GetWindowLongW.USER32(00000000), ref: 00451AA1
SetWindowLongW.USER32(00000000,?,00000000), ref: 00451AC3
GetWindowLongW.USER32(00000000), ref: 00451AD4
SetWindowLongW.USER32(00000000,?,00000000), ref: 00451AFC

Strings

37Lander, xrefs: 00451A80

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$Long$CreateText
String ID: 37Lander
API String ID: 4221524402-3989498111
Opcode ID: 1d891dde426f5e70340c3a0b593c8cdbfad84982cacf37aef6b7e516db107561
Instruction ID: 08cdc352bfbaf7755bee787ae002d399b367913a42fe9b0526946a10e6fa3ba4
Opcode Fuzzy Hash: 1d891dde426f5e70340c3a0b593c8cdbfad84982cacf37aef6b7e516db107561
Instruction Fuzzy Hash: AA0152352101106BDA14EBACCC80F5E73ADABC9320F248725F565C72D2CA789D018BA8

Function 00469840 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25registrywindowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00469875
LoadCursorW.USER32(00000000,00007F00), ref: 00469886
RegisterClassExW.USER32 ref: 004698B4

Strings

0, xrefs: 00469849
37Lander, xrefs: 004698A8

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Load$ClassCursorIconRegister
String ID: 0$37Lander
API String ID: 738324305-3700166263
Opcode ID: 253854a41ad20a6928dc40bb6d517f7cc3dadfdbfb65e701117c28a6a50da902
Instruction ID: bb8fbe3425908a097d17c36c4967c81b074fd601eb329fc38815d0af35cbd1c6
Opcode Fuzzy Hash: 253854a41ad20a6928dc40bb6d517f7cc3dadfdbfb65e701117c28a6a50da902
Instruction Fuzzy Hash: 15F097B04083419FE700DF64C458B0BBFE4BB84348F408E1DF4999A2A1E3B9820DCF8A

Function 0045E5D0 Relevance: 7.7, APIs: 5, Instructions: 193COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004C8338,FFB063A1,?,?), ref: 0045E63A
GetModuleFileNameW.KERNEL32(00450000,?,00000104), ref: 0045E6B0
LoadTypeLib.OLEAUT32(?,?), ref: 0045E6D7
LoadRegTypeLib.OLEAUT32(?,00000000,?,?,?), ref: 0045E708
LeaveCriticalSection.KERNEL32(004C8338), ref: 0045E823

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalLoadSectionType$EnterFileLeaveModuleName
String ID:
API String ID: 2487232618-0
Opcode ID: 05b5e860d2bf851a4a07ba48fa1037aa86d2b83390db9c73c992e69fd9d37063
Instruction ID: 8079738cadb0c75f843203d3f65b0577ab0a3acb719a87d95ebc4b10114b6a8c
Opcode Fuzzy Hash: 05b5e860d2bf851a4a07ba48fa1037aa86d2b83390db9c73c992e69fd9d37063
Instruction Fuzzy Hash: 7C71AC71604341DFC714DF55C88496BB7E5FF88304F10892EF9499B262C738EA49CB96

Function 00480F30 Relevance: 7.6, APIs: 5, Instructions: 65processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,75A8E9B0,00000008), ref: 00480F4C
_memset.LIBCMT ref: 00480F68
Process32FirstW.KERNEL32 ref: 00480F7E
Process32NextW.KERNEL32(00000000,00000000), ref: 00480FC5
CloseHandle.KERNEL32(00000000), ref: 00480FD3

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: fa3e16d3e49749b972a7e7c0dc76f3f7f5fe35e7cfb816d305fb43e3cd41f95d
Instruction ID: 3424d5d7b58fe7bbb6681ce520f497edc16338cbdc80c396e1de28dd831c2138
Opcode Fuzzy Hash: fa3e16d3e49749b972a7e7c0dc76f3f7f5fe35e7cfb816d305fb43e3cd41f95d
Instruction Fuzzy Hash: AB1126212202016AD670FB30CC56BEF7295AF24354F448E2AEB55862C0F7ADD509C79A

Function 004606E0 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000), ref: 004606EF
SetWindowLongW.USER32(00000000), ref: 0046070F
SetWindowPos.USER32(00000000,?,?,?,?,?,?,?,?,00469818), ref: 00460741
ShowWindow.USER32(00000000,?,?,?,?,?,?,?,?,00469818), ref: 00460756
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00460769

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$Long$CallbackDispatcherShowUser
String ID:
API String ID: 3811841433-0
Opcode ID: f75d9ccd8884cfdebc69748f90f5b7469470873c5b99abd69806de4d4705412e
Instruction ID: f9c6dbea830195345a1b206b4bc9230117112282483aa3946593e8ab54feeb86
Opcode Fuzzy Hash: f75d9ccd8884cfdebc69748f90f5b7469470873c5b99abd69806de4d4705412e
Instruction Fuzzy Hash: A4011E747105109FEB10AB68CC58F3973E9BB88710F258764F596D73E0DB35A801CB68

Function 00482C10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00000000,0047FA5E,?,00000000,00481C22,?,00000007,00000008), ref: 00482C35
GetProcessAffinityMask.KERNEL32(00000000,00000004,00000008), ref: 00482C46

Strings

000806F8-00010800-7FFA3203-0F8BFBFF, xrefs: 00482C24, 00482C7F

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID: 000806F8-00010800-7FFA3203-0F8BFBFF
API String ID: 1231390398-3195693976
Opcode ID: 3a7f2daaf5fb419eb4f2608440b72b9bb797fc9cdf110d6d379fad633610175b
Instruction ID: 4f1874bbb1c0e56d45d82e758fcc547ccdd78befb8005049f115a70a38c9ee7c
Opcode Fuzzy Hash: 3a7f2daaf5fb419eb4f2608440b72b9bb797fc9cdf110d6d379fad633610175b
Instruction Fuzzy Hash: 6901B5362011185FD7609F19FC84BABB3E8FB81321F10497FF809C7610DAB59C459754

Function 004599B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32stringCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004599C5
GetClassNameW.USER32(00000000,00000008,00000008), ref: 004599D3
lstrcmpW.KERNEL32(?,#32770), ref: 004599F8

Strings

#32770, xrefs: 004599EE

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClassNameParentlstrcmp
String ID: #32770
API String ID: 3513268407-463685578
Opcode ID: 3485a3515098a60fa483ea4f380dba034c025b643cdfcb3e7090116477de4511
Instruction ID: c923cc630d43d6dec72ae89df6f0fc49de4dca5efe0619ecb12ebc3d4f54cd5f
Opcode Fuzzy Hash: 3485a3515098a60fa483ea4f380dba034c025b643cdfcb3e7090116477de4511
Instruction Fuzzy Hash: DCF030B5A143019FCB04EF74C95AD5B77E4BB98B04F804D2DB542C7261EB74D408CBAA

Function 0045FE30 Relevance: 6.1, APIs: 4, Instructions: 89windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 0045FE7F
DefWindowProcW.USER32(?,?,?,?,?,?,?,?), ref: 0045FEA8

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: cef10a143b76a94c18941a08c5e015496b0586bd81e6d562d1605b8323d34845
Instruction ID: aad86407ebda4bcd8d3816eb99924bf0949c9a3bf8d75d9e635288677960d575
Opcode Fuzzy Hash: cef10a143b76a94c18941a08c5e015496b0586bd81e6d562d1605b8323d34845
Instruction Fuzzy Hash: 9B21C57330410867D714DE6DAC49EAB7359EB89322F144637FE09C7692DA249C1483AA

Function 00469620 Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(004B5420,00000000,00000000,00000000,00000000), ref: 0046963D
KiUserCallbackDispatcher.NTDLL(004B5420,00000000,00000000,00000000), ref: 0046965F
TranslateMessage.USER32(004B5420), ref: 0046967C
DispatchMessageW.USER32(004B5420), ref: 00469683

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherPeekTranslateUser
String ID:
API String ID: 1533324876-0
Opcode ID: 7f96d1d111aa591b72bc74d7fefee1a6c7dc71fd5f331ebe01fdaebb0d61938d
Instruction ID: dc083664a1f2b947bd20b60bc784c35ccc1e182cc64421e4e691a837ee6eff82
Opcode Fuzzy Hash: 7f96d1d111aa591b72bc74d7fefee1a6c7dc71fd5f331ebe01fdaebb0d61938d
Instruction Fuzzy Hash: 1C115B303423056BE7245A68DC98BAB736CEF45344F644216E611DA2E0F7B9EC16869F

Function 00459D70 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

AXWIN, xrefs: 0045A0D2

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID: AXWIN
API String ID: 0-1948516679
Opcode ID: 3045ebab668d19405f6cb1f6fb17103835e43a74c3bf70f3fbaba53854cfc850
Instruction ID: a09a4e3f5d66eb0a2014bf3d9865df2488b48849e3072251f1358525d077e0a9
Opcode Fuzzy Hash: 3045ebab668d19405f6cb1f6fb17103835e43a74c3bf70f3fbaba53854cfc850
Instruction Fuzzy Hash: 95020074204701AFD714DF68C880F6BB3EABF89704F248A4DE9598B391DB75E805CB65

Function 00457360 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 004573BD
_memcpy_s.LIBCMT ref: 0045741E

Strings

about:blank, xrefs: 004573A2, 00457418

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String_base::_Xlen_memcpy_sstd::_
String ID: about:blank
API String ID: 923394732-258612819
Opcode ID: ac0f1ac8c91b34b44f0343ad7b65e9815004c50d6554e4abf011edd9b4cfb785
Instruction ID: e10435239e2d429f34b11fd57d32cf50ea13ac9161265c5141ffbfed111157ca
Opcode Fuzzy Hash: ac0f1ac8c91b34b44f0343ad7b65e9815004c50d6554e4abf011edd9b4cfb785
Instruction Fuzzy Hash: EF31B6713086008B8724DE59E9C482FB3EAEFD6312350493FED56CB612E738E849D769

Function 0045D9E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045DE30: EnterCriticalSection.KERNEL32(004C5340,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000), ref: 0045DE42
Part of subcall function 0045DE30: RegisterWindowMessageW.USER32(WM_ATLGETHOST,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000,00000000), ref: 0045DE53
Part of subcall function 0045DE30: RegisterWindowMessageW.USER32(WM_ATLGETCONTROL,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000,00000000), ref: 0045DE5F
Part of subcall function 0045DE30: GetClassInfoExW.USER32(00450000,AtlAxWin90,?), ref: 0045DE80
Part of subcall function 0045DE30: LoadCursorW.USER32 ref: 0045DEBC
Part of subcall function 0045DE30: RegisterClassExW.USER32 ref: 0045DEE3
Part of subcall function 0045DE30: _memset.LIBCMT ref: 0045DF0E
Part of subcall function 0045DE30: GetClassInfoExW.USER32(00450000,AtlAxWinLic90,?), ref: 0045DF2A
Part of subcall function 0045DE30: LoadCursorW.USER32 ref: 0045DF6A
Part of subcall function 0045DE30: RegisterClassExW.USER32 ref: 0045DF91
Part of subcall function 0045DE30: LeaveCriticalSection.KERNEL32(004C5340,?,?,?,?,?,?,?,?,?,?,?,?,0045D9F2,00000000,00000000), ref: 0045DFBF

SysFreeString.OLEAUT32(00000000), ref: 0045DA54
SysAllocString.OLEAUT32(00000000), ref: 0045DA80

Strings

`<u, xrefs: 0045DA54

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ClassRegister$CriticalCursorInfoLoadMessageSectionStringWindow$AllocEnterFreeLeave_memset
String ID: `<u
API String ID: 2093999386-3367579956
Opcode ID: 631a171a3118c8320755a9722250d585ad4d83780a7ecd29f56da5ce3e27d176
Instruction ID: e23d0a2d603b1e53d3015bed6081287a4bafd3e2e7ff1764bf6d5200c16a30c9
Opcode Fuzzy Hash: 631a171a3118c8320755a9722250d585ad4d83780a7ecd29f56da5ce3e27d176
Instruction Fuzzy Hash: 7C313E72A043019F8310EFA9C8C086BB3E9AFC8705B144A6EF949D7215D635DD09CBA5

Function 00461DB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

__localtime64_s.LIBCMT ref: 00461DE0
__cftof.LIBCMT ref: 00461DFC

Strings

%Y-%m-%d %H:%M:%S, xrefs: 00461DF1

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __cftof__localtime64_s
String ID: %Y-%m-%d %H:%M:%S
API String ID: 1985225485-1763325376
Opcode ID: 19365608cb843dc275f8ff1d03f1bdc8f5e803a6da692a4661076768d2a138bd
Instruction ID: f4631ec264e976ddc2c1a257e90104668739890aec5bc8aa07ba63c2ba026b82
Opcode Fuzzy Hash: 19365608cb843dc275f8ff1d03f1bdc8f5e803a6da692a4661076768d2a138bd
Instruction Fuzzy Hash: E6F0A4715143005BD760E724C942BFF76D4AF98705F04092EFD85C6250FA38E624C79B

Function 00481000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\MpSoft\smenu,00000000,00000001,-00000002,00000008,SOFTWARE\MpSoft\smenu,004810DF,?,00481AE9), ref: 00481016
RegCloseKey.ADVAPI32(-00000002,?,00481AE9), ref: 00481027

Strings

SOFTWARE\MpSoft\smenu, xrefs: 00481000, 0048100C

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseOpen
String ID: SOFTWARE\MpSoft\smenu
API String ID: 47109696-256314576
Opcode ID: edf2fa2f7d5c9bf4f402438bf21270ceeb4d8c23434ee8f7ba6fea3dc985a463
Instruction ID: 873a400f418687dd1b0290f2988910c8e8de8bbb26455dcff6aab73918611d84
Opcode Fuzzy Hash: edf2fa2f7d5c9bf4f402438bf21270ceeb4d8c23434ee8f7ba6fea3dc985a463
Instruction Fuzzy Hash: AAD05BF51453047FF3009F50DCC9E6777ACEB54654F205A2FF54582521E6B1DC849B61

Function 0047E630 Relevance: 4.7, APIs: 3, Instructions: 172sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0047EEB0: EnterCriticalSection.KERNEL32(?), ref: 0047EEC6
Part of subcall function 0047EEB0: LeaveCriticalSection.KERNEL32(?), ref: 0047EED3

Sleep.KERNEL32(00000064), ref: 0047E6F2
DeleteFileW.KERNEL32(00000020), ref: 0047E74B
WaitForSingleObject.KERNEL32(?,00002710,FFB063A1), ref: 0047E7DA

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$DeleteEnterFileLeaveObjectSingleSleepWait
String ID:
API String ID: 1903541510-0
Opcode ID: 77148a001e13d7b3ad368715a5aebe34275835bdada5f25d7ac67b57444119a6
Instruction ID: 13d5b28e0eb345f7c92225ca105a0242755f57c56730215e12fdd51784962b66
Opcode Fuzzy Hash: 77148a001e13d7b3ad368715a5aebe34275835bdada5f25d7ac67b57444119a6
Instruction Fuzzy Hash: CB516F75600741DFCB24EF66C9C5957B3E4BB48308F408F6EF19A86A50E738E844CB9A

Function 00468030 Relevance: 4.6, APIs: 3, Instructions: 121COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0046809A
std::_String_base::_Xlen.LIBCPMT ref: 004680B4
_memcpy_s.LIBCMT ref: 00468122

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String_base::_Xlenstd::_$_memcpy_s
String ID:
API String ID: 709706234-0
Opcode ID: e406e7a910b18f140a7029c51586f88add215af7d614582a5b81ec085b0c48ee
Instruction ID: c30ba7ed8798bd09416fd486b7fcc027af76fa32f2c5691180ac0cb2cac77936
Opcode Fuzzy Hash: e406e7a910b18f140a7029c51586f88add215af7d614582a5b81ec085b0c48ee
Instruction Fuzzy Hash: FB31D5327006048B8720EE68D98086BB3E6EFD67117114F6FE552CB611FF35EC4987AA

Function 004571B0 Relevance: 4.6, APIs: 3, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00457266
DispCallFunc.OLEAUT32(?,00000000,?,?,?,?,00000000,?), ref: 00457292
VariantClear.OLEAUT32(?), ref: 0045729F

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Variant$CallClearDispFuncInit
String ID:
API String ID: 47416843-0
Opcode ID: 77915e7d40e9207d934a40ba8a4a08377af325f659a4089cb5a2b1f455e5f052
Instruction ID: 6b09b38a26965b2f1bff90d6f8d4b46c08d558319d4fbb94685b9b7f647586c5
Opcode Fuzzy Hash: 77915e7d40e9207d934a40ba8a4a08377af325f659a4089cb5a2b1f455e5f052
Instruction Fuzzy Hash: 8C318D719083149BC700CF69D88496BB7E5FBC4741F148A6AFC49CB305E335E906CB99

Function 00451470 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00451080: EnterCriticalSection.KERNEL32(004C52A4,00000000,?,?,?,?,?,?,00451479,00000000,?,?,?,00000000,00000001,?), ref: 00451089
Part of subcall function 00451080: GdiplusStartup.GDIPLUS(004C52A0,?,?,?,?,?,?,?,?,00451479,00000000,?,?,?,00000000,00000001), ref: 004510BD
Part of subcall function 00451080: LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,?,?,00451479,00000000,?,?,?,00000000,00000001,?), ref: 004510CD

GdipCreateBitmapFromStream.GDIPLUS ref: 00451495
GdipDisposeImage.GDIPLUS(00000000), ref: 004514AB
GdipDisposeImage.GDIPLUS(?), ref: 004514D1

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Gdip$CriticalDisposeImageSection$BitmapCreateEnterFromGdiplusLeaveStartupStream
String ID:
API String ID: 1309914149-0
Opcode ID: 4603b1e323d989ad622e6f3062b00b0a9f367d1f21e42781c343f8209d4e34a7
Instruction ID: ae4bcc93fd5826b2fc187e7fe4f0ccefc6406ab0fafc3b6de0a1cf155c971971
Opcode Fuzzy Hash: 4603b1e323d989ad622e6f3062b00b0a9f367d1f21e42781c343f8209d4e34a7
Instruction Fuzzy Hash: 67F04F765083116B8610FF59884195FBBE4ABC4759F408A1EF98897312D738C9088FDA

Function 0049100C Relevance: 4.5, APIs: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00491026

Part of subcall function 004909E3: __FF_MSGBANNER.LIBCMT ref: 00490A06
Part of subcall function 004909E3: __NMSG_WRITE.LIBCMT ref: 00490A0D
Part of subcall function 004909E3: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00497326,?,00000001,?,?,00498B6E,00000018,004BB660,0000000C,00498BFF), ref: 00490A5A

std::bad_alloc::bad_alloc.LIBCMT ref: 00491049

Part of subcall function 00490FF1: std::exception::exception.LIBCMT ref: 00490FFD

__CxxThrowException@8.LIBCMT ref: 0049106B

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID:
API String ID: 3715980512-0
Opcode ID: cd827a9be48b88993810e250669b71114ca4f0e71a0b8a2ce180ffb4aad765b2
Instruction ID: a562860a76a56b82c36a29c0f9f00d3469ad090ebf969bc9d23e9f603e6992bb
Opcode Fuzzy Hash: cd827a9be48b88993810e250669b71114ca4f0e71a0b8a2ce180ffb4aad765b2
Instruction Fuzzy Hash: 64F0273150014776CF08BB22DC0BE9E3F699F40358B10403FF800A98A6DFAEEE84915C

Function 00482CA0 Relevance: 4.5, APIs: 3, Instructions: 29sleepCOMMON

Download Yara Rule

APIs

SetProcessAffinityMask.KERNEL32(?,?), ref: 00482CB6
Sleep.KERNEL32(00000000), ref: 00482CC2
SetProcessAffinityMask.KERNEL32(?,?), ref: 00482CE4

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: AffinityMaskProcess$Sleep
String ID:
API String ID: 398880829-0
Opcode ID: caba7f621f8367dc9632a05fb67698a6281ec647f0b71c79c7f8b4a1defc21e5
Instruction ID: 6a29e3d004cb85b80939e943fbf754084ed079af5d6c177f100555dac38e3dc1
Opcode Fuzzy Hash: caba7f621f8367dc9632a05fb67698a6281ec647f0b71c79c7f8b4a1defc21e5
Instruction Fuzzy Hash: B5F012753006019BD724EB61CA54E2F73E8AF54B42B50CD2EF856C3790D7B8D880DB28

Function 00451080 Relevance: 4.5, APIs: 3, Instructions: 27COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004C52A4,00000000,?,?,?,?,?,?,00451479,00000000,?,?,?,00000000,00000001,?), ref: 00451089
GdiplusStartup.GDIPLUS(004C52A0,?,?,?,?,?,?,?,?,00451479,00000000,?,?,?,00000000,00000001), ref: 004510BD
LeaveCriticalSection.KERNEL32(004C52A4,?,?,?,?,?,?,00451479,00000000,?,?,?,00000000,00000001,?), ref: 004510CD

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$EnterGdiplusLeaveStartup
String ID:
API String ID: 389129658-0
Opcode ID: cfc545d36d4c0c992aaa0b24d869e1d22de9a6675526b470dd88a736e6872fb7
Instruction ID: b3c51f0bcdc031e9d6e6e83704eb9bb00e757d5b20b953f04f19fdebc9d283aa
Opcode Fuzzy Hash: cfc545d36d4c0c992aaa0b24d869e1d22de9a6675526b470dd88a736e6872fb7
Instruction Fuzzy Hash: 7AF08C74540302AF8344CF609C41B9FBAE4AB48700F90097FE841D22A1E638A58CCFAB

Function 0046E590 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,0000009E,0000001A,00000000,FFB063A1,00000000,?,?,00000007), ref: 0046E633

Strings

mk-jzcq, xrefs: 0046E6A2

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: FolderPathSpecial
String ID: mk-jzcq
API String ID: 994120019-1212179800
Opcode ID: 14ed87298bfd8c99aad9995a13a571f604bead3da1527d67213e3e1ff353b234
Instruction ID: 58e9e75e6fcdd02f48654ae291f57622ed89eb52d0a389cbe55f578db2a1bbe9
Opcode Fuzzy Hash: 14ed87298bfd8c99aad9995a13a571f604bead3da1527d67213e3e1ff353b234
Instruction Fuzzy Hash: B951E0799093409FD760EF15DC45B8BB7E4EB84328F604A3EF565872D1FA399804CB8A

Function 0046EBD0 Relevance: 3.1, APIs: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046EC7D
GetPrivateProfileStringW.KERNEL32(?,?,?,?,00000104,?), ref: 0046ECEF

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: PrivateProfileString_memset
String ID:
API String ID: 52020338-0
Opcode ID: 58d4d9a12d8a1c13c3bdc0e298cca58a9983d4f703ca6481d5c757ef08a2c7cc
Instruction ID: 7f83581d13d0def05e9dc7bb50dbd6b326ec2913ab28b98ef96225f921faffdc
Opcode Fuzzy Hash: 58d4d9a12d8a1c13c3bdc0e298cca58a9983d4f703ca6481d5c757ef08a2c7cc
Instruction Fuzzy Hash: 34515EB59093819FC770EF16D989B9BB7E4FF84700F504A2EE58987251EB35A404CB8B

Function 0047EA70 Relevance: 3.1, APIs: 2, Instructions: 117COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000004), ref: 0047EB07
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000007,?,?,00000000,00000007), ref: 0047EB62

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseCreateEventHandle
String ID:
API String ID: 3369476804-0
Opcode ID: 696995c876d9bd120cc482a557da52048feac9fc48b4550984fbe6b5a2fe0974
Instruction ID: b350264dc4147bc7e307c44dcc38b95b4d1b717be00e288ae1ca8a26e8f303d0
Opcode Fuzzy Hash: 696995c876d9bd120cc482a557da52048feac9fc48b4550984fbe6b5a2fe0974
Instruction Fuzzy Hash: 7641B1716047019FD710DF26C881B4BBBE4FB48B14F108A6EF85A97781E778E804CB9A

Function 004628F0 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004628F5
IsWindowVisible.USER32(00000000), ref: 00462956

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$ForegroundVisible
String ID:
API String ID: 4078700383-0
Opcode ID: 6c2a2a6aedfdef41d40a7406949041cc53637a456eb4ff2155e36027b6c71570
Instruction ID: dbfd2f92f8e45736d0589e1eac4db5aba1cb586b1420891682e528021164a8a2
Opcode Fuzzy Hash: 6c2a2a6aedfdef41d40a7406949041cc53637a456eb4ff2155e36027b6c71570
Instruction Fuzzy Hash: EF219DB53006019FD720EB28C884FA7B3A9AFC4314F15847AEA45CB320EB75AC45CB64

Function 00457A00 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00457A35
__CxxThrowException@8.LIBCMT ref: 00457A4C

Part of subcall function 0049100C: _malloc.LIBCMT ref: 00491026

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 2d11708e951f66f1bbfeb943cffffb7156bcdb5c63b3c3dea56af56483e606ab
Instruction ID: cb209e357de410b9f6be5aa6937413b319aab4f7ff5c2c38efa6f32b043c2e02
Opcode Fuzzy Hash: 2d11708e951f66f1bbfeb943cffffb7156bcdb5c63b3c3dea56af56483e606ab
Instruction Fuzzy Hash: 6CE02BF000820266D70CEB50D402A9F3A90AB90314F50CE7FF47A81592FB78821DC55A

Function 004794D0 Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,004C63CC,?,80000000,?,?,?,?,00000000,00000000,FFB063A1,00000000), ref: 00479508
SetWindowTextW.USER32(00000000), ref: 00479526

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$CreateText
String ID:
API String ID: 1475799734-0
Opcode ID: f4705e4940b8a3e35563eb9e46f4814ad042d87e29dfe78a8f79b7a40099fdc0
Instruction ID: 8dbab90f993958bdcf4dc339e480c9814c1e6a3a84c8ebd0d0ae87665c36165d
Opcode Fuzzy Hash: f4705e4940b8a3e35563eb9e46f4814ad042d87e29dfe78a8f79b7a40099fdc0
Instruction Fuzzy Hash: 75F0C4B6214711EFE724CF54D845FABB3E9EB88710F508A1DB59A93280C774AC41CB75

Function 0049A40E Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0049A426

Part of subcall function 00498BE4: __mtinitlocknum.LIBCMT ref: 00498BFA
Part of subcall function 00498BE4: __amsg_exit.LIBCMT ref: 00498C06
Part of subcall function 00498BE4: EnterCriticalSection.KERNEL32(?,?,?,0049AABC,0000000D,004BB768,00000008,004913B5,?,00000000), ref: 00498C0E

__tzset_nolock.LIBCMT ref: 0049A437

Part of subcall function 00499CF9: __lock.LIBCMT ref: 00499D1B
Part of subcall function 00499CF9: __get_daylight.LIBCMT ref: 00499D30
Part of subcall function 00499CF9: __invoke_watson.LIBCMT ref: 00499D3F
Part of subcall function 00499CF9: __get_daylight.LIBCMT ref: 00499D4B
Part of subcall function 00499CF9: __invoke_watson.LIBCMT ref: 00499D5A
Part of subcall function 00499CF9: __get_daylight.LIBCMT ref: 00499D66
Part of subcall function 00499CF9: __invoke_watson.LIBCMT ref: 00499D75
Part of subcall function 00499CF9: ____lc_codepage_func.LIBCMT ref: 00499D7D
Part of subcall function 00499CF9: __getenv_helper_nolock.LIBCMT ref: 00499D9F
Part of subcall function 00499CF9: _strlen.LIBCMT ref: 00499DDD
Part of subcall function 00499CF9: __malloc_crt.LIBCMT ref: 00499DE4
Part of subcall function 00499CF9: _strlen.LIBCMT ref: 00499DFA

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __get_daylight__invoke_watson$__lock_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock
String ID:
API String ID: 4157481694-0
Opcode ID: efa1372f723a516f8b24e9aa1a5ba88a5edc37be958103b13e2e3824108b8269
Instruction ID: 19833e931c5f11f0dc61cde7fe2595e3ca9883150f85415b71ff37f66a74ae04
Opcode Fuzzy Hash: efa1372f723a516f8b24e9aa1a5ba88a5edc37be958103b13e2e3824108b8269
Instruction Fuzzy Hash: D2E08630480B149ACE526BA2580754D7AA0A710759B24413FB40415182CDF81A80CBDF

Function 0046EE10 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0046EEC5

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: ce289e096d241c7115d197daa36d8ed272433835fd6b12081072288fe2a56bba
Instruction ID: 6561ad3d167b71de5a7d25c991db639ad0bc42b41b63ca5051ce35f55beb3517
Opcode Fuzzy Hash: ce289e096d241c7115d197daa36d8ed272433835fd6b12081072288fe2a56bba
Instruction Fuzzy Hash: 484136759087809FD720EB22C941B4BB7E5BBC5714F504E2EF19983250EB799444CF8B

Function 0046EF80 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 0046F01F

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: PrivateProfile
String ID:
API String ID: 1469295129-0
Opcode ID: e3a41aba4ce8bd85f752e09b146e03af29bb6316ce5de6be51ab81ba82862784
Instruction ID: e591a3a2f12169ce2225fb19855776b091f3d6541356d65eed89ef14187511c6
Opcode Fuzzy Hash: e3a41aba4ce8bd85f752e09b146e03af29bb6316ce5de6be51ab81ba82862784
Instruction Fuzzy Hash: BF315775908780EFD710EB61D845B0BBBE4AB88714F504E2EF49583291EB79E448CF5B

Function 00452360 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?), ref: 004523E8

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d91e4bf8194755a2fd3620da408ae1636a71b1f28c958cdc447d791ffbc4f655
Instruction ID: 2d197c9e53525644d7eff3229c2661c14ca21a874504d83ae35de237b4977296
Opcode Fuzzy Hash: d91e4bf8194755a2fd3620da408ae1636a71b1f28c958cdc447d791ffbc4f655
Instruction Fuzzy Hash: 05217432600112DBCF20EEB8C6C192E7775BF4631571145ABEC569B313D77CEC8586A9

Function 00458BD0 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00459C70: GetDC.USER32(00000000), ref: 00459C91
Part of subcall function 00459C70: GetDeviceCaps.GDI32(00000000,00000058), ref: 00459CA2
Part of subcall function 00459C70: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00459CAB
Part of subcall function 00459C70: ReleaseDC.USER32(00000000,00000000), ref: 00459CB2
Part of subcall function 00459C70: MulDiv.KERNEL32(000009EC,?,?), ref: 00459CCB
Part of subcall function 00459C70: MulDiv.KERNEL32(000009EC,?,00000000), ref: 00459CD9

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,004591FF,?), ref: 00458C3C

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1584001007-0
Opcode ID: 78298b91e85ba02f2788bb953b3a7c7d2dc5be2f5f3d02e4be4d484dbc237420
Instruction ID: 20030a67273cc2950c00566ba376cec48276019aee0eae78b896cd8fedd6a305
Opcode Fuzzy Hash: 78298b91e85ba02f2788bb953b3a7c7d2dc5be2f5f3d02e4be4d484dbc237420
Instruction Fuzzy Hash: 3D114671300B049FC724CF39C984B67B7EAAF85700F04891EE59A8B291DB71F806CB20

Function 00451EF0 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?), ref: 00451F1D

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: eccf3b81a35eefedc3ca8409e1ef2355f69bd873b8ac4cd6777aa5876cd189ba
Instruction ID: f6be5b1a93e7c1ba9201b3b03de934b65539d39a774f0eefc66850df275eb146
Opcode Fuzzy Hash: eccf3b81a35eefedc3ca8409e1ef2355f69bd873b8ac4cd6777aa5876cd189ba
Instruction Fuzzy Hash: 53E022332052196B8320968AAC48DEBF7ACEAC9372F04443BFA59930029314AC00C370

Function 00498A38 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00498A4D

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 2ef8454525e160c3130ec3568d28e468a60707cf86a4edf41c630b0039d84ad3
Instruction ID: bbe32718e185d9d317ee28e33bf1540342c386835073c25cd7551310a96b38fd
Opcode Fuzzy Hash: 2ef8454525e160c3130ec3568d28e468a60707cf86a4edf41c630b0039d84ad3
Instruction Fuzzy Hash: F8D05E72990704AEEB009F756C08B2A3BDCA7883A5F10443AB90CC6260E674D990DA48

Function 0E553000 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2973511506.000000000E550000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e550000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea611ec5ad5cb80996500bbc3aa3974bc5d6be2535fe716caccb981bdac935d6
Instruction ID: 39a6d547e6d34a87c921109fef592d6447cd82b06af42638f646199efdf6961b
Opcode Fuzzy Hash: ea611ec5ad5cb80996500bbc3aa3974bc5d6be2535fe716caccb981bdac935d6
Instruction Fuzzy Hash: FFE10032A44204EFEB10CF59C864B7EB3E1BF44298F15885AEC59AB399D770EC41CB91

Function 0E55D800 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2973511506.000000000E550000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e550000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c67975ea8db87c6f4b7a16c129ebb2b080541e97a5dc85686b2102fa19636f
Instruction ID: b03924b37aa4087d7e83d56b595ed8b1eaf0d76c29bebb136cb540a0b1c872fe
Opcode Fuzzy Hash: e5c67975ea8db87c6f4b7a16c129ebb2b080541e97a5dc85686b2102fa19636f
Instruction Fuzzy Hash: 92810233740200AFEB10CB08C965E7AB3E6FF48659F14899AED55AB392D770EC42C790

Function 0BC08800 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2962304667.000000000BC06000.00000010.00000800.00020000.00000000.sdmp, Offset: 0BC06000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc06000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2953b3f927fec0bfa9676779494f9ac471bc6171e4b2d3aff0b469506a0604d5
Instruction ID: 2c1b9b0bde9cf0cf966cc8b5b08b8cf82f19de2d02bf08126d3827cac6b1d285
Opcode Fuzzy Hash: 2953b3f927fec0bfa9676779494f9ac471bc6171e4b2d3aff0b469506a0604d5
Instruction Fuzzy Hash: B761E230F303019FDB24DF58C841B6EB3E5BF84615F058629EA66A76C1DB74E940CBA1

Function 0BC034FD Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2962250319.000000000BC00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc00000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b64ab9a0acd6bb1f00b3ef69095e82a141dc529830b21920f4f57534b1f706a
Instruction ID: 35bfb04b504ebb37cb856f01018656e817f5af963ed13bbae95e6e6908488495
Opcode Fuzzy Hash: 8b64ab9a0acd6bb1f00b3ef69095e82a141dc529830b21920f4f57534b1f706a
Instruction Fuzzy Hash: 2941D570A603449FDB10DF99C981EAEB7B5BF8C608F008119E965AB2D2DF70D845C765

Function 0E552CC7 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2973511506.000000000E550000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e550000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b512ca8e40b9918531caf7e623a3a0412e34e6d728961fcd23b97cee8e0228
Instruction ID: 3c789c3672ec57fd5f65fa07a2021856f2764fc519281e9b4eff8de105794c41
Opcode Fuzzy Hash: 25b512ca8e40b9918531caf7e623a3a0412e34e6d728961fcd23b97cee8e0228
Instruction Fuzzy Hash: 1F4102352403009FE724CB54C8A1EBAF3E2BF84314F11C98AE9955B3A6C770EC56CB92

Function 0BC0796C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2962304667.000000000BC06000.00000010.00000800.00020000.00000000.sdmp, Offset: 0BC06000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc06000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d920674566605c6315434cc5f082e34768fed18b6fa3e66fe2c8251c7de48aa2
Instruction ID: 9f015794690c6a3c2f99c1fc2444021194da54773379631762e8cc9230ecfb3e
Opcode Fuzzy Hash: d920674566605c6315434cc5f082e34768fed18b6fa3e66fe2c8251c7de48aa2
Instruction Fuzzy Hash: EC219235B14210DFD714CF85C8809A9F3A1FF84628F158196E9646B396D731FE52CBA1

Function 0BC07AA5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2962304667.000000000BC06000.00000010.00000800.00020000.00000000.sdmp, Offset: 0BC06000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc06000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4735351c95d60b0ff511ab9b9a65569d05e5c424e008ebced6773230671fc81e
Instruction ID: ea8b23b18bd4e38c09a1fb822c60ff6ab7db63d71b0a899cdb13676af28f8357
Opcode Fuzzy Hash: 4735351c95d60b0ff511ab9b9a65569d05e5c424e008ebced6773230671fc81e
Instruction Fuzzy Hash: C3F0E231B50204AFD710DB88DC81DE9F3A4FF84268F158187ED659B292C771EE11CBA0

Function 0BC07B7D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2962304667.000000000BC06000.00000010.00000800.00020000.00000000.sdmp, Offset: 0BC06000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc06000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91731e3317b5b8ee50ebc2ad18ff51d664e7ad983179da133fb1cc5c45013ecf
Instruction ID: 944ec0c6b4515fe8f96e5fdce17d38a9f3945602cebe27381e15ebd62d95b4af
Opcode Fuzzy Hash: 91731e3317b5b8ee50ebc2ad18ff51d664e7ad983179da133fb1cc5c45013ecf
Instruction Fuzzy Hash: 96E09276B542049FD710CB89DC41ED9F3E8EF84264F158583EE2987242C7B1EA118BA1

Function 0E552DDA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2973511506.000000000E550000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e550000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b428bcd635b5f295c6fa5256ef3213b22b5ec283cad2b43302bb43aa7d0c6ce3
Instruction ID: da47b3ef04eec1c60791ca57d0482a13d16da2b1f4333990522866731efa7b66
Opcode Fuzzy Hash: b428bcd635b5f295c6fa5256ef3213b22b5ec283cad2b43302bb43aa7d0c6ce3
Instruction Fuzzy Hash: 24E02B3B601105CEE700DF44DCE0AE9F3F9FB00325F144987ED0A57221D310A9068741

Function 0E221294 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2970980379.000000000E220000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e220000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c551ad2b8157f7adf4468e9906842aa494b68df758b310577b65fb62e2a1549
Instruction ID: ec1b21fc91f41ad450524e05e7c3e270d1b73a8922d54248f6e643dee7761b47
Opcode Fuzzy Hash: 2c551ad2b8157f7adf4468e9906842aa494b68df758b310577b65fb62e2a1549
Instruction Fuzzy Hash: 07E09A31B162208FC720CE8CEC80916F3E4FB48224B004A7EEA4EC3711CA20EC108BA2

Function 028B0FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.1781630997.00000000028B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_28b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: e08e335080e1fb21b80daf257fda1b04a52e20e71522bc2165ce629bf8f984eb
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Function 029B0A97 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0A8F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0A87 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0ABF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0EBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0AB7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B02AF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0AAF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0EDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B06DF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0AD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B06D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0EFF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B06F7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B06EF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B06E7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0EE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0A17 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0A0F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0A07 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0E3F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B027F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0E77 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0F9F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0F97 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0B8F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B078F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0B87 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0F87 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B07BF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B07B7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B07AF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B03AF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B03A7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0FA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0BD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B07CF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B07FF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0BF7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B07F7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0BE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B030F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B033F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0F2F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B035F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0B5F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B034F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0F4F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0347 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0F47 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0F7F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0777 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0B6F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B076F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0767 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B009F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B089F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0497 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0897 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B048F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0CBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B00B7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0CB7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0CAF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B00AF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B08A7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B08DF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B04DF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B08D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B04D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B00D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B00CF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B04CF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B08CF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B08C7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0CFF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0CEF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B04E7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B00E7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B041F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0417 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0807 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0C07 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B083F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0837 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0827 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B045F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0457 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0C57 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B044F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B047F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0877 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0467 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0867 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B099F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0D87 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B09AF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B01A7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B09DF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B01DF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B09D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B09CF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B09FF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B09F7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B01E7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B051F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B090F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0D07 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B093F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B052F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0927 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B095F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0157 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B014F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B094F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0147 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0947 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0D7F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0177 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0977 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B096F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 029B0967 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2940972885.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29b0000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction ID: 8b9f5e71d97c7fe1c8f476b495aca1fa00d2f0fc9bb2472fb86643322016ad62
Opcode Fuzzy Hash: 8419497e100b1cf84741ccf66349996577d21a49c44bc92652de030d45891f09
Instruction Fuzzy Hash:

Function 0D940F9F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2964757760.000000000D940000.00000010.00000800.00020000.00000000.sdmp, Offset: 0D940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d940000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 551af2b4bb8debda010ba88cd3183330f63ac628361ad6c64c49a1a29e83ada8
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 0D940F87 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2964757760.000000000D940000.00000010.00000800.00020000.00000000.sdmp, Offset: 0D940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d940000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 551af2b4bb8debda010ba88cd3183330f63ac628361ad6c64c49a1a29e83ada8
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 0D940F8F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2964757760.000000000D940000.00000010.00000800.00020000.00000000.sdmp, Offset: 0D940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d940000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 551af2b4bb8debda010ba88cd3183330f63ac628361ad6c64c49a1a29e83ada8
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 0D940FA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2964757760.000000000D940000.00000010.00000800.00020000.00000000.sdmp, Offset: 0D940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d940000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 551af2b4bb8debda010ba88cd3183330f63ac628361ad6c64c49a1a29e83ada8
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 0D940FAF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2964757760.000000000D940000.00000010.00000800.00020000.00000000.sdmp, Offset: 0D940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d940000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 551af2b4bb8debda010ba88cd3183330f63ac628361ad6c64c49a1a29e83ada8
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 0D940FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2964757760.000000000D940000.00000010.00000800.00020000.00000000.sdmp, Offset: 0D940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d940000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 551af2b4bb8debda010ba88cd3183330f63ac628361ad6c64c49a1a29e83ada8
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 0D940FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2964757760.000000000D940000.00000010.00000800.00020000.00000000.sdmp, Offset: 0D940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d940000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 551af2b4bb8debda010ba88cd3183330f63ac628361ad6c64c49a1a29e83ada8
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 0D940F0F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2964757760.000000000D940000.00000010.00000800.00020000.00000000.sdmp, Offset: 0D940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d940000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 551af2b4bb8debda010ba88cd3183330f63ac628361ad6c64c49a1a29e83ada8
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 0D940E4F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2964757760.000000000D940000.00000010.00000800.00020000.00000000.sdmp, Offset: 0D940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d940000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 551af2b4bb8debda010ba88cd3183330f63ac628361ad6c64c49a1a29e83ada8
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 0E040E0F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040617 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040E1F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040E27 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040E2F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040A2F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040E3F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040A3F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040A47 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040A4F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040A57 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040A67 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040A77 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040EA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040AF7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E04071F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E04074F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040F4F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040F57 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E04075F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040F5F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040767 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E04076F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040777 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040F8F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040FA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040FAF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040FB7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040FBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040BD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040BFF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E04081F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E04082F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040C67 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E04087F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040C8F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E0408AF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E0408BF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E0408C7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E0408CF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E040CCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E0408DF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E0408F7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E04099F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E0409AF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Function 0E0409FF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2969322467.000000000E040000.00000010.00000800.00020000.00000000.sdmp, Offset: 0E040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e040000_dqwhj_errwd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction ID: f1dcdf0755a0bb0fc0c1f52a936bd878512065bb48e907959b8b6faf9ac7680d
Opcode Fuzzy Hash: dca5cca948dfb8922432774f8394a9874d2774ada58eb771e003b6de3ea762b9
Instruction Fuzzy Hash:

Non-executed Functions

Function 00482250 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 291COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004822B5

Strings

SL, xrefs: 004823D8
UninstallStat.tmp, xrefs: 00482528
http://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=%s&ext_1=%d&ext_2=%s&ext_3=%s&, xrefs: 00482478
417, xrefs: 00482473
%Y-%m-%d, xrefs: 004822C6

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: __time64
String ID: SL$%Y-%m-%d$417$UninstallStat.tmp$http://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=%s&ext_1=%d&ext_2=%s&ext_3=%s&
API String ID: 399556195-1732036809
Opcode ID: d2a3b06bddd701adc8e70dc695264098700e1c822ad1987a3cd00140c50836fb
Instruction ID: 7889c8576c322177c7902b9c4010bb318260b4c24cb6e18954d36cbd71f0100b
Opcode Fuzzy Hash: d2a3b06bddd701adc8e70dc695264098700e1c822ad1987a3cd00140c50836fb
Instruction Fuzzy Hash: BFC1E171508380CFD724EF29C941B8FBBE5BF85314F448A2EE58997291DB78A904CB97

Function 0047A0D0 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 265COMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000), ref: 0047A225
LoadCursorW.USER32(00000000,00007F82), ref: 0047A23F
SetCursor.USER32(00000000), ref: 0047A246
LoadCursorW.USER32(00000000,00007F82), ref: 0047A286
SetCursor.USER32(00000000), ref: 0047A28D
LoadCursorW.USER32(00000000,00007F83), ref: 0047A2C0
SetCursor.USER32(00000000), ref: 0047A2C7
LoadCursorW.USER32(00000000,00007F83), ref: 0047A2FD
SetCursor.USER32(00000000), ref: 0047A304
LoadCursorW.USER32(00000000,00007F84), ref: 0047A332
SetCursor.USER32(00000000), ref: 0047A339
LoadCursorW.USER32(00000000,00007F84), ref: 0047A369
SetCursor.USER32(00000000), ref: 0047A370
LoadCursorW.USER32(00000000,00007F85), ref: 0047A39E
SetCursor.USER32(00000000), ref: 0047A3A5
LoadCursorW.USER32(00000000,00007F85), ref: 0047A3D2
SetCursor.USER32(00000000), ref: 0047A3D9

Strings

CSQButton, xrefs: 0047A13F
CSQIconButton, xrefs: 0047A170

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Cursor$Load$ClientRect
String ID: CSQButton$CSQIconButton
API String ID: 144240930-1883793265
Opcode ID: 5ebde127eadfec2af9c836d816f8363c8afb913aadd96e93f06ffb177be13ccd
Instruction ID: bd938d9d1ba32c1809078d0541e0adda0eaa51d22967692eb14997b25d879428
Opcode Fuzzy Hash: 5ebde127eadfec2af9c836d816f8363c8afb913aadd96e93f06ffb177be13ccd
Instruction Fuzzy Hash: 51A190756083809FE710DF64CC44B9E77E5AB89704F54861AFA698B3E1C778E850CB4A

Function 0046C2F0 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 355processCOMMON

Download Yara Rule

APIs

Part of subcall function 0046C9B0: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0046C33B,FFB063A1,?,?,?,00000000), ref: 0046C9BA
Part of subcall function 0046C9B0: OpenProcessToken.ADVAPI32(00000000,?,?,?,0046C33B,FFB063A1,?,?,?,00000000), ref: 0046C9C1
Part of subcall function 0046C9B0: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0046C9D7
Part of subcall function 0046C9B0: CloseHandle.KERNEL32(?,?,?,?,0046C33B,FFB063A1,?,?,?,00000000), ref: 0046C9E6

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0046C4A7
Process32NextW.KERNEL32(00000000,?), ref: 0046C4E5
Process32NextW.KERNEL32(?,?), ref: 0046C7BF
CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 0046C7D2

Strings

LOCAL SERVICE, xrefs: 0046C72C
NETWPRK SERVICE, xrefs: 0046C747
lrising,RAVmonD,RAVmon,RAVtimer,rav,KAVsvc,KAVsvcUI,baiduan,baiduantray,taskmgr,chrome,foxmail,, xrefs: 0046C376
wps,Microsoft Excel,Microsoft Word,explorer,SogouCloud,wpscenter,firefox,youku,YY,UCBrowser,avnotify,, xrefs: 0046C3C7
ekrn,avp,qqpcmgr,rsmain,qqexternal,txplatform,baidupinyin,SogouExplorer,, xrefs: 0046C413
.exe, xrefs: 0046C533
kav32,kavstare,kpfw32,Navapw32,Navapsvc,NMain,navw32,KVFW,KAVSvcUI,RAVmonD,RAVmon,RAVtimer,Rising,, xrefs: 0046C362
The world,opera,knbcenter,Thunder,ThunderPlatform,Safari,Maxthon,iexplore, xrefs: 0046C45F
SYSTEM, xrefs: 0046C711

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CloseHandleNextProcessProcess32$CreateCurrentLookupOpenPrivilegeSnapshotTokenToolhelp32Value
String ID: .exe$LOCAL SERVICE$NETWPRK SERVICE$SYSTEM$The world,opera,knbcenter,Thunder,ThunderPlatform,Safari,Maxthon,iexplore$ekrn,avp,qqpcmgr,rsmain,qqexternal,txplatform,baidupinyin,SogouExplorer,$kav32,kavstare,kpfw32,Navapw32,Navapsvc,NMain,navw32,KVFW,KAVSvcUI,RAVmonD,RAVmon,RAVtimer,Rising,$lrising,RAVmonD,RAVmon,RAVtimer,rav,KAVsvc,KAVsvcUI,baiduan,baiduantray,taskmgr,chrome,foxmail,$wps,Microsoft Excel,Microsoft Word,explorer,SogouCloud,wpscenter,firefox,youku,YY,UCBrowser,avnotify,
API String ID: 689045952-2500648686
Opcode ID: 595e7f867de6c6eaf5f8fc5bb75cdf2df5cc0a95619054bb7cf81001dec8457a
Instruction ID: 2f126f68549a894e352c4813244e619e128ef42524288b6f08633092aa23d619
Opcode Fuzzy Hash: 595e7f867de6c6eaf5f8fc5bb75cdf2df5cc0a95619054bb7cf81001dec8457a
Instruction Fuzzy Hash: 3CD182715183819FD720EB25C885BAFB7E5AF85314F10492FF59987391EB38A804CB9B

Function 004A20EF Relevance: 16.7, APIs: 11, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004B1AA8,00000001,?,00000002,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000,?,?), ref: 004A211E
GetLastError.KERNEL32(?,004A22D9,00000001,?,00000000,?,?,?,?,00000000,?,00000001,00000000,00000000,00000008,?), ref: 004A2130
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000002,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000), ref: 004A2195
__alloca_probe_16.LIBCMT ref: 004A21B6
_malloc.LIBCMT ref: 004A21CA
_memset.LIBCMT ref: 004A21EA
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,00000000,?,00000001,00000000,00000000,00000008,?,00000000), ref: 004A21FF
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004A220D
___ansicp.LIBCMT ref: 004A2241
___convertcp.LIBCMT ref: 004A2262

Part of subcall function 004A6455: GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000,?,?,?), ref: 004A64A0
Part of subcall function 004A6455: GetCPInfo.KERNEL32(?,00000001,?,004A22D9,00000001,?), ref: 004A64B9
Part of subcall function 004A6455: _strlen.LIBCMT ref: 004A64D7
Part of subcall function 004A6455: __alloca_probe_16.LIBCMT ref: 004A64F7
Part of subcall function 004A6455: _memset.LIBCMT ref: 004A654F
Part of subcall function 004A6455: MultiByteToWideChar.KERNEL32(?,00000001,?,004A22D9,?,00000000,?,?,?,?,?,?,?,004A22D9,00000001,?), ref: 004A6566
Part of subcall function 004A6455: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,004A22D9), ref: 004A6581

GetStringTypeA.KERNEL32(?,?,?,?,?,00000002,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000,?), ref: 004A2282

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Info__alloca_probe_16_memset$ErrorLast___ansicp___convertcp_malloc_strlen
String ID:
API String ID: 1190950686-0
Opcode ID: 9ebd957ad742b4ab9dca44f61cfa64eae2e0c4079737444e84bd15da36552ebe
Instruction ID: ca4044ecca1d640bec734be1bf60d705fb3aeb433e7f15327cf516d7adb19d4d
Opcode Fuzzy Hash: 9ebd957ad742b4ab9dca44f61cfa64eae2e0c4079737444e84bd15da36552ebe
Instruction Fuzzy Hash: 3551D47250010AEFDF109F5CDD81EAF3BA9EB29350B14412BFA14D7260D7B8DD90AB98

Function 004601A0 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 234windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00000000), ref: 00460349
PostMessageW.USER32(00000000), ref: 0046046B

Strings

Error, xrefs: 00460505
wd_thirdlogin, xrefs: 00460218
server_id, xrefs: 0046029E
ErrorUrl, xrefs: 004604F2
<<K, xrefs: 00460494, 00460544
wd_entergame=1, xrefs: 00460403
otype, xrefs: 0046023F

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: MessagePost
String ID: <<K$Error$ErrorUrl$otype$server_id$wd_entergame=1$wd_thirdlogin
API String ID: 410705778-1508025510
Opcode ID: 6eb80e03bc648c5e223cfc57b19e32379ac88fbd54bbe06af85f98dee07f37ea
Instruction ID: 31bc0bebfcf81387cf3749d870ffa86c0345eddb1a07bd2886f4546d3cd60ece
Opcode Fuzzy Hash: 6eb80e03bc648c5e223cfc57b19e32379ac88fbd54bbe06af85f98dee07f37ea
Instruction Fuzzy Hash: 519109716083805BD720FB25C842BDF77A06F45318F454B1FF969572C2DB7869088BAB

Function 00472170 Relevance: 15.4, APIs: 10, Instructions: 392COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 004721C7
std::_String_base::_Xlen.LIBCPMT ref: 004721F3
_memmove_s.LIBCMT ref: 0047227C
_memcpy_s.LIBCMT ref: 004722BA
_memmove_s.LIBCMT ref: 00472304
_memmove_s.LIBCMT ref: 0047239C
_memmove_s.LIBCMT ref: 00472425
_memmove_s.LIBCMT ref: 004724A8
_memmove_s.LIBCMT ref: 004724F0
_memmove_s.LIBCMT ref: 0047253F

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memmove_s$String_base::_Xlenstd::_$_memcpy_s
String ID:
API String ID: 3470545318-0
Opcode ID: 4e6e729c26da5a1ea4befaec735a8771c414b066690feba3067c95492ab9fd7c
Instruction ID: 7bd5197d4a5f709a925bace89eff7bd9f786be56681b1120e76b53a1d0333b02
Opcode Fuzzy Hash: 4e6e729c26da5a1ea4befaec735a8771c414b066690feba3067c95492ab9fd7c
Instruction Fuzzy Hash: A4E154702042029F8B04CF68CAD48AF77E6FFC5308B548A5EE449D7319D778E946CB9A

Function 0047C1AC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DrawTextW.USER32(?,?,?,?,00000400), ref: 0047C290
InflateRect.USER32(?,00000000,?), ref: 0047C2E8
DrawTextW.USER32(?,?,00000008,?,?), ref: 0047C31C
SelectObject.GDI32(?,?), ref: 0047C328
SetTextColor.GDI32(?,?), ref: 0047C334
SetBkMode.GDI32(?,?), ref: 0047C340
RestoreDC.GDI32(?,?), ref: 0047C34C

Strings

..., xrefs: 0047C1BA

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Text$Draw$ColorInflateModeObjectRectRestoreSelect
String ID: ...
API String ID: 132038385-440645147
Opcode ID: 53cffef93b938ea175802bffb4e2cf09c295503aba823436a5a3fa383e747553
Instruction ID: b7ea7545b367b9266916cf9edf75954f80bd5f884aeafbc0486109a6bacbbb65
Opcode Fuzzy Hash: 53cffef93b938ea175802bffb4e2cf09c295503aba823436a5a3fa383e747553
Instruction Fuzzy Hash: 7E31FDB5208341AFD714DF24D985FABB7E9FB84300F40892DF98A83651D734E844CB56

Function 004763D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(WebSuperCall), ref: 0047647C
VariantInit.OLEAUT32(?), ref: 004764F4
SysAllocString.OLEAUT32(00000000), ref: 0047650F
VariantInit.OLEAUT32(?), ref: 0047651E
SysFreeString.OLEAUT32(?), ref: 00476580

Part of subcall function 004521E0: __CxxThrowException@8.LIBCMT ref: 004521F2

Strings

WebSuperCall, xrefs: 00476477
`<u, xrefs: 00476580

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String$AllocInitVariant$Exception@8FreeThrow
String ID: WebSuperCall$`<u
API String ID: 491998546-2164882518
Opcode ID: 33f8fb8ae9f728bc1c2c55807ede50f6cdb90433f2f3ba2fc7810d3c6a97aa99
Instruction ID: b88162becc209e5177e16599c522f05a67f0f5845b5cfca98829d4dd7b48ee27
Opcode Fuzzy Hash: 33f8fb8ae9f728bc1c2c55807ede50f6cdb90433f2f3ba2fc7810d3c6a97aa99
Instruction Fuzzy Hash: 0C614F75E00208AFDB00DFA9D980BDEB7F9FF48714F10855AE919A7341D779A904CBA8

Function 004742A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004742CB
std::_Lockit::_Lockit.LIBCPMT ref: 004742F1
std::bad_exception::bad_exception.LIBCMT ref: 00474375
__CxxThrowException@8.LIBCMT ref: 00474384
std::_Lockit::_Lockit.LIBCPMT ref: 00474399
std::locale::facet::facet_Register.LIBCPMT ref: 004743B4

Strings

bad cast, xrefs: 0047436C

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: cb5094c541da561e7913b5257211b25cc7f540ed401702930480dd872bd3062c
Instruction ID: 3846ec0aa1f03b98f7cc3dbc8eb5dba0f4b0fa5a83c33afbc9478108843361ef
Opcode Fuzzy Hash: cb5094c541da561e7913b5257211b25cc7f540ed401702930480dd872bd3062c
Instruction Fuzzy Hash: C631A6715042008FC754EF55D881FBE73E0EB94724F508A2EE86D97291DB38A948CB9A

Function 004743F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0047441B
std::_Lockit::_Lockit.LIBCPMT ref: 00474441
std::bad_exception::bad_exception.LIBCMT ref: 004744C5
__CxxThrowException@8.LIBCMT ref: 004744D4
std::_Lockit::_Lockit.LIBCPMT ref: 004744E9
std::locale::facet::facet_Register.LIBCPMT ref: 00474504

Strings

bad cast, xrefs: 004744BC

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: df6f861da6196e3dfd731daee6d993cad7d32d2d8a4c4bf046bb4b1e4d7430e7
Instruction ID: d3a205cada47c4f6e2b17422379c13f1091f1152368bad40577da3d16e0025ff
Opcode Fuzzy Hash: df6f861da6196e3dfd731daee6d993cad7d32d2d8a4c4bf046bb4b1e4d7430e7
Instruction Fuzzy Hash: B031C4315043009FC754EF50C981FAF77A0FB94728F504A2EF966972E1DB38A948CB9A

Function 0048E400 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0048E42B
std::_Lockit::_Lockit.LIBCPMT ref: 0048E451
std::bad_exception::bad_exception.LIBCMT ref: 0048E4D5
__CxxThrowException@8.LIBCMT ref: 0048E4E4
std::_Lockit::_Lockit.LIBCPMT ref: 0048E4F9
std::locale::facet::facet_Register.LIBCPMT ref: 0048E514

Strings

bad cast, xrefs: 0048E4CC

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 64530b563a5f8cbc901cd90dd4d2e63f71b3d7246c42bd4f040aa855f4b9dc05
Instruction ID: b60350b7fba4df6a092cceffe492aa9c0cdce7f03517310e4f108b20e84882be
Opcode Fuzzy Hash: 64530b563a5f8cbc901cd90dd4d2e63f71b3d7246c42bd4f040aa855f4b9dc05
Instruction Fuzzy Hash: E831BF314042009FC754FF12D981B5E73E0FB54B28F504A6EE866972D1EB38A948CB9A

Function 00454030 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,?,?), ref: 00454079

Strings

http://kf.37.com/, xrefs: 00454164
http://bbs.37.com/list-3829-1.html, xrefs: 004541DE
http://jzcq.37.com/, xrefs: 004541BF

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ShowWindow
String ID: http://bbs.37.com/list-3829-1.html$http://jzcq.37.com/$http://kf.37.com/
API String ID: 1268545403-209637737
Opcode ID: 15fc45ae690398999941970bc4d3544b08269fe83f2ae8c931544c44622e7f6b
Instruction ID: af3b15c4d05596e53b887ea0c9ea2d4f919f378a550c242077cb1eee6f27bd44
Opcode Fuzzy Hash: 15fc45ae690398999941970bc4d3544b08269fe83f2ae8c931544c44622e7f6b
Instruction Fuzzy Hash: 30510B3770010047C710EA99E4809EAF391E7E431AF50457BFD59CF341EA266D9AC7E9

Function 00488270 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00488304
__CxxThrowException@8.LIBCMT ref: 0048837C
__CxxThrowException@8.LIBCMT ref: 004883F7

Strings

Type is not convertible to int, xrefs: 004883BF
Real out of signed integer range, xrefs: 00488344
integer out of signed integer range, xrefs: 004882D2

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8Throw
String ID: Real out of signed integer range$Type is not convertible to int$integer out of signed integer range
API String ID: 2005118841-3748601619
Opcode ID: cd2cc83ed9ca415f482d9a6909bb0c0e07d12e6b0ffba1f19b896d25679f8339
Instruction ID: ba50063c11d9c420ad19b7c16f512edabaa1d7314222c9f771d14a8587a41e84
Opcode Fuzzy Hash: cd2cc83ed9ca415f482d9a6909bb0c0e07d12e6b0ffba1f19b896d25679f8339
Instruction Fuzzy Hash: 4841D3B1008780DBD724DB60D842B9AB7B8FB84704F904A6FF48952691EBBD5408CB6A

Function 00488440 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004884B9
__CxxThrowException@8.LIBCMT ref: 00488562
__CxxThrowException@8.LIBCMT ref: 004885BC

Strings

Type is not convertible to uint, xrefs: 00488584
Negative integer can not be converted to unsigned integer, xrefs: 00488487
Real out of unsigned integer range, xrefs: 0048852A

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8Throw
String ID: Negative integer can not be converted to unsigned integer$Real out of unsigned integer range$Type is not convertible to uint
API String ID: 2005118841-1738163505
Opcode ID: 892273d6c02e3c0470505d8e9c60be528918d1a4d961e0610e689f995a27285a
Instruction ID: d7807cff9dadbae159f474284b7286e759698cba5559bf26482c7f7f606633f3
Opcode Fuzzy Hash: 892273d6c02e3c0470505d8e9c60be528918d1a4d961e0610e689f995a27285a
Instruction Fuzzy Hash: A0416E71048780EED724DF20D942B9FB7E8FB84700F908E6EE59946281EBBD9504CB5A

Function 004A2070 Relevance: 9.2, APIs: 6, Instructions: 152COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004B1AA8,00000001,?,00000002,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000,?,?), ref: 004A211E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000002,00000000,00000000,?,?,?,004A22D9,00000001,?,00000000), ref: 004A2195
__alloca_probe_16.LIBCMT ref: 004A21B6
_memset.LIBCMT ref: 004A21EA

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide__alloca_probe_16_memset
String ID:
API String ID: 9217213-0
Opcode ID: 014e4d13ff6ad88a40d365eca239c6927b2721715d5ba4ba39326f464009b625
Instruction ID: 9a1f2b5e59a1c9c305880485b9089f1f6af703c614c4616396cacdc250f37928
Opcode Fuzzy Hash: 014e4d13ff6ad88a40d365eca239c6927b2721715d5ba4ba39326f464009b625
Instruction Fuzzy Hash: 4D514631508286AFDB05CF28CC80A9BBFB4FF56350B5986AFE9008A552D77CDD95C784

Function 00488130 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 004881CD
__CxxThrowException@8.LIBCMT ref: 00488211

Strings

Type is not convertible to string, xrefs: 004881E3
true, xrefs: 004881AD
false, xrefs: 004881B4, 004881B9

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Exception@8Throw__itow
String ID: Type is not convertible to string$false$true
API String ID: 3213073191-1606231287
Opcode ID: 9cfb54b54a2def87a13a8d773182a9c56cb3ae6aed8fdbad434ed9fcf3a099da
Instruction ID: b3a5e9ba3b08f3a40702ed86ea1df6c55f52f5d5767838cfd72a4b3c1900c727
Opcode Fuzzy Hash: 9cfb54b54a2def87a13a8d773182a9c56cb3ae6aed8fdbad434ed9fcf3a099da
Instruction Fuzzy Hash: D531B3B1208B009FC310EB65C891A6F77E8AB88714F90492FF45587691DF7CAD08C79B

Function 0045E400 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0045E521
SysStringLen.OLEAUT32(00000000), ref: 0045E52C
SysFreeString.OLEAUT32(00000000), ref: 0045E557

Strings

`<u, xrefs: 0045E521, 0045E557

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: String$Free
String ID: `<u
API String ID: 1391021980-3367579956
Opcode ID: 33cd762a17ae49f314d2888199a4d9ee7e2fbbfaa9d4067a6546cdbf4a0d1ba3
Instruction ID: b852cd38863ab4f6a00337f10043ffef793faa1f21ce6bbd1e224bad32857547
Opcode Fuzzy Hash: 33cd762a17ae49f314d2888199a4d9ee7e2fbbfaa9d4067a6546cdbf4a0d1ba3
Instruction Fuzzy Hash: 7F5161B5A00609AFDB04CF95C880BAEB7B9FF88310F10855EE915D7351E774EA05CBA4

Function 0045E050 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(QNE,00000000,00000000,004AD538,0045E01A,00000000,?,00000000,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,0045679A,Software\Microsoft\Windows\CurrentVersion\Run), ref: 0045E05A
LockResource.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,0045679A,Software\Microsoft\Windows\CurrentVersion\Run), ref: 0045E069
SizeofResource.KERNEL32(QNE,00000000,?,00000000,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,0045679A,Software\Microsoft\Windows\CurrentVersion\Run), ref: 0045E077

Strings

QNE, xrefs: 0045E051, 0045E057, 0045E076

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID: QNE
API String ID: 2853612939-4201859585
Opcode ID: 7c557c7c554e37542180ec2c127855f233ae36179ac92f2d49cea990e047d9b1
Instruction ID: dc0885a375040d6e432607a50f982c005d5d6ce59df89da3a0e7dca2cb761073
Opcode Fuzzy Hash: 7c557c7c554e37542180ec2c127855f233ae36179ac92f2d49cea990e047d9b1
Instruction Fuzzy Hash: 37F09633B001355A8B341BBAAC044BBBBDCD980FA73050577FF59D3251E2689D598168

Function 0049824E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00498261

Part of subcall function 004981BC: ___BuildCatchObjectHelper.LIBCMT ref: 004981F2

_UnwindNestedFrames.LIBCMT ref: 00498278
___FrameUnwindToState.LIBCMT ref: 00498286

Strings

csm, xrefs: 0049825D, 00498272, 00498285, 004982A3, 004982B3

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 65e2e6bd79cdbbeac5300aee0305423ad19a250091d4e67b5ee60e7890e604b9
Instruction ID: 18428426f68156c5017de1feaecbab9004f46af023e03252cf9cedcaee0ec2f8
Opcode Fuzzy Hash: 65e2e6bd79cdbbeac5300aee0305423ad19a250091d4e67b5ee60e7890e604b9
Instruction Fuzzy Hash: B9014671001509BFDF126F56CC46EAB7F6AEF49354F00406ABD1814121DB3AE8B1DBA8

Function 00486050 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 004860D8
_memmove_s.LIBCMT ref: 00486104

Part of subcall function 004870D0: __CxxThrowException@8.LIBCMT ref: 00487146

_memmove_s.LIBCMT ref: 00486149
_memmove_s.LIBCMT ref: 00486174

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memmove_s$Exception@8Throw
String ID:
API String ID: 2992690706-0
Opcode ID: 3dc925620b8c5d54522f62fea4e89346214ffeca2f7ffafe530897f58d1d9c85
Instruction ID: ba2a49e3e08dfe97d950e4d248ab090ab54935e5a71ddb495b898c34c2245441
Opcode Fuzzy Hash: 3dc925620b8c5d54522f62fea4e89346214ffeca2f7ffafe530897f58d1d9c85
Instruction Fuzzy Hash: C141D071A002015FDB18EF28DC81A7F77A5EB81300F054E2EEC15DB306E639ED158B99

Function 004861B0 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 00486241
_memmove_s.LIBCMT ref: 0048626D

Part of subcall function 004870D0: __CxxThrowException@8.LIBCMT ref: 00487146

_memmove_s.LIBCMT ref: 004862AC
_memmove_s.LIBCMT ref: 004862D7

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memmove_s$Exception@8Throw
String ID:
API String ID: 2992690706-0
Opcode ID: 814f3dc2a2881bdf9e653cc1f9a0fc0de7196353008aa1e8afdf3f5d04d7678b
Instruction ID: afd7d1b3f2400c21f4952f60f37140b1cb7b2ae7523020dd2318448e3964c957
Opcode Fuzzy Hash: 814f3dc2a2881bdf9e653cc1f9a0fc0de7196353008aa1e8afdf3f5d04d7678b
Instruction Fuzzy Hash: BD417D71A042015FDB18FF28CC91A7F73A5FB80310F054EAEEC2297346EA78E9158795

Function 0046A210 Relevance: 6.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,FFB063A1), ref: 0046A255
lstrlenW.KERNEL32(?), ref: 0046A2A1
_memcpy_s.LIBCMT ref: 0046A30D
_memcpy_s.LIBCMT ref: 0046A31F

Part of subcall function 00469750: __recalloc.LIBCMT ref: 0046975A

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: _memcpy_slstrlen$__recalloc
String ID:
API String ID: 1038713732-0
Opcode ID: 8816ead8854c5c859d7b8e6617d2620f493ed6f2cef6e2b70ea229ca199c32d5
Instruction ID: 380480d51d2d70d70316cfb427078a5266b6ded45a04aacf56483e47adfd9305
Opcode Fuzzy Hash: 8816ead8854c5c859d7b8e6617d2620f493ed6f2cef6e2b70ea229ca199c32d5
Instruction Fuzzy Hash: 46417171E01209AFCB04DFA5D881AAFBBB8EB48314F10457FE905A7341D7799A11CBA6

Function 00454290 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004542BC
SetWindowPos.USER32(00000000,?,?,?,?,?), ref: 00454303
ShowWindow.USER32(00000000,?,?,?,?,?), ref: 0045431D
UpdateWindow.USER32(00000000), ref: 00454330

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$InfoParametersShowSystemUpdate
String ID:
API String ID: 2353380074-0
Opcode ID: 9a2d4ec19bc59251ad0b9fc4739885c1ea9bc4496ded8a949cbb7288bad941c2
Instruction ID: 7435f36b771e96c36796a4f72a2b5de2cdf7bbc6919aabb2201e41478f984b8c
Opcode Fuzzy Hash: 9a2d4ec19bc59251ad0b9fc4739885c1ea9bc4496ded8a949cbb7288bad941c2
Instruction Fuzzy Hash: 452193753006009FE700DF3CCC59FAA77EAABC8710F588569FA85C7395DA34E80587A0

Function 0046A540 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000025,0046A953,?,FFB063A1), ref: 0046A549

Part of subcall function 0046A500: lstrcmpiW.KERNEL32(?,?,?,?,?,0046A55C,?), ref: 0046A51E

LeaveCriticalSection.KERNEL32(?,?), ref: 0046A564
LeaveCriticalSection.KERNEL32(?,?), ref: 0046A582

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CriticalSection$Leave$Enterlstrcmpi
String ID:
API String ID: 431788158-0
Opcode ID: cc0343effb1bb08f50e5a6dd707c0b0a35b7676d446d91b615ddc78d17d37cd0
Instruction ID: 157eefda7f5e09bd798739cc2646877c5e6b5c9d17dd5536aeae3e4cdcb3dff9
Opcode Fuzzy Hash: cc0343effb1bb08f50e5a6dd707c0b0a35b7676d446d91b615ddc78d17d37cd0
Instruction Fuzzy Hash: 2AF0F672200610BBD720CBB4AC84E8AF3ACFB44365F104A67F212F3160D370E8118BAA

Function 00454350 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00454378
SetWindowPos.USER32(00000000,?,?,?,?), ref: 0045439D
ShowWindow.USER32(00000000,?,?,?,?), ref: 004543B7
UpdateWindow.USER32(00000000), ref: 004543CA

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: Window$InfoParametersShowSystemUpdate
String ID:
API String ID: 2353380074-0
Opcode ID: 5541e6b3219f335e637aa8eac9ef4a4e1103884e0e9ca677103b85027b81c529
Instruction ID: 261349190360dbd204bc809431b832e9e678b5679b114f7406f039803b332d91
Opcode Fuzzy Hash: 5541e6b3219f335e637aa8eac9ef4a4e1103884e0e9ca677103b85027b81c529
Instruction Fuzzy Hash: 3B0196343002109FF710EB18CC59FAA73E5BFC8704F548558FD858B3A1EA75A80587E5

Function 0047A410 Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 0047A437
SystemParametersInfoW.USER32(00000025,00000000,00000000,00000000), ref: 0047A448
SendMessageW.USER32(?,00000112,?,00000000), ref: 0047A45D
SystemParametersInfoW.USER32(00000025,00000001,00000000,00000000), ref: 0047A472

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: InfoParametersSystem$MessageSend
String ID:
API String ID: 3675817773-0
Opcode ID: 4ebdd1900dca068ce0861df0d77ccfc8685a3496b595e51401189793a79551f6
Instruction ID: 0fa9b2debf9486141e41f57959f9cfea1bb3829c4b4682e2b3c003fba6d415fe
Opcode Fuzzy Hash: 4ebdd1900dca068ce0861df0d77ccfc8685a3496b595e51401189793a79551f6
Instruction Fuzzy Hash: E4F0FF317807006BF324DA54DC0AFAA62A9ABC4B15F258529B354AB1D1D7F46805C76A

Function 00456440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,?,00000000,00000000), ref: 00456488

Part of subcall function 00457360: std::_String_base::_Xlen.LIBCPMT ref: 004573BD
Part of subcall function 00457360: _memcpy_s.LIBCMT ref: 0045741E

Part of subcall function 0046EBD0: _memset.LIBCMT ref: 0046EC7D
Part of subcall function 0046EBD0: GetPrivateProfileStringW.KERNEL32(?,?,?,?,00000104,?), ref: 0046ECEF

Strings

ProcessList, xrefs: 00456508
version, xrefs: 00456537

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: MessagePrivateProfileSendStringString_base::_Xlen_memcpy_s_memsetstd::_
String ID: ProcessList$version
API String ID: 1720257080-4229193483
Opcode ID: df4b21ca4a0a7abb7ca69b3bb53001f818689dc589da1cfb5a06b3ff283175c3
Instruction ID: c395533f5cfa3b538012d94a9b2024749d34d361b8097429382797dc49d5c1f7
Opcode Fuzzy Hash: df4b21ca4a0a7abb7ca69b3bb53001f818689dc589da1cfb5a06b3ff283175c3
Instruction Fuzzy Hash: A841D6715083809FD320EF29958271BFBE4BF85714F44492EF88547352DB79A808C7AB

Function 0046E480 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32 ref: 0046E49E
swprintf.LIBCMT ref: 0046E4F8

Part of subcall function 0049176B: __vswprintf_s_l.LIBCMT ref: 0049177F

Strings

%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X, xrefs: 0046E4E9

Memory Dump Source

Source File: 00000002.00000002.2933889570.0000000000451000.00000020.00000001.01000000.00000008.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2933744422.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934213278.00000000004C2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000004CA000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.000000000059F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.2934328684.00000000005A4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_dqwhj_errwd.jbxd

Similarity

API ID: CreateGuid__vswprintf_s_lswprintf
String ID: %.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X
API String ID: 3172161272-2550169060
Opcode ID: f17e0428b9dd3b69fd55ca7272c1a5a2f82f36b73c71d5da319abe8858b4f9bc
Instruction ID: 78545792283a6f53765e50ac85d718209d9729544cb9a0c482ed25fda9faf818
Opcode Fuzzy Hash: f17e0428b9dd3b69fd55ca7272c1a5a2f82f36b73c71d5da319abe8858b4f9bc
Instruction Fuzzy Hash: 7311D5A110C2516EC354DF668811B7BBBE89F8C705F04890EF9D5C2241E67CD604CBBA

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.FileRepMalware.6479.21607.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E6F1PLIB\turing.captcha.qcloud[1].xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\19141848xsCpC[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\btn-reg[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\drag_ele[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dy-jy3[1].js

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\game1[1].js

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\istat.controller[1].php

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\proxy_yk[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sq.core[1].js

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\third-logo-24[1].png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\dy-jy3[1].js

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\httpsEnable[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\ico[1].png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\kv-ico[1].png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\rem_on[1].png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sq.core[1].js

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sq.login[1].js

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sq.statis[1].js

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\200x42[1].png

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.6479.21607.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre